Verifying the Correct Signature Updates, Management Software, and Version

Jun 4th, 2008

I am working today at a Client Site where I installed several months ago a Cisco IPS 4240 Sensor. The Sensor is currently running Version 6.0(3)E1.

I am not certain how to proceed with respect to signature updates on this box.

Under signature definition, it lists the following:

Signature Update S291.0 2007-06-18

I have noticed on the Security Software Page for IPS that the latest Signature File is S336. Should I install this on the IPS? In order to perform this, will it take down the IPS unit?

Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM as well as IEV respectively to Configure/Monitor and then IEV to Alarm on certain Events. What are IME, IPC MC, and ICS and how are they different from IDM and IEV?

rhermes Wed, 06/04/2008 - 11:31

Both OS patches and signature updates have the potential to disrupt service passing through the sensor when used in the in-line IPS mode. You should update the OS to 6.0(4) and then apply the latest signature update, but you could skip the OS patch and just update the signature pack if you don't require any of the fixes 6.0(4) provides.



Farrukh Haroon Wed, 06/04/2008 - 12:09

I would highly recommend updating the sensor OS to 6.0(4), as the upcoming Engine2 (E2) update will only support this version, as far as I can recall. This will require a reboot (so downtime for sure).


The signature update does not require a reboot, and to my knowledge if the sensor is configured with the default 'software bypass' settings, the sensing engine will just pass all traffic un-scanned while the signature is being installed (takes 1-2 minutes only).

A valid license file needs to be present though, otherwise the signature will install, and then un-install itself, pretty annoying :)


Regards


Farrukh

Kevin Melton Wed, 06/04/2008 - 12:36

Is there any reason why I would not go ahead and upgrade the Sensor to 6.1.1 vs. the 6.0.4?


Seems 6.1.1 is the latest published release on the Download Center...

Farrukh Haroon Wed, 06/04/2008 - 12:52

Yes that would be much better, as then you can enjoy the benefits of the IPS Manager Express (IME).


I think there are some issues with MARS support on the 6.1.x, so I did not do that on our customer networks as of yet. I think this is planned for August or something. Other features include auto-updates for signatures from cisco.com.


Regards


Farrukh



marcabal Wed, 06/04/2008 - 13:10

If you are using CSM for sensor management, then you would need to stay at 6.0 until 6.1 support is added into CSM.


Choosing between 6.0 and 6.1 is generally just a personal choice.

6.0 has been in the field longer and any issues with 6.0 are more well known.


6.1 on the other hand is still fairly new, and as with any new code, it has not yet been put through the wringer the way 6.0 has been.


If stability is number one priority then stay with 6.0.

If new features are your priority then go to 6.1.




Farrukh Haroon Wed, 06/04/2008 - 17:50

Good information there marcabal, thanks :)


Regards


Farrukh

Kevin Melton Fri, 06/06/2008 - 05:32

I am using IDM right now. Any issues with moving from 6.0.3 to 6.0.4 as the first post reply had recommended?

Farrukh Haroon Fri, 06/06/2008 - 05:41

Nope there should be no issues there. Even yesterday they announced the release date for the E2 update (June 15th). So be ready for that too :).


Regards


Farrukh

Kevin Melton Fri, 06/06/2008 - 05:59

Don't mean to be a pest. What is the E2? Thanks for all your help.

Kevin

gdntsoc Mon, 06/16/2008 - 11:08

In the recent Cisco Bulletin, it stated that the E2 engine update will be available by June 15, 2008.


Is there a reason why Cisco hasn't published it yet?


Thanks,

Kevin Melton Tue, 06/17/2008 - 06:38

Question Farrukh


I looked at the link for a few minutes and see that there are many types of engines which govern the inspection of many types of traffic.

The Master Engine seems however to govern most of them. Is the pending E2 engine a "Master Engine"?

thanks as always

Kevin

Farrukh Haroon Tue, 06/17/2008 - 06:45

No the E2 engine is just an add-on to the existing engine.


For example a new "Advanced HTTP engine" handling AJAX /XML /DHTML etc. could be included (this is just an example).


Regards


Farrukh

marcabal Tue, 06/17/2008 - 07:19

Think of it this way.

The Engine level of the sensor is a collection of individual Signature Engines.

E1 was the collection of signatures that existed back at the end of 2006/ beginning of 2007.


Since then we have created New Signature Engines, as well as updates to the Engines from E1.

The E1 engines that have not changed, the E1 engines that did get changed, as well as the New Engines are all collected together and will now be released as E2.


So E2 is just a version designator for the next collection of Signature Engines.



Kevin Melton Tue, 06/17/2008 - 08:04

Thanks for the explanation. It did help. Much clearer now.

Kevin Melton Tue, 06/17/2008 - 08:10

Farrukh and Marcabal


Can either of you answer the following? This was in my original post in the last paragraph and I think it may have been overlooked :) thx...


"Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM as well as IEV respectively to Configure/ Monitor and then IEV to Alarm on certain Events. What are IME, IPC MC, and ICS and how are they different from IDM and IEV??"




marcabal Tue, 06/17/2008 - 08:48

IME = Intrusion Prevention Manager Express

- IME is fairly new (released only a month or 2 ago). IME is a next generation of IEV. It does the event monitoring of IEV, but is also able to do configuration similar to IDM. So it is IEV and IDM in one tool. The configuration screens of IME will only work with IPS 6.1, but the event monitoring screens will work with 5.1, 6.0, and 6.1.


IPS MC = Intrusion Prevention System Management Center

IPS MC was a part of VMS (VPN and Security Management System). IPS MC was for configuration of a large number of sensors.

IPS MC and VMS are both End Of Saled and were replaced with CSM


CSM = Cisco Security Manager

CSM is a multi-security device configuration management system. It is targeted at Enterprise customers with more than 5 sensors.


ICS = Intrusion Containment System

ICS was a product produced by Trend Micro Systems. Trend could create signatures for Viruses and Worms and then send an update to ICS and ICS would then create the signatures on the sensors. These signatures were known as the V signatures.

ICS has been End of Saled


So from your perspective you need not be concerned with IPS MC (VMS) or ICS.


IME should be of interest to you as an upgrade from IEV (IME like IEV is available as part of your existing sensor support contracts and is not an additional charge).

As you upgrade sensors to IPS v6.1 you might consider upgrading IEV to IME.


CSM (and also MARS) would be of interest if you are going to manage more than 5 sensors. (IME and IEV are limited to 5 sensors).

Farrukh Haroon Tue, 06/17/2008 - 08:59

IME is the replacement for IEV for newer IPS versions, it has more features of course. ICS was a collaboration between Cisco and Trend Micro to come up with quick signature/policy updates for upcoming threats, it's EOS now, have a look at:


http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps6542/prod_end-of-life_notice0900aecd806d9cdb.html


marcabal did a nice comparison between IEV and IME here:


http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc0bca0/5#selected_message


Regards


Farrukh


Kevin Melton Thu, 06/19/2008 - 05:42

I want to ask you guys a question about IEV which I am currently using...

When the Views tab is selected, I can see Alarms that have crossed the Sensor. When I right click a selected View "Type" in the Views pane on the left, I then can proceed to Properties and click Next. It then will give me the option to select columns I can choose to show in the alarm detail table. One of the column names is "Actions". I have this selected for some of my Views.

The issue is this. When I right click on a specific alarm which is in one of the views and proceed to "Expand Whole Details", and then right click and select "View Alarms", it gives me all the detail. I then can reference the "Action" column. A lot of the Alarms I am getting in IEV show an action of "Present"... what does this mean?

I tried to find this in the help files for the IEV but it is not there...


Thanks

Farrukh Haroon Thu, 06/19/2008 - 05:54

Perhaps "Present" means an action was taken and therefore can be viewed by right clicking the Alert? This 'action' I guess would be something besides 'Produce Alert', because if Produce Alert was not there, the action would have never reached IEV in the first place.


Regards


Farrukh

Kevin Melton Thu, 06/19/2008 - 06:46

Farrukh


I need to be able to generate reports out of IEV. It has canned reports for Top Alerts, Top Attackers, and Top Victims. But these cannot be broken down by the date that they occurred.

I need to be able to report on the Alarm Type and Volume per day. Is there a way to do that within IEV? Outside of IEV?


thanks mucho!

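One way to get the "Alarm Type and Volume per day" breakdown outside of IEV is to export the alert list from a view and aggregate it with a short script. The following is an added example, not part of the thread and not Cisco's IEV/IME code; it assumes the export is a CSV with columns named `time`, `sig_id` and `sig_name` (constructed column names; a real export carries whatever columns were selected in the view), and the alert rows below are constructed sample data using the signature IDs mentioned later in this thread.

```python
"""Per-day alarm volume by signature, computed from an exported alert list."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: six alerts across two days.
# Column names and IP addresses are assumptions for this example.
SAMPLE_EXPORT = """time,sig_id,sig_name,attacker,victim
2008-07-01 08:15:02,2152,ICMP Flood,10.0.0.5,10.0.1.20
2008-07-01 08:16:40,2152,ICMP Flood,10.0.0.5,10.0.1.20
2008-07-01 09:02:11,3102,Sendmail Invalid Sender,10.0.2.9,10.0.1.25
2008-07-02 01:30:00,4703,MSSQL Resolution Service Stack Overflow,10.0.3.4,10.0.1.30
2008-07-02 01:31:17,2152,ICMP Flood,10.0.0.7,10.0.1.20
2008-07-02 14:00:00,1300,TCP Segment Overwrite,10.0.0.8,10.0.1.21
"""


def parse_alerts(text):
    """Parse the CSV export into dicts keyed by day, signature ID and name."""
    reader = csv.DictReader(io.StringIO(text))
    alerts = []
    for row in reader:
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        alerts.append({
            "day": ts.date().isoformat(),
            "sig_id": int(row["sig_id"]),
            "sig_name": row["sig_name"],
        })
    return alerts


def volume_per_day(alerts):
    """Count alerts per (day, sig_id, sig_name); this is the per-day alarm-type report."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a["day"], a["sig_id"], a["sig_name"])] += 1
    return dict(counts)


def totals_per_day(alerts):
    """Total alert volume per day regardless of signature."""
    totals = defaultdict(int)
    for a in alerts:
        totals[a["day"]] += 1
    return dict(totals)


def report(counts):
    """Render one line per (day, signature), busiest signatures first within each day."""
    ordered = sorted(counts.items(), key=lambda kv: (kv[0][0], -kv[1], kv[0][1]))
    return [f"{day}  sig {sig_id:<5} {name:<45} {n:>4}"
            for (day, sig_id, name), n in ordered]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EXPORT)
    for line in report(volume_per_day(alerts)):
        print(line)
    print("daily totals:", totals_per_day(alerts))
```

Replace `SAMPLE_EXPORT` with the contents of the exported file (for example `open("alerts.csv").read()`) and the same functions produce the per-day table for real data; the day boundary follows the timestamp as exported, so export in the timezone you want to report in.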
Farrukh Haroon Thu, 06/19/2008 - 11:13

I'm sorry I don't have access to an IEV at the moment, I will try to look it up somewhere. Most probably this is supported on the NEW IEV replacement called IME (IPS Manager Express), but that only works with 6.x and 6.1.x, I think.


Regards


farrukh

Kevin Melton Thu, 06/19/2008 - 11:41

Actually I was going to download the IME, but it is only available for IPS version 6.1.1.


We are not upgrading to that until next week.

Farrukh Haroon Thu, 06/19/2008 - 11:53

You can gather events even for 6.x. But for most of the 'real' new features, like health monitoring, configuration etc. you need 6.1.x.


But I should say it looks really cool :)


Regards


Farrukh

Kevin Melton Tue, 07/01/2008 - 07:38

I need some help in tuning signatures. I have a high volume of about 5 different signature types that are coming through the sensor. Right now they are set to "Produce Alert" only. Should these be adjusted to "Deny Attacker Inline" or some other more restrictive setting?

Thanks

Kevin Melton Tue, 07/08/2008 - 06:30

Farrukh


They are as follows:

Sig ID=4703 Signature Name=MSSQL Resolution Service Stack Overflow


Sig ID=3102 Signature Name=Sendmail Invalid Sender


Sig ID=1300 Signature Name=TCP Segment Overwrite


Sig ID=2152 Signature Name=ICMP Flood


I am getting Alarms from these Signatures as they are tripped on the IPS. The "Signature Actions" indicates Produce Alert, but what I have noticed is that the Sensor will start IP logging when each one of these is seen. I also think that it is taking the following actions:

Deny Connection inline

Deny Packet Inline

Log Attacker Packets

Deny Attacker Inline


The reason I am thinking this is these are what are listed in my Signature 0 "Actions to Add" in Event Action Rules.

Is it correct that these actions override what is configured directly on the Signature, and that is why these additional actions are occurring? I am not sure how the Signatures interact with the Event Action Rules?

Any data you could provide would be helpful...


Thanks

Kevin

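The question above (how a signature's own actions interact with the "Actions to Add" list in Event Action Rules) is not answered in the thread, so here is an added example that models the relationship; it is not Cisco code and not from any poster. It assumes the IPS 6.x behaviour as documented by Cisco: an Event Action Override adds its action to every event whose Risk Rating falls inside the override's range, on top of whatever the signature itself is configured to do, and an Event Action Filter removes actions from matching events. The override ranges, the risk ratings and the filter below are constructed values, not the poster's configuration; the four signature IDs come from the post.

```python
"""Model of effective actions = signature actions + overrides (by risk rating) - filters."""
from dataclasses import dataclass


@dataclass
class Override:
    """Event Action Override: add `action` when rr_min <= Risk Rating <= rr_max."""
    action: str
    rr_min: int
    rr_max: int
    enabled: bool = True


@dataclass
class Filter:
    """Event Action Filter: remove `actions_to_remove` from events of the listed signatures
    whose Risk Rating falls in [rr_min, rr_max]."""
    sig_ids: frozenset
    actions_to_remove: frozenset
    rr_min: int = 0
    rr_max: int = 100


def effective_actions(sig_id, sig_actions, risk_rating, overrides, filters):
    """Return the set of actions the sensor would take for one event."""
    actions = set(sig_actions)                      # what the signature itself says
    for ov in overrides:                            # overrides only ever ADD actions
        if ov.enabled and ov.rr_min <= risk_rating <= ov.rr_max:
            actions.add(ov.action)
    for f in filters:                               # filters only ever REMOVE actions
        if sig_id in f.sig_ids and f.rr_min <= risk_rating <= f.rr_max:
            actions -= f.actions_to_remove
    return actions


# Constructed policy: the four "Actions to Add" named in the post, each with an
# assumed Risk Rating range (these thresholds are examples, not Cisco defaults).
OVERRIDES = [
    Override("Log Attacker Packets", 70, 100),
    Override("Deny Packet Inline", 90, 100),
    Override("Deny Connection Inline", 90, 100),
    Override("Deny Attacker Inline", 95, 100),
]

# Constructed filter: never block the attacker for the two noisy signatures,
# even when their Risk Rating is high.
FILTERS = [
    Filter(frozenset({2152, 3102}), frozenset({"Deny Attacker Inline"})),
]

SIGNATURE_ACTIONS = {"Produce Alert"}   # what every signature in the post is set to


def explain(sig_id, risk_rating, overrides=OVERRIDES, filters=FILTERS):
    """Human-readable summary of why an event ended up with its actions."""
    result = effective_actions(sig_id, SIGNATURE_ACTIONS, risk_rating, overrides, filters)
    added = result - SIGNATURE_ACTIONS
    return (f"sig {sig_id} RR={risk_rating}: signature says {sorted(SIGNATURE_ACTIONS)}, "
            f"event action rules added {sorted(added)}")


if __name__ == "__main__":
    for sig_id, rr in [(2152, 40), (2152, 96), (4703, 96), (1300, 75)]:
        print(explain(sig_id, rr))
```

The point the model makes is that the signature's action list is never replaced: overrides add to it per event based on Risk Rating, which is why a signature set only to "Produce Alert" can still show logging or deny actions. To stop an added action for a specific signature you either narrow the override's Risk Rating range or add a filter for that signature, rather than editing the signature itself.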
