Cisco Support Community

New Member

IDS sensor automatic update problem

I tried using the automatic updates feature. After running idsupdate to schedule the update job, I found that a new ids job is created but all the existing cron jobs are gone.

Does anyone have the same problem? Is there a way that I can ADD the ids automatic update job? Our sensor is at 3.0(1)S8.

Following is the output from the test. Thanks.

# pwd

/usr/nr/bin

# ls -l ids*

-rwsr-s--- 1 root netrangr 2591928 Jul 30 16:44 idsapply

lrwxrwxrwx 1 root other 9 Sep 18 2000 idsinstall -> nrInstall

-rwxr-x--- 1 netrangr netrangr 1505 Jul 30 16:44 idsreadconfig

lrwxrwxrwx 1 root other 7 Sep 18 2000 idsstart -> nrstart

lrwxrwxrwx 1 root other 8 Sep 18 2000 idsstatus -> nrstatus

lrwxrwxrwx 1 root other 6 Sep 18 2000 idsstop -> nrstop

-rwsr-s--- 1 root netrangr 146796 Jul 30 16:44 idsupdate

lrwxrwxrwx 1 root other 6 Sep 18 2000 idsvers -> nrvers

# crontab -l

10 3 * * 0,4 /etc/cron.d/logchecker

10 3 * * 0 /usr/lib/newsyslog

15 3 * * 0 /usr/lib/fs/nfs/nfsfind

1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1

30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean

# ./idsupdate userid@111.222.33.444/var/nr_patches/sensor passwd 0 23:00

Stopping any pending jobs...

All scheduled cron jobs for this user account are now stopped

Scheduling a new job [crontab /usr/nr/var/idsupdate.tab]

# crontab -l

00 23 * * 0 /usr/nr/var/idsupdate.sh#

10 REPLIES
Cisco Employee

Re: IDS sensor automatic update problem

This is a known issue.

It will be corrected in the next release.

As a workaround you can copy the current crontab contents, execute the idsupdate command, then use crontab -e to add back in the original contents.

New Member

Re: IDS sensor automatic update problem

There is a bug in the 3.0 software release that causes the cron file to get wiped clean when idsupdate is run. This will be fixed in the next service pack. Until then, you can work around this problem by manually updating the cron settings using the following steps:

1) Become user root: "su - root"

2) Type "ksh" to start Korn shell

3) Execute "export EDITOR=vi"

4) Execute "crontab -e"

5) Insert the old cron entries listed in your message before the idsupdate entry (one per line)

6) Save and exit

If you need to change your idsupdate settings before the bug is fixed, you can modify the idsupdate line manually by changing the first (minutes) and second (hour) fields to meet your needs.
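The workaround described in the replies above (save the crontab, run the command that replaces it, put the lost entries back), as an added shell example that is not Cisco's code and not part of any post. The function names are hypothetical, and it assumes a POSIX shell with awk and mktemp; the sample data is the crontab listing quoted in the first post.

```shell
#!/bin/sh
# Added example (not Cisco code): keep existing cron entries when a tool
# replaces the whole crontab, as idsupdate does in this thread.

# lost_entries BEFORE AFTER: print entries in BEFORE that are absent from AFTER.
lost_entries() {
    awk 'FILENAME == ARGV[1] { kept[$0] = 1; next }
         NF && !($0 in kept)' "$2" "$1"
}

# merge_crontab BEFORE AFTER: original entries first, then entries that only
# AFTER has; blank lines and exact duplicates are dropped.
merge_crontab() {
    awk 'NF && !seen[$0]++' "$1" "$2"
}

# run_preserving_crontab CMD [ARGS...]: snapshot the crontab, run CMD, and
# reinstall the merged table only if CMD dropped something.
run_preserving_crontab() {
    work=$(mktemp -d) || return 1          # private (0700) scratch directory
    crontab -l > "$work/before" 2>/dev/null || : > "$work/before"
    rc=0
    "$@" || rc=$?
    crontab -l > "$work/after" 2>/dev/null || : > "$work/after"
    if [ -n "$(lost_entries "$work/before" "$work/after")" ]; then
        merge_crontab "$work/before" "$work/after" > "$work/merged"
        crontab "$work/merged"
    fi
    rm -rf "$work"
    return "$rc"
}

# Offline demonstration on the listings quoted in the first post.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/before" <<'EOF'
10 3 * * 0,4 /etc/cron.d/logchecker
10 3 * * 0 /usr/lib/newsyslog
15 3 * * 0 /usr/lib/fs/nfs/nfsfind
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
EOF
    echo '00 23 * * 0 /usr/nr/var/idsupdate.sh' > "$d/after"
    merge_crontab "$d/before" "$d/after"
    rm -rf "$d"
}

demo   # prints the merged table; touches only temporary files
```

Only `run_preserving_crontab` reads or writes the real crontab, and it has to run as the user whose crontab the wrapped command modifies.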

New Member

Re: IDS sensor automatic update problem

Hi thanks for the info. I still can't get the auto-update going. Hope you can help again. Also, is there a database for common problems that I can check into? Thanks.

1) the idsapply seems to start 1 minute (instead of 20 minutes) after the initial schedule and before the service pack is completely downloaded?

I am getting messages:

... No end line

... tar: read error: unexpected EOF ...

2) the downloaded file is owned by root/other and has the setuid and setgid bits set. When it is executed from root, I got:

... No begin line

... /usr/nr/202-update/SENSP.tar.Z: No such file or directory

3) If the s-bits are manually replaced with x's, it executes properly.

Cisco Employee

Re: IDS sensor automatic update problem

Can't fully understand what you are saying.

When you say:

"1) the idsapply seems to start 1 minute (instead of 20 minutes) after the initial schedule and before the service pack is completely downloaded?"

Why are you expecting the idsapply to start 20 minutes later?

The errors:

"... No end line

... tar: read error: unexpected EOF ..."

What is generating these errors? We've seen these errors when the file downloaded from CCO was corrupted (i.e. the download from CCO to your ftp server was incomplete). Are you saying that the download from your ftp server to the sensor by idsapply didn't complete?

I hadn't seen the situation you describe in 2 and 3. I will take a look at it tomorrow in our lab to try and recreate what you are seeing.

New Member

Re: IDS sensor automatic update problem

ok, I will try again.

The following is executed from root on the sensor. The update file is located in the ids director /usr/nr/var/nr_patches/sensor.

The idsupdate command:

./idsupdate netrangr@111.222.33.44/var/nr_patches/sensor passwd 5 18:19

1) I was expecting the idsapply to start 20 mins later because:

a) the idsupdate.txt shows that an at job was scheduled to start 20 mins later.

b) the sensor cfg example p.35 also indicates that the updater reschedules itself to run 20 mins later after the update files are downloaded.

(we have a slow connection in the lab, so the download takes 3-5 mins.)

--Cron job list:

19 18 * * 5 /usr/nr/var/idsupdate.sh#

-- Content of idsupdate.at (18:19)

/usr/nr//bin/idsapply netrangr 111.222.33.44 var/nr_patches/sensor passwd /usr/nr/ 3.0-1-8 >>/usr/nr//var/idsupdate.txt 2>>/usr/nr//var/idsupdate.txt

--Content of idsupdate.txt at 18:19:

commands will be executed using /usr/bin/sh

job 1003534746.a at Fri Oct 19 18:39:06 2001

--Content of idsupdate.txt at 18:20:

commands will be executed using /usr/bin/sh

job 1003534746.a at Fri Oct 19 18:39:06 2001

Invalid character (0x0) on line 24013

No end line

tar: read error: unexpected EOF

chmod: WARNING: can't access ./SENSP/install/ids-patchinstall

/tmp/IDSk9-sp-3.0-2-S9.bin[47]: ./SENSP/install/ids-patchinstall: not found

--Download file (completed at 18:23)

-rwsrwsrwx 1 root other 6179705 Oct 19 18:23 IDSk9-sp-3.0-2-S9.bin*

2) It looks like the error was generated by the idsapply, before the download completes??

3) at 18:39, the following line was appended to the idsupdate.txt. There were no further updates (for 1 hr). The euid/egid is the id of netrangr.

Idsapply: executing as euid [100] egid [100]

Pls let me know if you need additional info. Thanks for your help.

Cisco Employee

Re: IDS sensor automatic update problem

The idsupdate will create a crontab entry for the running of the idsupdate.sh script.

When idsupdate.sh runs a new entry is created with the at command to run the file again 20 minutes later. It does this because there may be two files that need to be installed.

The first time it runs it looks for a new service pack. The second time it runs (20 minutes later) it looks for the signature update.

I agree that it looks like the script tried running the install before the file was downloaded. My best guess is that our idsapply program is timing out during the ftp download and trying to execute the file. I will pass this information on to a developer to look at. My guess is this will likely be a DDTS Issue which we will have to fix in a future service pack.

Cisco Employee

Re: IDS sensor automatic update problem

I can try to assist....

Idsupdate in schedule mode does not execute idsapply or perform downloads; it just schedules idsapply to run at the specified time. Check the contents of idsupdate.sh, it should contain something like this:

/usr/nr/bin/idsapply netrangr (ip) (path) (password) /usr/nr/ >>/usr/nr/var/idsupdate.txt 2>>/usr/nr/var/idsupdate.txt

In your example, idsapply will run at 18:19. First it will try to find a valid update file on the ftp server. If a file is found, idsapply schedules itself to run 20 minutes later as an at job, downloads the update file, and execs the update file.

Note: This applies to IDS Sensor appliances only; IDSM (Catalyst 6000 IDS blades) do not reschedule to run 20 minutes later.

Idsapply performs the file download by invoking another NetRanger program, sapx_main. This program should not return until the download is complete (or fails), and should accurately report the download status.

We can try to get more information about what is happening when idsapply runs. I will investigate and post later on this board, or you can email me directly at stleary@cisco.com.

New Member

Re: IDS sensor automatic update problem

stleary,

Have you been able to track down what happens when idsapply runs?

If I try to run idsupdate without specifying a time, b/c I want the update to go right now, it ultimately fails with an error. I've included what I type below to produce this problem:

netrangr@sensor2:/

>idsupdate netrangr@172.30.4.12/upgrd emad

Executing this cmd line: [/usr/nr/bin/idsapply netrangr 172.30.4.12 upgrd emad /usr/nr/]

commands will be executed using /bin/ksh

job 1008627845.a at Mon Dec 17 17:24:05 2001

idsapply results: [Idsapply: executing as euid [100] egid [100]

ids-prepatch: ERROR!!! This script must be run as root.

What is actually happening when it throws this error? Is there something wrong with my syntax or is there a bug in the version of code I'm using, 3.0(1)S4? Is there a solution?

Thanks.

Cisco Employee

Re: IDS sensor automatic update problem

You are running the idsupdate command as user netrangr when it needs to be run as user root.

If you look at step 3 from the Config Note you'll see it tells you to login as root to execute the command:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/12216_02.htm#xtocid1115844

New Member

Re: IDS sensor automatic update problem

marcabal,

thanks for setting me straight. i got it to run as root. i guess that's what i get for trying to use the configuration documentation from july 2001 that comes with new sensors these days instead of the corrected version from august 2001.

happy holidays,

jballay
