Problem updating signature updates in IDS 4215

Problem upgrading the signatures of IDS 4215
I have to upgrade the signature file of ids 4215. The latest signature update version is IDS-sig-4.1-5-S252. To upgrade the signature file I install the service pack IDS-K9-sp-4.1-5-S189. The service pack was installed properly but while updating the signatures it is giving the following error
Error: Cannot communicate with mainApp (getVersion). Please contact your system
Administrator.
Would you like to run cidDump? [No]:
Procedure Followed
I installed a ftp server in the network and put the signature update file there. I then issued the command
upgrade ftp://[email protected]/5Dp--5-S2s52.ir
Pmg.pk-g4.1-5-S252.rpm.pkg
After that it gave me the above error
Question
How can I recover the image while recovery partition is already there?
The snapshot of the procedure that I followed is given below
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption.
http://www.cisco.com/wwl/export/crypto
If you require further assistance please contact us by sending email to
[email protected].
customer-ids4215#
customer-ids4215# sh ver
customer-ids4215# sh version
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S189
OS Version 2.4.26-IDS-smp-bigphys
Platform: IDS-4215
Using 424386560 out of 460161024 bytes of available memory (92% usage)
Using 4.4G out of 17G bytes of available disk space (27% usage)
MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500
Upgrade History:
* IDS-sig-4.1-4-S119 17:29:28 UTC Sat Oct 16 2004
IDS-K9-sp-4.1-5-S189.rpm.pkg 09:28:03 UTC Wed Dec 27 2006
Recovery Partition Version 2.4 - 4.1(4)S91
customer-ids4215#
customer-ids4215#
customer-ids4215# conf t
customer-ids4215(config)#
customer-ids4215(config)# upgrade
<source-url> Location of upgrade
customer-ids4215(config)# upgrade ftp://[email protected]/5Dp--5-S2s52.ir
pmg.pk-g4.1-5-S252.rpm.pkg
Password:
Warning: Executing this command will apply a signature update to the application
partition.
Continue with upgrade? : yes
Broadcast message from root (Sun Jan 7 14:46:24 2007):
Applying update IDS-sig-4.1-5-S252. This may take several minutes.
Please do not reboot the sensor during this update.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use.http://www.cisco.com/wwl/export/crypto
If you require further assistance please contact us by sending email to
[email protected].
Error: Cannot communicate with mainApp (getVersion). Please contact your system
administrator.
Would you like to run cidDump?[no]:
Connection to host lost.
C:\>

Just so you know, you will need to update your IPS from 4.1-5 to 5.0-1 to get signatures up to 217. To get a signature beyond 217, you'll need to upgrade to 5.0-5. This isn't that lengthy of a process, but it is required if you want to go beyond 217. Also, 252 is an older signature; 265 has been out now for a few. Just an idea of how fast these signatures update. Shoot a reply back if you don't know how to upgrade.

Similar Messages

  • IDS Signature Updates

    When I update my IDS sensors using the IDS MC, 3 of my 4 sensors hang. They never restart all of the services. When I telnet to them I get the message "Error: Cannot communicate with system processes. Please contact your system administrator.". The IDS MC progress viewer shows 100% but with errors. Its errors are: Sensor Int_IDS1: Signature Update Process
    An error occurred while running the update script on the sensor named Int_IDS1. Detail = An RDEP communication error occurred during the update. Exception message = org.apache.commons.httpclient.HttpRecoverableException: Error in parsing the status line from the response: unable to find line starting with "HTTP"
    One sensor works fine with no problems.
    I have tried upgrading the sensors individually through IDSMC and the same 3 fail with the same error message. I have tried doing it through command line and ftp and the same 3 fail. The 3 sensors that fail are 4235's and the successful sensor is a 4250 XL.

    If you are not running the 'f' patch on your sensors, 4.1.4(f), you should download and install that patch. It fixes some out-of-memory on upgrade issues that are most likely the cause of your problem.
    The patch location is posted in another thread.

  • IDS Signature update S(184)

    The IDS signature update S(184) included [MS plug and play - 6131]. This particular SIG ID is disabled, and the severity is Information. Does anyone know how to enable it and change it to high?
    Thank you

    You can use IDM (https://) to change the severity and enable the signature. The other management platforms also provide you a means to change it as well.

  • How to updating the attack signatures on 3845 IDS module

    I have bought a Cisco 3845 with IDS module, but I think I also need an account to update the attack signatures on the IDS module periodically. Who can tell me how?

    Hi,
    To get signature updates you also need to purchase "Services for IPS" - your reseller should be able to get you a quote. Without this you won't be able to get either signatures or any support other than warranty. (because Smartnet has been replaced by Services for IPS for IPS devices.)
    HTH
    Andrew.

  • IDS/IPS Signatures Update

    Hi,
    I have one question regarding signature updates: do the new Cisco signatures include the new updates plus the old ones, or just the difference between the latest update and the previous one?
    If I have an IPS which has never been updated for a year let's say, is it just enough to install the latest signature update and the latest Service pack? Does the service pack include signatures as well when applied?
    Please advise!
    Thanks,
    Haitham

    A signature update will contain all Cisco signatures that have been released so far. A service pack will be bundled with a signature update, but not necessarily the latest one. So you should first apply the latest service pack and then apply the latest signature update.

  • Error while updating signatures with IDSMC 2.0.1

    Hi,
    For 2 weeks now, while updating my sensors from the Manager, nothing appears in the real time progress viewer although the upc activity is high, but nothing is done after 1 hour.
    I got an Error in the Pending Signature Update Jobs:
    "Unable to interpret the schedule string "once Jun 1, 2005 10:38:13 AM" - java.text.ParseException: Unparseable date: "Jun 1, 2005 10:38:13 AM"
    After many restart of the Manager Daemon services the MC got finally updated.
    But when deploying configuration to the sensors I got another error message:
    "Error while pushing files ti the sensor java.lang.Exception"
    Any help please?

    It seems this problem has been seen in older versions of the IDS 4.x code. First try to reimport the config and push the sigs; if that doesn't fix the problem, upgrade to the latest 4.x code and re-import. That should fix the problem. Good luck.

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • Netscape cursor/text problem after Software Updates

    A friend of mine recently ran Software Update (3) updates and ended up with a reasonably serious issue with Netscape which he uses for e-mail. Here's his description...
    "I did a routine Apple update the other day:
    Mac OS X Update (Power PC) 10.4.6
    QuickTime 7.1.1
    J2SE 5.) Release 4 4.0
    Since restarting after that update, the screen display of text in my
    Netscape email program has been damaged. Trying it a second time with
    the update combo did not help.
    The main complaint is that I cannot see the current or previous
    characters being typed, nor the cursor itself, nor the end of the line
    after an automatic return. Ends of lines are replicated for some reason,
    cluttering up the typing window.
    A couple of indications of how screwed up it looks: notice the font
    gibberish below the text, every touch of the return key yields an
    apostrophe, and then there's the other clutter that appears below and
    around the signature.
    When I do spellcheck, some (but not all) of the stuff disappears.
    The spellcheck itself doesn't catch many errors anymore. .
    All the best,
    ph"
    Here's a screenshot of the issue...
    http://homepage.mac.com/wellesgoodrich/grrrr.jpg
    Does anyone have any guesses what might be wrong? I had him run the 10.4.6 Combo Updater as occasionally the combo fixes issues with Software Update versions. It made no difference. Unfortunately, even though I've preached having an external backup prior to any system upgrade, he has not yet done so. His computer is the 17" Flat Panel iMac 800 mhz.
    Thanks!
    G4 1.5GHZ, Rev.A iMac, Mac IIsi, Mac Plus   Mac OS X (10.4.6)  

    Did your friend check his hard drive for any directory problems with Disk First Aid repair via Disk Utility when booted from the Tiger install disc before installing the 10.4.6 Update and other updates and were all running applications quit before the install - namely Netscape?
    As a first step, I suggest Resolving Disk, Permission, and Cache Corruption for system troubleshooting procedures and when doing so, follow all steps/instructions in the order provided including using a system and user cache cleaning utility.

  • Scheduling a signature update through MC

    How can you schedule a signature update to take place, for example, at 3:00 in the morning? When I do a signature update through MC, I select the sensor I want to update then click continue and it updates at that time. Can I schedule this somehow? I am using IDS MC and apply updates through the Management Center. Thanks for the help.

    Hi,
    Can anyone help me on this please?
    Angshuman

  • IDSM Signature Updates

    Hi,
    Suddenly, after upgrading our IDSM-2, the signatures are not being updated in the Releases tab, but the IDS itself is up to date.
    Generally the IDS is updated but I can't see the last applied signatures on IPS>sig>releases...
    Who has the solution?
    Regards,
    Sent from Cisco Technical Support iPad App

    Hello.
    Suddenly, after upgrading our IDSM-2, the signatures are not being updated in the Releases tab, but the IDS itself is up to date. Generally the IDS is updated but I can't see the last applied signatures on IPS>sig>releases...
    Are you encountering this behavior in IDM (the sensor's built-in GUI) or in IME (IPS Manager Express)?
    I recently encountered a customer who ran into this behavior with IDM and the issue was due to the signature update(s) not actually completing 100% due to a defect being encountered.
    I also recently encountered a customer who ran into this with IME and the issue was eventually resolved via an uninstall and re-install of the IME application software.

  • Verifying the Correct Signature Updates, Management Software, and Version

    I am working today at a Client Site where I installed several months ago a Cisco IPS 4240 Sensor. The Sensor is currently running Version 6.0(3)E1.
    I am not certain how to proceed with respect to signature updates on this box.
    Under signature definition, it lists the following:
    Signature Update S291.0 2007-06-18
    I have noticed on the Security Software Page for IPS that the latest Signature File is S336. Should I install this on the IPS? In order to perform this, will it take down the IPS unit?
    Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM as well as IEV respectively to Configure/ Monitor and then IEV to Alarm on certain Events. What are IME, IPC MC, and ICS and how are they different from IDM and IEV??

    IME = Intrusion Prevention Manager Express
    - IME is fairly new (released only a month or 2 ago) IME is a next generation of IEV. It does the event monitoring of IEV, but is also able to do configuration similar to IDM. So it is IEV and IDM in one tool. The configuration screens of IME will only work IPS 6.1, but the event monitoring screens will work with 5.1, 6.0, and 6.1.
    IPS MC = Intrusion Prevention System Management Center
    IPS MC was a part of VMS (VPN and Security Management System). IPS MC was configuration of a large number of sensors.
    IPS MC and VMS are both End Of Saled and were replaced with CSM
    CSM = Cisco Security Manager
    CSM is a multi-security device configuration management system. It is targeted at Enterprise customers with more than 5 sensors.
    ICS = Intrusion Containment System
    ICS was a product produced by Trend Micro Systems. Trend could create signatures for Viruses and Worms and then send an update to ICS and ICS would then create the signatures on the sensors. These signatures were known as the V signatures.
    ICS has been End of Saled
    So from your perspective you need not be concerned with IPS MC (VMS) or ICS.
    IME should be of interest to you as an upgrade from IEV (IME like IEV is available as part of your existing sensor support contracts and is not an additional charge).
    As you upgrade sensors to IPS v6.1 you might consider upgrading IEV to IME.
    CSM (and also MARS) would be of interest if you are going to manage more than 5 sensors. (IME and IEV are limited to 5 sensors).

  • Cisco signature update site down?

    I just noticed that I haven't been getting my daily updates since Sunday.  I get the following error:
    AutoDownload Job Report:
    No files available for download.
    Error: Unable to communicate with locator service to retrieve available files.
    Has anyone else seen this?

    This seems to be an intermittent problem, becoming more visible today (not sure if it was occurring prior to today). If you urgently need a signature update file, for now (as a workaround), you can manually download the file from here:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips5-sigup
    And, place it in the CSCOpx\MDC\ips\updates directory on your CSM (Cisco Security Manager) system.
    If you have time, could you let us know what www.cisco.com resolves to on your CSM system? This may help confirm/track down the source of the issue. You should be able to do this from a Command Prompt (cmd.exe) on the CSM system using the nslookup utility. Example:
    C:\> nslookup www.cisco.com

  • Use Active FTP for signature updates

    Is it possible to use active ftp as opposed to passive when upgrading IDS signatures? I am running 4210s with v.4.1. During signature updates for some reason the FTP connection uses a random ephemeral port instead of port 21. When I ftp manually from the service account with the PASS command to turn off passive ftp, the file transfers fine. ACLs are blocking the connection because the port always changes and I don't want to open up the ephemeral port range.
    Thanks,
    Joel

    As far as I know, you can only use the passive ftp for the sig updates.

  • Signature update fail

    The following error has occurred while updating the signature file IDS-sig-4.1-5-S252.rpm.pkg on a VMS 2.2 machine.
    What are the possible causes of the error?
    Object update failed. The update package provided appears to be corrupt, or permission was denied for reading the file. Please verify the update package contents and retry the operation.

    Apply the latest signature update to the IDSMC.
    Apply all the signature updates starting from the oldest to the latest to the IDSMC.
    Delete the sensor(s) and add them back in... apply the latest signatures to the IDSMC.
    If at this point, the error sustains, then the only way to fix is to reinstall the IDSMC.

  • S363 Signature Update

    We have 4 Cisco ASA-SSM-AIP modules that need the new signature set applied. We are getting an error trying to ftp the upgrade to the console of these devices. "Error: execUpgradeSoftware : Received only partial file: 131072 bytes". We have downloaded the S363 version multiple times to no avail. Are we missing something? It appears as if the download is corrupt but we have verified the file size with the original. We have tried the upgrade on all four and it fails on each one.
    The show version:
    DOR-DMZ-SSM-1# show ver
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.1(1)E2
    Host:
    Realm Keys key1.0
    Signature Definition:
    Signature Update S361.0 2008-10-13
    Virus Update V1.4 2007-03-02
    OS Version: 2.4.30-IDS-smp-bigphys
    Platform: ASA-SSM-10
    Serial Number: JAB101701BR
    Licensed, expires: 31-Jul-2009 UTC
    Sensor up-time is 162 days.
    Using 673341440 out of 1032495104 bytes of available memory (65% usage)
    system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
    application-data is using 49.7M out of 166.8M bytes of available disk space (31% usage)
    boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
    MainApp M-2008_APR_24_19_16 (Release) 2008-04-24T19:49:05-0500 Running
    AnalysisEngine ME-2008_JUN_05_18_26 (Release) 2008-06-05T18:55:02-0500 Running
    CLI M-2008_APR_24_19_16 (Release) 2008-04-24T19:49:05-0500
    Upgrade History:
    * IPS-sig-S360-req-E2 10:30:12 UTC Tue Oct 14 2008
    IPS-sig-S361-req-E2.pkg 14:33:47 UTC Tue Oct 14 2008
    Recovery Partition Version 1.1 - 6.1(1)E1
    Host Certificate Valid from: 14-Feb-2007 to 14-Feb-2009

    Verify your downloaded file using an MD5 checker once you've downloaded it and don't merely rely on comparing the byte size. Many freeware MD5 checkers are available on Google. Sometimes proxies cache the file and you keep downloading the same file again and again (even though you are re-downloading). Sometimes this can be evaded by changing the filename of the downloaded file (then rename it back).
    Also try to use a different FTP server to rule out any issues there (FileZilla is a nice and free one).
    Regards
    Farrukh
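
The check recommended in the reply above, as an added example that is not part of the original thread: it verifies a downloaded update package against a published size and MD5 before the file is placed on the FTP server, and shows a same-size file with different content passing the size comparison but failing the digest. The file names and data are constructed, and `published_md5` stands in for the value taken from the vendor's download page.

```python
import hashlib
import os
import tempfile


def file_md5(path, chunk_size=64 * 1024):
    """Stream the file through MD5 so large packages are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(path, expected_size, expected_md5):
    """Return (ok, reason); compare size first, then the MD5 digest."""
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, f"size mismatch: {actual_size} of {expected_size} bytes (partial transfer?)"
    actual_md5 = file_md5(path)
    if actual_md5 != expected_md5.strip().lower():
        return False, f"MD5 mismatch: {actual_md5} (same size, different content)"
    return True, "size and MD5 match"


def demo():
    """Run the check on three constructed files; none is a real Cisco package."""
    reference = bytes(range(256)) * 1024  # 262144 bytes of constructed data
    published_size = len(reference)
    # Placeholder for the published value; computed here from the constructed data.
    published_md5 = hashlib.md5(reference).hexdigest()

    flipped = bytearray(reference)
    flipped[1000] ^= 0xFF  # one changed byte, length unchanged
    samples = {
        "good.pkg": reference,
        "stale_same_size.pkg": bytes(flipped),
        "truncated.pkg": reference[:131072],  # transfer cut off part-way
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = verify_package(path, published_size, published_md5)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'REJECT'} - {reason}")
```

Running the same check on the copy that the FTP server actually serves also covers the case where the file was damaged after the download.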
