I'm trying to set up autoupdate, and want to use SCP for security reasons. However, what I don't understand is how does the sensor know the name of the file to download from the SCP server? I didn't think SCP allowed providing a file listing?
The IDS-42xx sensors do support an Auto Update feature:
For version 4.x:
For version 3.x:
NOTE1: This Auto Update does not contact Cisco to pull down updates. Instead the user must manually pull the update from Cisco and place it in their own FTP or SCP server. The sensor can then automatically pull the updates from the user's FTP or SCP server.
This provides the user the ability to determine when the sensors should be updated, and can test the update in the lab before having it loaded on the deployed sensors.
NOTE2: If using the IDS MC (part of VMS) for configuration of the sensors, then it is suggested that the update functionality in IDS MC be used instead of the Auto Update feature of the sensor. The IDS MC can be used to push the new updates to the sensors.
How do you troubleshoot the IDS MC update? When I try to push a sig update I get the following messages in the MC report:
A sensor update for version 4.1(3)S78 has started.
Update of sensor XXX1-dc-sensor-1 started.
The update was transferred to the sensor named XXX1-dc-sensor-1.
An error occurred while running the update script on the sensor named XXX1-dc-sensor-1. Detail = The system exec did not complete within the given watchdog time(2400 seconds)
Sensor update for XXX1-dc-sensor-1 failed.The current version 4.1(3)S66 did not match the applied version 4.1(3)S78 after update.
On the sensor logs I do not see any error logs nor does the file ever arrive.
We have never been able to push updates with the MC and have been forced to manually update each sensor.
Most SSH/SCP servers do support getting a list of files in a specific directory.
The Auto Update feature on the sensor relies on this capability in your SSH/SCP server.
It will pull the list of files and check the file names to determine what files to download and install.
If for some reason your SSH/SCP server does not support getting a file listing from the directory, then it won't work with the Auto Update feature of the sensor.
For the IDS AutoUpdate, I have to run OpenSSH 3.7.1p1-1 server on Win32 (don't ask why), and SCP AutoUpdate fails. In the OpenSSH log I do see IDS connecting and issuing "ls -l IDSSignatureUpdate/" command, but nothing happens then.
Has anybody successfully (or unsuccessfully) used IDS with OpenSSH [on Win32]? I wonder if it supports the file listing command with SCP.
I was not aware that the IDS was using the Unix style "ls -l" command.
Most standard Windows boxes do not support the "ls -l" command (instead they use the "dir" command).
However, multiple different groups have created utilities on Windows that will run many of the standard Unix commands. (Some for free, and some for a price, even Microsoft offers "Windows Services for Unix" that contains most standard unix commands).
Try searching with your favorite search engine for a tool that supports running Unix commands on Windows.
I did a quick search and saw at least 3 or 4 within the first 6 search results alone.
You will want to find and install one where a user can SSH into your Windows box and immediately run the "ls -l" command without having to run anything prior (some utilities may require you to run ksh or another shell before being able to execute the Unix-style command).
The IDS's use of "ls -l" to get a list of available update files was confirmed both by Cisco rep (jamesand) and by looking at SSH server logs.
As I mentioned in my initial post, I use the OpenSSH port for Win32, which comes bundled with Cygwin. It does include most of the popular Unix utilities, including ls. I did confirm it by issuing the command right after SSHing to the box.
Is it possible that the IDS is not recognizing the Windows-style ls output?
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
d:\Logs>ls -l IDSSignatureUpdate
-rwx------+ 1 ???????? Domain U 13280279 Jan 14 13:59 IDS-K9-min-4.1-1-S47.rpm.pkg
-rwx------+ 1 ???????? Domain U 12243162 Jan 9 10:39 IDS-K9-sp-4.1-3-S61.rpm.pkg
-rwx------+ 1 ???????? Domain U 3789055 Mar 26 14:13 IDS-sig-4.1-3-S81.rpm.pkg
Yes, I think the sensor code is having trouble with your "ls -l" listing. It looks like the group name is "Domain U" (the space may be throwing off the parse code). Try changing the group owner of the files to be a name without a space.
NOTE: the version 5.0 sensor auto file parse code will be rewritten to handle this
The problem was solved - thanks to James for pointing out an extra space in the group name.
I had to change the "Domain Users" group name to "DomainUsers" in Cygwin's group definitions file; that fixed the "ls -l" output (see below). As a result the IDS is now capable of properly parsing the file listing and getting updates via SCP.
Note that the NTFS permissions are displayed incorrectly by Cygwin's ls - in reality it is -r-x------.
D:\Logs>ls -l IDSSignatureUpdate
-rwx------+ 1 ???????? DomainUs 13280279 Jan 14 13:59 IDS-K9-min-4.1-1-S47.rpm.pkg
-rwx------+ 1 ???????? DomainUs 12243162 Jan 9 10:39 IDS-K9-sp-4.1-3-S61.rpm.pkg
-rwx------+ 1 ???????? DomainUs 3797867 Mar 30 17:11 IDS-sig-4.1-3-S82.rpm.pkg
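The parsing failure James pointed out above comes down to how an "ls -l" line is split into columns. The example below is added here to illustrate that point and is not the sensor's code (Cisco's parser is not shown anywhere in this thread); both parsers, the Entry type and the sample listing are my own constructions, with the listing modelled on the one posted above. A positional parser that counts whitespace-separated fields puts "U" into the size column and drops the entry, whereas a parser anchored on the fixed-shape columns at both ends of the line (mode string, link count, size, month, day, time) recovers the file name even when owner or group contains a space.

```python
import re
from typing import Callable, List, NamedTuple, Optional

# Constructed sample listing modelled on the one posted in the thread: the
# first entry has a group name containing a space ("Domain U"), the second
# does not. Sizes and dates are illustrative.
SAMPLE_LISTING = """\
-rwx------+ 1 ???????? Domain U 13280279 Jan 14 13:59 IDS-K9-min-4.1-1-S47.rpm.pkg
-rwx------+ 1 ???????? DomainUs 3797867 Mar 30 17:11 IDS-sig-4.1-3-S82.rpm.pkg
"""


class Entry(NamedTuple):
    perms: str
    size: int
    name: str


def parse_naive(line: str) -> Optional[Entry]:
    """Positional parse (assumed to resemble the failing behaviour): expects
    the classic 9 fields perms links owner group size month day time name.
    A space inside owner or group shifts every later field by one."""
    fields = line.split(None, 8)          # 9 parts; the last keeps the rest of the line
    if len(fields) != 9:
        return None
    perms, _links, _owner, _group, size, _mon, _day, _time, name = fields
    if not size.isdigit():                # "U" lands in the size column -> entry dropped
        return None
    return Entry(perms, int(size), name)


# Anchored parse: match the fixed-shape columns at both ends of the line and
# treat whatever sits between the link count and the size as owner+group,
# spaces included.
LS_LINE = re.compile(
    r"^(?P<perms>[-dlbcps][-rwxsStT]{9}[+@.]?)\s+"       # mode string, optional ACL marker
    r"(?P<links>\d+)\s+"
    r"(?P<owner_group>.+?)\s+"                            # owner and group, may contain spaces
    r"(?P<size>\d+)\s+"
    r"(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{1,2}:\d{2}|\d{4})\s+"                   # HH:MM, or a year for old files
    r"(?P<name>\S.*)$"
)


def parse_anchored(line: str) -> Optional[Entry]:
    """Column-anchored parse that tolerates spaces in owner/group names."""
    m = LS_LINE.match(line)
    if not m:
        return None
    return Entry(m.group("perms"), int(m.group("size")), m.group("name"))


def list_names(listing: str, parser: Callable[[str], Optional[Entry]]) -> List[str]:
    """File names a given parser recovers from a full 'ls -l' listing."""
    names = []
    for line in listing.splitlines():
        entry = parser(line)
        if entry is not None:
            names.append(entry.name)
    return names


if __name__ == "__main__":
    print("naive   :", list_names(SAMPLE_LISTING, parse_naive))
    print("anchored:", list_names(SAMPLE_LISTING, parse_anchored))
```

Running the block shows the naive parser returning only the second file, while the anchored parser returns both; this is the same outcome as the workaround in the thread (renaming the group so the listing has no embedded space), but achieved on the consuming side. A filename containing spaces is handled by both parsers because the name is taken as the remainder of the line.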
Hi all, and thanks for your comments. I'm hoping to deploy this later in the week, so will let you know how I get on.
WRT using the update functionality in IDS-MC - I'd prefer to use this method; however, the IDS-MC is deployed with a private IP address, and the sensors have public IP addresses (they're in different networks behind a firewall) - so when the update request is issued, the sensors cannot access the private IP address. If you know of a way around this I'd much appreciate your thoughts.
Have you received any update regarding MC behind the firewall?
Cisco indicated that signature deployment will not work on IDS 4.x if VMS MC 1.2 is sitting behind the firewall. The next release, MC 2.2, may become available in Summer 2004.
Sorry - I haven't heard anything on this, but will update this thread if I find anything out. If you could do the same that would be much appreciated.
Try looking at this CSCeb21533
The MC won't work with deploying sensor updates if there is an intermediate NAT. You can fix this by using the solution in here. It works.
Also note that this will not be fixed until the next version out this summer.