
IDS Auto Update

emad.mohamed
Level 1

I have an IDS 4210 version 4.0, and I am trying to enable Auto Updates on the device. Web browsing the IDS device (HTTPS), under Configuration > Auto Update, I checked the check box (Enable Auto Update) and then followed all the other steps. Unfortunately, nothing happened; the device is still running the older version.

Any idea on how I can set this up?

9 Replies

milan.kulik
Level 10

I tried several times with IDS 4235 ver. 4.1 with different FTP servers (MS, 3Com, Solaris).

Never worked.

Asked several people, nobody was successful with AutoUpdate.

Regards,

Milan

Anyone from Cisco have an answer to our question?

If you can manually upgrade from an ftp server then auto updates will work. You can also use SCP with auto updates. I would suggest testing your ftp server with a manual upgrade. For example, from cli:

# conf t

# upgrade

example url: ftp://user@1.2.3.4//home/user/IDS-K9-sp-4.1-3-S61.rpm.pkg

Here are some known problems (these will all be fixed in 4.1(4) ):

- upgrades do not work with sambar ftp server

- do not use custom hello/goodbye prompts on windows ftp server

- upgrades do not work with anonymous user

In house, the two most tested ftp servers are solaris and microsoft IIS.

marcabal
Cisco Employee

If you are running 4.0(1) and using FTP for auto updates then you are running into: CSCea42072

With the initial 4.0(1) release there was a bug that would prevent the autoupdate from working for FTP.

Your choices:

1) Switch to SCP for autoupdates.

2) Manually update with either the 4.0(2) Service Pack or 4.1(1) Minor Version before configuring and using the Auto Update feature.

NOTE: The bug was only with the auto update, the manual updates using the "upgrade" command should work fine.

If you are already running version 4.0(2) or later then you are not seeing CSCea42072.

Instead, the more likely problem is either configuration or the sensor doesn't recognize the FTP prompts from your FTP server.

Things to do:

1) Verify that the configuration for ip address, username, and password are correct for your FTP server.

2) Verify that the sensor is able to access your FTP server over the network.

NOTE: An easy way to tell is to do a Manual update with the CLI "upgrade" command for the same FTP server before trying to configure Auto Updates.

3) Verify that the directory is correct. The sensor will "cd" to this directory. I generally recommend trying the directory name with no slash before the name, a single slash before the name, and even a double slash before the name: "dirname, /dirname, //dirname"

In some cases a single slash or even a double slash is necessary so try all 3.

NOTE: Trying it with Manual updates helps to ensure you have this information right.

4) Check to see if your FTP server is sending back non-standard prompts.

NOTE: To test this you can login through the service account on your sensor and manually FTP to your FTP server. Take a look at the prompts it sends back. Often companies will change the prompts to add security warnings. These types of changes can confuse the sensor.

5) Verify the type of FTP Server. The sensor has been hardcoded to match responses from a few different FTP servers:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#2509

If your FTP server is not in this list, then it is possible that the prompts differ on your FTP server and have confused the sensor.

NOTE: We have written this up as a bug against the sensor. We are implementing new update code that would allow it to work with a wider set of FTP Servers. But I am not sure when or in what version that new update code will be released.

If you are still not able to get the sensor to work with your FTP Server, then consider switching to one of the supported FTP Servers in the list.

OR switch to using SCP for updates.

I tried all the manual steps. I telnetted to the IDS sensor, then from the privileged mode I ran this command [upgrade ftp//username@ipAddress/exact path]. I received this error message [Error: Error: file not received]

??

Thank you,

For some reason the IDS was not able to pull the file from the FTP server and did not recognize what error the FTP server may have been giving.

Also if the FTP server is at a remote network, then the sensor may be timing out on the download of the file.

What to try next.

Login to the service account of the sensor.

Switch to user root "su - root".

Execute "ifconfig -a" to determine the name of the interface for the command and control port (it will have the ip address you assigned).

Now execute: tcpdump -i <interface name> -s 1560 -w packets.pcap host <sensor ip address> and host <ftp server ip address>

Example:

tcpdump -i eth0 -s 1560 -w packets.pcap host 10.1.1.1 and host 10.1.1.30

In a separate connection to the sensor, you will want to execute the manual upgrade in the CLI.

Once the manual upgrade fails then go back to the tcpdump that is running and type "Ctrl-C" to stop the capturing of packets.

Now you can read in the packet file with the following command and look for any errors that may have been sent from your FTP server that the sensor may not have recognized. Also look for any prompts or messages that may have been changed on the FTP server that could be confusing the sensor (the sensor has been hardcoded to look for certain prompts, and changing these can confuse the sensor):

Command to execute: tcpdump -X -r packets.pcap.
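An added example, not part of the original post and not Cisco's code: a small Python review of the server replies seen on the FTP control channel, the check the capture above is meant to support. It flags error replies and multi-line greeting, login or goodbye replies. Treating a multi-line banner as "customised" is an assumption of this sketch, not the sensor's documented matching logic, and the sample replies and host name are constructed.

```python
import re

# Constructed sample of FTP control-channel replies (not from the original thread).
SAMPLE_REPLIES = """\
220-*** WARNING: authorized use only ***
220-All activity is monitored.
220 ftp.example.test FTP server ready.
331 Password required for user.
230 User user logged in.
250 CWD command successful.
550 IDS-K9-sp-4.1-3-S61.rpm.pkg: No such file or directory.
221 Goodbye.
"""

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
BANNER_CODES = {"220", "221", "230"}  # greeting, goodbye, login complete


def parse_replies(text):
    """Group lines into (code, [text, ...]) using RFC 959 reply framing."""
    replies, current = [], None
    for line in text.splitlines():
        m = REPLY_LINE.match(line)
        if current is not None:
            same = bool(m) and m.group(1) == current[0]
            current[1].append(m.group(3) if same else line)
            if same and m.group(2) == " ":  # "<code><space>" ends the reply
                replies.append(current)
                current = None
        elif m and m.group(2) == "-":  # "<code>-" opens a multi-line reply
            current = (m.group(1), [m.group(3)])
        elif m:
            replies.append((m.group(1), [m.group(3)]))
    return replies


def review(replies):
    """Flag 4xx/5xx errors and multi-line (assumed customised) banners."""
    findings = []
    for code, lines in replies:
        if code[0] in "45":
            findings.append(("error", code, lines[-1]))
        elif code in BANNER_CODES and len(lines) > 1:
            findings.append(("custom-banner", code, lines[0]))
    return findings


if __name__ == "__main__":
    for finding in review(parse_replies(SAMPLE_REPLIES)):
        print(finding)
```

Lines that do not begin with a three-digit reply code are ignored outside a multi-line reply, so text pasted from a manual FTP session can be fed in with client commands left in place.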

Okay, this should NOT be that difficult. I started two telnet sessions to the IDS device: one is the admin account and the other is the service account. On the admin account one I pushed the signature update file; after three minutes it displayed this message: [broadcast message from Root IDS-k9-sp-4.1-3-…] applying update Sig file name, then shutting down all CIDS processes.

Then it restarts the IDS sensor. Unfortunately, I haven’t seen any activity or traffic on the other Telnet Session.

I checked the current version on the IDS; it is still running the older version.

??

By the messages you've seen on the first window, it appears that the download of the file went fine, and the sensor began executing the file.

If the sensor version was not upgraded then something must have failed during the actual execution of the upgrade.

Can you paste in the following from your telnet connection:

"show version" command prior to the upgrade.

The "upgrade" command and all of the messages that resulted from the upgrade command.

"show version" command after the upgrade was completed.

Please provide all of the output for each command since there is additional information in each output that I can use to try and determine what is happening.

If you prefer not to paste that information into this forum then please open a TAC case.

Thanks Marco,

It works fine now!!!

There were two key problems:

1) //dirname was necessary

(I even tried an empty dirname and put the .rpm.pkg file in the ftp root - did not work)

2) The .readme.txt file is not allowed to be in the same directory with .rpm.pkg.

I had wanted to put all the update files together but my IDS was confused by the .readme.txt file - it downloaded the .readme.txt again and again and skipped the .rpm.pkg file. So I moved the .readme.txt away and finally the AutoUpdate worked fine.

BTW, I'm using 3Com 3CDaemon ver 2.0 rev 10 (my favourite freeware) running on Win2000 as an FTP server.

Thanks again,

Milan