Incremental IPS signatures maintenance

HQuest
Level 1

Hello.

What is the recommended way to maintain all incremental IPS signature files created from periodic signature updates? I noticed my small 880 series routers (yeah, I use the cheap IOS IPS) restart the IPS engine for each and every incremental file available; since each restart takes close to a minute, it takes forever to return a router to its working state after any extended power outage, when you have, let's say, a couple of months' worth of signature updates (from S638 to S725).

Should I clear the IPS and restart it from scratch using the latest pkg/zip combo as found on SDM, just use the pkg file via CLI, or is there any command I could use to maybe merge all those incremental files?

Any suggestions are welcome.

Thanks and regards,

Alex

2 Replies

Julio Carvajal
VIP Alumni

Hello Alexandre,

I would actually recommend always staying on the latest version. For that, you could get the package manually as you said, or go ahead and configure auto-signature update.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio.

The problem is not staying on the latest version - which is what I do. The problem, actually, is I am avoiding a "reinstall" of the IPS feature. As said, there are 50+ "iosips-sig-default-SXXX.xmz" incremental files in my flash:ips/ folder. Since last year updating via SDM was the only available option; by S648 Cisco stopped publishing new .pkgs and at that time I had plenty of dead routers, literally out of any recovery, because of the combo IOS 15.0M and auto-updates (please read http://tools.cisco.com/security/center/viewBulletin.x?bId=464&year=2012). I have recently opened a new TAC and, after some internal testing, they resumed publishing .pkg files again.

Auto signature update is not an option since then, so the only way to be back on track was using SDM. That and a manual change control process helped, but again, it is a freakin' time-consuming process, not only to deploy signatures but also to recover routers back after power loss. Hence my latest TAC.

Having said that, I was wondering if, by applying the latest .pkg via CLI ("copy IOS-SXXX-CLI.pkg idconf") I could get rid of all those "iosips-sig-default-SXXX.xmz" files and reduce my effective reload times back to less than an hour. If there is no other way to reuse currently deployed sig files, I guess I should plan to clear and reapply the IPS feature from the current .pkg file. That will be fun... *sigh*

Thanks,

Alex
