The statement that "IDS signatures are cumulative" is, as a whole, is correct. Unfortunately, there is a caveat that should be relayed.

Signature updates are only cumulative back to the last Service Pack release. For example, you can apply S142 update to any applicable Cisco IDS appliance, but only if it is has S91 installed.

From the S142 readme file:

"The IDS-sig-4.1-4-S142.rpm.pkg signature update can be applied to

version 4.1(4) sensors as follows:

You can only apply this signature update to IDS-42xx Cisco Intrusion

Detection System (IDS) sensors, the WS-SVC-IDSM2 series Intrusion

Detection System Module (IDSM2), and the NM-CIDS series Intrusion

Detection Network Module.

It is not compatible with the NRS-xx series Intrusion Detection System

(IDS) sensors or the WS-X6381-IDS series Intrusion Detection System

Module (IDSM).

The sensor must report the version of sensor as 4.1(4)S91 or later

before you can apply this signature update."

Obviously, this means that you'll have to update with the S91 service pack before applying S142 if the sensor is running something older than S91.

The last Recovery/Upgrade CD that I have from Cisco is S47, so it would be necessary for me to upgrade a sensor built with this CD to S91 first before I could apply the "cumulative" S142 signature update.

I hope this helps,

Alex Arndt

This helps very much so. Sorry, I didn't realize that there was a readme file associated but now that you said that, I checked the IDS and see that it does download the signature and a readme file each time. Thanks for the full explanation.

Justin Loucks

Always glad to help out. =)

Alex