Signature Update Version : AIP-SSM GUI

Similar Messages

• Signature Updates for AIP-SSM 10

  Hi all how can i obtain Signature Updates for AIP-SSM 10 where i am having 60 day trial license with me

  Here is the main file download page for the IPS sensors.
  Find the section for the version you are running and click on the Latest Signature Updates link to take to you to the download page for signature updates.
  You can then download which ever signature update you want.
  NOTE1: Each Signature Updates contains all signatures from previous Sig levels. So you only need to download the latest one.
  NOTE2: Each signature update has a specific E (Engine) level requirement. You can execute "show ver" on your sensor to determine if it is at an E1 or E2 level. If it is at E1 and you want the latest sigs that require E2 then you will first need to install the E2 upgrade.
  On that main download page look for the "Latest Upgrades" link for your version, and look for the IPS-engine-E2-req-X.X-X.pkg file where the X.X-X matches your sensor version.
  If there is not an X.X-X matching your sensor version, then you may need to upgrade the software version for your sensor as well.
  NOTE3: Many of these links will also require an account on cisco.com. And for some of these files that account may also need to be verified for being from a country where the USA's export restrictions allow downloads for encryption. (Most countries qualify but you do have to go through that qualification step). It has been over 10 years that I have had do this so I am not sure of the latest procedures for getting an account or validating it for encrpytion downloads.

• CSM to update IPS AIP -SSM

  Hi all,
  I need some help. I am configuring my CSM 3.1 to apply update on my IPS AIP-SSM.
  I went to the apply IPS Tab and choose to update from cisco.com. But it is always like processing for a long time.
  I tried to enter my username and password for the sensors or the CCO account but still no improvement. Does anyone knows how to configure this. I tried reading the user guide there is no examples.
  Thanks

  The IPS-engine-E2-req-5.1-7.pkg Engine Update file is just to upgrade an existing 5.1(7)E1 sensor to 5.1(7)E2.
  It only changes the "engine" features of the sensor that are necessary for installing signature updates requiring E2. It does not change other files on the sensor.
  The IPS-K9-5.1-8-E2.pkg Service Pack file is for upgrading the entire image to the next service pack level as well as upgrading the "engine" features. So you get all of the latest bug fixes.
  So which to use?
  If you are running 5.1(7)E1 then you will eventually want to get to 5.1(8)E2. But the upgrade to 5.1(8)E2 WILL require a reboot and so if running in an inline mode it should only be done during a scheduled network downtime. For most networks this could be a week or even a month before the downtime can be scheduled to do this type of upgrade. So the IPS-engine-E2-5.1-7.pkg file is a short term solution to get you to the E2 level required for signature updates, until you can schedule the upgrade to 5.1(8)E2.
  The IPS-engine... file will NOT reboot the sensor. It will temporarilly stop analysis and if Software ByPass is set to auto then traffic will be allowed to pass through the sensor unanalyzed while the engine update takes place. Because the traffic will continue to flow with Software ByPass most companies will allow an Engine update to be installed without having to schedule network downtime.
  Of course, the above discussion was really only applicable when E2 was the latest Engine release. Now that E3 is out, the discussion really becomes how to get to E3.
  There is Not an IPS-engine-E3-req-5.1-7.pkg engine update file.
  So you must get to 5.1(8)E3 if you want to keep getting recent signature updates.
  So then it just depends on your current IPS version.
  If you are running 5.1(7)E2 or earlier version then you must schedule a downtime and install the IPS-K9-5.1-8-E3.pkg file in order to install the latest E3 required signature updates.
  If you are running 5.1(8)E2 already, then you need to install the IPS-engine-E3-req-5.1-8.pkg file because the only thing needing to be upgraded is the Engine level to E3.
  General Rules of Thumb:
  Always ensure you are at the latest Service Pack level for the major/minor version train you are using. (5.1(8) in this case)
  If you are running the latest Service Pack then you will be able to simply install an Engine Update when the next Engine Update comes out without having to schedule downtime.
  If you are not at the latest Service Pack level then you will want to schedule a network downtime to do that upgrade within 60 days of the Service Pack being released.
  If an Engine Update comes out before you get a chance to upgrade to the next Service Pack, then install the Engine Update for the prior Service Pack (that you should at least be at) as a temporary measure to keep getting signature updates. And schedule a Service Pack upgrade as soon as possible.
  Why 60 days?
  If a new Engine Update is released within 60 of a Service Pack release, then the Engine Update will be released for both the latest Service Pack AND the one prior. But if the new Engine Update is longer than 60 days after the latest Service Pack, then an Engine Update will be created only for the latest Service Pack and not for the prior. This is why E3 was only released for 5.1(8). E3 was released more than 60 days after 5.1(8) so there was not an E3 for the prior 5.1(7).
  So you see that an Engine Update for a prior Service Pack should be considered a temporary measure until you can get the next Service Pack installed.
  If you wait too long another Engine Update might come out, and you might be forced into an immediate network downtime to get to the latest Service Pack.
  As for do you HAVE to install IPS-engine-E2-req-5.1-7.pkg before installing IPS-K9-5.1-8-E2.pkg (or more importantly IPS-K9-5.1-8-E3.pkg).
  The answer is NO.
  You can go directly from any 5.0 or 5.1 version directly to IPS-K9-5.1-8-E3.pkg.

• Obtaining hardware and signature support for AIP SSM-10

  We have a 5510 which we have purchased an AIP SSM-10 card for the ASA which is already under a support contract. We now wish to add hardware maintenance for the new AIP SSM-10 card as well as signature updates. Our Cisco supplier will not confirm that we will receive signature updates with the hardware support though (we have been trying to get an answer from them since June or July now).
  Could someone let us know what the correct part number is so we can ask for the specific option that will provide both hardware cover and signature updates.

  i think this is what you need,
  CON-SU1-AS1A1PK9
  IPS SVC, AR NBD ASA5510-AIP10SP-K9
  cisco smartnet support

• Customizing signatures question on AIP-SSM

  Hi all
  actually our customer has an AIP-SSM module which is configured in inline mode.some users are appeared as attackers in the IPS event store .
  can i deny any unwanted connection for these users without affecting on the legitimate connections of these users like internet browsing ???
  i tried to make the signature action to be "deny connection inline" but when the signature fire , the user who has appeared as an attacker is totally blocked and cannot access internet.
  anyone face this issue ??
  please advice.
  regards

  Hi Mohammed.
  Right now I'm preparing the IPS Exam, and I have read some where that:
  "deny connection inline" will stop the connection totaly. But if the same user(IP Address) has many "deny connection inline", the IPS will say that there is a problem with this PC, and I'll not lose ressource and time to block each connection, and the the IPS sensor will block the Host.
  You can tune the Signature to solve this issue, but this will not solve the main problem.
  But as Andy said, thier is a Sweep attack from these PCs. try to scan them with Anti-Virus, and anti-worm... because they are the source of this issues.
  Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:
  http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257
  I hope this helpful.
  Best regards
  Reda
  [email protected]

• Installing signature update for IDSM-2 on AIP-SSM

  Hi every one,im not sure about this question but i think its beter to ask you experts.i want to know that if i have signature update for example for my IDSM-2 can i instal this sig update on my AIP-SSM --> suppose that IPS software on both devices are same and also i have installed valid license key on AIP-SSM.now can i do this or no? and i know that if you have not valid license installed on IDSM-2 you cant instal any sig update on IDSM-2 but what about AIP-SSM?i mean can i instal sig update on AIP-SSM without installed valid license key on AIP-SSM? thanks

  There are 3 main types of Signature Updates.
  1) IPS Sensor Signature Updates
  2) CSM Signature Updates for IPS Sensors
  3) IOS IPS Signature Updates
  The IPS Signature Update filename is in the form: IPS-sig-Sxxx-req-Ey.pkg
  This is most likely what you are referrnig to in your post. This file can be installed on ANY IDS/IPS Appliance or Module.
  The Requirement here is not the platform but rather the Engine Level. The "req-Ey" portion of the filename tells you that the sensor must already be running the "y" Engine level of software.
  So an IPS-sig-S436-req-E3.pkg file can be installed on any IDS/IPS Appliance or Module so long as the software on that sensor is an "E3" version.
  The CSM updates, are signature updates for the Cisco Security Manager. They contain special files that CSM uses to update itself, and then also included within the CSM update is the actual sensor update described above. CSM unpackages the CSM update, updates itself, and then uses that embedded file to upgrade the actual sensor.
  The third type of file is for IOS Routers loaded with special IOS software that has the special IOS IPS features where the Router itself (instead of a separate IDS/IPS module) does the signature monitoring.
  These IOS IPS Signature Updates get installed on the actual router, and are not installed on the IDS/IPS Sensor Appliances or Modules.
  So in answer to your question, yes the same Signature Update for your IDSM-2 is the exact same Signature Update for your SSM modules.
  The exact same file is available through multiple different paths on cisco.com. But it doesn't matter through which cisco.com path you downloaded the file you can still install it on all IDS/IPS Appliances and Modules.
  As for licensing, the license works the same on all IDS/IPS Appliances and Modules. A license must be on the sensor for the Signature Update to be applied.
  NOTE: A Trial License is available from cisco.com for new sensors to allow you time to get everything setup correctly for your sensor to be covered by a service contract, and get the standard license from the service contract.

• Signature Updates

  Hello,
  I m very much new to IPS i want to update my AIP-SSM 10 signatures.As if now on cisco website there are updates folder for signature,the latest is S495, what i m having in my IPS is S300,Is that so to upgrade signature all the small packages till S495 i have to download maually 1 by 1 or any link for bulk download of signature till the latest one.
  Thanks,

  Haya;
    You will need to ensure you are running a version of IPS software which contains the E4 analysis engine (i.e. 6.0(6)E4, 6.2(2)E4 or 7.0(2)E4).  You can then download the latest signature update package (S491) and apply that update.  You do not need to apply each and every signature update package.
  Scott

• Problem updating signature updates in IDS 4215

  Problem upgrading the signatures of IDS 4215
  I have to upgrade the signature file of ids 4215. The latest signature update version is IDS-sig-4.1-5-S252. To upgrade the signature file I install the service pack IDS-K9-sp-4.1-5-S189. The service pack was installed properly but while updating the signatures it is giving the following error
  Error: Cannot communicate with mainApp (getVersion). Please contact your system
  Administrator.
  Would you like to run cidDump? [No]:
  Procedure Followed
  I installed a ftp server in the network and put the signature update file there. I then issued the command
  upgrade ftp://[email protected]/5Dp--5-S2s52.ir
  Pmg.pk-g4.1-5-S252.rpm.pkg
  After that it gave me the above error
  Question
  How can I recover the image while recovery partition is already there?
  The snapshot of the procedure that I followed is given below
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use. Delivery
  of Cisco cryptographic products does not imply third-party authority to import,
  export, distribute or use encryption.
  http://www.cisco.com/wwl/export/crypto
  If you require further assistance please contact us by sending email to
  [email protected].
  customer-ids4215#
  customer-ids4215# sh ver
  customer-ids4215# sh version
  Application Partition:
  Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S189
  OS Version 2.4.26-IDS-smp-bigphys
  Platform: IDS-4215
  Using 424386560 out of 460161024 bytes of available memory (92% usage)
  Using 4.4G out of 17G bytes of available disk space (27% usage)
  MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500
  Upgrade History:
  * IDS-sig-4.1-4-S119 17:29:28 UTC Sat Oct 16 2004
  IDS-K9-sp-4.1-5-S189.rpm.pkg 09:28:03 UTC Wed Dec 27 2006
  Recovery Partition Version 2.4 - 4.1(4)S91
  customer-ids4215#
  customer-ids4215#
  customer-ids4215# conf t
  customer-ids4215(config)#
  customer-ids4215(config)# upgrade
  <source-url> Location of upgrade
  customer-ids4215(config)# upgrade ftp://[email protected]/5Dp--5-S2s52.ir
  pmg.pk-g4.1-5-S252.rpm.pkg
  Password:
  Warning: Executing this command will apply a signature update to the application
  partition.
  Continue with upgrade? : yes
  Broadcast message from root (Sun Jan 7 14:46:24 2007):
  Applying update IDS-sig-4.1-5-S252. This may take several minutes.
  Please do not reboot the sensor during this update.
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use.http://www.cisco.com/wwl/export/crypto
  If you require further assistance please contact us by sending email to
  [email protected].
  Error: Cannot communicate with mainApp (getVersion). Please contact your system
  administrator.
  Would you like to run cidDump?[no]:
  Connection to host lost.
  C:\>

  Just so you know, you will need to update your IPS from 4.1-5 to 5.0-1 to get signatures up to 217. To get a signature beyond 217, you'll need to upgrade to 5.0-5. This isn't that lengthy of a process, but it is required if you want to go beyond 217. Also, 252 is an older signature, 265 is been out now for a few. Just an idea of how fast these signatures update. Shoot a reply back if you don't know how to upgrade.

• AIP-SSM-10 signature update failure

  Hopefully someone will be able to help me, I am unable to get the IPS signature autoupdate working on our ASA 5510. We have a valid support contract, our username does not incude and special characters and I am able to download the signature files from the website using our CCO.
  When trying to get them via Auto/cisco.com update though I get the following in the event logs every update attempt:
  evError: eventId=1319467413849005289  vendor=Cisco  severity=error 
    originator:  
      hostId: xxxx 
      appName: mainApp 
      appInstanceId: 354 
    time: Oct 26, 2011 11:40:01 UTC  offset=60  timeZone=GMT00:00 
    errorMessage: AutoUpdate exception: HTTP connection failed [1,111]  name=errSystemError 
  I have included a "show conf" and a "show stat host" below.
  <snip>
  xxxxxx# show conf
  ! Current configuration last modified Wed Oct 26 10:48:07 2011
  ! Version 7.0(6)
  ! Host:
  !     Realm Keys          key1.0
  ! Signature Definition:
  !     Signature Update    S604.0   2011-10-20
  service interface
  exit
  service authentication
  exit
  service event-action-rules rules0
  exit
  service host
  network-settings
  host-ip 10.x.x.x/24,10.x.x.x
  host-name xxxxxx
  telnet-option disabled
  access-list 10.x.x.x/32
  access-list 10.x.x.x/16
  access-list 10.x.x.x/32
  dns-primary-server enabled
  address 10.x.x.x
  exit
  dns-secondary-server disabled
  dns-tertiary-server disabled
  exit
  time-zone-settings
  offset 0
  standard-time-zone-name GMT00:00
  exit
  ntp-option enabled-ntp-unauthenticated
  ntp-server 10.x.x.x
  exit
  summertime-option recurring
  summertime-zone-name GMT00:00
  start-summertime
  week-of-month last
  exit
  end-summertime
  month october
  week-of-month last
  exit
  end-summertime
  month october
  week-of-month last
  exit
  exit
  auto-upgrade
  cisco-server enabled
  schedule-option periodic-schedule
  start-time 00:40:00
  interval 1
  exit
  user-name xxxxxxxxxxxxxxx
  cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
  exit
  exit
  exit
  service logger
  exit
  service network-access
  exit
  service notification
  exit
  service signature-definition sig0
  exit
  service ssh-known-hosts
  exit
  service trusted-certificates
  exit
  service web-server
  exit
  service anomaly-detection ad0
  exit
  service external-product-interface
  exit
  service health-monitor
  exit
  service global-correlation
  exit
  service aaa
  exit
  service analysis-engine
  virtual-sensor vs0
  physical-interface GigabitEthernet0/1
  exit
  exit
  <snip>
  xxxxxx# show stat host
  General Statistics
     Last Change To Host Config (UTC) = 27-Oct-2011 08:27:10
     Command Control Port Device = GigabitEthernet0/0
  Network Statistics
      = ge0_0     Link encap:Ethernet  HWaddr 00:12:D9:48:F7:44
      =           inet addr:10.x.x.x  Bcast:10.x.x.x.x  Mask:255.255.255.0
      =           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      =           RX packets:470106 errors:0 dropped:0 overruns:0 frame:0
      =           TX packets:139322 errors:0 dropped:0 overruns:0 carrier:0
      =           collisions:0 txqueuelen:1000
      =           RX bytes:40821181 (38.9 MiB)  TX bytes:102615325 (97.8 MiB)
      =           Base address:0xbc00 Memory:f8200000-f8220000
  NTP Statistics
      =      remote           refid      st t when poll reach   delay   offset  jitter
      = *time.xxxx.x 195.x.x.x   3 u  142 1024  377    1.825   -0.626   0.305
      =  LOCAL(0)        LOCAL(0)        15 l   59   64  377    0.000    0.000   0.001
      = ind assID status  conf reach auth condition  last_event cnt
      =   1 43092  b644   yes   yes  none  sys.peer   reachable  4
      =   2 43093  9044   yes   yes  none    reject   reachable  4
     status = Synchronized
  Memory Usage
     usedBytes = 664383488
     freeBytes = 368111616
     totalBytes = 1032495104
  Summertime Statistics
     start = 03:00:00 GMT00:00 Sun Mar 27 2011
     end = 01:00:00 GMT00:00 Sun Oct 30 2011
  CPU Statistics
     Usage over last 5 seconds = 51
     Usage over last minute = 44
     Usage over last 5 minutes = 50
  Memory Statistics
     Memory usage (bytes) = 664383488
     Memory free (bytes) = 368111616
  Auto Update Statistics
     lastDirectoryReadAttempt = 08:40:00 GMT00:00 Thu Oct 27 2011
      =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
      =   Error: AutoUpdate exception: HTTP connection failed [1,111]
     lastDownloadAttempt = N/A
     lastInstallAttempt = N/A
     nextAttempt = 09:28:00 GMT00:00 Thu Oct 27 2011
  Auxilliary Processors Installed
  <snip>
  Many thanks.

  Hi Bob,
  Thanks for the reply - it got me thinking about how it was actually getting the update.
  I needed to modify an ACL and add a PAT for the sensor management IP as I've tied down the hosts that can get out.
  It's now showing that it is attempting to reach the URL - currently there aren't any updates waiting though....
  Many thanks.

• Upgrade AIP SSM with Signature Engine 4 file

  When I tried to upload Signature Engine 4 file (IPS-engine-E4-req-7.0-2.pkg),  using FTP server both by CLI and IDM, to new AIP SSM sensor, I got the following  error message:
  Cannot upgrade software on the sensor - socket error:110.
  When I tried to do the same by using these steps: IDM --> Configuration  --> Sensor Management --> Update Sensor --> choose Update is located on  this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update  Sensor" button, I got the following error message
  The current signature level is S480.The current signature level must be  less than s480 for this package to install.
  Here is the output for sh ver command
  AIP_SSM# sh version
  Application Partition:
  Cisco Intrusion Prevention System, Version 7.0(2)E4
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S480.0                   2010-03-24
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          JAF1514BAHS
  Licensed, expires:      07-Jun-2012 UTC
  Sensor up-time is 21 days.
  Using 695943168 out of 1032495104 bytes of available memory (67% usage)
  system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
  application-data is using 45.4M out of 166.8M bytes of available disk space (29% usage)
  boot is using 41.6M out of 68.6M bytes of available disk space (64% usage)
  application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)
  MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
  AnalysisEngine     BE-BEAU_E4_2010_MAR_25_02_09_7_0_2   (Ipsbuild)   2010-03-25T02:11:05-0500   Running
  CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
  CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500
  Upgrade History:
    IPS-K9-7.0-2-E4   02:00:07 UTC Thu Mar 25 2010
  Recovery Partition Version 1.1 - 7.0(2)E4
  Host Certificate Valid from: 30-May-2011 to 30-May-2013
  Any idea what could be the problem?
  Regards,

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• AIP-SSM crash during S389 Signature upgrade

  Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
  1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, eg. provide an "only-activated-signatures" (ie smaller) file for customers like us and an "everything" for others? Advice and recommendations heartily requested.

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• AIP-SSM-10 auto update issue

  Hi! experts
  I using AIP-SSM-10 module on ASA 5540
  But it is not working auto update signature.
  So I `m going to attach " show statistics host" result.
  Can you tell me some help?
  Thanks in advance
  Auto Update Statistics
  lastDirectoryReadAttempt = 07:34:50 UTC Tue Oct 20 2009
  = Read directory: https://198.133.219.25/cgi-bin/ida/locator/locator.pl
  = Error: AutoUpdate exception: HTTP connection failed [1,0]
  lastDownloadAttempt = N/A
  lastInstallAttempt = N/A
  nextAttempt = 04:00:00 UTC Wed Oct 21 2009

  It is clear that mgmt ifaces are able to connect to the Internet but if they may connect to inet via proxy you must configure proxy-server.

• Verifying the Correct Signature Updates, Management Software, and Version

  I am working today at a Client Site where I installed several months ago a Cisco IPS 4240 Sensor. The Sensor is currently running Version 6.0(3)E1.
  I am not certain how to proceed with respect to signature updates on this box.
  Under signature definition, it lists the following:
  Signature Update S291.0 2007-06-18
  I have noticed on the Security Software Page for IPS that the latest Signature File is S336. Should I install this on the IPS? In order to perform this, will it take down the IPS unit?
  Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM as well as IEV respectively to Configure/ Monitor and then IEV to Alarm on certain Events. What are IME, IPC MC, and ICS and how are they different from IDM and IEV??

  IME = Intrusion Prevention Manager Express
  - IME is fairly new (released only a month or 2 ago) IME is a next generation of IEV. It does the event monitoring of IEV, but is also able to do configuration similar to IDM. So it is IEV and IDM in one tool. The configuration screens of IME will only work IPS 6.1, but the event monitoring screens will work with 5.1, 6.0, and 6.1.
  IPS MC = Intrusion Prevention System Management Center
  IPS MC was a part of VMS (VPN and Security Management System). IPS MC was configuration of a large number of sensors.
  IPS MC and VMS are both End Of Saled and were replaced with CSM
  CSM = Cisco Security Manager
  CSM is a multi-security device configuration management system. It is targeted at Enterprise customers with more than 5 sensors.
  ICS = Intrusion Containment System
  ICS was a product produced by Trend Micro Systems. Trend could create signatures for Viruses and Worms and then send an update to ICS and ICS would then create the signatures on the sensors. These signatures were known as the V signatures.
  ICS has been End of Saled
  So from your perspective you need not be concerned with IPS MC (VMS) or ICS.
  IME should be of interest to you as an upgrade from IEV (IME like IEV is available as part of your existing sensor support contracts and is not an additional charge).
  As you upgrade sensors to IPS v6.1 you might consider upgrading IEV to IME.
  CSM (and also MARS) would be of interest if you are going to manage more than 5 sensors. (IME and IEV are limited to 5 sensors).

• IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

  Hi,
  Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
  -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
  Thanks,

  IPS on ASA/PIX = just 50 or so common signatures
  AIP-SSM module = same signatures as Cisco 4200 series sensors. Little minor differences exist (like IPv6 signature support etc.)
  Please rate if helpful.
  Regards
  Farrukh

• How to buy license? for AIP-SSM-10 ?

  Hi all
  how to buy license? for AIP-SSM-10 ?
  1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
  2. do I need smartnet for ASA ?
  3. what is part number of license ?
  ASA5510test# session 1
  Opening command session with slot 1.
  Connected to slot 1. Escape character sequence is 'CTRL-^X'.
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use. Delivery
  of Cisco cryptographic products does not imply third-party authority to import,
  export, distribute or use encryption. Importers, exporters, distributors and
  users are responsible for compliance with U.S. and local country laws. By using
  this product you agree to comply with applicable laws and regulations. If you
  are unable to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  ***LICENSE NOTICE***
  There is no license key installed on the SSM-IPS10.
  The system will continue to operate with the currently installed
  signature set.  A valid license must be obtained in order to apply
  signature updates.  Please go to http://www.cisco.com/go/license
  to obtain a new license or install a license.
  sensor#
  sensor# sh ver
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.0(6)E3
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S399.0                   2009-05-06
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          ........
  No license present
  Sensor up-time is 21 min.
  Using 655507456 out of 1032499200 bytes of available memory (63% usage)
  application-data is using 39.7M out of 166.8M bytes of available disk space (25%
  usage)
  boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
  MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  AnalysisEngine   N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500
  Upgrade History:
    IPS-K9-6.0-6-E3   17:48:06 UTC Wed Jul 15 2009
  Recovery Partition Version 1.1 - 6.0(6)E3
  sensor#

  Hi,
  CON-SU1-AS2A10K9 contract if for ASA+IPS bundle. If AIP-SSM-10 ws purchased as a spare the contract would be CON-SU1-ASIP10K9.
  I am not sure whether or not this Cisco Service for IPS contract can be  used to cover just the AIP-SSM-10 if it was purchased as part of a  Bundle instead of a Spare.
  I would recommend that you check with your Cisco reseller or Cisco  Sales Representative.
  Sourav