Cisco Support Community
New Member

Auto-update queries

Hi,

I'm trying to set up autoupdate, and want to use SCP for security reasons. However, what I don't understand is how does the sensor know the name of the file to download from the SCP server? I didn't think SCP allowed providing a file listing?

Regards,

Matt

14 REPLIES
New Member

Re: Auto-update queries

I assume you are trying to update a sensor, but there is no "auto-update" feature on 42xx sensors.

Cisco Employee

Re: Auto-update queries

The IDS-42xx sensors do support an Auto Update feature:

For version 4.x:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#2432

For version 3.x:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid64

NOTE1: This Auto Update does not contact Cisco to pull down updates. Instead the user must manually pull the update from Cisco and place it in their own FTP or SCP server. The sensor can then automatically pull the updates from the user's FTP or SCP server.

This provides the user the ability to determine when the sensors should be updated, and can test the update in the lab before having it loaded on the deployed sensors.

NOTE2: If using the IDS MC (part of VMS) for configuration of the sensors, then it is suggested that the update functionality in IDS MC be used instead of the Auto Update feature of the sensor. The IDS MC can be used to push the new updates to the sensors.

New Member

Re: Auto-update queries

How do you troubleshoot the IDS MC update? When I try to push a sig update I get the following messages in the MC report:

A sensor update for version 4.1(3)S78 has started.

Update of sensor XXX1-dc-sensor-1 started.

The update was transferred to the sensor named XXX1-dc-sensor-1.

An error occurred while running the update script on the sensor named XXX1-dc-sensor-1. Detail = The system exec did not complete within the given watchdog time(2400 seconds)

Sensor update for XXX1-dc-sensor-1 failed.The current version 4.1(3)S66 did not match the applied version 4.1(3)S78 after update.

On the sensor logs I do not see any error logs nor does the file ever arrive.

We have never been able to push updates with the MC and have been forced to manually update each sensor.

Cisco Employee

Re: Auto-update queries

Most SSH/SCP servers do support getting a list of files in a specific directory.

The Auto Update feature on the sensor relies on this capability in your SSH/SCP server.

It will pull the list of files and check the file names to determine what files to download and install.

If for some reason your SSH/SCP server does not support getting a file listing from the directory then it won't work with the Auto Update feature of the sensor.

Cisco Employee

Re: Auto-update queries

The sensor sends the "ls -l" command to the ssh server to get the list of package files.

New Member

Re: Auto-update queries

For the IDS AutoUpdate, I have to run OpenSSH 3.7.1p1-1 server on Win32 (don't ask why), and SCP AutoUpdate fails. In the OpenSSH log I do see IDS connecting and issuing "ls -l IDSSignatureUpdate/" command, but nothing happens then.

Has anybody successfully (or unsuccessfully) used IDS with OpenSSH [on Win32]? I wonder if it supports the file listing command with SCP.

Cisco Employee

Re: Auto-update queries

I was not aware that the IDS was using the Unix style "ls -l" command.

Most standard Windows boxes do not support the "ls -l" command (instead they use the "dir" command).

However, multiple different groups have created utilities on Windows that will run many of the standard Unix commands. (Some for free, and some for a price, even Microsoft offers "Windows Services for Unix" that contains most standard unix commands).

Try searching with your favorite search engine for a tool that supports running Unix commands on Windows.

I did a quick search and saw at least 3 or 4 within the first 6 search results alone.

You will want to find and install one where a user can SSH into your Windows box and immediately run the "ls -l" command without having to run anything prior (some utilities may require you to run ksh or another shell before being able to execute the Unix-style command).

New Member

Re: Auto-update queries

The IDS's use of "ls -l" to get a list of available update files was confirmed both by a Cisco rep (jamesand) and by looking at SSH server logs.

As I mentioned in my initial post, I use the OpenSSH port for Win32, which comes bundled with Cygwin. It does include most of the popular Unix utilities, including ls. I did confirm it by issuing the command right after SSHing to the box.

Is it possible that the IDS is not recognizing the Windows style of ls output?

C:\>vsh ids@updateserver

ids@updateserver's password:

Microsoft Windows [Version 5.2.3790]

(C) Copyright 1985-2003 Microsoft Corp.

d:\Logs>ls -l IDSSignatureUpdate

total 28628

-rwx------+ 1 ???????? Domain U 13280279 Jan 14 13:59 IDS-K9-min-4.1-1-S47.rpm.pkg

-rwx------+ 1 ???????? Domain U 12243162 Jan 9 10:39 IDS-K9-sp-4.1-3-S61.rpm.pkg

-rwx------+ 1 ???????? Domain U 3789055 Mar 26 14:13 IDS-sig-4.1-3-S81.rpm.pkg

d:\Logs>

Cisco Employee

Re: Auto-update queries

Yes, I think the sensor code is having trouble with your "ls -l" listing. It looks like the group name is "Domain U" (the space may be throwing off the parse code). Try changing the group owner of the files to be a name without a space.

NOTE: the version 5.0 sensor auto file parse code will be rewritten to handle this

New Member

Re: Auto-update queries

The problem was solved - thanks to James for pointing out an extra space in the group name.

I had to change the "Domain Users" group name to "DomainUsers" in Cygwin's group definitions file; that fixed the "ls -l" output (see below). As a result the IDS is now capable of properly parsing the file listing and getting updates via SCP.

Note that the NTFS permissions are displayed incorrectly by Cygwin's ls - in reality it is -r-x------.

D:\Logs>ls -l IDSSignatureUpdate

total 28636

-rwx------+ 1 ???????? DomainUs 13280279 Jan 14 13:59 IDS-K9-min-4.1-1-S47.rpm.pkg

-rwx------+ 1 ???????? DomainUs 12243162 Jan 9 10:39 IDS-K9-sp-4.1-3-S61.rpm.pkg

-rwx------+ 1 ???????? DomainUs 3797867 Mar 30 17:11 IDS-sig-4.1-3-S82.rpm.pkg
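
An added illustration of the parsing failure discussed in this thread; it is not Cisco's sensor code and not part of any post. The fixed-position parser is a hypothetical model of how a space in the group name can shift the fields of an "ls -l" line, and the package-name pattern is inferred only from the three file names shown above.

```python
import re

# Pattern inferred from the package names in the thread (an assumption,
# not Cisco's documented naming rule).
PKG_RE = re.compile(r"^IDS-(?:K9-)?(min|sp|sig)-(\d+)\.(\d+)-(\d+)-S(\d+)\.rpm\.pkg$")

# BROKEN is the first listing posted in the thread (group shown as "Domain U").
# FIXED is the same listing with the group renamed as in the reported fix.
BROKEN = """total 28628
-rwx------+ 1 ???????? Domain U 13280279 Jan 14 13:59 IDS-K9-min-4.1-1-S47.rpm.pkg
-rwx------+ 1 ???????? Domain U 12243162 Jan 9 10:39 IDS-K9-sp-4.1-3-S61.rpm.pkg
-rwx------+ 1 ???????? Domain U 3789055 Mar 26 14:13 IDS-sig-4.1-3-S81.rpm.pkg"""
FIXED = BROKEN.replace("Domain U ", "DomainUs ")


def names_fixed_position(listing):
    """Hypothetical fragile parser: assumes the name is always the 9th field."""
    names = []
    for line in listing.splitlines():
        fields = line.split()
        # With "Domain U" the 9th field is the time ("13:59"), not the name.
        if len(fields) >= 9 and PKG_RE.match(fields[8]):
            names.append(fields[8])
    return names


def names_from_right(listing):
    """Take the last field and accept it only if it matches the package pattern.

    Owner and group columns can then contain spaces without shifting the name,
    and anything in the remote listing that is not a well-formed package name
    is ignored before a download is attempted.
    """
    names = []
    for line in listing.splitlines():
        fields = line.split()
        if fields and PKG_RE.match(fields[-1]):
            names.append(fields[-1])
    return names


def newest_sig_level(names):
    """Highest S-level among signature ('sig') packages, or None if there are none."""
    matches = (PKG_RE.match(n) for n in names)
    levels = [int(m.group(5)) for m in matches if m and m.group(1) == "sig"]
    return max(levels, default=None)
```
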

New Member

Re: Auto-update queries

Hi all, and thanks for your comments. I'm hoping to deploy this later in the week, so will let you know how I get on.

WRT using the update functionality in IDS-MC - I'd prefer to use this method; however, the IDS-MC is deployed with a private IP address, and the sensors have public IP addresses (they're in different networks behind a firewall) - so when the update request is issued, the sensors cannot access the private IP address. If you know of a way around this I'd much appreciate your thoughts.

Many thanks,

Matt

New Member

Re: Auto-update queries

Have you received any update regarding MC behind the firewall?

Cisco indicated that signature deployment will not work on IDS 4x if VMS MC 1.2 is sitting behind the firewall. The next release MC2,2 may become available in Summer 2004

New Member

Re: Auto-update queries

Sorry - I haven't heard anything on this, but will update this thread if I find anything out. If you could do the same that would be much appreciated.

Many thanks,

Matt

New Member

Re: Auto-update queries

Hi,

Try looking at this CSCeb21533

The MC won't work with deploying sensor updates if there is an intermediate NAT. You can fix this by using the solution in here. It works.

Also note that this will not be fixed until the next version out this summer.
