I don't agree.

This is from Ask the Expert - IDS discussion about the AutoUpdate feature, but explains exactly which updates are necessary (see answer#4 on http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=bookmarks&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.eea3f13/11#selected_message for the whole discussion):

"The easiest approach is to look on CCO for the list of updates in the Latest Software page.

When you look on CCO you will generally see 2 or more links. One of these links is for "Latest software", another link is for "Archives". The additional links are for re-imaging and are only needed when re-imaging of the sensor is necessary.

All of the "Latest" updates needed by a sensor are placed in the "Latest software" page. When an update is no longer needed because it has been included inside a later update, the update is moved from "Latest software" to "Archives".

Sometimes we are a little behind in doing this cleanup, for example S53 to S57 are still in "Latest Software", but are included in S58 so shoudl be moved to "Archives".

However, you will also notice that IDS-K9-min-4.1-1-S47.rpm.pkg is included in this "Latest Software" page and will not be moved to "Archives". This is because it is a minor version file and contains features that are not included as part of the Signature Updates.

You will see that the file has "-min-" in the name instead of the usual "-sig-".

So in general the easiest method is to copy all of the updates from the "Latest Software" link on CCO to you FTP server's directory. The sensor will determine which updates need to be loaded and in what order."

So not all updates are cummulative, the latest one might not be enough.

Regrads,

Milan

Even easier is reading the accompanying "README" file that accompanies any Signature / Service Pack update.

Any dependencies are always clearly indicated. Here's an excerpt from the “README” for IDS-sig-4.1-3-S76 (WARNING - Large post):

4.1 SENSOR SIGNATURE UPDATE INSTRUCTIONS

- TARGET PLATFORMS AND REQUIRED VERSIONS

- INSTALLATION

- UNINSTALLATION

- CAVEATS

4.1 SENSOR SIGNATURE UPDATE INSTRUCTIONS

TARGET PLATFORMS AND REQUIRED VERSIONS

The IDS-sig-4.1-3-S76.rpm.pkg signature update can be applied to version

4.1(3) sensors as follows:

You can only apply this signature update to IDS-42xx Cisco Intrusion

Detection System (IDS) sensors, the WS-SVC-IDSM2 series Intrusion

Detection System Module (IDSM2), and the NM-CIDS series Intrusion

Detection Network Module.

It is not compatible with the NRS-xx series Intrusion Detection System

(IDS) sensors or the WS-X6381-IDS series Intrusion Detection System

Module (IDSM).

The sensor must report the version of sensor as 4.1(3)S61 or later

before you can apply this signature update. To determine the current

sensor version, log in to CLI and type the following command at the

prompt:

show version

Version 4.1(1)S47 to 4.1(2)S60 sensors must first be updated with the

4.1(3)S61 Service Pack before applying the 4.1(3)S76 Signature Update.

Install the following binary:

IDS-K9-sp-4.1-3-S61.rpm.pkg

Version 3.x and earlier sensors must first be upgraded to 4.1(1)S47

using the IDS Version 4.1 Recovery/Upgrade CD or the 4.0 Recover/Upgrade

CD and the IDS-K9-min-4.1-1-S47.rpm.pkg minor update package and then

upgraded with the 4.1(3)S61 Service Pack before applying the 4.1(3)S76

Signature Update. The Recovery/Upgrade CD and minor upgrade packages

are available free to customers with active SMARTnet maintenance

contracts at the following urls:

Recovery CD: http://tools.cisco.com/gct/Upgrade/jsp/index.jsp

Minor Update Package: http://www.cisco.com/cgi-bin/tablebuild.pl/ids4

Refer to the Quick Start Guide for the Cisco Intrusion Detection System

Version 4.0 for instructions on upgrading version 3.x IDS-42xx sensors:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/15282_01.htm

IMHO, this covers all probably upgrade scenarios and tells you exactly what files you’ll need and where to get them should your sensor not be at the required minimum for the update.

My two cents...

Alex

I think the wording is throwing everyone off. I still say that all signature updates are cumulative. The -min updates are generally Service packs that change the application itself and not usually the signatures. If you tried to apply the lastest sig without the proper service pack the unit will report back that you need IDS-xxx-min.xxx or whatever in order to apply this signature. Even if there was a signature update in the service pack it will be included in the next actual signature update to come out after the service pack update.

Am I mistaken in my posistion?

I would agree with you Travis.

The wording is the reason I first posted it, since the README did not explicitly say "contains all previous sigs since S61".

I figure it is cummulative since the file size seems to grow a little bit with each release.

What we need is someone from Cisco to answer, and to have them include a line in the README.

Thanks Chad,

That's what I wanted to hear :)

Response is broken over 2 posts because of length of the response.

-------------------

I guess the confusion is with the word "cumulative".

The Signature Updates are cumulative, BUT they DO require the prior Service Pack and/or Minor Release.

It is easiest to explain with an example and some rules.

The following files are available on CCO:

IDS-K9-min-4.1-1-S47.rpm.pkg

IDS-sig-4.1-1-S49.rpm.pkg

IDS-K9-sp-4.1-2-S58.rpm.pkg

IDS-sig-4.1-2-S60.rpm.pkg

IDS-K9-sp-4.1-3-S61.rpm.pkg

IDS-sig-4.1-3-S74.rpm.pkg

IDS-sig-4.1-3-S76.rpm.pkg

(Along with several others in either the Latest link or the Archives link for 4.x sensors)

So how does a user running an old version 4.0(2)S42 version know what to install to get to the latest version?

Follow these steps:

-----------------------------

1) find the most recent update (the one with the highest S level):

As of 3/5/04 that would be IDS-sig-4.1-3-S76.rpm.pkg with an S level of 76.

------------------------------

2) Check the file type to determine if it is a Minor Update, a Service Pack, or a Signature Update.

NOTE: Even Minor Updates, and Service Packs contain within them a new signature update level so check the file type.

IDS-sig-4.1-3-S76.rpm.pkg is a Signature Update.

How do you know? Because of the "-sig-" in the name.

If the name had a "-sp-" in the name then it would have been a Service Pack.

If the name had a "-min-" in the name then it would have been a Minor Update.

NOTE: Occasionally you will also see the following filename conventions:

"-r-" for re-imaging of the recovery partition on appliance sensors.

"-a-" for re-imaging of the application partition on IDS modules.

"-m-" or "-mp-" for re-imaging of the maintenance partition on the IDSM-2.

"-helper-" for re-imaging on the NM-CIDS.

-------------------------------

3) Now you need to determine whether or not you can install this latest file or if you need another update first.

The sensor version is composed of 4 levels:

.()S

If the update type is "-sig-" (a Signature Update) then the rule is that the in the update must be higher than the currently on your sensor, AND the .() in the update must match EXACTLY the .() already on your sensor.

If it doesn't then look for the previous Service Pack if in the update is 2 or higher, or look for the previous Minor Version if it equals 1.

If the update type is "-sp-" (a Service Pack) then the rule is that the in the update must be higher than the currently on your sensor, AND the . in the update must match EXACTLY the . already on your sensor.

If it doesn't then look for the previous Minor Version update.

If the update type is "-min-" (a Minor Version) then the rule is that the in the update must be higher than the currently on your sensor, AND the in the update must match EXACTLY the already on your sensor.

If it doesn't then look for the previous Major Version update.

(NOTE: in the case of a 4.1 Minor update, it would require 4.0 which requires a system re-image rather than a simple update. But future Major Version updates may be available as "-maj-" files.)