Need help with a couple of issues concerning an AIP-SSM

Scott Fringer Mon, 06/28/2010 - 09:55
User Badges:
  • Cisco Employee,

Carlos;

1) From the CLI, you can check current version by issuing 'sh ver'; you will want to key on the line:

Cisco Intrusion Prevention System, Version x.x(x)Ey

2) Manual sensor updates are outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_system_images.html#wp1142504

3) The output of 'sh ver' will indicate when the last update was applied (either signature or system). If you are running release 6.2 or higher, you can see the last signature update by issuing 'sh stat host'.

4) If the blocked traffic is via inline, you can clear the denied host from the CLI by issuing "clear denied-attackers". Or you can clear them through the IDM GUI:

For inline denies:
Monitoring>Time-Based Actions>Denied Attackers

For external device blocks:
Monitoring>Time-Based Actions>Host Blocks
Monitoring>Time-Based Actions>Network Blocks

Scott

Few more questions:

What command would I issue in order to declare a subnet as safe traffic, and how would I do the same inside of the GUI?

The reason that I ask is because for some reason the sensor is picking up internal network traffic from print spoolers, remote VPN users, and domain controllers as an attack.

How can I edit the behavior of a signature through the CLI and through the GUI?

Scott Fringer Tue, 06/29/2010 - 08:27

As both questions have very involved answers, I will provide links to the supporting documentation.

To instruct the IPS sensor not to take action on a specific IP address or range of IP addresses you would implement an event action filter (EAF).

For the GUI, EAFs are outlined here:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_event_action_rules.html#wp2034816

For the CLI, EAFs are outlined here:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1030749

I would recommend reviewing the full section on event actions, of which the above links are a subset. Event actions are very powerful components of the IPS configuration.

Signature tuning from the GUI is outlined here:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_signature_definitions.html

Signature tuning from the CLI is outlined here:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_signature_definitions.html

Scott

Also, how can I verify that the signatures are up to date?

The reason that I ask is because when I do a sh ver this is what I get:

! Current configuration last modified Sun Mar 07 14:11:01 2010
! ------------------------------
! Version 6.0(5)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S339.0   2008-06-11
!     Virus Update        V1.4     2007-03-02
! ------------------------------

Does this mean I have not had any signature updates for a couple of years?

Scott Fringer Tue, 06/29/2010 - 08:33

One method for keeping up to date on current signature releases is to subscribe to Cisco's IPS Threat Defense Bulletin. It is an email bulletin that is released with each signature update. You can subscribe here:

http://www.cisco.com/offer/newsletter/123668_4/

With a valid CCO ID, you can also check the software download page for the latest signature update:

http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=282539245&treeName=Security&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco+IPS+Sensor+Software+Version+6.0&isPlatform=N&treeMdfId=268438162&modifmdfid=null&imname=&hybrid=Y&imst=N

From the output provided, your sensor has not had a signature update since 11 June 2008. The version of software you have installed (6.0(5)) is no longer receiving signature updates, as it is not able to run the E4 analysis engine which is necessary for signature updates S480 and above. You will need to update your IPS sensor software to at least release 6.0(6)E4 and also have a valid IPS license installed to install current signature updates.

Scott
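The check Scott walks through by eye above (read the signature update date, the engine level and the license expiry out of 'sh ver', then decide whether the sensor can still receive current signatures) is easy to script when you have more than one sensor to audit. The following is an added example written for this thread; it is not Cisco code and not a tool from the IPS product. The sample text is a copy of the 'sh ver' header lines pasted earlier in the thread; the 30-day staleness threshold and the "E4 or later" rule are assumptions taken from the discussion, not values the IPS documents.

```python
import re
from datetime import date, datetime

# Constructed sample: the 'sh ver' header lines quoted in this thread for the
# 6.0(5)E2 sensor (only the fields the parser reads are reproduced here).
SAMPLE_SH_VER = """\
Cisco Intrusion Prevention System, Version 6.0(5)E2
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S339.0                   2008-06-11
    Virus Update        V1.4                     2007-03-02
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-20
Licensed, expires:      29-May-2012 UTC
"""

# Assumed thresholds, not from the thread: how old a signature set may be
# before it is flagged, and the minimum engine level for current signatures
# (the thread states that S480 and later require the E4 engine).
MAX_SIG_AGE_DAYS = 30
MIN_ENGINE_FOR_CURRENT_SIGS = 4

VERSION_RE = re.compile(
    r"Cisco Intrusion Prevention System, Version (\d+)\.(\d+)\((\d+)\)(?:E(\d+))?")
SIG_RE = re.compile(r"Signature Update\s+S(\d+)\.(\d+)\s+(\d{4}-\d{2}-\d{2})")
LICENSE_RE = re.compile(r"Licensed, expires:\s+(\d{1,2}-[A-Za-z]{3}-\d{4})")


def parse_show_version(text):
    """Pull version, engine, signature level/date and license expiry out of
    'sh ver' output. Returns a dict; fields that are absent are None."""
    ver = VERSION_RE.search(text)
    if ver is None:
        raise ValueError("no 'Cisco Intrusion Prevention System, Version' line found")
    sig = SIG_RE.search(text)
    lic = LICENSE_RE.search(text)
    return {
        "version": (int(ver.group(1)), int(ver.group(2)), int(ver.group(3))),
        "engine": int(ver.group(4)) if ver.group(4) else None,
        "signature_level": int(sig.group(1)) if sig else None,
        "signature_date": date.fromisoformat(sig.group(3)) if sig else None,
        "license_expires": (datetime.strptime(lic.group(1), "%d-%b-%Y").date()
                            if lic else None),
    }


def assess(info, today):
    """Return a list of human-readable findings as of 'today'; an empty list
    means nothing in the parsed output suggests the sensor is behind."""
    findings = []
    if info["signature_date"] is None:
        findings.append("no signature update recorded")
    else:
        age = (today - info["signature_date"]).days
        if age > MAX_SIG_AGE_DAYS:
            findings.append(
                f"signature set S{info['signature_level']} is {age} days old")
    if info["engine"] is None or info["engine"] < MIN_ENGINE_FOR_CURRENT_SIGS:
        findings.append(
            f"engine E{info['engine']} cannot apply S480 and later; "
            "an E4 release is required")
    if info["license_expires"] is None:
        findings.append("no license expiry found; signature updates need a valid license")
    elif info["license_expires"] < today:
        findings.append(f"license expired on {info['license_expires']}")
    return findings


def check_sensor(text, today_iso):
    """Convenience wrapper: parse 'sh ver' text and assess it as of an ISO date."""
    return assess(parse_show_version(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Evaluate the sample as of the date of this thread.
    for line in check_sensor(SAMPLE_SH_VER, "2010-06-29") or ["sensor is current"]:
        print(line)
```

Run against the thread's output as of 29 June 2010, it reports the 748-day-old S339 set and the E2 engine, and stays silent on the license, which is what Scott concluded by hand. Feed it the 'sh ver' text captured from each sensor over SSH to get the same three answers for a whole fleet.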

Scott Fringer Tue, 06/29/2010 - 08:44

What model sensor are you currently using?


Scott

Scott Fringer Tue, 06/29/2010 - 09:02

Carlos;

Yes, you may upgrade the AIP-SSM-20 to any of the current releases of IPS software:

6.0(6)E4
6.2(2)E4
7.0(3)E4

Scott

Scott Fringer Tue, 06/29/2010 - 09:17

The output of 'sh ver' should report the current license state.


I want you to know that I really appreciate your help and you have gone way above and beyond in this matter.

Cisco Intrusion Prevention System, Version 6.0(5)E2
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S339.0                   2008-06-11
    Virus Update        V1.4                     2007-03-02
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-20
Serial Number:          JAF1310APGT
Licensed, expires:      29-May-2012 UTC
Sensor up-time is 114 days.
Using 1036771328 out of 2093600768 bytes of available memory (49% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 43.6M out of 166.8M bytes of available disk space (28% usage)
boot is using 38.6M out of 68.6M bytes of available disk space (59% usage)
MainApp          N-2008_JUN_06_02_35   (Release)   2008-06-06T03:23:18-0500   Running
AnalysisEngine   N-2008_JUN_06_02_35   (Release)   2008-06-06T03:23:18-0500   Running
CLI              N-2008_JUN_06_02_35   (Release)   2008-06-06T03:23:18-0500
Upgrade History:
  IPS-K9-6.0-5-E2   17:30:49 UTC Tue Jun 29 2010
Recovery Partition Version 1.1 - 6.0(5)E2

Scott Fringer Tue, 06/29/2010 - 09:35

Yes, the customer will be able to update IPS signatures through 29-May-2012.


Scott

Scott Fringer Tue, 06/29/2010 - 10:40

The file you have listed is used for re-imaging the device to factory defaults (.img).

You will want to use an upgrade package (.pkg). This will maintain existing configuration details. To move to release 6.2(2)E4 you would want the file:

IPS-K9-6.2-2-E4.pkg

Scott

Scott Fringer Wed, 06/30/2010 - 09:12

Auto-updates will only update signatures (S496 to S497, etc.) and the analysis engine (E3 to E4, etc.); these updates do not require a reboot of the sensor. Auto updates will not update version (7.0(2) to 7.0(3), etc.) as these updates require a reboot of the sensor.

Scott

Scott Fringer Wed, 06/30/2010 - 09:21

You should simply need to enable the feature in the IDM GUI:

Configuration>Sensor Management>Auto/Cisco.com Update

Check the box "Enable Signature and Engine Updates from Cisco.com"

Provide valid CCO credentials and select a schedule for checking the updates. The default URL is the correct URL and syntax.

The AIP-SSM's management IP address will need HTTP and HTTPS access to the Internet.

Scott

Scott Fringer Wed, 06/30/2010 - 10:22

You will need to upgrade each AIP-SSM independently; there is no communication between the two AIP-SSMs.

Scott

When I upgraded the sensor to version 6.2(2) everything went well, but I realized that I needed to get to version 7.2(2).

I downloaded the software for version 7.2(2) and it made a comment that I need to update the signature engine before I could upgrade to 7.2(2). So I downloaded the engine and the error that I got was:

Warning: Executing this command will apply a signature engine update to the application partition. The system may be rebooted to complete the upgrade.
Continue with upgrade? []: yes
Error: execUpgradeSoftware : The current signature level is  S480.  The current

So what is the proper upgrade path to go from 6.2(2) to 7.2(2), and what am I missing that it won't let me upgrade to 7.2(2)? Please let me know if you need for me to perform any additional commands that may assist in getting this issue resolved.

Scott Fringer Mon, 07/12/2010 - 06:26

Carlos;

There is not a 7.2(2) release for Cisco IPS sensors. There is currently 6.2(2)E4 and 7.0(3)E4. If you are wanting to upgrade to 7.0(3)E4 from 6.2(2)E4 you should only need to download the upgrade package with the filename: IPS-K9-7.0-3-E4.pkg

Scott

Scott Fringer Mon, 07/12/2010 - 06:33

Carlos;

You will want to upgrade to 7.0(3)E4 using the file I mentioned previously.

Scott

This is what is currently in the IPS sensors; will that file that you recommended upgrade both to the same level for the system image?

PRIMARY

fpk-asa-ss5520# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 6.2(2)E4
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S480.0                   2010-03-24
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-20
Serial Number:          JAF1310APGT
Licensed, expires:      28-May-2012 UTC
Sensor up-time is 20:55.
Using 1030475776 out of 2093604864 bytes of available memory (49% usage)
application-data is using 43.0M out of 166.8M bytes of available disk space (27% usage)
boot is using 40.2M out of 68.6M bytes of available disk space (62% usage)
MainApp          E-ECLIPSE_2009_SEP_14_13_21_6_2_1_119   (Ipsbuild)   2009-09-14T13:22:32-0500   Running
AnalysisEngine   EE-ECLIPSE_E4_2010_MAR_25_00_44_6_2_2   (Ipsbuild)   2010-03-25T00:46:02-0500   Running
CLI              E-ECLIPSE_2009_SEP_14_13_21_6_2_1_119   (Ipsbuild)   2009-09-14T13:22:32-0500
Upgrade History:
  IPS-K9-6.2-2-E4   03:18:06 UTC Thu Mar 25 2010
Recovery Partition Version 1.1 - 6.2(2)E4
Host Certificate Valid from: 23-Jan-2010 to 24-Jan-2012

SECONDARY

fpk-asa-ss5520-s# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(2)E3
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S478.0                   2010-03-15
    Virus Update        V1.4                     2007-03-02
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-20
Serial Number:          JAF1350BAGJ
Licensed, expires:      19-Apr-2013 UTC
Sensor up-time is 33 days.
Using 1044209664 out of 2093600768 bytes of available memory (49% usage)
system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
application-data is using 45.3M out of 166.8M bytes of available disk space (29% usage)
boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)
application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)
MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
AnalysisEngine     B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500
Upgrade History:
* IPS-K9-7.0-2-E3           19:43:07 UTC Thu Oct 15 2009
  IPS-sig-S478-req-E3.pkg   17:50:18 UTC Mon Mar 22 2010
Recovery Partition Version 1.1 - 7.0(2)E3
Host Certificate Valid from: 20-Mar-2010 to 20-Mar-2012
fpk-asa-ss5520-s#

Scott Fringer Mon, 07/12/2010 - 06:50

Yes, that file should successfully upgrade both AIP-SSMs to release 7.0(3)E4.

Scott

Scott Fringer Mon, 07/12/2010 - 10:33

That is the correct file - you are upgrading an AIP-SSM, not an AIM-IPS (this module is for Cisco Integrated Services Routers).

Scott
