Does signature update have to be incremental?

ddinh
Level 1

Fact: I have a 4230 Sensor: v3.0.3.eng2-beta (given to me from TAC to fix packetd daemon failure problem) and a Unix director: 2.2.3(s9).

1) I have not updated any signature or service packs since S9. Is it possible to apply the S12 service pack and then jump to signature update IDSk9-sig-3.0-3-S13, bypassing S11 update?

2) Also, I have created custom signatures for the SSH CRC32 Buffer Overflow Vulnerability, Goner worm, etc. Will updating signatures overwrite these and other custom signature settings (i.e. TCP reset settings)?

Thanks for any input.

Damien Dinh

Security Specialist

KU Medical center

3 Replies

gbrother
Level 1

The first thing that you will have to do is uninstall the engineering build. None of the official releases will install over it. The uninstall instructions should have been included with the engineering build. (I believe it is also mentioned in the 3.0(3)S12 Service Pack readme.)

As to question 1), yes this can be done since the service packs and signature updates are cumulative for their respective packages. Once the engineering build has been uninstalled, install the 3.0(3)S12 service pack and then the 3.0(3)S13 signature update. (In that order)

Neither of these packages should change any of your custom signatures or tunings. If you wish to be safe, make a copy of /usr/nr/etc/SigSettings.conf and the /usr/nr/etc/SigUser.conf files before running the packages. TCP resets for anything other than custom signatures would be in the packetd.conf file. After you install the service pack, you should be able to push your current configurations from the CSPM or Unix Director (whichever one you are using) back to the sensor and then install the signature update.

marcabal
Cisco Employee

You will need to do the following:

1) Uninstall the 3.0.3.eng2-beta (the engineering release should have some uninstallation instructions to return you to an official release version)

2) Install the released 3.0(3)S12 Service Pack for the appliance (can be installed on any release version between 3.0(1)S4 and 3.0(3)S12)

3) Install the latest signature update for the sensor (I think it is 3.0(3)S13, but check CCO to be sure, if S14 is out then you can go from 3.0(3)S12 to S14 and skip S13 install) (can only be installed on a sensor upgraded to at least the 3.0(3)S12 Service Pack).

The customizations you've made should be preserved when upgrading using released versions.

Since the engineering version was not an official released version, I cannot guarantee that it won't cause a problem with the customizations during uninstall (but I don't think it would). Just in case, you can copy the SigUser.conf, SigSettings.conf and packetd.conf files to a backup directory before uninstalling the engineering version, and compare them after you've uninstalled the engineering version to make sure nothing changed.

ddinh
Level 1

Perfect, a thank you to both of you for your prompt response.