06-09-2010 06:00 AM - edited 03-10-2019 05:01 AM
Hello people,
we have some Cisco IDS 4215 sensors and would like to know whether, when upgrading the signatures, we can remove those released previously or whether the previous ones should not be eliminated.
Following system information from one of these devices.
***
TAC Contact Information
URL:http://www.cisco.com/public/support/tac/home.shtml/
Phone:1 (800) 553-2447
Sensor up-time is 110 days.
Platform: IDS-4215-4FE-K9
Booted Partition: application
Partition: application
Build Version: 6.0(6)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S439.0 2009-09-30
Virus Update V1.4 2007-03-02
Os Version: 2.4.30-IDS-smp-bigphys
Applications
MainApp
N-NUBRA_2009_JUL_15_01_10_6_0_5_57 2009-07-15T01:15:08-0500 ipsbuild
Execution State: running
AnalysisEngine
N-NUBRA_2009_JUL_15_01_10_6_0_5_57 2009-07-15T01:15:08-0500 ipsbuild
Execution State: running
Installed Upgrades
Upgrade name: IPS-K9-6.0-6-E3
Time Installed: 15 Luglio 2009 18.48.06
Upgrade name: IPS-sig-S439-req-E3.pkg
Time Installed: 6 Ottobre 2009 13.07.55
Next Downgrade:
Partition: recovery
Build Version: 1.1 - 6.0(6)E3
PEP Udi Chassis
description IPS 4215 Appliance Sensor
pid IDS-4215-4FE-K9
vid V01
sn 88808513168
Memory usage
usedBytes=377655296
freeBytes=132685824
totalBytes=510341120
Disk usage
application-data is using 33.2M out of 166.8M bytes of available disk space (21% usage)
boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
application-log is using 529.5M out of 2.8G bytes of available disk space (20% usage)
***
Many Thanks in advance,
Luca
06-09-2010 06:24 AM
Luca;
You will need to upgrade to the E4 analysis engine to continue updating signatures on your sensor. You will also need a valid IPS license installed.
As you are running 6.0(6)E3, you can apply an engine-only update which will not require a reboot of the sensor. You can find the engine-only update here:
The filename is: IPS-engine-E4-req-6.0-6.pkg
You do not need to remove any previous signature updates. The signature development team will retire older signatures as necessary, and you can also retire any signatures that are not necessary in your environment.
Scott
06-09-2010 07:50 AM
Hi Scott,
many thanks for your answer.
We have upgraded the IPS to IPS-engine-E4-req-6.0-6.pkg (upgrade needs to reboot the sensor) and the recovery image to the same version.
I wonder if all signatures should be updated (one currently used) or just apply the last available (S493).
Many Thanks in advance,
Luca
06-09-2010 07:57 AM
Luca;
Signature updates are cumulative, so you can simply apply the S493 update. A caveat though, if you need to make a large move in signature release (say S470 to S493) it is usually more effective to make smaller updates (especially on a low-memory platform like the IDS-4215).
Scott