Updating Cisco IDS 4215 signatures

avvenk
Level 1

Hello people,
we have some Cisco IDS 4215 sensors and would like to know whether, when upgrading the signatures, we can remove those released previously, or whether the previous ones should not be eliminated.

Following system information from one of these devices.

***

TAC Contact Information
URL:http://www.cisco.com/public/support/tac/home.shtml/
Phone:1 (800) 553-2447

Sensor up-time is 110 days.
Platform: IDS-4215-4FE-K9
Booted Partition: application

Partition: application
  Build Version: 6.0(6)E3
  Host:
    Realm Keys      key1.0
  Signature Definition:
    Signature Update      S439.0    2009-09-30
    Virus Update      V1.4    2007-03-02
  Os Version: 2.4.30-IDS-smp-bigphys
  Applications
    MainApp
      N-NUBRA_2009_JUL_15_01_10_6_0_5_57  2009-07-15T01:15:08-0500  ipsbuild
      Execution State: running
    AnalysisEngine
      N-NUBRA_2009_JUL_15_01_10_6_0_5_57  2009-07-15T01:15:08-0500  ipsbuild
      Execution State: running
  Installed Upgrades
    Upgrade name: IPS-K9-6.0-6-E3
    Time Installed: 15 Luglio 2009 18.48.06
    Upgrade name: IPS-sig-S439-req-E3.pkg
    Time Installed: 6 Ottobre 2009 13.07.55
  Next Downgrade:
Partition: recovery
  Build Version: 1.1 - 6.0(6)E3

PEP Udi Chassis
  description IPS 4215 Appliance Sensor
  pid IDS-4215-4FE-K9
  vid V01
  sn 88808513168

Memory usage
  usedBytes=377655296
  freeBytes=132685824
  totalBytes=510341120

Disk usage
  application-data is using 33.2M out of 166.8M bytes of available disk space (21% usage)
  boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
  application-log is using 529.5M out of 2.8G bytes of available disk space (20% usage)

***

Many Thanks in advance,

Luca

Scott Fringer
Cisco Employee

Luca;

You will need to upgrade to the E4 analysis engine to continue updating signatures on your sensor.  You will also need a valid IPS license installed.

As you are running 6.0(6)E3, you can apply an engine-only update which will not require a reboot of the sensor.  You can find the engine-only update here:

http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.0%286%29E4&mdfid=282539245&sftType=Intrusion+Prevention+System+%28IPS%29+System+Upgrades&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+IPS+Sensor+Software+Version+6.0&treeMdfId=...

The filename is: IPS-engine-E4-req-6.0-6.pkg

  You do not need to remove any previous signature updates.  The signature development team will retire older signatures as necessary, and you can also retire any signatures that are not necessary in your environment.

Scott

Hi Scott,

many thanks for your answer.

We have upgraded the IPS to IPS-engine-E4-req-6.0-6.pkg (upgrade needs to reboot the sensor) and the recovery image to the same version.

I wonder if all signatures should be updated (one currently used) or just apply the last available (S493).

Many Thanks in advance,

Luca

Luca;

  Signature updates are cumulative, so you can simply apply the S493 update.  A caveat though, if you need to make a large move in signature release (say S470 to S493) it is usually more effective to make smaller updates (especially on a low-memory platform like the IDS-4215).

Scott
