Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Does signature update have to be incremental?

Fact: I have a 4230 Sensor: v3.0.3.eng2-beta (given to me from TAC to fix packetd daemon failure problem) and a Unix director: 2.2.3(s9).

1) I have not updated any signature or service packs since S9. Is it possible to apply the S12 service pack and then jump to signature update IDSk9-sig-3.0-3-S13, bypassing S11 update?

2) Also, I have created custom signature for SSH CRC32 Buffer Overflow Vulnerability, Goner worm, etc. Will updating signature over-write these and other custom signature setting (i.e. tcp resets settings).

Thanks for any input.

Damien Dinh

Security Specialist

KU Medical center

Cisco Employee

Re: Does signature update have to be incremental?

The first thing that you will have to do is uninstall the engineering build. None of the official releases will install over it. The uninstall instructions should have been included with the engineering build. (I believe it is also mentioned in the 3.0(3)S12 Service Pack readme as well).

As to question 1), yes this can be done since the service packs and signature updates are cumulative for their respective packages. Once the engineering build has been uninstalled, install the 3.0(3)S12 service pack and then the 3.0(3)S13 signature update. (In that order)

Neither of these packages should change any of your custom signatures or tunings. If you wish to be safe, make a copy of /usr/nr/etc/SigSettings.conf and the /usr/nr/etc/SigUser.conf files before running the packages. TCP resets for anything other than custom signatures would be in the packetd.conf file. After you install the service pack, you should be able to push your current configurations from the CSPM or Unix Director (which everone you are using) back to the sensor and then install the signature update.

Cisco Employee

Re: Does signature update have to be incremental?

You will need to do the following:

1) Uninstall the 3.0.3.eng2-beta (the engineering release should have some unistallation instructions to return you to an official release version)

2) Install the released 3.0(3)S12 Service Pack for the appliance (can be installed on any release version between 3.0(1)S4 and 3.0(3)S12)

3) Install the latest signature update for the sensor (I think it is 3.0(3)S13, but check CCO to be sure, if S14 is out then you can go from 3.0(3)S12 to S14 and skip S13 install) (can only be installed on a sensor upgraded to at least the 3.0(3)S12 Service Pack).

The customizations you've made should be preserved when upgrading using released versions.

Since the engineering version was not an official released version I can not gurarntee that it won't cause a problem with the customizations during uninstall (but I don't think it would). Just in case you can copy the SigUser.conf, SigSettings.conf and packetd.conf files to a backup directory before uninstalling the engineering version, and compare them after you've uninstalled the engineering version to make sure nothing changed.

New Member

Re: Does signature update have to be incremental?

Perfect, a thank you to both of you for you prompt response.

CreatePlease to create content