topic Re: IOS IPS Automatic Signature Update in Network Security

IOS IPS Automatic Signature Update

iotoiotoioto — Sun, 10 Mar 2019 12:05:22 GMT

I will use cisco1941w.

I'd like to know, how to configure at CLI and where is the URL.

Is the bellow correct?

CLI

Router(config)# ip ips auto-update
Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5

Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

Router(config-ips-auto-update)# username XXX password XXX

URL

https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

Re: IOS IPS Automatic Signature Update

Siddharth Chandrachud — Thu, 12 Aug 2010 17:53:53 GMT

Hello,

a. Currently IOS-IPS does not have the functionality to have auto-signature updates from cisco.com like IPS appliances and modules do.

Hence there is no url on cisco.com for auto-signatures updates for IOS-IPS.

b. You can have your own HTTP/TFTP server where you can keep all the IPS signatures downloaded from cisco.com The IOS-IPS can grab files from this server. The configuration you are referring to this part of the configuration where you specify the HTTP/TFTP server address and login credentials.

c. Alternatively, the same configuration can be done by CCP (IOS-IPS configuration is less cumbersome via CCP). Attaching a screenshot.

Sid Chandrachud

TAC Security Solutions

Customer Support Engineer

Re: IOS IPS Automatic Signature Update

iotoiotoioto — Fri, 13 Aug 2010 11:31:26 GMT

Thank you so much, Sid.

I'd like to ask more.

How to set up IOS IPS by CCP.

Does it need signature before configuration?

I'like to configure Automatic-Update(IPS signature) by CCP at leaset. Is it possible?

or can I configure by any other soft without signature?

I can't download CSM. Becase of license.

Re: IOS IPS Automatic Signature Update

Siddharth Chandrachud — Fri, 13 Aug 2010 19:20:12 GMT

1. IOS-IPS is a software feature on IOS. It can be configured on the router via CLI or CCP.

So auto-signature update via cisco.com which is not available for IOS-IPS will not be possible even via CCP.

The screenshot in my last post shows how to setup auto-signature update for IOS-IPS from a tftp server in your network.

You will still have to manually download signatures from cisco.com and put them on the tftp server. The router will simply grab & install the signature file from the tftp server.

2. Configuring IOS-IPS via CCP:

http://tools.cisco.com/squish/c8f28

3. CCP is free. No license needed. You can download CCP as long as you have valid cisco.com username and password.

Download link for CCP:

http://tools.cisco.com/squish/a2CA0

Sid Chandrachud

TAC Security Solutions

Customer support engineer.

Re: IOS IPS Automatic Signature Update

iotoiotoioto — Sat, 14 Aug 2010 06:14:33 GMT

Thanks again.

Sorry, I made mistake you to question.

Firsttime, I already used CCP, but I couldn't configure anything IPS by CCP.

So I resarched and asked something.

Could I ask you final?

I couldn't configure IOS-IPS by CCP.

I think because of I don't have signature, right?

by the way, I couldn't understand your screenshot, because it's not clear.

best regards

Re: IOS IPS Automatic Signature Update

Siddharth Chandrachud — Sun, 15 Aug 2010 18:37:19 GMT

If you follow the link below step-by-step, then you should be able to configure IOS-IPS via CCP.

http://tools.cisco.com/squish/c8f28

I am not sure why the screenshot attached is not correctly viewable for you.

It only shows the the section on CCP where you configure auto-sig update.

Anyway, the link I mentioned has appropriate screenshots for CCP configuration of IOS-IPS.

- Sid

Re: IOS IPS Automatic Signature Update

info.kise — Tue, 17 Aug 2010 10:52:34 GMT

Hi Sid-san,

I,m sorry interrupt you. I heard from your engineer. He said "IOS-IPS is able to update IPS's signature automatically, if IOS-IPS version is 5.x or later.

http://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/Secconf1_ps10538_TSD_Products_Configuration_Guide_Chapter.html#wp1055483

Pls confirm it and advise me.

Regard,

Kise

Re: IOS IPS Automatic Signature Update

nicolas.bedard — Wed, 18 Aug 2010 13:46:05 GMT

Were experiancing the same challenges with the IOS-auto-update.

We have set up an external FTP server with the latest .PKG. We download it from cisco.com and then rename it to a generic name (ips.pkg). In our router config, we have deployed this config:

ip ips auto-update
occur-at 1 0-23 1-31 0-6
url ftp://172.22.85.29/ips.pkg
username ips password xxxxxxxxx

We have 400 branch routers (1811) that are configured to go get this update once, every hour. At our Head-office we restrict the access with time-based ACL that restrict the update to occurs only at specific time of the day/week. We are doing so because we found out that the mecanism to control the time access on the router is not working well we had to find out a other way to do it.

The big problem is that with this method, the router is downloading a 10 Meg file. When you have 400 branch routers connected centrally, it means 400 routers downloading a 10 meg file at the same time is impacting your network big time and so your FTP server.

With IOS 12.4T, the IOS IPS is creating 6 .XML files from the .PKG file. Those files are named with the hostname of the router and so unsusable for large-scale deployment.

With IOS 15.0M, the IOS IPS is creating 6 .XMZ files, without using the hostname of the router. therefore we could use directly the .XMZ file as our config. the XMZ file are quite small compared to the 10 Meg PKG files and we could use it directly on our FTP server. We could configure only one router to manage our signatures, download the big PKG file to it, update the signatures on it, manage the signatures on it and then pick the .XMZ file and copy it to our central FTP server which will feed all our other routers.

the config would look like this:

ip ips auto-update
occur-at 1 0-23 1-31 0-6
url ftp://172.22.85.29/filename.xmz
username ips password xxxxxxxxx

This could limit the seize of the tranfert and therefore greatly improves the managability of the whole process without having any impact on our WAN links.

My only question. What is the .XMZ or XML file we need to use !! they are 6 of them and the router let us use only one in the configuration ?!!?

I never found any answer on this. Can somebody help me with that !?

Re: IOS IPS Automatic Signature Update

Siddharth Chandrachud — Wed, 18 Aug 2010 16:33:45 GMT

Hello,

A. Hete is what the six files do:

• ios-ips-sigdef-default.xml: contains all the factory default signature definitions

• ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default

• ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions

• ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced

• ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters

• ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions

B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.

Hence to copy signature database of one router to the other, we need to copy atleast first 4 files.

You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration:

We do not have one single file that contains all the signatures. The signature package is installed in a certain way.

Hence we will need atleast first 4 files to copy of signature database from one router to the other.

C. Secondly, I dont know if auto-update will accept a file in .xmz package, I have not tested this.

But I am guessing it will look for a .pkg file and decompress it.

With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.

D. Hence there is no one single configuration file that you copy off the external ftp server.

I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.

It is also not necessary to check for signature updates every hour.

Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.

Sid Chandrachud

TAC Security Solutions

Customer support engineer

Re: IOS IPS Automatic Signature Update

Nicolas Meessen — Fri, 29 Oct 2010 06:40:09 GMT

The following document seems to suggest that signature auto-update from cisco.com is possible

I haven't tested this myself but it looks like the feature is there.