06-28-2010 07:33 AM - edited 03-10-2019 05:02 AM
1. How can I see what software version the sensor is running?
2. How can I manually update the sensor's image?
3. How can I see through the CLI when the signatures were last updated?
4. How can I unblock traffic that is being blocked by the sensor?
06-28-2010 09:55 AM
Carlos;
1) From the CLI, you can check current version by issuing 'sh ver', you will want to key on the line:
Cisco Intrusion Prevention System, Version x.x(x)Ey
2) Manual sensor updates are outlined here:
3) The output of 'sh ver' will indicate when the last update was applied (either signature or system). If you are running release 6.2 or higher, you can see the last signature update by issuing 'sh stat host'.
4) If the blocked traffic is via inline, you can clear the denied host from the CLI by issuing "clear denied-attackers".
For inline denies:
Monitoring>Time-Based Actions>Denied Attackers
For external device blocks:
Monitoring>Time-Based Actions>Host Blocks
Monitoring>Time-Based Actions>Network Blocks
Scott
06-29-2010 08:20 AM
Few more questions:
What command would I issue in order to declare a subnet as safe traffic, and how would I do the same inside of the GUI?
The reason that I ask is because for some reason the sensor is picking up internal network traffic from print spoolers, remote VPN users, and domain controllers as an attack.
How can I edit the behavior of a signature through the CLI and through the GUI?
06-29-2010 08:27 AM
As both questions have very involved answers, I will provide links to the supporting documentation.
To instruct the IPS sensor not to take action on a specific IP address or range of IP addresses you would implement an event action filter (EAF).
For the GUI, EAFs are outlined here:
For the CLI, EAFs are outlined here:
I would recommend reviewing the full section on event actions of which the above links are a subset. Event actions are very powerful components of the IPS configuration.
Signature tuning from the GUI is outlined here:
Signature tuning from the CLI is outlined here:
Scott
06-29-2010 08:24 AM
Also, how can I verify that the signatures are up to date?
The reason that I ask is because when I do a sh ver, this is what I get:
! Current configuration last modified Sun Mar 07 14:11:01 2010
! ------------------------------
! Version 6.0(5)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S339.0 2008-06-11
! Virus Update V1.4 2007-03-02
! ------------------------------
Does this mean I haven't had any signature updates for a couple of years?
06-29-2010 08:33 AM
One method for keeping up to date on current signature releases is to subscribe to Cisco's IPS Threat Defense Bulletin. It is an email bulletin that is released with each signature update. You can subscribe here:
http://www.cisco.com/offer/newsletter/123668_4/
With a valid CCO ID, you can also check the software download page for the latest signature update:
From the output provided, your sensor has not had a signature update since 11 June 2008. The version of software you have installed (6.0(5)) is no longer receiving signature updates, as it is not able to run the E4 analysis engine which is necessary for signature updates S480 and above. You will need to update your IPS sensor software to at least release 6.0(6)E4 and also have a valid IPS license installed to install current signature updates.
Scott
06-29-2010 08:42 AM
Currently I am running Version 6.0(5)
Do I have to stay with Version 6.0(5), or can I upgrade to version 6.2?
06-29-2010 08:44 AM
What model sensor are you currently using?
Scott
06-29-2010 09:00 AM
AIP-SSM-20
06-29-2010 09:02 AM
Carlos;
Yes, you may upgrade the AIP-SSM-20 to any of the current releases of IPS software:
6.0(6)E4
6.2(2)E4
7.0(3)E4
Scott
06-29-2010 09:15 AM
What command would I need to issue in order to find out if my customer has a valid IPS license installed to install current signatures?
06-29-2010 09:17 AM
The output of 'sh ver' should report the current license state.
06-29-2010 09:32 AM
I want you to know that I really appreciate your help and you have gone way above and beyond in this matter.
Cisco Intrusion Prevention System, Version 6.0(5)E2
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S339.0 2008-06-11
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-20
Serial Number: JAF1310APGT
Licensed, expires: 29-May-2012 UTC
Sensor up-time is 114 days.
Using 1036771328 out of 2093600768 bytes of available memory (49% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 43.6M out of 166.8M bytes of available disk space (28% usage)
boot is using 38.6M out of 68.6M bytes of available disk space (59% usage)
MainApp N-2008_JUN_06_02_35 (Release) 2008-06-06T03:23:18-0500 Running
AnalysisEngine N-2008_JUN_06_02_35 (Release) 2008-06-06T03:23:18-0500 Running
CLI N-2008_JUN_06_02_35 (Release) 2008-06-06T03:23:18-0500
Upgrade History:
IPS-K9-6.0-5-E2 17:30:49 UTC Tue Jun 29 2010
Recovery Partition Version 1.1 - 6.0(5)E2
06-29-2010 09:33 AM
Based on the show ver output, are we licensed?
06-29-2010 09:35 AM
Yes, the customer will be able to update IPS signatures through 29-May-2012.
Scott
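As an added example (not from the thread or from Cisco), a small Python check that parses the 'sh ver' output posted above and flags the three conditions Scott describes: signatures that have not been updated, an analysis engine below E4 (needed for S480 and later) and a missing or expired license. The 30-day staleness threshold is an assumption; the sample text is the thread's own output, trimmed.

```python
import re
from datetime import date, datetime

# Sample 'sh ver' excerpt as posted in the thread above (trimmed to the relevant lines).
SAMPLE_SHOW_VER = """\
Cisco Intrusion Prevention System, Version 6.0(5)E2
Signature Definition:
Signature Update S339.0 2008-06-11
Platform: ASA-SSM-20
Licensed, expires: 29-May-2012 UTC
"""

MAX_SIG_AGE_DAYS = 30  # assumed staleness threshold, not a value from the thread
MIN_ENGINE = 4         # per the thread: S480 and later need the E4 analysis engine

def parse_show_ver(text):
    """Extract version, engine level, signature level/date and license expiry."""
    ver = re.search(r"Version (\d+\.\d+\(\d+\))E(\d+)", text)
    sig = re.search(r"Signature Update S(\d+)\.\d+ (\d{4}-\d{2}-\d{2})", text)
    lic = re.search(r"Licensed, expires: (\d{2}-[A-Za-z]{3}-\d{4}) UTC", text)
    return {
        "version": ver.group(1) if ver else None,
        "engine": int(ver.group(2)) if ver else None,
        "sig_level": int(sig.group(1)) if sig else None,
        "sig_date": date.fromisoformat(sig.group(2)) if sig else None,
        "license_expires": datetime.strptime(lic.group(1), "%d-%b-%Y").date() if lic else None,
    }

def assess(text, today_iso):
    """Return the parsed fields plus a list of findings, evaluated as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    info = parse_show_ver(text)
    sig_date, exp = info["sig_date"], info["license_expires"]
    info["sig_age_days"] = (today - sig_date).days if sig_date else None
    findings = []
    if sig_date is None:
        findings.append("no signature update recorded")
    elif info["sig_age_days"] > MAX_SIG_AGE_DAYS:
        findings.append(f"signature set S{info['sig_level']} is {info['sig_age_days']} days old")
    if info["engine"] is not None and info["engine"] < MIN_ENGINE:
        findings.append(f"engine E{info['engine']} cannot load S480+ updates; upgrade to an E4 release")
    if exp is None:
        findings.append("no license found; signature updates will not install")
    elif exp < today:
        findings.append(f"license expired on {exp.isoformat()}")
    info["findings"] = findings
    return info
```

Run against the thread's output as of 29 June 2010 it reports the 748-day-old S339 set and the E2 engine, while the license is still valid.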