01-16-2002 02:22 PM - edited 03-08-2019 09:36 PM
Fact: I have a 4230 Sensor: v3.0.3.eng2-beta (given to me from TAC to fix packetd daemon failure problem) and a Unix director: 2.2.3(s9).
1) I have not updated any signature or service packs since S9. Is it possible to apply the S12 service pack and then jump to signature update IDSk9-sig-3.0-3-S13, bypassing S11 update?
2) Also, I have created custom signatures for the SSH CRC32 Buffer Overflow Vulnerability, Goner worm, etc. Will updating signatures overwrite these and other custom signature settings (i.e. TCP reset settings)?
Thanks for any input.
Damien Dinh
Security Specialist
KU Medical center
01-16-2002 02:56 PM
The first thing that you will have to do is uninstall the engineering build. None of the official releases will install over it. The uninstall instructions should have been included with the engineering build. (I believe it is also mentioned in the 3.0(3)S12 Service Pack readme as well).
As to question 1), yes this can be done since the service packs and signature updates are cumulative for their respective packages. Once the engineering build has been uninstalled, install the 3.0(3)S12 service pack and then the 3.0(3)S13 signature update. (In that order)
Neither of these packages should change any of your custom signatures or tunings. If you wish to be safe, make a copy of /usr/nr/etc/SigSettings.conf and the /usr/nr/etc/SigUser.conf files before running the packages. TCP resets for anything other than custom signatures would be in the packetd.conf file. After you install the service pack, you should be able to push your current configurations from the CSPM or Unix Director (whichever one you are using) back to the sensor and then install the signature update.
01-16-2002 02:58 PM
You will need to do the following:
1) Uninstall the 3.0.3.eng2-beta (the engineering release should have some uninstallation instructions to return you to an official release version)
2) Install the released 3.0(3)S12 Service Pack for the appliance (can be installed on any release version between 3.0(1)S4 and 3.0(3)S12)
3) Install the latest signature update for the sensor (I think it is 3.0(3)S13, but check CCO to be sure, if S14 is out then you can go from 3.0(3)S12 to S14 and skip S13 install) (can only be installed on a sensor upgraded to at least the 3.0(3)S12 Service Pack).
The customizations you've made should be preserved when upgrading using released versions.
Since the engineering version was not an official released version, I cannot guarantee that it won't cause a problem with the customizations during uninstall (but I don't think it would). Just in case, you can copy the SigUser.conf, SigSettings.conf and packetd.conf files to a backup directory before uninstalling the engineering version, and compare them after you've uninstalled the engineering version to make sure nothing changed.
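The backup-and-compare step suggested in the replies above, as an added example that is not part of the original thread or any Cisco tooling. The function names are hypothetical, and it assumes packetd.conf sits in the same /usr/nr/etc directory the thread gives for the other two files.

```shell
#!/bin/sh
# Added example: snapshot the sensor's signature/tuning files before an
# uninstall or upgrade, then list which ones differ afterwards.
# File names come from the thread; packetd.conf being in the same
# directory as the other two is an assumption.
CONF_FILES="SigUser.conf SigSettings.conf packetd.conf"

# backup_configs CONF_DIR BACKUP_DIR
# Copies each config file that exists, preserving mode and timestamps.
backup_configs() {
    conf_dir=$1; backup_dir=$2
    mkdir -p "$backup_dir" || return 1
    for f in $CONF_FILES; do
        if [ -f "$conf_dir/$f" ]; then
            cp -p "$conf_dir/$f" "$backup_dir/$f" || return 1
        else
            echo "warning: $conf_dir/$f not found, not backed up" >&2
        fi
    done
}

# changed_configs CONF_DIR BACKUP_DIR
# Prints one line per backed-up file that now differs from its backup,
# or that has disappeared. Prints nothing when everything is unchanged.
changed_configs() {
    conf_dir=$1; backup_dir=$2
    for f in $CONF_FILES; do
        [ -f "$backup_dir/$f" ] || continue      # never backed up, skip
        if [ ! -f "$conf_dir/$f" ]; then
            echo "$f (missing)"
        elif ! cmp -s "$conf_dir/$f" "$backup_dir/$f"; then
            echo "$f"
        fi
    done
}

# Usage on the sensor (the backup directory is a placeholder):
#   backup_configs /usr/nr/etc /var/tmp/ids-conf-backup
#   ...uninstall the engineering build / install the packages...
#   changed_configs /usr/nr/etc /var/tmp/ids-conf-backup
```

Any file name it prints is one to diff by hand against the backup before pushing the configuration back from the Director.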
01-17-2002 06:21 AM
Perfect, a thank you to both of you for your prompt response.