Need help with a couple of issues concerning an AIP-SSM

cdetirado
Level 1

1. How can I see what software version the sensor is running?

2. How can I manually update the sensor's image?

3. How can I see through the CLI when the signatures were last updated?

4. How can I unblock traffic that is being blocked by the sensor?

34 Replies

Scott Fringer
Cisco Employee

Carlos;

1) From the CLI, you can check current version by issuing 'sh ver', you will want to key on the line:

Cisco Intrusion Prevention System, Version x.x(x)Ey

2) Manual sensor updates are outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_system_images.html#wp1142504

3) The output of 'sh ver' will indicate when the last update was applied (either signature or system).  If you are running release 6.2 or higher, you can see the last signature update by issuing 'sh stat host'.

4) If the blocked traffic is via inline, you can clear the denied host from the CLI by issuing 'clear denied-attackers'.  Or you can clear them through the IDM GUI:

For inline denies:

Monitoring>Time-Based Actions>Denied Attackers

For external device blocks:

Monitoring>Time-Based Actions>Host Blocks

Monitoring>Time-Based Actions>Network Blocks

Scott
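The following is an added example, not part of the original thread, showing the four answers above as one CLI session on an AIP-SSM running IPS 6.x (the manual-update step also applies to the later question in this thread about moving to a newer release). The hostname 'sensor', the SCP/backup hosts, user names, paths, the package name and the address 10.1.2.3 are placeholders; the command names come from the 6.x CLI guide linked above, but confirm the exact keyword syntax on your release with '?' before relying on it.

```text
! Added example (not from the original thread); items in <> are placeholders.

! 1) Software release, analysis engine level, last signature update, license state:
sensor# show version
Cisco Intrusion Prevention System, Version 6.2(2)E4      <- release and engine level (E4)
...
Signature Definition:
    Signature Update    S<nnn>.0   <yyyy-mm-dd>          <- date of the last signature update
...
Licensed, expires:      <dd-Mon-yyyy> UTC                <- signature updates require a valid license
...
Upgrade History:
  IPS-K9-6.2-2-E4   <timestamp>                          <- each system/signature package applied

! 3) On 6.2 and later the host statistics also report the last signature update:
sensor# show statistics host

! 2) Manual update: stage the package on an SCP (or FTP/HTTP/HTTPS) server you
!    control, back up the running configuration, then apply the package.
!    A major upgrade reboots the sensor, so do this in a maintenance window.
sensor# copy current-config scp://<user>@<backup-host>/<path>/sensor-config.txt
sensor# configure terminal
sensor(config)# upgrade scp://<user>@<scp-host>//<path>/IPS-K9-6.2-2-E4.pkg
! enter the SCP password and answer yes at the confirmation prompt; the sensor
! applies the package and reboots, after which 'show version' shows the new release

! 4) Inline denies: look before you clear. Remove only the host that was
!    misidentified so that genuine attackers stay denied.
sensor# show statistics denied-attackers
sensor# clear denied-attackers ip-address 10.1.2.3     <- one host (check with 'clear denied-attackers ?')
sensor# clear denied-attackers                          <- every denied host
```

Clearing the denied-attackers list only removes the current deny; if the signature keeps firing the host is denied again on the next match, which is why the event action filter and signature tuning discussed further down the thread are the permanent fix.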

Few more questions:

What command would I issue in order to declare a subnet as safe traffic, and how would I do the same inside of the GUI?

The reason that I ask is because for some reason the sensor is picking up internal network traffic from print spoolers, remote VPN users, and domain controllers as an attack. 

How can I edit the behavior of a signature through the CLI and through the GUI?

As both questions have very involved answers, I will provide links to the supporting documentation.

To instruct the IPS sensor not to take action on a specific IP address or range of IP addresses you would implement an event action filter (EAF).

For the GUI, EAFs are outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_event_action_rules.html#wp2034816

For the CLI, EAFs are outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1030749

I would recommend reviewing the full section on event actions of which the above links are a subset.  Event actions are very powerful components of the IPS configuration.

Signature tuning from the GUI is outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_signature_definitions.html

Signature tuning from the CLI is outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_signature_definitions.html

Scott
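An added example (not from the original thread) of the two techniques in the answer above, applied to the situation described: internal print spoolers, domain controllers and the VPN pool tripping a signature and being denied inline. The internal range 10.10.0.0/16, the signature 3030/0 and its 'sweep' engine are assumptions chosen for illustration; use the attacker addresses and signature IDs that actually appear in 'show events alert' on your sensor.

```text
! Added example (not from the original thread). 10.10.0.0/16, signature 3030/0
! and the 'sweep' engine are assumed; substitute your own values.

! 1) Event action filter (EAF): keep the alert, but stop the sensor from denying
!    these internal hosts inline. Match on the ATTACKER range and only on the
!    signatures that are misfiring. A filter that removes every action for the
!    whole subnet silently whitelists your own hosts if one is ever compromised.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)# filters insert internal-servers begin      <- evaluated before existing filters
sensor(config-eve-fil)# signature-id-range 3030
sensor(config-eve-fil)# subsignature-id-range 0
sensor(config-eve-fil)# attacker-address-range 10.10.0.0-10.10.255.255
sensor(config-eve-fil)# victim-address-range 0.0.0.0-255.255.255.255
sensor(config-eve-fil)# actions-to-remove deny-attacker-inline|deny-packet-inline
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# stop-on-match False                  <- let later filters still apply
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
Apply Changes:?[yes]: yes

! 2) Signature tuning: when the signature is wrong for this network everywhere,
!    not just for one subnet, change its actions (or retire it) on the
!    signature itself instead of adding filters.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 3030 0
sensor(config-sig-sig)# engine sweep
sensor(config-sig-sig-eng)# event-action produce-alert       <- alert only, no inline deny
sensor(config-sig-sig-eng)# exit
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true                     <- or 'retired true' to drop it entirely
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]: yes

! 3) Verify: the filter and signature changes appear in the running config, and
!    new alerts from the internal range should no longer carry an inline deny.
sensor# show configuration
sensor# show events alert past 00:10:00
```

Prefer the filter over disabling a signature: the alert still records that the traffic occurred, which matters when the "false positive" is a domain controller actually being scanned. Document who added each filter and why, and re-check after each signature update, since a new signature release can introduce a different signature for the same traffic that the filter does not cover.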

Also how can I verify that the signatures are up to date ?

The reason that I ask is because when I do a 'sh ver' this is what I get:

! Current configuration last modified Sun Mar 07 14:11:01 2010
! ------------------------------
! Version 6.0(5)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S339.0   2008-06-11
!     Virus Update        V1.4     2007-03-02
! ------------------------------

Does this mean I haven't had any signature updates for a couple of years?

One method for keeping up to date on current signature releases is to subscribe to Cisco's IPS Threat Defense Bulletin.  It is an email bulletin that is released with each signature update.  You can subscribe here:

http://www.cisco.com/offer/newsletter/123668_4/

With a valid CCO ID, you can also check the software download page for the latest signature update:

http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=282539245&treeName=Security&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco+IPS+Sensor+Software+Version+6.0&i...

From the output provided, your sensor has not had a signature update since 11 June 2008.  The version of software you have installed (6.0(5)) is no longer receiving signature updates, as it is not able to run the E4 analysis engine which is necessary for signature updates S480 and above.  You will need to update your IPS sensor software to at least release 6.0(6)E4 and also have a valid IPS license installed to install current signature updates.

Scott

Currently I am running Version 6.0(5)

Do I have to stay with Version 6.0(5) or can I upgrade to version 6.2?

What model sensor are you currently using?

Scott

AIP-SSM-20

Carlos;

Yes, you may upgrade the AIP-SSM-20 to any of the current releases of IPS software:

6.0(6)E4

6.2(2)E4

7.0(3)E4

Scott

What command would I need to issue in order to find out if my customer has a valid IPS license installed to install current signatures?

The output of 'sh ver' should report the current license state.


I want you to know that I really appreciate your help and you have gone way above and beyond in this matter.

Cisco Intrusion Prevention System, Version 6.0(5)E2

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S339.0                   2008-06-11
    Virus Update        V1.4                     2007-03-02
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-20
Serial Number:          JAF1310APGT
Licensed, expires:      29-May-2012 UTC
Sensor up-time is 114 days.
Using 1036771328 out of 2093600768 bytes of available memory (49% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 43.6M out of 166.8M bytes of available disk space (28% usage)
boot is using 38.6M out of 68.6M bytes of available disk space (59% usage)

MainApp          N-2008_JUN_06_02_35   (Release)   2008-06-06T03:23:18-0500   Running
AnalysisEngine   N-2008_JUN_06_02_35   (Release)   2008-06-06T03:23:18-0500   Running
CLI              N-2008_JUN_06_02_35   (Release)   2008-06-06T03:23:18-0500

Upgrade History:
  IPS-K9-6.0-5-E2   17:30:49 UTC Tue Jun 29 2010

Recovery Partition Version 1.1 - 6.0(5)E2

Based on the 'show ver' output, are we licensed?

Yes, the customer will be able to update IPS signatures through 29-May-2012

Scott
