MC-IDS - Error Updating Network IDS Signatures

MC for IDS Sensors
Update Network IDS Signatures
Error
Object update failed. The update package provided appears to be corrupt, or permission was denied for reading the file. Please verify the update package contents and retry the operation.
I verified the checksum of 4207248 matches the file I downloaded from CCO. We are running on Solaris. What userid is VMS using to read?
Any ideas ? -jason
root@bnavms # cd /opt/CSCOpx/MDC/etc/ids/updates/
root@bnavms # su jra
root@bnavms # ls -l
-rw-r--r-- 1 jra other 4207248 Jan 7 09:30 IDS-sig-4.1-4-S136.rpm.pkg

You need to get the .zip version of the update. It can be found on the same CCO download page under the IDSMC -> IDS Management Console link at the bottom of the page.

Similar Messages

  • Update Network IDS/IPS Signatures

    In the IPS Manager (CSM 3.0) Configuration > Updates > Update Network IDS/IPS Signatures
    Clicking on Apply (For instance, Update File: IPS-sig-S242-minreq-5.0-6.pkg) it appears the following error:
    Object update failed. Unknown update type.
    What is the problem?

    It should be .zip file...
    you can download from the below link
    http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips-sigup-arch

  • IDS Signature Updates

    When I update my IDS sensors using the IDS MC, 3 of my 4 sensors hang. They never restart all of the services. When I telnet to them I get the message "Error: Cannot communicate with system processes. Please contact your system administrator.". The IDS MC progress viewer shows 100% but with errors. Its errors are: Sensor Int_IDS1: Signature Update Process
    An error occurred while running the update script on the sensor named Int_IDS1. Detail = An RDEP communication error occurred during the update. Exception message = org.apache.commons.httpclient.HttpRecoverableException: Error in parsing the status line from the response: unable to find line starting with "HTTP"
    One sensor works fine with no problems.
    I have tried upgrading the sensors individually through IDSMC and the same 3 fail with the same error message. I have tried doing it through command line and ftp and the same 3 fail. The 3 sensors that fail are 4235's and the successful sensor is a 4250 XL.

    If you are not running the 'f' patch on your sensors, 4.1.4(f), you should download and install that patch. It fixes some out-of-memory on upgrade issues that are most likely the cause of your problem.
    The patch location is posted in another thread.

  • Cisco IDS signature update vs. Snort

    Greetings all
    I have a question for anyone using any Cisco IDS products.
    How often do the Cisco IDS/IDSM update their signatures, and are the updates comparable to Snort? Example: an exploit is known... Snort publishes an update... can a similar update be found for Cisco IDS?
    Regards
    Fredrik Hofgren

    Cisco does not update as frequently or completely as Snort. Cisco also tends to give much higher priority to releasing signatures on vulnerabilities that affect their own products. There are also many signatures released for Snort that never seem to make their way to Cisco from what we have seen.

  • IDS Signature update S(184)

    The IDS signature update S(184) included [MS plug and play - 6131]. This particular SIG ID is disabled, and the severity is Information. Does anyone know how to enable it and change it to high?
    Thank you

    You can use IDM (https://) to change the severity and enable the signature. The other management platforms also provide you a means to change it as well.

  • How to update the attack signatures on a 3845 IDS module

    I have bought a Cisco 3845 with an IDS module, but I think I also need an account to update the attack signatures on the IDS module periodically. Who can tell me how?

    Hi,
    To get signature updates you also need to purchase "Services for IPS" - your reseller should be able to get you a quote. Without this you won't be able to get either signatures or any support other than warranty. (because Smartnet has been replaced by Services for IPS for IPS devices.)
    HTH
    Andrew.

  • IDS Signature Attacks - OVERLOAD

    Guys,
    I know that this has been talked about many times, but wanted to ask a couple of points.
    Question 1. On the WCS, on some days we are receiving up to 70+ critical alarms for signature attacks. These are all Deauth, Auth Flood attacks. (There are a couple of Assoc floods).
    Pls see similar post on open forum
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0798a
    Now, in the signature file we have the following profiles set. (Pls note Deauth flood and Assoc Flood, BUT NO AUTH FLOOD)
    Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0:0x00C0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood", Track=signature_n_mac, MacFreq=30
    Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0:0x0000:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood", Track=signature_n_mac, MacFreq=30
    Can you guys or Cisco TAC advise us on whether we need to change these values and whether there are any rules? And where is the signature pattern for an "Auth flood"? Don't see it in the file?
    Question 2. The WCS only appears to report these critical signature alarms (and other alarms) for the last 7 days. I have tried to read through the WCS documentation and cannot find what happens to the alarms after 7 days and if this 7 day period is configurable?
    Once again, Many thx guys for all the help,
    Ken ( all IDS'd out )

    I hadn't noticed before that the AUTH FLOOD has no corresponding IDS signature file entry - bizarre!
    Attempts to get TAC to come up with any recommended changes for the signature file (at least in my experience going all the way to 3rd level TAC) resulted in an awkward silence at the other end of the line. I hope that your experience is better.
    Each version of WLC software appears to fix some false alarms, but sometimes generates new ones. It is unclear if this is due to differing values in the signature file or (more likely) due to new code anomalies.
    If you do run across better documentation on the Wireless IDS signature file, please feed it back into the forum.
    As regular forum readers can attest, the Wireless IDS system false alarms, lack of explanation of the threat posture of these alarms, as well as the lack of documentation for tuning the signature file values without completely disabling the alarms, have been a sore spot with me.
    I would even submit that it would be more helpful if Cisco would add a mechanism that would automatically forward these WIDS alarms (on a voluntary basis) back to Cisco. This would help Cisco developers to get a better idea of the numerous false positives we are seeing out here in the field and enable them to provide a better-tuned signature file in the first place!
    You may find the following post of interest:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc08c87
    As far as question 2 goes, when I tested this on our WCS 5.0, I am showing critical level security "WPA MIC" errors that go back to 5/19/08 (almost a month old).
    Please remember to rate helpful posts.
    John

  • IDS Signature attack detected...

    I think my WLAN is under two DOS attacks, Deauth flood and Reassociation flood... The following are the traps shown on the controller (WLC 4402):
    IDS Signature attack detected. Signature Type: Standard, Name: Deauth flood, Description: Deauthentication flood, Track: per-Mac, Detecting AP Name: W-Seattle-StudioRm8-02Flr-B-Fa36, Radio Type: 802.11b/g, Preced: 9, Hits: 30, Channel: 1, srcMac: 00:15:AF:ED:96:36
    IDS Signature attack detected. Signature Type: Standard, Name: Reassoc flood, Description: Reassociation Request flood, Track: per-signature, Detecting AP Name: W-Seattle-StudioRm2-02Flr-B-Fa43, Radio Type: 802.11b/g, Preced: 6, Hits: 50, Channel: 6, srcMac: 00:1D:E0:99:5E
    The network is for hotel guests so there is no authentication/encryption... Any suggestions about how I can mitigate those attacks?
    In the trap messages they also list the Src MAC addresses. However I was reading about those two attacks and seems the attacks are actually spoofing MAC addresses of clients. So are they the real mac addresses of the hacker? Should I block them?
    If I should, how can I do it? I was thinking of using MAC-filter, however it seems to only allow clients with configured MAC addresses and will deny the ones that are not listed... As you can guess, we are a hotel environment and we can't keep allowing new MAC addresses for new guests... So any suggestions?
    Any advice is welcome! Thank you!

    When you see 'deauth flood' messages this means that an AP is seeing a lot of deauths in the air. These messages often happen when a NIC card leaves an area where there are dense APs.
    If you want this to trigger less often:
    5.0:
    Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack
    Wireless Protection Policies > Standard Signatures > >
    modify/save
    for example if you wanted to see the alarm on '60' detections of 'Deauth flood' instead of '50'.
    Below 5.0:
    You can modify the IDS settings so that the messages occur less often or not at all:
    http://www.cisco.com/warp/public/102/controller_ids_sig.html
    If you want it to not trigger at all:
    Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack
    Below 5.0:
    http://www.cisco.com/warp/public/102/controller_ids_sig.html

  • Trying to update my iPod but I get the error message "network timed out". I've already uninstalled and reinstalled the latest version of iTunes. I also do not have Software Update in Settings on the iPod. How do I get the iPod to update?

    Trying to update my iPod but I get the error message "network timed out". I've already uninstalled and reinstalled the latest version of iTunes. I also do not have Software Update in Settings on the iPod. How do I get the iPod to update?

    Try the manual method specified here:
    iDevice Troubleshooting 101 :: iPhone, iPad, iPod touch

  • I tried to update my iPhone to iOS 5 but it gives me an error (the network connection timed out)

    I tried to update my iPhone to iOS 5 but it gives me an error (the network connection timed out)

    If you don't tell us the error, we can't help you

  • IDS signature tuning... interval questions.

    Just starting out trying to tune some signatures to fit our environment, and looking for clarification on some parameters of IDS signatures.
    For example: 2152 - ICMP flood
    It uses the "Flood Host" engine with the action parameters:
    Limit type: percentage (100)
    Rate: 25
    Event count: 1
    Event count key: victim address
    Specify interval: No
    Summary mode: Fire all
    Threshold: 10000
    Interval: 30
    Global threshold: 20000
    Summary key: victim address
    Can someone translate this into English?
    I'm guessing 25 packets/sec of ICMP traffic to the same destination would trigger the "event". And the 100% limit means...? 25 in a row?
    And the summaries?
    At least the "flood host" has a clear interval, but many of the scans do not. For example, 3002 or 3030 - TCP SYN port sweep. This specifies a number of "unique" packets with the same key (attacker address, or attacker and victim, or other combination) but does not specify the interval. Is this also per-second? The documentation simply says "The unique parameter triggers the alert when more than the unique number of ports or hosts is seen on the address set within the time period."
    What is the "time period" and where is it set? For these alerts (as well as the previous) the "Specify Alert Interval" is set to "No".

    I can't claim to understand some of the "scan" signatures either...most of ours are disabled.
    The limit type and percentage would only seem applicable if you're using the "request rate limit" action in inline mode. I don't think they have anything to do with alarming.
    For this particular signature I believe the most relevant variable is rate, which you already seem to understand.
    The alert frequency settings allow you change the summary mode from "fire all" to "summarize" or "global summarize" based on the number of alerts being generated. This probably has other uses, but the one that immediately comes to mind is to prevent the monitoring system from being overloaded with spurious alarms.
    As far as 3030 - TCP SYN port sweep...I don't understand it either. Do a search for it on the forums, there have been other questions.
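The two posts above reason about what "Rate", "Interval", "Threshold" and "Global threshold" do for signature 2152. The following is an added example, not code from the thread or from the Cisco sensor: a simplified Python model of those parameters run over constructed ICMP traffic. It assumes (as the question guesses) that Rate is packets per second to one victim, and it models the summary settings as "report each event until Threshold events per victim occur inside one Interval, then roll the rest into a summary; past Global threshold, one global summary".

```python
from collections import defaultdict

# Parameters quoted in the question for signature 2152 (ICMP flood, Flood Host engine).
SIG_2152 = {"rate": 25, "interval": 30, "threshold": 10000, "global_threshold": 20000}

def flood_host_events(packets, rate):
    """Model of the Flood Host engine (assumption: Rate = packets per second):
    one event per 1-second bucket in which more than `rate` ICMP packets were
    sent to the same victim address.  packets: (ts_seconds, src, dst, proto)."""
    buckets = defaultdict(int)
    for ts, _src, dst, proto in packets:
        if proto == "icmp":
            buckets[(int(ts), dst)] += 1          # event count key = victim address
    return sorted((sec, dst, n) for (sec, dst), n in buckets.items() if n > rate)

def alert_frequency(events, interval, threshold, global_threshold):
    """Simplified model of the summary settings: inside each `interval`-second
    window the first `threshold` events per victim are reported one by one
    ("fire all"), later ones are rolled into one summary per victim, and past
    `global_threshold` events the window becomes one global summary."""
    out, window_start, per_key, total = [], None, defaultdict(int), 0

    def close_window():
        if total > global_threshold:
            out.append(("global-summary", "*", total))
        else:
            for key, n in per_key.items():
                if n > threshold:
                    out.append(("summary", key, n))

    for sec, victim, _n in events:
        if window_start is None or sec >= window_start + interval:
            if window_start is not None:
                close_window()
            window_start, per_key, total = sec, defaultdict(int), 0
        per_key[victim] += 1
        total += 1
        if per_key[victim] <= threshold and total <= global_threshold:
            out.append(("alert", victim, 1))
    if window_start is not None:
        close_window()
    return out

def constructed_traffic():
    """Constructed sample (not real capture data): a 40 pps ping burst against
    10.0.0.5 for three seconds plus a harmless 5 pps trickle to 10.0.0.6."""
    pkts = [(sec + i / 40, "192.0.2.9", "10.0.0.5", "icmp") for sec in range(3) for i in range(40)]
    pkts += [(sec + i / 5, "192.0.2.10", "10.0.0.6", "icmp") for sec in range(3) for i in range(5)]
    pkts.append((1.5, "192.0.2.9", "10.0.0.5", "tcp"))   # not ICMP, ignored by this engine
    return pkts

if __name__ == "__main__":
    ev = flood_host_events(constructed_traffic(), SIG_2152["rate"])
    print(ev)  # three events for 10.0.0.5, one per second; 10.0.0.6 never exceeds Rate
    print(alert_frequency(ev, SIG_2152["interval"], 1, SIG_2152["global_threshold"]))
```

With the signature's real thresholds (10000/20000) every event is reported individually; the final call lowers Threshold to 1 so the roll-up into a summary is visible.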

  • Receiving error updating creative cloud after firewall changes to our network.

    Receiving error updating Creative Cloud after firewall changes to our network.
    We have an end user that is trying to update through the Creative Cloud application. We have tried to track down what is being blocked but have hit a dead end.
    When the Creative Cloud software tries to call out we are seeing a connection attempt to https://ops:443/ims/token/v1
    I have researched and the only reference to IMS for Adobe I was able to locate was the IMSService. This appears to be an authentication service. The issue is that "ops" is not a valid domain.
    This issue only appears to affect the Creative Cloud software, as I was able to update a test machine with Creative Cloud through the Adobe Application Manager.
    The user's system and our test system are running OS X Yosemite.

    Hi There,
    Can you please confirm whether the address and port combinations below are whitelisted on your firewall. The Adobe Creative Cloud desktop app uses these ports only.
    Address                              Ports
    ccmdls.adobe.com                     443
    ims-na1.adobelogin.com               80, 443
    ims-prod06.adobelogin.com            443
    na1r.services.adobe.com              80, 443
    prod-rel-ffc-ccm.oobesaas.adobe.com  443
    prod-rel-ffc.oobesaas.adobe.com      443
    lm.licenses.adobe.com                80, 443
    ccmdl.adobe.com                      80
    swupmf.adobe.com                     80
    swupdl.adobe.com                     80
    acp.adobeoobe.com                    443
    interaction.adobe.com                443
    Thanks,
    Ashish

  • Best Practice for WLC IDS Signature Thresholds

    Hi, are there any best practices for WLC IDS Signature thresholds?
    Thanks!
    KR,
    Rena

    You can configure IDS signatures, or bit-pattern matching rules used to identify various types of attacks in incoming 802.11 packets, on the controller. When the signatures are enabled, the access points joined to the controller perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the controller. If an attack is detected, appropriate mitigation is initiated.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/config_guide/b_cg75/b_cg75_chapter_0111110.html#d162818e187a1635

  • I want to update my iPad 2. When I try to download the OS it shows the error "network timed out". I repeated it again and again and it always shows "network timed out", but the apps are downloading. Large apps aren't; why?

    I want to update my iPad 2. When I try to download the OS it shows the error "network timed out". I repeated it again and again and it always shows "network timed out", but the apps are downloading. Large apps aren't; why?

    Try temporarily turning off all your firewall and antivirus software until the download has completed.

  • Software updates deployment error message: Network path cannot be found

    Dear All,
    I am trying to deploy software updates to the collection but no matter what I try it is always failing with the error message "Network path not found".
    Version : SCCM 2007
    Rgs,

    Hi, can you share what errors you can find in the cas.log file? Have you replicated the package to the DPs?
    Blog: http://theinfraguys.com
    Follow me at Facebook
    The Infra Guys Facebook Page
    Please remember to click Mark as Answer on the answer if it helps you in anyway
