SCP updates

emusican
Level 1

I'm having trouble upgrading a signature version on my 2635 sensor using scp. Does anyone know the exact command I need to use? I've done a bit of hunting, but none of the things I've tried works. I'm trying to upgrade using scp with the file being on my CW server.

12 Replies

jamesand
Cisco Employee

Here is an example (make sure to set up ssh keys):

>conf t

>ssh host 10.20.30.40

>upgrade scp://user@10.20.30.40//tmp/IDS-K9-sp-4.0-1-S29-.rpm.pkg

I tried that command. It always comes back with the error:

Error: download file does not exist: /usr/cids/idsRoot/var/updates/IDS-K9-min-4.1-1-S47.rpm.pkg

This error usually occurs when there is a failure in the download and the sensor did not detect a specific error from the scp client/server.

We coded our sensor to detect many of the common forms of error messages, but it doesn't detect all possible errors. So if the sensor saw an error it didn't understand as an error it assumes the file was downloaded and looks for it on the sensor. When it sees it is not on the sensor it generates the error you are seeing.

Things to try:

1) Verify what directory the file is in on your scp server. If the file is in a directory relative to the home directory of the username you are using then place only a single / between the ip address and the directory where the file exists.

If, however, the file is in a directory relative to the root directory of the system then you need to use 2 /s between the ip address and the directory where the file exists.

For example a user joeuser has a home directory /home/joeuser. Joe puts the update in the /home/joeuser/updates directory on his scp server 10.1.1.1. You see that the updates directory is a subdirectory of his own home directory.

So he issues the command:

upgrade scp://joeuser@10.1.1.1/updates/IDS-K9-sp-4.0-1-S29-.rpm.pkg

If he instead had placed the update in the /tmp directory on his scp server then he would have needed to use 2 /s because the /tmp is not a subdirectory of his home directory.

upgrade scp://joeuser@10.1.1.1//tmp/IDS-K9-sp-4.0-1-S29-.rpm.pkg

NOTE: Notice the 2 /s between .1 and tmp

2) If the above is not the cause then try the following:

a) create a service account if you don't already have one

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/hwchap9.htm#587923

b) login with the username for the service account

c) Now execute an scp to copy the file to the service account's home directory and look for any errors from the scp server or scp client:

scp joeuser@10.1.1.1:/tmp/IDS-K9-sp-4.0-1-S29-.rpm.pkg .

NOTE: The scp command in service account does NOT need the / for subdirectories of the user's home directory and uses only a single / for directories relative to the root directory unlike in the upgrade command.
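
The slash rule from the reply above, as an added example that is not part of the original thread and not Cisco's code: two shell functions that turn an absolute file path on the scp server plus the login's home directory into the `upgrade` URL and the plain `scp` source. The function names are hypothetical; the sample values are the ones used in the reply.

```shell
#!/bin/sh
# Added example. Inputs: login name, scp server address, the login's home
# directory on that server, and the absolute path of the update file there.

# upgrade_url USER HOST HOME ABS_PATH -> argument for the sensor's "upgrade" command
upgrade_url() {
    user=$1 host=$2 home=${3%/} path=$4
    case $path in
        /*) ;;
        *)  echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    case $path in
        "$home"/*)
            # Under the home directory: one slash, then the path relative to home.
            printf 'scp://%s@%s/%s\n' "$user" "$host" "${path#"$home"/}" ;;
        *)
            # Anywhere else: separator slash plus the absolute path's own
            # leading slash gives the double slash.
            printf 'scp://%s@%s/%s\n' "$user" "$host" "$path" ;;
    esac
}

# scp_source USER HOST HOME ABS_PATH -> source argument for scp in the service account
scp_source() {
    user=$1 host=$2 home=${3%/} path=$4
    case $path in
        "$home"/*) printf '%s@%s:%s\n' "$user" "$host" "${path#"$home"/}" ;;  # no leading slash
        /*)        printf '%s@%s:%s\n' "$user" "$host" "$path" ;;             # single slash
        *)         echo "path must be absolute: $path" >&2; return 1 ;;
    esac
}

# The two cases from the reply: a file under joeuser's home, and a file in /tmp.
pkg=IDS-K9-sp-4.0-1-S29-.rpm.pkg
for p in "/home/joeuser/updates/$pkg" "/tmp/$pkg"; do
    echo "upgrade $(upgrade_url joeuser 10.1.1.1 /home/joeuser "$p")"
    echo "scp $(scp_source joeuser 10.1.1.1 /home/joeuser "$p") ."
done
```

A path such as /home/joeuser2/... only shares a prefix with the home directory, so it is treated as outside it and gets the double slash.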

The commands that I've used are correct, as you have shown me, however I am picking up another problem. I think I have an ssh authentication problem between the Linux sensor and my Solaris server. When I do just a regular scp from the sensor to my server (not the upgrade), I get a:

ssh_exchange_identification: Connection closed by foreign host

I'm thinking that the known_hosts on the Solaris server wasn't updated, possibly, but I'm not certain.

Try removing the info for your server from the known_hosts file on the sensor. Log in as service. cd to the /usr/cids/.ssh directory. vi the known_hosts file. Look for the line beginning with the ip of the server. Delete the line. Save the file. Then log in as cisco and, using the cli (conf t -> ssh known-hosts [ip address]), re-establish the host.

Ok, I found that the known_hosts file on the sensor was empty, so I went into the cli and tried to add the ip address and it came back with this error:

Error: Invalid remote version string

Not sure what this error is. I'm using Solaris 8 on my server so the ssh should be up to date and compatible with a 4.1 sensor.

Is your Solaris machine running TCP Wrappers?

If so you will need to Allow the sensor's IP Address to connect to your Solaris machine.

We initially installed TCP wrappers on the server, however we found out that it was interfering with the event viewer, so we disabled it by commenting out the ALL:ALL in the hosts.deny file. Thus, TCP Wrappers should be totally disabled, right?

Not totally, make sure the ALL:ALL line is uncommented in the /etc/hosts.allow file.

Ok, figured out the problem. There is no sshd service running on the server.

Anyone know where I can get a copy of sshd for Solaris 8? Why isn't sshd installed in the base load?

Solaris does not distribute a secure shell package in its operating system for various reasons which I won't speculate about here.

The good news is that everything you need is available for you to do this yourself. It will require a bit of determination on your part, and obviously we cannot go into every detail in this forum; however, this should get you going.

Download three open source releases:

zlib-1.1.4 -- http://www.gzip.org/zlib

openssl-0.9.7c -- http://www.openssl.org

openssh-3.7.1p2 -- http://www.openssh.com

For each release: download the source code, check its integrity, untar, read the README or INSTALL instructions, build and install.

All but the "install" step can be performed as an ordinary user on the system. The install should be performed as the root user.

Once installed, you can start the secure shell server using a script distributed in the openssh release (in the contrib/solaris directory) called opensshd. The normal way to start the server is to put the opensshd script into the /etc/init.d and create symbolic links to it from the /etc/rc2.d and/or /etc/rc3.d directories.

If the building process becomes too daunting, you might try to locate an already-compiled package for your operating system. I recommend the following site for pre-built Solaris packages:

http://www.sunfreeware.com

Good luck!

Thanks for the help! I was able to install and build those programs and now I have the ssh server going well.

The daemon was sshd, not opensshd.

Appreciate the help,

Eric