02-26-2004 02:12 PM - edited 03-09-2019 06:34 AM
Are the signatures cumulative?
Does S74 contain all the previous sigs, or do I need to install them all?
Thanks,
Dan
Solved! Go to Solution.
03-05-2004 11:40 AM
Sig updates are cumulative, but may only be applied to sensors with matching major, minor and service pack versions.
4.1(3)S76
4 - major version
.1 - minor version
(3) - service pack version
S76 - Sig version
So, a 4.1(3)S76 sig update package may be directly applied to 4.1(3)S61 sensor without any other updates.
Hope this helps.
I will pass on the suggestion for the readme.
Regards,
Chad
03-05-2004 11:45 AM
So back to our example:
The update is IDS-sig-4.1-3-S76.rpm.pkg. Since it is a "-sig-" update then I look at the other 3 numbers in the version: "4.1-3-" With the "-" converted to either "(" or ")" this winds up being 4.1(3).
I check it against my sensor and 4.1(3) does not match the 4.0(2) on my sensor.
So I have to go look for a "-sp-" file for 4.1(3).
I find:
IDS-K9-sp-4.1-3-S61.rpm.pkg
Now this one is a "-sp-" file so I need to check the first 2 numbers against my current version.
I find that 4.1 in the update does not match the 4.0 on my sensor so I still need another update.
So I go and look for a "-min-" file that has 4.1.
I find:
IDS-K9-min-4.1-1-S47.rpm.pkg
Since it is a "-min-" I need to check only the first number against my current version.
And finally I find a match 4=4.
-----------------------
4) Step 4 is to install the update now that you know which update to install.
So the IDS-K9-min-4.1-1-S47.rpm.pkg file can be installed directly on top of my 4.0(2)S42 sensor.
When done my sensor is version 4.1(1)S47.
The question is why didn't I have to install the S43, S44, S45, and S46?
This is because a "-min-" file is cumulative of All Minor Updates, Service Packs, and Signature Updates since the last Major Version release.
So a 4.1 "-min-" is cumulative of all the 4.0 updates.
------------------
5) Step 5 is to repeat the process again and again until you finally load the latest file.
Working my way back up I come back to the Service Pack:
IDS-K9-sp-4.1-3-S61.rpm.pkg
Since it is a Service Pack I check to make sure that the 4.1 listed in the update is equal to the 4.1 on my sensor. And it is since my sensor is now at 4.1(1)S47.
So I install IDS-K9-sp-4.1-3-S61.rpm.pkg and my senor is now at version 4.1(3)S61.
Why didn't I have to install the 4.1(2) Service Pack or the other Signature Updates between S47 and S61.
This is because the Service Pack is cumulative of all Other Service Packs and Signature Updates since the Minor Version update.
I go through the steps again:
Now I get back to the latest update:
IDS-sig-4.1-3-S76.rpm.pkg
Since it is a "-sig-" I have to check that 4.1(3) from the update matches my sensor.
And since my sensor is at 4.1(3)S61 we have a match and I can install the file.
I install IDS-sig-4.1-3-S76.rpm.pkg and my sensor is now at the latest version: 4.1(3)S76.
Why didn't I have to install S62-S75. This is because a Signature Update is cumulative of all Signature Updates since the last Service Pack.
Technically the Signature Updates file itself contains all signatures from S1 and even before.
(As do the Minor Version, and Service Pack updates as well).
BUT since it relies on the Service Pack to be installed first, we say that it is cumulative of all signature updates since the last Service Pack.
So IDS-sig-4.1-3-S76.rpm.pkg does contain S61 and earlier signatures. But because it relies on IDS-K9-sp-4.1-3-S61.rpm.pkg having been installed it will only ever add the S62-S76 signatures because S61 and earlier were already on the sensor.
So both statements:
"The Signature Update is cumulative of all Signature Updates since the last Service Pack or Minor Version."
and
"The Signature Update is cumulative of all Signatures"
are both technically correct, but the first is really more descriptive of what the user needs to understand.
02-26-2004 05:39 PM
All signature updates are cumlative. You only need to apply the latest one but remember that you will still have to enable the older signatures.
Hope this helps.
Please remember to rate all replies
02-27-2004 02:12 AM
I don't agree.
This is from Ask the Expert - IDS discussion about the AutoUpdate feature, but explains exactly which updates are necessary (see answer#4 on http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=bookmarks&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.eea3f13/11#selected_message for the whole discussion):
"The easiest approach is to look on CCO for the list of updates in the Latest Software page.
When you look on CCO you will generally see 2 or more links. One of these links is for "Latest software", another link is for "Archives". The additional links are for re-imaging and are only needed when re-imaging of the sensor is necessary.
All of the "Latest" updates needed by a sensor are placed in the "Latest software" page. When an update is no longer needed because it has been included inside a later update, the update is moved from "Latest software" to "Archives".
Sometimes we are a little behind in doing this cleanup, for example S53 to S57 are still in "Latest Software", but are included in S58 so shoudl be moved to "Archives".
However, you will also notice that IDS-K9-min-4.1-1-S47.rpm.pkg is included in this "Latest Software" page and will not be moved to "Archives". This is because it is a minor version file and contains features that are not included as part of the Signature Updates.
You will see that the file has "-min-" in the name instead of the usual "-sig-".
So in general the easiest method is to copy all of the updates from the "Latest Software" link on CCO to you FTP server's directory. The sensor will determine which updates need to be loaded and in what order."
So not all updates are cummulative, the latest one might not be enough.
Regrads,
Milan
03-05-2004 07:13 AM
Even easier is reading the accompanying "README" file that accompanies any Signature / Service Pack update.
Any dependencies are always clearly indicated. Here's an excerpt from the README for IDS-sig-4.1-3-S76 (WARNING - Large post):
03-05-2004 08:30 AM
I think the wording is throwing everyone off. I still say that all signature updates are cumulative. The -min updates are generally Service packs that change the application itself and not usually the signatures. If you tried to apply the lastest sig without the proper service pack the unit will report back that you need IDS-xxx-min.xxx or whatever in order to apply this signature. Even if there was a signature update in the service pack it will be included in the next actual signature update to come out after the service pack update.
Am I mistaken in my posistion?
03-05-2004 09:24 AM
I would agree with you Travis.
The wording is the reason I first posted it, since the README did not explicitly say "contains all previous sigs since S61".
I figure it is cummulative since the file size seems to grow a little bit with each release.
What we need is someone from Cisco to answer, and to have them include a line in the README.
03-05-2004 11:40 AM
Sig updates are cumulative, but may only be applied to sensors with matching major, minor and service pack versions.
4.1(3)S76
4 - major version
.1 - minor version
(3) - service pack version
S76 - Sig version
So, a 4.1(3)S76 sig update package may be directly applied to 4.1(3)S61 sensor without any other updates.
Hope this helps.
I will pass on the suggestion for the readme.
Regards,
Chad
03-05-2004 12:49 PM
Thanks Chad,
That's what I wanted to hear :)
03-05-2004 11:44 AM
Response is broken over 2 posts because of length of the response.
-------------------
I guess the confusion is with the word "cumulative".
The Signature Updates are cumulative, BUT they DO require the prior Service Pack and/or Minor Release.
It is easiest to explain with an example and some rules.
The following files are available on CCO:
IDS-K9-min-4.1-1-S47.rpm.pkg
IDS-sig-4.1-1-S49.rpm.pkg
IDS-K9-sp-4.1-2-S58.rpm.pkg
IDS-sig-4.1-2-S60.rpm.pkg
IDS-K9-sp-4.1-3-S61.rpm.pkg
IDS-sig-4.1-3-S74.rpm.pkg
IDS-sig-4.1-3-S76.rpm.pkg
(Along with several others in either the Latest link or the Archives link for 4.x sensors)
So how does a user running an old version 4.0(2)S42 version know what to install to get to the latest version?
Follow these steps:
-----------------------------
1) find the most recent update (the one with the highest S level):
As of 3/5/04 that would be IDS-sig-4.1-3-S76.rpm.pkg with an S level of 76.
------------------------------
2) Check the file type to determine if it is a Minor Update, a Service Pack, or a Signature Update.
NOTE: Even Minor Updates, and Service Packs contain within them a new signature update level so check the file type.
IDS-sig-4.1-3-S76.rpm.pkg is a Signature Update.
How do you know? Because of the "-sig-" in the name.
If the name had a "-sp-" in the name then it would have been a Service Pack.
If the name had a "-min-" in the name then it would have been a Minor Update.
NOTE: Occasionally you will also see the following filename conventions:
"-r-" for re-imaging of the recovery partition on appliance sensors.
"-a-" for re-imaging of the application partition on IDS modules.
"-m-" or "-mp-" for re-imaging of the maintenance partition on the IDSM-2.
"-helper-" for re-imaging on the NM-CIDS.
-------------------------------
3) Now you need to determine whether or not you can install this latest file or if you need another update first.
The sensor version is composed of 4 levels:
If the update type is "-sig-" (a Signature Update) then the rule is that the
If it doesn't then look for the previous Service Pack if
If the update type is "-sp-" (a Service Pack) then the rule is that the
If it doesn't then look for the previous Minor Version update.
If the update type is "-min-" (a Minor Version) then the rule is that the
If it doesn't then look for the previous Major Version update.
(NOTE: in the case of a 4.1 Minor update, it would require 4.0 which requires a system re-image rather than a simple update. But future Major Version updates may be available as "-maj-" files.)
03-05-2004 11:45 AM
So back to our example:
The update is IDS-sig-4.1-3-S76.rpm.pkg. Since it is a "-sig-" update then I look at the other 3 numbers in the version: "4.1-3-" With the "-" converted to either "(" or ")" this winds up being 4.1(3).
I check it against my sensor and 4.1(3) does not match the 4.0(2) on my sensor.
So I have to go look for a "-sp-" file for 4.1(3).
I find:
IDS-K9-sp-4.1-3-S61.rpm.pkg
Now this one is a "-sp-" file so I need to check the first 2 numbers against my current version.
I find that 4.1 in the update does not match the 4.0 on my sensor so I still need another update.
So I go and look for a "-min-" file that has 4.1.
I find:
IDS-K9-min-4.1-1-S47.rpm.pkg
Since it is a "-min-" I need to check only the first number against my current version.
And finally I find a match 4=4.
-----------------------
4) Step 4 is to install the update now that you know which update to install.
So the IDS-K9-min-4.1-1-S47.rpm.pkg file can be installed directly on top of my 4.0(2)S42 sensor.
When done my sensor is version 4.1(1)S47.
The question is why didn't I have to install the S43, S44, S45, and S46?
This is because a "-min-" file is cumulative of All Minor Updates, Service Packs, and Signature Updates since the last Major Version release.
So a 4.1 "-min-" is cumulative of all the 4.0 updates.
------------------
5) Step 5 is to repeat the process again and again until you finally load the latest file.
Working my way back up I come back to the Service Pack:
IDS-K9-sp-4.1-3-S61.rpm.pkg
Since it is a Service Pack I check to make sure that the 4.1 listed in the update is equal to the 4.1 on my sensor. And it is since my sensor is now at 4.1(1)S47.
So I install IDS-K9-sp-4.1-3-S61.rpm.pkg and my senor is now at version 4.1(3)S61.
Why didn't I have to install the 4.1(2) Service Pack or the other Signature Updates between S47 and S61.
This is because the Service Pack is cumulative of all Other Service Packs and Signature Updates since the Minor Version update.
I go through the steps again:
Now I get back to the latest update:
IDS-sig-4.1-3-S76.rpm.pkg
Since it is a "-sig-" I have to check that 4.1(3) from the update matches my sensor.
And since my sensor is at 4.1(3)S61 we have a match and I can install the file.
I install IDS-sig-4.1-3-S76.rpm.pkg and my sensor is now at the latest version: 4.1(3)S76.
Why didn't I have to install S62-S75. This is because a Signature Update is cumulative of all Signature Updates since the last Service Pack.
Technically the Signature Updates file itself contains all signatures from S1 and even before.
(As do the Minor Version, and Service Pack updates as well).
BUT since it relies on the Service Pack to be installed first, we say that it is cumulative of all signature updates since the last Service Pack.
So IDS-sig-4.1-3-S76.rpm.pkg does contain S61 and earlier signatures. But because it relies on IDS-K9-sp-4.1-3-S61.rpm.pkg having been installed it will only ever add the S62-S76 signatures because S61 and earlier were already on the sensor.
So both statements:
"The Signature Update is cumulative of all Signature Updates since the last Service Pack or Minor Version."
and
"The Signature Update is cumulative of all Signatures"
are both technically correct, but the first is really more descriptive of what the user needs to understand.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: