Cisco Support Community
Community Member

Need help with a couple of issues concerning an AIP-SSM

1. How can I see what software version the sensor is running?

2. How can I manually update the sensor's image?

3. How can I see through the CLI when the signatures were last updated?

4. How can I unblock traffic that is being blocked by the sensor?

34 REPLIES
Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

Carlos;

1) From the CLI, you can check the current version by issuing 'sh ver'; you will want to key on the line:

Cisco Intrusion Prevention System, Version x.x(x)Ey

2) Manual sensor updates are outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_system_images.html#wp1142504

3) The output of 'sh ver' will indicate when the last update was applied (either signature or system).  If you are running release 6.2 or higher, you can see the last signature update by issuing 'sh stat host'.

4) If the blocked traffic is via inline, you can clear the denied host from the CLI by issuing "clear denied-attackers ".  Or you can clear them through the IDM GUI:

For inline denies:

Monitoring>Time-Based Actions>Denied Attackers

For external device blocks:

Monitoring>Time-Based Actions>Host Blocks

Monitoring>Time-Based Actions>Network Blocks

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

Few more questions:

What command would I issue in order to declare a subnet as safe traffic, and how would I do the same inside of the GUI?

The reason that I ask is because for some reason the sensor is picking up internal network traffic from print spoolers, remote VPN users, and domain controllers as an attack.

How can I edit the behavior of a signature through the CLI and through the GUI?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

As both questions have very involved answers, I will provide links to the supporting documentation.

To instruct the IPS sensor not to take action on a specific IP address or range of IP addresses you would implement an event action filter (EAF).

For the GUI, EAFs are outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_event_action_rules.html#wp2034816

For the CLI, EAFs are outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1030749

I would recommend reviewing the full section on event actions, of which the above links are a subset. Event actions are very powerful components of the IPS configuration.

Signature tuning from the GUI is outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_signature_definitions.html

Signature tuning from the CLI is outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_signature_definitions.html

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

Also, how can I verify that the signatures are up to date?

The reason that I ask is because when I do a sh ver this is what I get:

! Current configuration last modified Sun Mar 07 14:11:01 2010
! ------------------------------
! Version 6.0(5)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S339.0   2008-06-11
!     Virus Update        V1.4     2007-03-02
! ------------------------------

Does this mean I have had any signature updates from a couple of years?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

One method for keeping up to date on current signature releases is to subscribe to Cisco's IPS Threat Defense Bulletin.  It is an email bulletin that is released with each signature update.  You can subscribe here:

http://www.cisco.com/offer/newsletter/123668_4/

With a valid CCO ID, you can also check the software download page for the latest signature update:

http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=282539245&treeName=Security&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco+IPS+Sensor+Software+Version+6.0&i...

From the output provided, your sensor has not had a signature update since 11 June 2008. The version of software you have installed (6.0(5)) is no longer receiving signature updates, as it is not able to run the E4 analysis engine which is necessary for signature updates S480 and above. You will need to update your IPS sensor software to at least release 6.0(6)E4 and also have a valid IPS license installed to install current signature updates.

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

Currently I am running Version 6.0(5).

Do I have to stay with Version 6.0(5) or can I upgrade to version 6.2?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

What model sensor are you currently using?

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

AIP-SSM-20

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

Carlos;

Yes, you may upgrade the AIP-SSM-20 to any of the current releases of IPS software:

6.0(6)E4

6.2(2)E4

7.0(3)E4

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

What command would I need to issue in order to find out if my customer has a valid IPS license installed to install current signature?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

The output of 'sh ver' should report the current license state.

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

I want you to know that I really appreciate your help and you have gone way above and beyond in this matter.

Cisco Intrusion Prevention System, Version 6.0(5)E2
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S339.0                   2008-06-11
    Virus Update        V1.4                     2007-03-02
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-20
Serial Number:          JAF1310APGT
Licensed, expires:      29-May-2012 UTC
Sensor up-time is 114 days.
Using 1036771328 out of 2093600768 bytes of available memory (49% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 43.6M out of 166.8M bytes of available disk space (28% usage)
boot is using 38.6M out of 68.6M bytes of available disk space (59% usage)

MainApp          N-2008_JUN_06_02_35   (Release)   2008-06-06T03:23:18-0500   Running
AnalysisEngine   N-2008_JUN_06_02_35   (Release)   2008-06-06T03:23:18-0500   Running
CLI              N-2008_JUN_06_02_35   (Release)   2008-06-06T03:23:18-0500

Upgrade History:

  IPS-K9-6.0-5-E2   17:30:49 UTC Tue Jun 29 2010

Recovery Partition Version 1.1 - 6.0(5)E2

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

Based on the Show Ver, are we licensed?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

Yes, the customer will be able to update IPS signatures through 29-May-2012

Scott
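
Added example, not part of the original thread and not Cisco tooling: a Python script that parses 'sh ver' output like the one posted above and flags the three conditions discussed in this thread (engine level below E4, an old signature update, a missing or expired license). The sample text is trimmed from the post above; the function names, the 30-day staleness threshold and the evaluation date are assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample: trimmed from the 'sh ver' output posted in this thread.
SAMPLE = """\
Cisco Intrusion Prevention System, Version 6.0(5)E2
Signature Definition:
    Signature Update    S339.0                   2008-06-11
    Virus Update        V1.4                     2007-03-02
Platform:               ASA-SSM-20
Licensed, expires:      29-May-2012 UTC
"""

MIN_ENGINE = 4  # per the thread: E4 is needed for signature updates S480 and above

def parse_show_version(text):
    """Extract version, engine level, signature level/date and license expiry."""
    info = {}
    m = re.search(r"Version (\d+\.\d+\(\d+\))E(\d+)", text)
    if m:
        info["version"], info["engine"] = m.group(1), int(m.group(2))
    m = re.search(r"Signature Update\s+S(\d+)\.\d+\s+(\d{4}-\d{2}-\d{2})", text)
    if m:
        info["sig_level"] = int(m.group(1))
        info["sig_date"] = date.fromisoformat(m.group(2))
    m = re.search(r"Licensed, expires:\s+(\d{1,2}-[A-Za-z]{3}-\d{4})", text)
    if m:
        info["license_expires"] = datetime.strptime(m.group(1), "%d-%b-%Y").date()
    return info

def assess(info, today, max_sig_age_days=30):  # 30 days is an assumed threshold
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if info.get("engine") is None or info["engine"] < MIN_ENGINE:
        findings.append("engine below E4: upgrade sensor software before updating signatures")
    if "sig_date" not in info:
        findings.append("no signature update line found")
    elif (today - info["sig_date"]).days > max_sig_age_days:
        findings.append(f"signatures S{info['sig_level']} are {(today - info['sig_date']).days} days old")
    exp = info.get("license_expires")
    if exp is None:
        findings.append("no valid license line found")
    elif exp < today:
        findings.append(f"license expired {exp.isoformat()}")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_show_version(SAMPLE), date(2010, 7, 1)):
        print("FLAG:", finding)
```

Run against the output of each AIP-SSM separately, since the two modules in a failover pair are upgraded and licensed independently.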

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

When I do the upgrade of the sensor software, are there any other files that I need to upgrade in the process?

Since my customer has an AIP-SSM-20, is this the only piece of software that I need to upgrade: IPS-SSM_20-K9-sys-1.1-a-6.2-2-E4.img, and can I run the auto-updates after I upgrade the sensor?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

The file you have listed is used for re-imaging the device to factory defaults (.img).

You will want to use an upgrade package (.pkg). This will maintain existing configuration details. To move to release 6.2(2)E4 you would want the file:

IPS-K9-6.2-2-E4.pkg

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

Are these the files that I need in order to do the upgrade?

IPS-K9-6.2-2-E4.pkg

IPS-engine-E4-req-6.2-2.pkg

When I do the upgrade, what is the procedure to do so?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

You will only need to use the file:

IPS-K9-6.2-2-E4.pkg

The process to upgrade the sensor via the IDM GUI is outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAdmin.html#wp1030217

This process will reboot the AIP-SSM-20 to complete.

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

And to do the sensor upgrade from the command line?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

The CLI option requires you have a supported server available to host the upgrade package; whereas the IDM GUI can perform the upgrade directly from your workstation.

The CLI process is outlined here:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliImage.html#wp1243115

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

Does auto upgrade mean I still need to download the files and upload the updates?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

Auto-updates will only update signatures (S496 to S497, etc) and the analysis engine (E3 to E4, etc); these updates do not require a reboot of the sensor. Auto updates will not update version (7.0(2) to 7.0(3), etc) as these updates require a reboot of the sensor.

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

Do you have any sample configuration on how to configure the AIP-SSM-20 to get those signature updates from Cisco automatically?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

You should simply need to enable the feature in the IDM GUI:

Configuration>Sensor Management>Auto/Cisco.com Update

Check the box "Enable Signature and Engine Updates from Cisco.com"

Provide valid CCO credentials and select a schedule for checking the updates. The default URL is the correct URL and syntax.

The AIP-SSM's management IP address will need HTTP and HTTPS access to the Internet.

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

I have two ASA5520 with AIP-SSM-20 in high availability mode.

What commands would I issue in order to do the sensor upgrade to both AIP-SSM-20?

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

You will need to upgrade each AIP-SSM independently; there is no communication between the two AIP-SSMs.

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

When I upgraded the sensor to version 6.2(2) everything went well, but I realized that I needed to get to version 7.2(2).

I downloaded the software for version 7.2(2) and it made a comment that I need to update the signature engine before I could upgrade to 7.2(2). So I downloaded the engine and the error that I got was:

Warning: Executing this command will apply a signature engine update to the application partition. The system may be rebooted to complete the upgrade.
Continue with upgrade? []: yes
Error: execUpgradeSoftware : The current signature level is  S480.  The current

So what is the proper upgrade path to go from 6.2(2) to 7.2(2), and what am I missing that it won't let me upgrade to 7.2(2)? Please let me know if you need for me to perform any additional commands that may assist in getting this issue resolved.

Cisco Employee

Re: Need help with a couple of issues concerning an AIP-SSM

Carlos;

There is not a 7.2(2) release for Cisco IPS sensors. There is currently 6.2(2)E4 and 7.0(3)E4. If you are wanting to upgrade to 7.0(3)E4 from 6.2(2)E4 you should only need to download the upgrade package with the filename: IPS-K9-7.0-3-E4.pkg

Scott

Community Member

Re: Need help with a couple of issues concerning an AIP-SSM

Sorry, it's version 7.02
