Problem updating IDS signatures

Unanswered Question
Sep 9th, 2008

I have an IDS-4215 sensor with version 5.1(5)E1S333V1.2

I tried several times updating signatures with next version on it but it does not get updated and only the local MC gets upgraded. I have other IDS sensors also but I don't have any problem updating signatures with them.

Why are the signatures not getting updated on this Sensor?

Help me with a solution. All helpful posts will be rated.

marcabal Tue, 09/09/2008 - 14:53

New Signatures Updates are no longer being created for E1. You must be at E2 in order to get the latest Signature Updates.

To get to E2 load this file:

IPS-K9-5.1-8-E2.pkg

http://www.cisco.com/cgi-bin/tablebuild.pl/ips5

(Note: E2 is not available for 5.1(5) or 5.1(6), so it is best to go ahead and upgrade to 5.1(8) which comes with E2)

It will require a reboot of the sensor so you may need to schedule a network down time if your sensor is running in inline mode.

Once you've upgraded to 5.1(8)E2, then execute "show version" on the sensor and check to see if your license is up to date.

If it is not, then use IDM to try and get a new license from cisco.com.

If your Cisco Service for IPS contract is up to date, then it should automatically pull down a new license.

If it responds with an error, then more than likely your contract is not up to date, and you may need to purchase a new service contract.

Once your license is up to date, then you can download and install the latest signature update:

IPS-sig-S355-req-E2.pkg

http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

I recommend installing this signature update directly to the sensor yourself to ensure that it installs OK without any errors.

After this signature update installs, then you can sync your MC backup with the sensor and install future signature updates through the MC.
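
The engine-level requirement described in the reply above can be checked before an update is attempted. This is an added example, not part of the original post or Cisco tooling: the string formats are inferred from the version string and file name quoted in this thread, and the function names and the second and third sample versions are constructed for illustration.

```python
import re

# Formats inferred from strings quoted in this thread (assumption, not a Cisco spec):
#   sensor version:    5.1(5)E1S333V1.2
#   signature package: IPS-sig-S355-req-E2.pkg
SENSOR_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)E(\d+)S(\d+)(?:V[\d.]+)?$")
SIG_PKG_RE = re.compile(r"^IPS-sig-S(\d+)-req-E(\d+)\.pkg$")


def parse_sensor_version(text):
    """Split a sensor version string into release, engine and signature levels."""
    m = SENSOR_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sensor version: {text!r}")
    major, minor, sp, engine, sig = (int(g) for g in m.groups())
    return {"release": (major, minor, sp), "engine": engine, "sig": sig}


def parse_sig_package(name):
    """Extract the signature level and required engine level from a file name."""
    m = SIG_PKG_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised signature package: {name!r}")
    return {"sig": int(m.group(1)), "req_engine": int(m.group(2))}


def check_sig_update(sensor_version, package_name):
    """Return 'engine-too-old', 'not-newer' or 'ok' for this sensor/package pair."""
    sensor = parse_sensor_version(sensor_version)
    pkg = parse_sig_package(package_name)
    # The thread only establishes that a sensor below the required engine
    # level (E1 against req-E2) cannot take the update.
    if sensor["engine"] < pkg["req_engine"]:
        return "engine-too-old"
    if pkg["sig"] <= sensor["sig"]:
        return "not-newer"
    return "ok"


if __name__ == "__main__":
    pkg = "IPS-sig-S355-req-E2.pkg"
    # First string is from the thread; the other two are constructed.
    for version in ("5.1(5)E1S333V1.2", "5.1(8)E2S333V1.2", "5.1(8)E2S355V1.2"):
        print(version, "->", check_sig_update(version, pkg))
```
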

jagadishbabu_thota Tue, 09/09/2008 - 15:59

Hi marcabal

Thanks for the reply. I already have IPS-K9-5.1-8-E2.pkg loaded. The problem is when I try to upgrade the sensor, the sensor accepts the signature but does not get updated. Only MC gets upgraded. I repeated multiple times but no use.

I have updated my other 4 sensors to E2 and with the latest signature update S355 which is released today. I had no problem with these sensors but the problem is with the one sensor mentioned above.

marcabal Wed, 09/10/2008 - 06:30

Did you try applying S355 directly to the sensor using the CLI or IDM rather than the MC?

Sometimes you don't get good error messages when trying to apply through the MC.

If you apply through CLI or IDM did you get any messages back from the sensor?

Did you get a success message? If doing it from the CLI did it come back to a CLI prompt?

If no error messages come back when trying the upgrade, then it will require looking at a "show tech" from your sensor to try and see what is going on.

You would not want to copy that output to this forum, so your best bet would be to open up a TAC case and provide them the output from when you tried applying the update through the CLI or IDM, as well as the output from the "show tech" taken immediately after the failed upgrade attempt.

I am not currently aware of any situation where the upgrade would fail without some type of error message being returned.

Here, however, are some common errors that should return an error message (I don't remember the exact wording of the error messages):

1) sensorApp/analysis engine is Not Running

(you can check "show version" before doing the upgrade to make sure it is Running).

2) sensorApp/analysis engine is not responding (you can do a "show stat vi" before trying the upgrade to ensure it is responding to statistic requests before trying the upgrade)

3) license has expired (you can do a "show ver" and make sure the license has not expired)

4) Signature Update already installed - This is a tricky one. This can happen when a previous attempt to update at that same signature level failed, but left some remnants around. The second attempt to install the same update detects the remains of the previous failure and incorrectly thinks that the update is already installed. There are 2 ways to recover from this. Save off the config, and do a recover-application command to re-image the sensor, then re-apply the config. Or wait till the next signature update S356 comes out and try it with the newer sig update. I haven't seen this problem in a long time, and I am not sure if it can happen anymore. Steps were taken to try and prevent this from happening.

5) sensorApp/analysis engine could stop During the signature update - This can happen on lower end sensors like the IDS-4215 especially when tunings have been made to the signatures or custom signatures have been created. The low end sensors have limited memory. When a new signature update is applied the sensor has to compile the new signatures. If using the standard set of signatures with no user tunings, then the signature update should apply fine. But if the customer has made tunings and/or added custom signatures, then this compiling of the new signatures could push the sensor above its allowed memory limits. The kernel will then kill sensorApp/analysis engine. The signature update will never complete (never get an error OR a success message). And the sensor has to be rebooted to get it working again. If you are running into this issue you might need to remove some of your tunings and custom signatures, apply the signature update, and then re-apply your tunings.
