Upgrading IDSM2 4.1 to 5.01

jpoudereux
Level 1

I'm trying to update my IDSM2 sensor version 4.1(4)S172 to IPS 5.0. I've already downloaded the appropriate file, the 5.0(1)S149 major update. But when I enter the commands to upgrade the sensor version, it says:

# upgrade ftp://<my ftp ip>/IPS-K9-maj-5.0-1-S149.rpm.pkg

User: <my user name>

Password: *****

Warning: Executing this command will apply a major version upgrade to the application partition. The system may be rebooted to complete the upgrade.

Continue with upgrade? : yes

Broadcast message from root (Wed Jun 15 17:13:44 2005):

Applying update IPS-K9-maj-5.0-1-S149.

Shutting down all CIDS processes. All connections will be terminated.

The system will be rebooted upon completion of the update.

Broadcast message from root (Wed Jun 15 17:14:03 2005):

Error converting config. Install aborted.

Error: Exception Error: -Commit current config-: Validate error for the component "signatureDefinition" and the instance "sig0"

/signatures/[sig-id=2157,subsig-id=0]/engine/ -- the union does not have a member selected

/signatures/[sig-id=2157,subsig-id=1]/engine/ -- the union does not have a member selected

/signatures/[sig-id=2157,subsig-id=2]/engine/ -- the union does not have a member selected

/signatures/[sig-id=3137,subsig-id=3]/engine/ -- the union does not have a member selected

/signatures/[sig-id=3180,subsig-id=0]/engine/ -- the union does not have a member selected

/signatures/[sig-id=3180,subsig-id=1]/engine/string-tcp/regex-string/ -- the value is empty and has no default

/signatures/[sig-id=3180,subsig-id=1]/engine/string-tcp/service-ports/ -- the value is empty and has no default

/signatures/[sig-id=3314,subsig-id=2]/engine/ -- the union does not have a member selected

/signatures/[sig-id=3328,subsig-id=2]/engine/string-tcp/regex-string/ -- the value is empty and has no default

/signatures/[sig-id=3328,subsig-id=2]/engine/string-tcp/service-ports/ -- the value is empty and has no default

/signatures/[sig-id=3334,subsig-id=1]/engine/ -- the union does not have a member selected

/signatures/[sig-id=3338,subsig-id=1]/engine/string-tcp/regex-string/ -- the value is empty and has no default

/signatures/[sig-id=3338,subsig-id=1]/engine/string-tcp/service-ports/ -- the value is empty and has no default

/signatures/[sig-id=3345,subsig-id=0]/engine/ -- the union does not have a member selected

/signatures/[sig-id=3346,subsig-id=0]/engine/ -- the union does not have a member selected

/signatures/[sig-id=3347,subsig-id=0]/engine/ -- the union does not have a member selected

/signatures/[sig-id=3347,subsig-id=1]/engine/ -- the union does not have a member selected

.............

Does anyone know why this is happening?

Thank you very much.


marcabal
Cisco Employee

When a 4.1 signature update is installed that is higher than S149 there is a corresponding v5 signature tar file also installed on the sensor.

During the upgrade from version 4.1 to 5.0 the conversion script opens up this version 5 signature tar file to do the conversion and also install the latest v5 sig update during the 5.0 upgrade.

These errors are typically seen when that v5 signature tar file is not properly updated during the 4.1 signature update.

Resolution:

If I have correctly diagnosed the issue, then installing a newer signature update generally resolves the issue.

Since you are currently at S172, go ahead and upgrade to S173; and then try the 5.0 upgrade.

NOTE: Be sure that the S173 update installation is fully completed. Do not reboot or stop and start the sensor during installation, as this can corrupt the v5 signature tar file.

If you upgrade to S173 and still can not upgrade to 5.0, then please repost with the associated errors.

In addition create a service account on the sensor and do the following:

Login as the service account

cd /usr/cids/idsRoot/var/updates

ls -lR

Then paste the ls -lR output in the response as well.

First of all, thanks for your attention.

I have updated to signature S175 (maybe I shouldn't have updated directly to that signature) and it still gives me that error message. And I actually think you are right, marcabal, because with this update I get the message for more signatures than before (e.g., signature 2001 subsignature 1, which comes with S175). I downgraded again to S172 and get no error from signature 2001. So I think it would be solved if I could downgrade to signature S149. But I think I can't downgrade to this signature.

Here I paste the command you suggested:

$ pwd

/usr/cids/idsRoot/var/updates

bash-2.05a$ ls -lR

.:

total 43784

drwxrwxr-x 2 cids cids 4096 Jun 16 10:49 50sig

-rwxr-x--- 1 cids cids 14107 Apr 8 10:43 IDS-K9-patch-4.1-4g.rpm.pkg

-rwxr-x--- 1 cids cids 12641 Apr 27 10:38 IDS-sig-4.1-4-S160.rpm.pkg

-rwxr-x--- 1 cids cids 12641 May 6 13:47 IDS-sig-4.1-4-S162.rpm.pkg

-rwxr-x--- 1 cids cids 12641 May 12 12:49 IDS-sig-4.1-4-S166.rpm.pkg

-rwxr-x--- 1 cids cids 12641 May 31 15:39 IDS-sig-4.1-4-S168.rpm.pkg

-rwxr-x--- 1 cids cids 12641 Jun 1 10:51 IDS-sig-4.1-4-S172.rpm.pkg

-rwxr-x--- 1 cids cids 12641 Jun 8 17:13 IDS-sig-4.1-4-S174.rpm.pkg

-rwxr-x--- 1 cids cids 12641 Jun 15 18:03 IDS-sig-4.1-4-S175.rpm.pkg

-rw-rw-rw- 1 cids cids 32139612 Jun 16 12:16 IPS-K9-maj-5.0-1-S149.rpm

drwxrwxr-x 2 cids cids 4096 Jun 16 12:10 backups

-rw-rw-rw- 1 cids cids 12484018 Jun 15 11:23 c6svc-mp.2-1-2.bin.gz

drwxrwxr-x 4 cids cids 4096 Jun 15 18:03 files

drwxrwxr-x 2 cids cids 4096 Jun 16 12:16 logs

-rwxrwxr-x 1 cids cids 108 Jun 16 12:10 package

drwxrwxr-x 2 cids cids 4096 Jun 16 12:16 scripts

./50sig:

total 0

./backups:

total 2128

-rwxrwxr-x 1 cids cids 2166957 Jun 1 10:53 defVirtualSensorConfig.xml

-rwxr-xr-x 1 cids cids 108 Jun 15 18:03 package

./files:

total 12

drwxrwxr-x 2 cids cids 4096 Jun 15 18:03 S69

drwxrwxr-x 2 cids cids 4096 Jun 16 12:09 common

-rwxrwxr-x 1 cids cids 169 Jun 11 02:14 file_list_common

./files/S69:

total 1400

-rwxrwxr-x 1 cids cids 1428974 Jun 11 02:14 virtualSensor.xml

./files/common:

total 0

./logs:

total 36

-rw-r--r-- 1 cids cids 13280 Jun 16 12:17 error.log

-rw-r--r-- 1 cids cids 5428 Jun 16 12:17 install.log

-rw-rw-r-- 1 cids cids 11284 Jun 16 12:16 sensorApp_status_check.log

./scripts:

total 148

-rwxrwxr-x 1 cids cids 14107 Feb 14 23:04 IDS-K9-patch-4.1-4g.rpm.pkg

-rwxrwxr-x 1 cids cids 12641 Apr 21 03:51 IDS-sig-4.1-4-S160.rpm.pkg

-rwxrwxr-x 1 cids cids 12641 May 2 22:33 IDS-sig-4.1-4-S162.rpm.pkg

-rwxrwxr-x 1 cids cids 12641 May 11 16:07 IDS-sig-4.1-4-S166.rpm.pkg

-rwxrwxr-x 1 cids cids 12641 May 19 06:25 IDS-sig-4.1-4-S168.rpm.pkg

-rwxrwxr-x 1 cids cids 12641 May 31 21:08 IDS-sig-4.1-4-S172.rpm.pkg

-r--r--r-- 1 cids cids 29637 Mar 4 22:33 ids_functions

-rwxrwxr-x 1 cids cids 512 Jun 11 02:14 installFunctions

-rwxrwxr-x 1 cids cids 2433 Jun 11 02:14 installer

-rwxrwxr-x 1 cids cids 10190 Jun 11 02:14 merge.pl

bash-2.05a$

I don't know what to do....

Please, could you help me?

Thank you.

Here is the specific problem:

./50sig:

total 0

The 50sig is empty. For some reason the signature update is not putting the 5.0 sig files in place.

My best guess is that there may not be enough disk space on the sensor.

Some of the files in the /usr/cids/idsRoot/var directory may need to be deleted to make room for the 5.0 sig files.

What to do:

Downgrade back to S172 (if you haven't already)

Execute "show conf" in the CLI and save off your configuration. You will need it in case something goes wrong.

Now login through the service account and switch to user root "su -" (root has the same password as the service account).

cd /usr/cids/idsRoot/var/updates

First remove the 50sig directory.

Now remove the IDS-sig-4.1-4-S files except the S172 file (leave the S172 file in place).

cd ./scripts

Now remove the same files again from the scripts directory (leaving the S172 file in place).

Once you've done that cleaning go ahead and upgrade to S173 or higher.

Make sure the 50sig directory is created (I can't remember for sure, but it may be a 50sig tar file instead of the directory. The 5.0 update may untar it to create the directory).

If the 50sig directory is created with files in it (or a 50sig tar file is created), then you should be good to try the 5.0 major update.

If the 50sig directory (or tar file) is not created, then we may need to remove other files from the /usr/cids/idsRoot/var directory.

I would need a complete list of all files in the var directory to see which ones can be removed.

Marco
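
The pre-upgrade check described in the reply above, as an added example that is not part of the original thread and not Cisco's own tooling: it reports whether anything named `50sig*` under the updates directory is populated, counts leftover 4.1 signature packages, and shows free disk space. The function names are hypothetical, and matching on the `50sig` prefix is an assumption, since the reply is unsure whether a directory or a tar file is created.

```shell
#!/bin/sh
# Added example: run from the service account before retrying the 5.0 update.
# Usage: sh preflight.sh /usr/cids/idsRoot/var/updates   (path quoted in the thread)

# check_50sig DIR
#   0 = a non-empty 50sig directory or non-empty 50sig* file is staged
#   1 = 50sig exists but is empty (the state shown in the ls -lR output)
#   2 = nothing named 50sig* exists
check_50sig() {
    dir=$1
    seen=no
    for entry in "$dir"/50sig*; do
        [ -e "$entry" ] || continue          # unmatched glob stays literal
        seen=yes
        if [ -d "$entry" ]; then
            if [ -n "$(ls -A "$entry" 2>/dev/null)" ]; then return 0; fi
        elif [ -s "$entry" ]; then
            return 0
        fi
    done
    if [ "$seen" = yes ]; then return 1; fi
    return 2
}

# count_sig_pkgs DIR: number of 4.1 signature packages still present in DIR
count_sig_pkgs() {
    n=0
    for f in "$1"/IDS-sig-4.1-4-S*.rpm.pkg; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# preflight DIR: print a short report; exit status is that of check_50sig
preflight() {
    dir=$1
    df -k "$dir" 2>/dev/null || true         # free space on the partition
    echo "sig packages in updates: $(count_sig_pkgs "$dir")"
    echo "sig packages in scripts: $(count_sig_pkgs "$dir/scripts")"
    rc=0
    check_50sig "$dir" || rc=$?
    case $rc in
        0) echo "50sig: populated, major update can be attempted" ;;
        1) echo "50sig: present but EMPTY, v5 signature files were not staged" ;;
        2) echo "50sig: not found" ;;
    esac
    return $rc
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```
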
