OOB warning during IPS 4260 signature update via CSM

Hi,
During the recent IPS signature updates via CSM, I have noticed that there was a warning (below).
>OOB change detected - Out of Band(OOB)and sensor configuration change happened on device. But you selected to continue deployment in case of OOB. Continuing...
What is the cause & impact of such an event?
As I suspected there is a mismatch of configuration, my inline interfaces are no longer applied to the virtual sensor 'VS0'. Could it be due to the mis-synchronisation?
Appreciate any advice.
Thanks
cash

CSM keeps an internal copy of the configuration it last pushed to the sensor.
Each portion of the configuration has a configToken assigned to it by the sensor. The config token is a base 64 encoding of that configuration portion.
Each time CSM goes to push a new configuration it will compare the configToken of its previously saved configuration for that sensor against the configToken of the configuration currently on the sensor.
If the 2 configTokens match, then no configuration change has been made since the last time that CSM pushed a configuration to the sensor. CSM can safely push the new configuration to the sensor.
If the 2 configTokens do not match, then an Out Of Band (OOB) configuration change has been made to the sensor. This means that the sensor's configuration has been modified by something other than CSM. This may have been a user changing something through the CLI or IDM instead of using CSM.
In these situations CSM gives you the option of either stopping the push of the new configuration so the detected changes can be imported and evaluated by the user, or to go ahead and push the changes to the sensor.
If you decide to go ahead and push the changes to the sensor, the outcome of the configuration change is not guaranteed.
The sensor may wind up merging the OOB changes in with the new configuration from CSM, or the CSM changes may wind up overwriting the OOB changes.
So telling CSM to push the new configuration even when OOB changes have been detected can be risky and can cause loss of some of your configuration.
If you will be making changes with CLI or IDM, then it is always best to import those changes into CSM before making further configuration changes in CSM.
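
The token comparison described in the answer above, as an added sketch that is not CSM code and not part of the original post. The component names, sample configuration text and function names are assumptions, and the token is modelled as base64 of the configuration portion exactly as the answer describes it.

```python
from __future__ import annotations

import base64
import difflib

# Constructed sample data: component names and config text are illustrative,
# not real sensor output. CSM_COPY is what the manager last pushed; SENSOR_NOW
# is what the sensor reports after someone edited it through the CLI or IDM.
CSM_COPY = {
    "analysis-engine": "virtual-sensor vs0\nlogical-interface inline-pair-1\n",
    "signature-definition": "signatures 2004 0\nstatus enabled true\n",
}
SENSOR_NOW = {
    "analysis-engine": "virtual-sensor vs0\n",
    "signature-definition": "signatures 2004 0\nstatus enabled true\n",
}


def config_token(portion: str) -> str:
    """Token for one portion, modelled as base64 of its text (assumption from the answer)."""
    return base64.b64encode(portion.encode("utf-8")).decode("ascii")


def snapshot(config: dict[str, str]) -> dict[str, str]:
    """One token per configuration portion, as the manager would store them."""
    return {name: config_token(text) for name, text in config.items()}


def detect_oob(saved: dict[str, str], current: dict[str, str]) -> dict[str, str]:
    """Return {component: 'changed' | 'added' | 'removed'} for every token mismatch."""
    drift = {}
    for name in sorted(saved.keys() | current.keys()):
        if name not in current:
            drift[name] = "removed"
        elif name not in saved:
            drift[name] = "added"
        elif saved[name] != current[name]:
            drift[name] = "changed"
    return drift


def review_diff(saved_token: str, current_token: str) -> list[str]:
    """Decode both tokens and list the lines that differ, for review before import."""
    old = base64.b64decode(saved_token).decode("utf-8").splitlines()
    new = base64.b64decode(current_token).decode("utf-8").splitlines()
    return [line for line in difflib.ndiff(old, new) if line[:2] in ("+ ", "- ")]


def plan_push(saved: dict[str, str], current: dict[str, str],
              continue_on_oob: bool = False) -> tuple[str, dict[str, str]]:
    """Decide what to do with a pending deployment given the two token sets."""
    drift = detect_oob(saved, current)
    if not drift:
        return "push", drift                      # tokens match: safe to deploy
    if continue_on_oob:
        # Mirrors the warning in the question: merge or overwrite, not guaranteed.
        return "push-outcome-not-guaranteed", drift
    return "stop-and-import", drift               # import and evaluate OOB changes first


if __name__ == "__main__":
    saved, current = snapshot(CSM_COPY), snapshot(SENSOR_NOW)
    action, drift = plan_push(saved, current)
    print(action, drift)
    for component in drift:
        if drift[component] == "changed":
            print(component, review_diff(saved[component], current[component]))
```

With the sample data, the only mismatching portion is the one holding the interface assignment, which is the kind of loss the question reports for 'VS0'.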

Similar Messages

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • IOS IPS Automatic Signature Update

    I will use cisco1941w.
    I'd like to know, how to configure at CLI and where is the URL.
    Is the below correct?
    CLI
    Router(config)# ip ips auto-update
    Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
    Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    Router(config-ips-auto-update)# username XXX password XXX
    URL
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

    Hello,
    A. Here is what the six files do:
    • ios-ips-sigdef-default.xml: contains all the factory default signature definitions
    • ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
    • ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
    • ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
    • ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
    • ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
    B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.
    Hence to copy the signature database of one router to the other, we need to copy at least the first 4 files.
    You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration.
    We do not have one single file that contains all the signatures.  The signature package is installed in a certain way.
    Hence we will need at least the first 4 files to copy the signature database from one router to the other.
    C. Secondly, I don't know if auto-update will accept a file in .xmz package, I have not tested this.
    But I am guessing it will look for a .pkg file and decompress it.
    With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.
    D. Hence there is no one single configuration file that you copy off the external ftp server.
    I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.
    It is also not necessary to check for signature updates every hour.
    Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.
    Sid Chandrachud
    TAC Security Solutions
    Customer support engineer

  • How often ARE those IPS virus signatures updated?

    I was looking at a "show version" on one of my current sensors and noticed that the last virus signature was over 7 months ago. Now, one of the big reasons I was told we had to pay for our 5.x licenses was these virus signatures. If that's true, and this is the additional value Trend Micro has brought to our sensors, should they get updated a little more frequently?
    (from my sensor)
    Cisco Intrusion Prevention System, Version 5.1(1p1)S235.0
    Host:
    Realm Keys key1.0
    Signature Definition:
    Signature Update S235.0 2006-06-22
    Virus Update V1.2 2005-11-24

    The Virus Signature from Trend was one reason for the licensing in 5.x, but was not the only reason and was not even the primary reason.
    Even as far back as version 2.x a Support Contract was required for downloading and installation of signature updates. But was not enforced by the software. We relied on the users keeping the support contracts up to date on their own. Many users downloaded and installed signature updates without paying for the support contract. And the vast majority did not realize that a support contract was needed to receive the signature updates.
    With the lack of support contract purchases it became difficult to continue fielding a team for writing IPS signature updates.
    So in version 5.x it was decided to begin enforcing the purchase of support contracts through the use of Signature Update Licenses as part of the Cisco Service for IPS Contracts. Thus ensuring funding for the signature team, and allowing the team to spread out world wide for 24 hour coverage.
    The additional cost of a Cisco Service for IPS contract when compared to standard SmartNET contracts for other Cisco products is for the specific funding of the Cisco signature team, and a small amount sent to Trend for assistance in signature creation. Only a small portion of the support contract is paid to Trend Micro for their support.
    The Virus signatures are part of the Cisco Incident Control System (Cisco ICS). With the purchase of ICS there is a faster deployment of signatures for Virus/Worms. When a virus or worm reaches a critical level then TrendMicro can create their own Virus signatures and have Cisco ICS deploy those signatures to the sensors as soon as they are written.
    Cisco then includes these Virus signatures in a later standard Cisco signature update.
    Now as for why there have not been any recent updates to the Virus Signatures is that there has not been a major outbreak in the past 6/7 months. The virus signatures are only created on an emergency basis when a virus or worm reaches a critical level. Cisco ICS was specifically designed for handling virus and worm outbreaks, and is referred to as Outbreak Prevention.
    If the virus/worm does not reach a critical level, then the emergency Virus signatures are not created.
    Instead the Cisco signature team will take care of them as part of the standard Cisco signatures that are included as part of the standard S updates.
    This doesn't mean that we are not receiving information from Trend. For Virus/Worms that do not reach that critical level, the Trend team will instead send information to Cisco for creation of standard Cisco signatures by the Cisco signature team. This way the Cisco team can create a more general signature designed to catch all attacks for a certain vulnerability that will catch that specific virus/worm as well as future virus/worms that may also attempt to exploit the same vulnerability. These signatures wind up as part of the standard S update. This method is used because the Cisco signature team has more in depth knowledge of the various engines in Cisco IPS and can often write signatures that the Trend engineers would not be able to.
    It is only when the Trend Micro engineers need to create an emergency update that they will create their V signatures for the specific virus/worm.
    Otherwise they share the information with Cisco and the Cisco engineers create the signature.

  • Signature updates and CSM error message

    Hi,
    I have started getting the following error message in CSM when pushing signature updates to our 4200 series and IDSM-II blades:
    Could not get device version after pushing down sensor update package to device
    The actual signature updates work fine, but just wondering if I can get rid of this error message.  Any ideas?
    Many thanks

    Hi Dustin,
    Here is the deployment log for one of the devices:
    Device version before update is: 7.0(2)E4S581.0
    Going to send the following package(s) to sensor: IPS-CS-MGR-sig-S583-req-E4.zip,
    Processing package file: IPS-CS-MGR-sig-S583-req-E4.zip
    Package is ready for update
    Checking analysis engine status from device XXXXXX
    Analysis engine is up running and device is ready to take updates
    Pushing package: IPS-sig-S583-req-E4.pkg to device
    Device did not respond to pushUpgrade command from CSM. It may have been upgraded. Will query to find out
    Device not ready, retry getVersion in 30000 milliseconds. (1/16)
    Device not ready, retry getVersion in 30000 milliseconds. (2/16)
    Device not ready, retry getVersion in 30000 milliseconds. (3/16)
    Device not ready, retry getVersion in 30000 milliseconds. (4/16)
    Device not ready, retry getVersion in 30000 milliseconds. (5/16)
    Error when trying to update: Could not get device version after pushing down sensor update package to device: XXXXXX. Please access the device using Command Line Interface, and check if it is working properly
    Device version before update is: 7.0(2)E4S581.0
    Going to send the following package(s) to sensor: IPS-CS-MGR-sig-S583-req-E4.zip,
    Processing package file: IPS-CS-MGR-sig-S583-req-E4.zip
    Package is ready for update
    Checking analysis engine status from device XXXXXX
    Analysis engine is up running and device is ready to take updates
    Pushing package: IPS-sig-S583-req-E4.pkg to device
    Device did not respond to pushUpgrade command from CSM. It may have been upgraded. Will query to find out
    Device not ready, retry getVersion in 30000 milliseconds. (1/16)
    Device not ready, retry getVersion in 30000 milliseconds. (2/16)
    Device not ready, retry getVersion in 30000 milliseconds. (3/16)
    Device not ready, retry getVersion in 30000 milliseconds. (4/16)
    Device not ready, retry getVersion in 30000 milliseconds. (5/16)
    Error when trying to update: Could not get device version after pushing down sensor update package to device: XXXXXX. Please access the device using Command Line Interface, and check if it is working properly

  • IPS/IDS Signature updates

    Just a quick question, will there be a charge for upgrading the signatures? In other words will you have to pay to download the new updates as they come out?

    What about the IOS IPS with 5.x? It looks like the IOS IPS doesn't support the 5.x signatures due to current engine support, yet I haven't been able to find an EOL on IOS IPS.

  • Installing signature update for IDSM-2 on AIP-SSM

    Hi everyone, I'm not sure about this question but I think it's better to ask you experts. I want to know: if I have a signature update, for example for my IDSM-2, can I install this sig update on my AIP-SSM? Suppose that the IPS software on both devices is the same and I have also installed a valid license key on the AIP-SSM. Can I do this or not? I know that if you do not have a valid license installed on the IDSM-2 you can't install any sig update on the IDSM-2, but what about the AIP-SSM? I mean, can I install a sig update on the AIP-SSM without a valid license key installed on the AIP-SSM? Thanks

    There are 3 main types of Signature Updates.
    1) IPS Sensor Signature Updates
    2) CSM Signature Updates for IPS Sensors
    3) IOS IPS Signature Updates
    The IPS Signature Update filename is in the form: IPS-sig-Sxxx-req-Ey.pkg
    This is most likely what you are referring to in your post. This file can be installed on ANY IDS/IPS Appliance or Module.
    The Requirement here is not the platform but rather the Engine Level. The "req-Ey" portion of the filename tells you that the sensor must already be running the "y" Engine level of software.
    So an IPS-sig-S436-req-E3.pkg file can be installed on any IDS/IPS Appliance or Module so long as the software on that sensor is an "E3" version.
    The CSM updates, are signature updates for the Cisco Security Manager. They contain special files that CSM uses to update itself, and then also included within the CSM update is the actual sensor update described above. CSM unpackages the CSM update, updates itself, and then uses that embedded file to upgrade the actual sensor.
    The third type of file is for IOS Routers loaded with special IOS software that has the special IOS IPS features where the Router itself (instead of a separate IDS/IPS module) does the signature monitoring.
    These IOS IPS Signature Updates get installed on the actual router, and are not installed on the IDS/IPS Sensor Appliances or Modules.
    So in answer to your question, yes the same Signature Update for your IDSM-2 is the exact same Signature Update for your SSM modules.
    The exact same file is available through multiple different paths on cisco.com. But it doesn't matter through which cisco.com path you downloaded the file you can still install it on all IDS/IPS Appliances and Modules.
    As for licensing, the license works the same on all IDS/IPS Appliances and Modules. A license must be on the sensor for the Signature Update to be applied.
    NOTE: A Trial License is available from cisco.com for new sensors to allow you time to get everything setup correctly for your sensor to be covered by a service contract, and get the standard license from the service contract.
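
A pre-deployment check built on the naming rule in the answer above, as an added example that is not Cisco code or part of the original post. It parses the filename and sensor version formats that appear on this page; the function name, the status strings and the "not-newer" check are assumptions added for illustration.

```python
from __future__ import annotations

import re

# Sensor version as shown on this page, e.g. "7.0(2)E4S581.0" or the
# pre-engine-level "5.1(1p1)S235.0".
SENSOR_VERSION = re.compile(
    r"^(?P<release>\d+\.\d+\(\w+\))(?:E(?P<engine>\d+))?S(?P<sig>\d+)\.\d+$"
)
# Sensor package "IPS-sig-Sxxx-req-Ey.pkg" and the CSM wrapper
# "IPS-CS-MGR-sig-Sxxx-req-Ey.zip", both as they appear on this page.
PACKAGE = re.compile(
    r"^IPS-(?P<csm>CS-MGR-)?sig-S(?P<sig>\d+)-req-E(?P<engine>\d+)\.(?:pkg|zip)$"
)


def check_update(sensor_version: str, package: str, licensed: bool = True) -> str:
    """Classify whether `package` can be applied directly to a sensor.

    Returns one of: "ok", "unparseable", "csm-package", "no-license",
    "engine-mismatch", "not-newer" (hypothetical status names).
    """
    pkg = PACKAGE.match(package)
    ver = SENSOR_VERSION.match(sensor_version)
    if not pkg or not ver:
        return "unparseable"
    if pkg["csm"]:
        # The CSM update is consumed by CSM, which then pushes the embedded
        # sensor package; it is not the file a sensor installs itself.
        return "csm-package"
    if not licensed:
        # A license must be on the sensor for the update to be applied.
        return "no-license"
    if ver["engine"] is None or int(ver["engine"]) != int(pkg["engine"]):
        # "req-Ey": the sensor must already be running engine level y.
        return "engine-mismatch"
    if int(pkg["sig"]) <= int(ver["sig"]):
        # Added sanity check, not stated in the answer: nothing new to apply.
        return "not-newer"
    return "ok"


if __name__ == "__main__":
    # Constructed test matrix using version strings and filenames from this page.
    for version, name in [
        ("7.0(2)E4S581.0", "IPS-sig-S583-req-E4.pkg"),
        ("7.0(2)E4S581.0", "IPS-sig-S436-req-E3.pkg"),
        ("7.0(2)E4S581.0", "IPS-CS-MGR-sig-S583-req-E4.zip"),
        ("5.1(1p1)S235.0", "IPS-sig-S583-req-E4.pkg"),
    ]:
        print(f"{version:18} {name:32} -> {check_update(version, name)}")
```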

  • IPS Signature Update. The IPS is left hanging.

    I have performed an IPS signature ID update. Once the definitions have been updated, the IPS is left hanging and I need to perform a reload.  The config has been verified as not a possible cause for this adverse effect.  Have people had issues of this sort? What would cause the IPS to effectively stall when the upgrade takes place? Any solutions?

    Please use the below troubleshoot guide
    http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html#troubleshoot

  • Update via iPhone 4S on facebook.

    Is it possible to enable the signature 'updated Via IPhone 4S' on facebook whenever we are using facebook? if yes then let me know how.

    You need to ask the makers of the facebook app that question. Apple has nothing to do with the app except to host it on the app store.

  • IPS Signature Updates with no Internet Access

    Hi all,
    I've got a bit of an interesting dilemma that I'm hoping that someone could help with. I have two distinct networks: A "regular" network, along with a "secure" network. I've not been involved in the setup/configuration, but I've been handed some work to do now that has me puzzled.
    The two networks are separated with a pair of ASA devices with IPS modules installed. User access to the secure side works by using Cisco VPN client, terminating on the ASA's, and once connected applications are delivered via Citrix. Management of the ASA's involves connecting via management VPN to the "external" ASA interface, connecting to a management server via Citrix and from there, management via MARS, ASDM & IME.
    My issue is that I have been asked to configure auto-updates for the IPS modules. However, there is no internet access from the secure network. Servers on the secure side can request files, etc, from the regular side but no direct access can be initiated from the regular side back to the secure network. There are no ASA devices that are contactable/manageable from the regular side.
    I've read that it's possible to somehow download updates from cisco.com via FTP or similar, but I fail to see how I can automate the process. What I originally thought to do was to install another copy of IME on the regular network, set up a dummy device and there on configure auto-updates, but unfortunately the IPS needs to be contactable for that to work.
    Can anybody think of a solution that could make this work for me?

    Hi Jennifer,
    Thanks for that, but the instructions in that document appear to be related to updating a sensor from an FTP server where the updates have already been copied to it.
    I have searched and searched, but I'm unable to locate the relevant location to download the signatures direct via FTP/SCP. I have attempted to locate them on ftp.cisco.com, but with no luck.
    Regards,
    James

  • IOS IPS SIG Updates via IDSMDC

    When using IDSMSC to push out updates for Sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the update process. However the IOS IPS devices pull their signature definitions from the server itself.
    So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to ensure the devices are updated with the latest signature definitions after the update?
    SHM

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC

  • IPS Signature Update - CSM v3.3 SP1

    Hi,
    I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:
    "Failed to generate edit config delta  for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"
    The signature update actually deploys, but I am wondering what is causing this message.  I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.
    Does anyone have any ideas what is causing this message?  The access ACLs are the same for each sensor.
    Many thanks

    Hi Liam,
    As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.
    In that case, how did you create that policy?
    Did you create the policy from the policy view page, or did you right click on the "Allowed Hosts" setting of a device in device view and select "share policy"?
    If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02063
    This is the workaround that should work for you in case you are indeed running into this issue:
    1. Rediscover or newly add any one IPS device running 7.x version
    2. Create entries for "Allowed Hosts" according to requirements.
    3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.
    4. Assign this "Allowed Hosts" shared policy to one or more devices.
    5. Deployment should now be successful for "Allowed Hosts".

  • IPS Signature Updates and CCO logins

    I cannot seem to get my IPS 4255 on version 7.0(3)E4 to gather signature updates and I think it is because my CCO account is not set up correctly. I took a browse through the discussions (admittedly did not read them entirely) but can anyone point me to a discussion on how to set up my CCO account or give me instructions on what I need to do?
    Thank You
    Unprotected,
    Jason Bielenda

    Small correction.
    The URL to create the account is https://tools.cisco.com/RPF/register/register.do
    And you need an IPS services contract to get access to them.
    There are trial licenses available too:
    https://tools.cisco.com/SWIFT/LicensingUI/demoPage

  • IPS Signature Update S480?

    I noticed that the software for the E4 engine update has been posted for all IPS devices, but no matching signatures (yet).  Also, I see that the IPS updates for MARS now have an update for S480 available, but no matching signatures for IPS.
    Is this just a mix-up with release dates?  Or am I just missing where the S480 signatures are?  Also, will S480 be the first set of sigs released for the E4 engine?
    Anyone with any insight?

    Whoops ... guess I should have read that E4 engine "readme" file that came with the download ...
    "The E4 Engine Upgrade includes a Signature Update labeled S480. S480 will not be available for separate download.  Refer to the archived Active Update Bulletin for S480 for more details on this signature update release.  Active Update Bulletins are available at:
    http://tools.cisco.com/security/center/bulletin.x?i=57 "

  • 2651XM IPS Signature Update?

    Hello,
    I have a 2651XM 256MB/32MB running 12.4(25) and I would like to update the IPS signature file.  I see that the last update for 256MB.sdf was from Aug 2008.  The latest IPS I found is IPS-sig-S518-req-E4.pkg from
    http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=277801011&treeName=Security&mdfLevel=Model&url=null&modelName=Cisco+2651XM+Multiservice+Router&isPlatform=N&treeMdfId=268438162&modifmdfid=278279418&imname=Cisco+IDS+Access+Router+Network+Module&hybrid=Y&imst=Y
    I've tried the command
    ip ips sdf location flash:\\IPS-sig-S518-req-E4.pkg
    ip ips sdf location flash:IPS-sig-S518-req-E4.pkg
    but when I apply IPS to an interface and run 'show ip ips all' no signatures load and I get a message 'invalid token'.
    I also tried seeing if the latest SDM will help but nothing.
    My question is, what is it that I am doing wrong or missing?  Is my router too old to be able to get the latest signature files?
    Any advice or guidance to the right direction is much appreciated.
    Thanks

    You have a version of IOS that includes the older version of the IOS IPS feature (referred to as v4).  This release only supports signature updates using the SDF formatted files.  These files are no longer updated.
    The signature update file you found (ending in .pkg) is the signature update package supported by Cisco's IPS appliances and is not compatible with the IOS IPS feature set.
    The current IOS IPS feature (referred to as v5) also makes use of .pkg files.  You will need to upgrade the IOS of your 2651 to a release in the T train such as 12.4(24)T2 to obtain the latest IOS IPS feature release.
    You can find out more about the IOS IPS feature set here:
    http://www.cisco.com/go/iosips
    For starting with IOS IPS v5:
    http://www.cisco.com/en/US/products/ps6634/products_tech_note09186a008097db66.shtml
    Scott
