Cisco Support Community

Cisco Employee

Active Update: Release of S5 Signature Update

The latest signature release is S5. It is currently available at a temporary download area.

The S5 Signature Update Package, Readme file, and CSPM update may be accessed at ftp://ftp-eng.cisco.com/csids-sig-updates/S5 (Anonymous FTP).

The S5 signature update will be posted to CCO shortly.

Thanks.

11 REPLIES
New Member

Re: Active Update: Release of S5 Signature Update

Thanks a lot!

Applied, working w/o problems.

The questions are: what about signature update to Unix director?

I haven't seen any for S4 and S5. Maybe I'm missing something?

I removed 8000 sig for Code Red because S5 has a new 5126 sig. Should I remove custom sig. for latest telnet created by SigWiz or is it replaced by S5 automatically?

Dmitri

Cisco Employee

Re: Active Update: Release of S5 Signature Update

Leave the Telnetd (sigwiz) signature in place. It should be added in an upcoming release; we wanted to get S5 out ASAP to get the built-in Code Red signature(s) out there. As for Director updates, I'll have to defer; I don't know the answer. I'm sure someone will fill in the blank shortly....

Scott C.

Cisco Employee

Re: Active Update: Release of S5 Signature Update

Actually, we added the telnet signature at the last minute to the S5 release so you can remove your custom signature from the sensor.

Cisco Employee

Re: Active Update: Release of S5 Signature Update

The director SW update is soon to be released. There was more than a signature update in the works for them as they were adding new functionality to manage the new features of 3.0.

For the time being your signatures will report as signature IDs only and if the Director complains about unknown tokens in the packetd.conf file you should tell it to ignore them.

New Member

Re: Active Update: Release of S5 Signature Update

I have done the following:

1) Update CSPM with the 08022001 Signature Update, reboot

2) Update sensor with IDSk9-sig-3.0-1-S5.bin, which correctly created the new signatures in packetd.conf

3) Update the sensor version in CSPM with the Wizard, generating the updated signature information file.

The sensor version is now changed (automatically, not by me) to 3.0(1)S5 in the sensor version field of CSPM. Also, the new alarms start coming to the Event Viewer, so everything seems OK.

Now, if I modify some setting for the sensor and click Update in CSPM, generating a new policy, when this policy is pushed to the sensor I get a warning (WARNING: Actual IDS Sensor Version 3.0(1)S5 is not identical to the user specified version 3.0(1)S4.) and all the new S5 sigs are deleted from packetd.conf!

There is no way to tell CSPM that the sensor is now S5, even though CSPM itself correctly identifies the sensor in the Update Wizard.

What's up? I think that if I now delete the sensor and recreate it from scratch this will probably fix the problem, but I would lose all the customizations I've done. A similar problem occurred when upgrading to 3.0(1)S4 from 2.5.

Ciao,

Giovanni

New Member

Re: Active Update: Release of S5 Signature Update

In CSPM most of a sensor's configuration is saved in a signature template. You can delete and recreate the new sensor node in the topology without deleting the sensor template. When you create the new node you can reference the saved template that contains your customized settings.

Also, if the customized changes have already been pushed out to your sensor, you can import them using the Add Sensor Wizard. This will create a new sensor template and reference it in the node.

Unfortunately, settings that are not stored in the signature template, such as the sensing, blocking and filtering settings, will have to be recreated by hand.

Hope this helps.

New Member

Re: Active Update: Release of S5 Signature Update

Thanks, I'll try as you suggest. I'm a bit worried about what's going wrong here, though. My company manages several sensors and I wouldn't want to go through this every time there's an update.

Giovanni

New Member

Re: Active Update: Release of S5 Signature Update

This happened to me too when I updated from 2.5 to 3.0... now I'm going to upgrade to the new sig and see if it happens again.

Cisco Employee

Re: Active Update: Release of S5 Signature Update

This is a known bug: CSCdu86758

It is fixed by the development and a new version will be released once it has been tested by their QA team.

The bug is that changes to the sensor configuration files are sometimes not saved to the database. For example the changing of the sensor version or changes to the configuration for Device Management were not being saved to the database. It does not always happen, so you are not guaranteed to see this issue. I am not sure if there is a particular series of steps that causes it. But if you do come across it then follow the workaround from below:

The workaround:

1) Install the CSPM signature update

2) Install the sensor signature update

3) Delete the sensor from CSPM

4) Click Update to save the database in CSPM

5) Add the sensor back to CSPM (select the checkbox to pull in the existing configuration)

6) Verify the configuration and make any necessary changes before pressing the Update or Save buttons.

7) Once the configuration looks correct then press the Update button to save the database.

8) And Approve the configuration to push the new configuration to the sensor.

New Member

Re: Active Update: Release of S5 Signature Update

Hi,

Are there any plans for updates for the IDSM anytime soon?

I work for a large ISP and we have quite a few customers using or wanting to use the IDSM and the 4200 series Sensors.

Thanks for these, however.

Inti.

Cisco Employee

Re: Active Update: Release of S5 Signature Update

Yes, the 3.0 release is in QA right now (has been for a while). I don't know what the ETA is, but it shouldn't be too long.
