S363 Signature Update

We have 4 Cisco ASA-SSM-AIP modules that need the new signature set applied. We are getting an error trying to ftp the upgrade to the console of these devices. "Error: execUpgradeSoftware : Received only partial file: 131072 bytes". We have downloaded the S363 version multiple times to no avail. Are we missing something? It appears as if the download is corrupt but we have verified the file size with the original. We have tried the upgrade on all four and it fails on each one.
The show version:
DOR-DMZ-SSM-1# show ver
Application Partition:
Cisco Intrusion Prevention System, Version 6.1(1)E2
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S361.0 2008-10-13
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-10
Serial Number: JAB101701BR
Licensed, expires: 31-Jul-2009 UTC
Sensor up-time is 162 days.
Using 673341440 out of 1032495104 bytes of available memory (65% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 49.7M out of 166.8M bytes of available disk space (31% usage)
boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
MainApp M-2008_APR_24_19_16 (Release) 2008-04-24T19:49:05-0500 Running
AnalysisEngine ME-2008_JUN_05_18_26 (Release) 2008-06-05T18:55:02-0500 Running
CLI M-2008_APR_24_19_16 (Release) 2008-04-24T19:49:05-0500
Upgrade History:
* IPS-sig-S360-req-E2 10:30:12 UTC Tue Oct 14 2008
IPS-sig-S361-req-E2.pkg 14:33:47 UTC Tue Oct 14 2008
Recovery Partition Version 1.1 - 6.1(1)E1
Host Certificate Valid from: 14-Feb-2007 to 14-Feb-2009

Verify your downloaded file using an MD5 checker once you've downloaded it and don't merely rely on comparing the byte size. Many freeware MD5 checkers are available on Google. Sometimes proxies cache the file and you keep downloading the same file again and again (even though you are re-downloading). Sometimes this can be evaded by changing the filename of the downloaded file (then rename it back).
Also try to use a different FTP server to rule out any issues there (FileZilla is a nice and free one).
Regards
Farrukh
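The check recommended in the reply above, as an added example that is not part of the original thread: it compares a downloaded package against a published size and MD5 and shows why a matching byte count alone proves nothing. The file contents are constructed, and the reference MD5 stands in for the value published on the vendor's download page.

```python
import hashlib
import os
import tempfile


def md5_of(path, chunk_size=65536):
    """Stream the file through MD5 so large packages need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_package(path, expected_size, expected_md5):
    """Classify a downloaded package against the published size and MD5."""
    actual_size = os.path.getsize(path)
    if actual_size < expected_size:
        return "truncated"
    if actual_size > expected_size:
        return "oversized"
    # Size matches: only the digest can tell a good copy from a stale or damaged one.
    if md5_of(path) != expected_md5.strip().lower():
        return "same-size-but-corrupt"
    return "ok"


def demo():
    """Build three constructed files and check each against the reference."""
    reference = bytes(range(256)) * 1024            # constructed 262144-byte "package"
    expected_size = len(reference)
    expected_md5 = hashlib.md5(reference).hexdigest()  # stand-in for the published MD5

    stale = bytearray(reference)
    stale[200000] ^= 0xFF                           # same length, one byte differs
    samples = {
        "good": reference,
        "stale_copy": bytes(stale),
        "partial": reference[:131072],              # cut short at 131072 bytes
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name + ".pkg")
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = check_package(path, expected_size, expected_md5)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run the same check on the copy sitting on the FTP server as well as on the workstation copy, since either hop can be the one that damaged the file.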

Similar Messages

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • Signature updates status not updated in DB

    error

    I see this (signature updates) is more related to a ForeFront update issue; I would suggest looking at http://social.technet.microsoft.com/Forums/en-US/home?category=forefront
    Eswar Koneti | Configmgr blog:
    www.eskonr.com | Linkedin: Eswar Koneti
    | Twitter: Eskonr

  • Scheduling a signature update through MC

    How can you schedule a signature update to take place for example at 3:00 in the morning? When I do a signature update through MC, I select the sensor I want to update then click continue and it updates at that time. Can I schedule this somehow? I am using IDS MC and apply updates through the Management Center. Thanks for the help.

    Hi,
    Can anyone help me with this, please?
    Angshuman

  • IDSM Signature Updates

    Hi,
    Suddenly, after upgrading our IDSM-2, the signatures are not being updated in the Releases tab, but the IDS itself is up to date.
    Generally the IDS is updated, but I can't see the last applied signatures on IPS>sig>releases...
    Who has the solution?
    Regards,
    Sent from Cisco Technical Support iPad App

    Hello.
    Suddenly, after upgrading our IDSM-2, the signatures are not being updated in the Releases tab, but the IDS itself is up to date. Generally the IDS is updated, but I can't see the last applied signatures on IPS>sig>releases...
    Are you encountering this behavior in IDM (the sensor's built-in GUI) or in IME (IPS Manager Express)?
    I recently encountered a customer who ran into this behavior with IDM and the issue was due to the signature update(s) not actually completing 100% due to a defect being encountered.
    I also recently encountered a customer who ran into this with IME and the issue was eventually resolved via an uninstall and re-install of the IME application software.

  • Signature Updates for AIP-SSM 10

    Hi all, how can I obtain signature updates for AIP-SSM 10 when I have a 60-day trial license?

    Here is the main file download page for the IPS sensors.
    Find the section for the version you are running and click on the Latest Signature Updates link to take you to the download page for signature updates.
    You can then download whichever signature update you want.
    NOTE1: Each signature update contains all signatures from previous sig levels. So you only need to download the latest one.
    NOTE2: Each signature update has a specific E (Engine) level requirement. You can execute "show ver" on your sensor to determine if it is at an E1 or E2 level. If it is at E1 and you want the latest sigs that require E2 then you will first need to install the E2 upgrade.
    On that main download page look for the "Latest Upgrades" link for your version, and look for the IPS-engine-E2-req-X.X-X.pkg file where the X.X-X matches your sensor version.
    If there is not an X.X-X matching your sensor version, then you may need to upgrade the software version for your sensor as well.
    NOTE3: Many of these links will also require an account on cisco.com. And for some of these files that account may also need to be verified for being from a country where the USA's export restrictions allow downloads for encryption. (Most countries qualify but you do have to go through that qualification step). It has been over 10 years since I have had to do this so I am not sure of the latest procedures for getting an account or validating it for encryption downloads.

  • Verifying the Correct Signature Updates, Management Software, and Version

    I am working today at a Client Site where I installed several months ago a Cisco IPS 4240 Sensor. The Sensor is currently running Version 6.0(3)E1.
    I am not certain how to proceed with respect to signature updates on this box.
    Under signature definition, it lists the following:
    Signature Update S291.0 2007-06-18
    I have noticed on the Security Software Page for IPS that the latest Signature File is S336. Should I install this on the IPS? In order to perform this, will it take down the IPS unit?
    Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM as well as IEV respectively to Configure/ Monitor and then IEV to Alarm on certain Events. What are IME, IPC MC, and ICS and how are they different from IDM and IEV??

    IME = Intrusion Prevention Manager Express
    - IME is fairly new (released only a month or 2 ago). IME is the next generation of IEV. It does the event monitoring of IEV, but is also able to do configuration similar to IDM. So it is IEV and IDM in one tool. The configuration screens of IME will only work with IPS 6.1, but the event monitoring screens will work with 5.1, 6.0, and 6.1.
    IPS MC = Intrusion Prevention System Management Center
    IPS MC was a part of VMS (VPN and Security Management System). IPS MC was for configuration of a large number of sensors.
    IPS MC and VMS are both End Of Saled and were replaced with CSM.
    CSM = Cisco Security Manager
    CSM is a multi-security device configuration management system. It is targeted at Enterprise customers with more than 5 sensors.
    ICS = Intrusion Containment System
    ICS was a product produced by Trend Micro Systems. Trend could create signatures for Viruses and Worms and then send an update to ICS and ICS would then create the signatures on the sensors. These signatures were known as the V signatures.
    ICS has been End of Saled.
    So from your perspective you need not be concerned with IPS MC (VMS) or ICS.
    IME should be of interest to you as an upgrade from IEV (IME like IEV is available as part of your existing sensor support contracts and is not an additional charge).
    As you upgrade sensors to IPS v6.1 you might consider upgrading IEV to IME.
    CSM (and also MARS) would be of interest if you are going to manage more than 5 sensors. (IME and IEV are limited to 5 sensors).

  • How to disable scan after signature update in scep 2012 r2?

    I have found that after a reboot of 16 VM's suddenly my SAN had >1000 IOPS on a host with just 16 VM's.
    That might not look bad based on numbers but we still run more or less green and now we have just 16 VM's soon there will be 500+.
    I rebooted the VM's simulating a HA situation and found the huge amount of IOPS for some time.
    MSMPENG.EXE was scanning and we disabled all automatic scanning so I was looking in eventviewer.
    There I discovered a signature update.
    It is highly unwanted to have a partial or full scan on servers. So my question is how can we disable this?

    Hi,
    I find a scan setting in Antimalware Policy - "Check for the latest definition updates before running a scan". You could check the policy in your SCCM console.
    Please also confirm this is not a scheduled scan.
    Best Regards,
    Joyce

  • Cisco signature update site down?

    I just noticed that I haven't been getting my daily updates since Sunday.  I get the following error:
    AutoDownload Job Report:
    No files available for download.
    Error: Unable to communicate with locator service to retrieve available files.
    Has anyone else seen this?

    This seems to be an intermittent problem, becoming more visible today (not sure if it was occurring prior to today). If you urgently need a signature update file, for now (as a workaround), you can manually download the file from here:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips5-sigup
    And, place it in the CSCOpx\MDC\ips\updates directory on your CSM (Cisco Security Manager) system.
    If you have time, could you let us know what www.cisco.com resolves to on your CSM system? This may help confirm/track down the source of the issue. You should be able to do this from a Command Prompt (cmd.exe) on the CSM system using the nslookup utility. Example:
    C:\> nslookup www.cisco.com

  • Use Active FTP for signature updates

    Is it possible to use active ftp as opposed to passive when upgrading IDS signatures? I am running 4210s with v.4.1. During signature updates for some reason the FTP connection uses a random ephemeral port instead of port 21. When I ftp manually from the service account with the PASS command to turn off passive ftp, the file transfers fine. ACLs are blocking the connection because the port always changes and I don't want to open up the ephemeral port range.
    Thanks,
    Joel

    As far as I know, you can only use the passive ftp for the sig updates.

  • New Signature updates will they overwrite old Tuned signatures

    Good day,
    I will be updating my sensors from s328 to S356. Question, will my previous Tuned rules/actions be overwritten by the new signature defaults ??
    Thanks,

    I'd give this a qualified "maybe". There is a case where the signature team might have disabled or retired a signature. That disable/retired action could pull the signature from your active list. It will still appear tuned, but it will also be disabled and/or retired. Other parameters that the sig team changes will be overridden by your tunings.
    The issue with the enable/retire settings is that they are default enabled and not retired.... When you tune a signature, the instance file (/usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig?.xml) records the changes to the default settings (default.xml). Since the signature is enabled and not retired when you tune it (typically), you typically don't change that default. Now the signature team changes the default value, then there is nothing in the sig?.xml file to override the "new default" and the signature is disabled and/or retired.
    A workaround for this is that you can explicitly tune the signature to be enabled and not retired. This tuning will be stored in the instance file and override any changes to the default values.
    The exception to the default value override is the signature team's use of "obsoletes"...they have the ultimate trump to replace one signature with another (but that's a topic in itself).
    The customer's equivalent counter-trump is that they can clone the Cisco signature into a custom signature. The signature updates can't mess with them.
    Scott C.
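The override behaviour described in the reply above, as an added example that is not part of the original thread: a simplified model in which plain dictionaries stand in for default.xml and the sig?.xml instance file. The signature IDs, field names and values are constructed for illustration and are not the sensor's real schema; "obsoletes" is out of scope.

```python
STATUS_KEYS = ("enabled", "retired")

# Constructed sample data: defaults before and after a signature update.
OLD_DEFAULTS = {
    "9001": {"enabled": True, "retired": False, "severity": "medium"},
    "9002": {"enabled": True, "retired": False, "severity": "medium"},
    "9003": {"enabled": True, "retired": False, "severity": "medium"},
}
NEW_DEFAULTS = {
    "9001": {"enabled": False, "retired": True, "severity": "medium"},  # retired by the sig team
    "9002": {"enabled": True, "retired": False, "severity": "high"},    # severity default changed
    "9003": {"enabled": False, "retired": True, "severity": "medium"},  # retired by the sig team
}
# Constructed tunings: only the values the operator changed are recorded.
INSTANCES = {
    "9001": {"severity": "high"},                                    # tuned, status not pinned
    "9002": {"severity": "low"},                                     # tuned, status not pinned
    "9003": {"severity": "high", "enabled": True, "retired": False}, # status pinned explicitly
}


def effective(defaults, instance):
    """Tuned values win; anything not tuned falls back to the current default."""
    merged = dict(defaults)
    merged.update(instance)
    return merged


def unpinned(instances):
    """Tuned signatures that do not explicitly set both enabled and retired."""
    return sorted(sid for sid, inst in instances.items()
                  if not all(key in inst for key in STATUS_KEYS))


def status_changes(old_defaults, new_defaults, instances):
    """Tuned signatures whose enabled/retired state differs after the update."""
    changed = {}
    for sid, inst in instances.items():
        before = effective(old_defaults[sid], inst)
        after = effective(new_defaults[sid], inst)
        diff = {key: (before[key], after[key])
                for key in STATUS_KEYS if before[key] != after[key]}
        if diff:
            changed[sid] = diff
    return changed


if __name__ == "__main__":
    print("tuned but not pinned:", unpinned(INSTANCES))
    for sid, diff in status_changes(OLD_DEFAULTS, NEW_DEFAULTS, INSTANCES).items():
        print(f"signature {sid} changes state after update: {diff}")
```

In this model 9001 keeps its tuned severity but ends up disabled and retired, 9002 keeps its tuning untouched, and 9003 stays active because the workaround pinned its status in the instance data.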

  • IDS Signature Updates

    When I update my IDS sensors using the IDS MC, 3 of my 4 sensors hang. They never restart all of the services. When I telnet to them I get the message "Error: Cannot communicate with system processes. Please contact your system administrator.". The IDS MC progress viewer shows 100% but with errors. Its errors are:
    Sensor Int_IDS1: Signature Update Process
    An error occurred while running the update script on the sensor named Int_IDS1. Detail = An RDEP communication error occurred during the update. Exception message = org.apache.commons.httpclient.HttpRecoverableException: Error in parsing the status line from the response: unable to find line starting with "HTTP"
    One sensor works fine with no problems.
    I have tried upgrading the sensors individually through IDSMC and the same 3 fail with the same error message. I have tried doing it through command line and ftp and the same 3 fail. The 3 sensors that fail are 4235's and the successful sensor is a 4250 XL.

    If you are not running the 'f' patch on your sensors, 4.1.4(f), you should download and install that patch. It fixes some out-of-memory on upgrade issues that are most likely the cause of your problem.
    The patch location is posted in another thread.

  • EOL for mars 20 signature updates?

    The EOL/EOS document for the MARS 20 does not mention when signature updates will end. 
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/end_of_life_notice_c51-470242.html
    The EOL notice for the newer devices lists the date as June 2, 2014
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/eol_c51-636888.html
    Does the MARS 20 use the same file, and will updates continue to be available until June 2, 2014?  If not, what is the date when this will end?
    Thanks
    H

    FYI: I opened a tac case on this and got the following response
    "new MARS20 signature files will be available for automatic download from that URL until June 2 2014, assuming the MARS has a valid support contract and that contract is associated to the CCO account used by MARS box to log in to that URL."

  • Problem updating signature updates in IDS 4215

    Problem upgrading the signatures of IDS 4215
    I have to upgrade the signature file of ids 4215. The latest signature update version is IDS-sig-4.1-5-S252. To upgrade the signature file I install the service pack IDS-K9-sp-4.1-5-S189. The service pack was installed properly but while updating the signatures it is giving the following error
    Error: Cannot communicate with mainApp (getVersion). Please contact your system
    Administrator.
    Would you like to run cidDump? [No]:
    Procedure Followed
    I installed a ftp server in the network and put the signature update file there. I then issued the command
    upgrade ftp://[email protected]/5Dp--5-S2s52.ir
    Pmg.pk-g4.1-5-S252.rpm.pkg
    After that it gave me the above error
    Question
    How can I recover the image while recovery partition is already there?
    The snapshot of the procedure that I followed is given below
    login: cisco
    Password:
    ***NOTICE***
    This product contains cryptographic features and is subject to United States
    and local country laws governing import, export, transfer and use. Delivery
    of Cisco cryptographic products does not imply third-party authority to import,
    export, distribute or use encryption.
    http://www.cisco.com/wwl/export/crypto
    If you require further assistance please contact us by sending email to
    [email protected].
    customer-ids4215#
    customer-ids4215# sh ver
    customer-ids4215# sh version
    Application Partition:
    Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S189
    OS Version 2.4.26-IDS-smp-bigphys
    Platform: IDS-4215
    Using 424386560 out of 460161024 bytes of available memory (92% usage)
    Using 4.4G out of 17G bytes of available disk space (27% usage)
    MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500
    Upgrade History:
    * IDS-sig-4.1-4-S119 17:29:28 UTC Sat Oct 16 2004
    IDS-K9-sp-4.1-5-S189.rpm.pkg 09:28:03 UTC Wed Dec 27 2006
    Recovery Partition Version 2.4 - 4.1(4)S91
    customer-ids4215#
    customer-ids4215#
    customer-ids4215# conf t
    customer-ids4215(config)#
    customer-ids4215(config)# upgrade
    <source-url> Location of upgrade
    customer-ids4215(config)# upgrade ftp://[email protected]/5Dp--5-S2s52.ir
    pmg.pk-g4.1-5-S252.rpm.pkg
    Password:
    Warning: Executing this command will apply a signature update to the application
    partition.
    Continue with upgrade? : yes
    Broadcast message from root (Sun Jan 7 14:46:24 2007):
    Applying update IDS-sig-4.1-5-S252. This may take several minutes.
    Please do not reboot the sensor during this update.
    login: cisco
    Password:
    ***NOTICE***
    This product contains cryptographic features and is subject to United States
    and local country laws governing import, export, transfer and use.http://www.cisco.com/wwl/export/crypto
    If you require further assistance please contact us by sending email to
    [email protected].
    Error: Cannot communicate with mainApp (getVersion). Please contact your system
    administrator.
    Would you like to run cidDump?[no]:
    Connection to host lost.
    C:\>

    Just so you know, you will need to update your IPS from 4.1-5 to 5.0-1 to get signatures up to 217. To get a signature beyond 217, you'll need to upgrade to 5.0-5. This isn't that lengthy of a process, but it is required if you want to go beyond 217. Also, 252 is an older signature, 265 has been out now for a few. Just an idea of how fast these signatures update. Shoot a reply back if you don't know how to upgrade.

  • IPS Signature Updates and CCO logins

    I cannot seem to get my IPS 4255 on version 7.0(3)E4 to gather signature updates and I think it is because my CCO account is not set up correctly. I took a browse through the discussions (admittedly did not read them entirely) but can anyone point me to a discussion on how to set up my CCO account or give me instructions on what I need to do?
    Thank You
    Unprotected,
    Jason Bielenda

    Small correction.
    The URL to create the account is https://tools.cisco.com/RPF/register/register.do
    And you need an IPS services contract to get access to them.
    There are trial licenses available too
    https://tools.cisco.com/SWIFT/LicensingUI/demoPage
