Cisco Support Community
New Member

Director S17 update

Can anyone tell me where I can find the update:

nrdirUpdate-S17

Thanks,

J

4 REPLIES
Cisco Employee

Re: Director S17 update

The director update usually lags a day or two behind the sensor and CSPM updates in these emergency situations.

Luckily this will affect your ability to use the S17 sensor signature update in only minor ways.

1) To use S17 your sensor would have to be set for Manual signature configuration rather than Profile based configuration in the nrConfigure IDS configuration window prior to installing S17.

This way S17 will add the signature to packetd.conf, and when you double click on the sensor in nrConfigure it will pull across the new packetd.conf file with the new signature.

You could then configure the severity on the new signature just fine.

NOTE: If using Profile based the S17 signatures will not be in packetd.conf.

2) When the new signature fires it will show up as a numbered icon rather than the signature name.

So you can run S16 director update with the S17 sensor update.

S17 for the director is in development and will be shipped when testing has been completed.

New Member

Re: Director S17 update

The director can be downloaded from ftp-eng

ftp://ftp-eng.cisco.com/csids-sig-updates/S17/nrdirUpdate-S17.bin

New Member

Re: Director S17 update

Probably something I've missed in the reading but...

View: CSPM managing 2 4230's and a 4210 sensor.

I have loaded the S16 and S17 patches. The policies have been pushed. Everything seems to be working fine. However, from the CSPM GUI if I select the +Signature Sensors and select the signature file for any of the sensors I cannot see the new "4507" signature listed. It shows SNMP series through 4505 and then goes onto the remainder. However, the new 5223 and 5224 signatures DO show... When I check the NSDB it IS listed there. So the HTML files for the NSDB are present. How can I tell if the update patches for the sensors actually built the signatures that S16 and S17 were supposed to - at least for the 4507 sig?

Henry Schupp

Cisco Employee

Re: Director S17 update

Only S17 sensors will have the new signature.

You can

1) telnet to the sensor as user netrangr

2) cd /usr/nr/etc

3) grep 4507 packetd.conf

If you see a line that starts with:

SIgOfGeneral 4507 0 5 5 5 5 .....

then you have the new signature

The action should be set to zero (no action) by default.

And the severity should be 5 (High) by default.

If you do not see this on an S17 sensor, then either the CSPM update file has a bug, or something in your installation and deployment didn't work right.

As for looking in CSPM itself for the signature, be aware that the new signatures are not necessarily in numerical order. Quite often CSPM will simply add the new signatures to the bottom of the signature list.

marco
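
The grep check from the reply above, wrapped as a script so several signature IDs can be verified in one pass and any non-default action or severity is flagged. This is an added example, not code posted in the thread; the field positions (third field = action, fourth = severity) are inferred from the reply's sample line and are an assumption, and `check_sig`, `check_all` and `sample_conf` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread): check signature IDs in a packetd.conf.
# Assumption: in "SigOfGeneral <id> <action> <severity> ..." the third field
# is the action and the fourth is the first severity value.

# check_sig FILE ID -> prints one status line; returns 0 = present with the
# defaults named in the thread (action 0, severity 5), 1 = present with
# other values, 2 = absent.
check_sig() {
    awk -v sig="$2" '
        # Compare the token case-insensitively; the thread spells it "SIgOfGeneral".
        tolower($1) == "sigofgeneral" && $2 == sig {
            found = 1; action = $3; sev = $4
            exit                      # first match is enough; control goes to END
        }
        END {
            if (!found) { print sig ": not in file"; exit 2 }
            if (action == "0" && sev == "5") {
                print sig ": present, default action/severity"; exit 0
            }
            print sig ": present, action=" action " severity=" sev; exit 1
        }
    ' "$1"
}

# check_all FILE ID... -> runs check_sig for every ID and returns the
# highest status seen, so one exit code summarises the whole sensor.
check_all() {
    conf=$1; shift
    worst=0
    for id in "$@"; do
        rc=0
        check_sig "$conf" "$id" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Constructed sample lines (not taken from a real sensor).
sample_conf() {
    cat <<'EOF'
SigOfGeneral 4505 0 3 3 3 3
SigOfGeneral 4507 0 5 5 5 5
SigOfGeneral 5223 1 4 4 4 4
EOF
}

# Usage on the sensor: sh thisfile /usr/nr/etc/packetd.conf 4507
if [ "$#" -ge 2 ]; then check_all "$@"; fi
```

A return status of 2 corresponds to the "you do not see this on an S17 sensor" case in the reply.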
