Solved: Re: Problems with IDS signature update S96

jodr · ‎06-11-2004

Hi,

After updating the signatures to S96, all signatures had been activated on all sensors/blades. However in the CW VMS from where we lanched the update, all signature configurations were still OK. So somehow something went wrong locally on applying this update. Moreover I'm not able anymore to restore defaults on the devices.

Anyone else having the same problems ?

Best regards,

Johan Derycke.

travis-dennis_2 · ‎06-12-2004

S97 is posted now.

Sensor http://www.cisco.com/cgi-bin/tablebuild.pl/ids4-sigup

MC http://www.cisco.com/cgi-bin/tablebuild.pl/idsmc-ids4-sigup

IEV http://www.cisco.com/cgi-bin/tablebuild.pl/ids-ev

View solution in original post

efink · ‎06-11-2004

The same happend to me. I used CLI directly on the sensor(s) and upgraded to S96. Now there's a flood of alarms. Anybody can help ?

mjuckett · ‎06-11-2004

Good grief! How quickly can y'all get a patch to fix this? VMS pushed out the S96 signature pack to our sensors and while VMS shows the correct config, the sensors turned on all alarms. Pushing out a configuration file from VMS to each sensor seems to have fixed the problem.

jodr · ‎06-11-2004

Well I just pushed all configs from the CW VMS again to all sensors, because in the VMS the signature configs were not overwritten ; only new signatures were added.

But of course you can always use the restore procedure documented in the text file also available with the update.

dblairii · ‎06-11-2004

I experienced similar issues with S96. I have 47 sensors, so the flood was debilitating. I have since performed a 'rollback' of all sensors.

For those of you who don't know how to perform a rollback:

- Log into CLI with an admin privileged account

- 'conf t'

- 'downgrade'

- 'yes'

mlhall · ‎06-11-2004

There is a problem with S96. We have pulled the package from CCO. We will release a S97 package as soon as possible. We should have the new package posted in a few hours.

Until then we recommend you downgrade back to S96 if you have installed S97.

Sorry for the problem and we are taking steps to ensure this will not occur again.

7dallen · ‎06-11-2004

Just a typographical correction.

Downgrade to S95 if you have installed S96.

Was there a package released already.. dang im way behind :)

DSmirnov · ‎06-11-2004

Michael,

can you provide more information what is wrong with S96?

Does it activate all signatures or just some of them?

Do we need to downgrade to S95 before S97 or we could apply S97 on S96?

mlhall · ‎06-11-2004

The package used for testing was inadvertently posted to CCO. This testing package has all signatures turned on by default.

Installing S97 on top of S96 will resolve the issue. Once S97 is released, you do not need to downgrade if you have already installed S96, you can simply install S97 on top of S96 and the default values for the signature will be restored.

Sorry for the trouble.

--Mike

mlhall · ‎06-11-2004

CORRECTION: If you have installed S96, you should downgrade to your previous version or wait and install S97.

mcvosi · ‎06-14-2004

Mike,

If I've downgraded my sensors, will I still need to re-import the sensors into IDS MC?

dmitrysmirnov · ‎06-11-2004

I'm flooded with alerts as well (from some sensors - not all of them). I have a feeling that S96 didn't activate all signatures but some of them finally started to work (MSN, Yahoo, ICQ related, SNMP, HTTP, etc)

travis-dennis_2 · ‎06-12-2004

S97 is posted now.

Sensor http://www.cisco.com/cgi-bin/tablebuild.pl/ids4-sigup

MC http://www.cisco.com/cgi-bin/tablebuild.pl/idsmc-ids4-sigup

IEV http://www.cisco.com/cgi-bin/tablebuild.pl/ids-ev