1. How can I see what software version the sensor is running?
2. How can I manually update the sensor's image?
3. How can I see through the CLI when the signatures were last updated?
4. How can I unblock traffic that is being blocked by the sensor?
1) From the CLI, you can check the current version by issuing 'sh ver'; you will want to key on the line:
Cisco Intrusion Prevention System, Version x.x(x)Ey
2) Manual sensor updates are outlined here:
3) The output of 'sh ver' will indicate when the last update was applied (either signature or system). If you are running release 6.2 or higher, you can see the last signature update by issuing 'sh stat host'.
4) If the blocked traffic is via inline, you can clear the denied host from the CLI by issuing "clear denied-attackers".
For inline denies:
Monitoring>Time-Based Actions>Denied Attackers
For external device blocks:
Monitoring>Time-Based Actions>Host Blocks
Monitoring>Time-Based Actions>Network Blocks
A few more questions:
What command would I issue in order to declare a subnet as safe traffic, and how would I do the same inside of the GUI?
The reason that I ask is because for some reason the sensor is picking up internal network traffic from print spoolers, remote VPN users, and domain controllers as an attack.
How can I edit the behavior of a signature through the CLI and through the GUI?
As both questions have very involved answers, I will provide links to the supporting documentation.
To instruct the IPS sensor not to take action on a specific IP address or range of IP addresses you would implement an event action filter (EAF).
For the GUI, EAFs are outlined here:
For the CLI, EAFs are outlined here:
I would recommend reviewing the full section on event actions of which the above links are a subset. Event actions are very powerful components of the IPS configuration.
Signature tuning from the GUI is outlined here:
Signature tuning from the CLI is outlined here:
Also, how can I verify that the signatures are up to date?
The reason that I ask is because when I do a sh ver this is what I get:
! Current configuration last modified Sun Mar 07 14:11:01 2010
! Version 6.0(5)
! Realm Keys key1.0
! Signature Definition:
! Signature Update S339.0 2008-06-11
! Virus Update V1.4 2007-03-02
Does this mean I have not had any signature updates for a couple of years?
One method for keeping up to date on current signature releases is to subscribe to Cisco's IPS Threat Defense Bulletin. It is an email bulletin that is released with each signature update. You can subscribe here:
With a valid CCO ID, you can also check the software download page for the latest signature update:
From the output provided, your sensor has not had a signature update since 11 June 2008. The version of software you have installed (6.0(5)) is no longer receiving signature updates, as it is not able to run the E4 analysis engine which is necessary for signature updates S480 and above. You will need to update your IPS sensor software to at least release 6.0(6)E4 and also have a valid IPS license installed to install current signature updates.
Currently I am running Version 6.0(5).
Do I have to stay with Version 6.0(5) or can I upgrade to version 6.2?
Yes, you may upgrade the AIP-SSM-20 to any of the current releases of
What command would I need to issue in order to find out if my customer has a valid IPS license installed to install current signatures?
I want you to know that I really appreciate your help and you have gone way above and beyond in this matter.
Cisco Intrusion Prevention System, Version 6.0(5)E2
Realm Keys key1.0
Signature Update S339.0 2008-06-11
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Serial Number: JAF1310APGT
Licensed, expires: 29-May-2012 UTC
Sensor up-time is 114 days.
Using 1036771328 out of 2093600768 bytes of available memory (49% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61%
application-data is using 43.6M out of 166.8M bytes of available disk space (28% usage)
boot is using 38.6M out of 68.6M bytes of available disk space (59%
MainApp N-2008_JUN_06_02_35 (Release)
AnalysisEngine N-2008_JUN_06_02_35 (Release)
CLI N-2008_JUN_06_02_35 (Release)
IPS-K9-6.0-5-E2 17:30:49 UTC Tue Jun 29 2010
Recovery Partition Version 1.1 - 6.0(5)E2
When I do the upgrade of the sensor software, are there any other files that I need to upgrade in the process?
Since my customer has an AIP-SSM-20, is this the only piece of software that I need to upgrade, IPS-SSM_20-K9-sys-1.1-a-6.2-2-E4.img, and can I run the auto-updates after I upgrade the sensor?
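A small parser for the 'show version' output quoted in this thread, added here as an example (it is not from the thread or from Cisco): it pulls out the release, engine, signature level and licence expiry and applies the rules given in the answer above (6.0(6)E4 minimum for current signatures, valid licence required). The sample output is constructed from the posting above.

```python
import re
from datetime import date, datetime

# Constructed sample, modelled on the 'show version' output quoted in this thread.
SAMPLE_SHOW_VERSION = """\
Cisco Intrusion Prevention System, Version 6.0(5)E2
Realm Keys key1.0
Signature Update S339.0 2008-06-11
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Licensed, expires: 29-May-2012 UTC
Sensor up-time is 114 days.
"""

# Minimum release/engine that can still take current signature packages,
# as stated in the answer above (6.0(6)E4; S480 and later need the E4 engine).
MIN_RELEASE = (6, 0, 6)
MIN_ENGINE = 4

def parse_show_version(text):
    """Extract release, engine, signature level/date and licence expiry from 'show version'."""
    info = {}
    m = re.search(r"Version (\d+)\.(\d+)\((\d+)\)E(\d+)", text)
    if m:
        info["release"] = tuple(int(x) for x in m.group(1, 2, 3))
        info["engine"] = int(m.group(4))
    m = re.search(r"Signature Update S(\d+)\.\d+ (\d{4}-\d{2}-\d{2})", text)
    if m:
        info["sig_level"] = int(m.group(1))
        info["sig_date"] = date.fromisoformat(m.group(2))
    m = re.search(r"Licensed, expires: (\d{2}-[A-Za-z]{3}-\d{4})", text)
    if m:
        info["license_expires"] = datetime.strptime(m.group(1), "%d-%b-%Y").date()
    return info

def assess(info, today, max_sig_age_days=30):
    """Return findings explaining why the sensor may not be receiving signature updates."""
    findings = []
    if info.get("engine", 0) < MIN_ENGINE or info.get("release", (0,)) < MIN_RELEASE:
        findings.append("release/engine too old for current signatures (need 6.0(6)E4 or later)")
    if "license_expires" not in info:
        findings.append("no valid IPS licence found; signature updates require one")
    elif info["license_expires"] < today:
        findings.append("IPS licence expired on %s" % info["license_expires"].isoformat())
    if "sig_date" in info and (today - info["sig_date"]).days > max_sig_age_days:
        findings.append("last signature update S%d on %s is over %d days old"
                        % (info["sig_level"], info["sig_date"].isoformat(), max_sig_age_days))
    return findings

if __name__ == "__main__":
    for finding in assess(parse_show_version(SAMPLE_SHOW_VERSION), date(2010, 3, 7)):
        print("WARNING:", finding)
```

Paste the real 'show version' output into SAMPLE_SHOW_VERSION, or feed it from a file, to check a sensor the same way.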
The file you have listed is used for re-imaging the device to factory
You will want to use an upgrade package (.pkg). This will maintain
existing configuration details. To move to release 6.2(2)E4 you would
want the file:
Is this the file that I need in order to do the upgrade?
When I do the upgrade, what is the procedure to do so?
You will only need to use the file:
The process to upgrade the sensor via the IDM GUI is outlined here:
This process will reboot the AIP-SSM-20 to complete.
The CLI option requires you have a supported server available to host
the upgrade package; whereas the IDM GUI can perform the upgrade
directly from your workstation.
The CLI process is outlined here:
Auto-updates will only update signatures (S496 to S497, etc) and the
analysis engine (E3 to E4, etc); these updates do not require a reboot
of the sensor. Auto updates will not update version (7.0(2) to 7.0(3),
etc) as these updates require a reboot of the sensor.
Do you have any sample configuration on how to configure the AIP-SSM-20 to get those signature updates from Cisco automatically?
You should simply need to enable the feature in the IDM GUI:
Configuration>Sensor Management>Auto/Cisco.com Update
Check the box "Enable Signature and Engine Updates from Cisco.com"
Provide valid CCO credentials and select a schedule for checking the
updates. The default URL is the correct URL and syntax.
The AIP-SSM's management IP address will need HTTP and HTTPS access to
I have two ASA5520 with AIP-SSM-20 in high availability mode:
What commands would I issue in order to do the sensor upgrade to both AIP-SSM-20s?
You will need to upgrade each AIP-SSM independently; there is no
communication between the two AIP-SSMs.
When I upgraded the sensor to version 6.2(2) everything went well but I realized that I needed to get to version 7.2(2).
I downloaded the software for version 7.2(2) and it made a comment that I need to update the signature engine before I could upgrade to 7.2(2). So I downloaded the engine, and the error that I got was:
Warning: Executing this command will apply a signature engine update to
the application partition. The system may be rebooted to complete the
Continue with upgrade? : yes
Error: execUpgradeSoftware : The current signature level is S480. The
So what is the proper upgrade path to go from 6.2(2) to 7.2(2), and what am I missing that it won't let me upgrade to 7.2(2)? Please let me know if you need me to perform any additional commands that may assist in getting this issue resolved.
There is not a 7.2(2) release for Cisco IPS sensors. There is
currently 6.2(2)E4 and 7.0(3)E4. If you are wanting to upgrade to
7.0(3)E4 from 6.2(2)E4 you should only need to download the upgrade
package with the filename: IPS-K9-7.0-3-E4.pkg