Signature Upgrades through VMS 2.2

dpatkins

Ever since I have upgraded to S4.1.4 service pack, I have had to do this through tftp through the sensor instead of through VMS. I have tried 4.1.4S92 and S93 this way. I end up downloading the .rpm file. I have attempted to shut down the sensing port thinking that maybe too much traffic was going through. Since I did the upgrade through the sensor via tftp, am I going to have to do them all this way now? Is anyone else having these problems or have had these problems? What was done to resolve it?

Thank you,

Dwane


lewy1961

Dwayne, we have a new IDS sensor 4235 running at this level. It always takes ages to upgrade the signature, and to install the last service pack s92 it was actually rebuilt as it was so slow. I know the consultant who installed it eventually upgraded the service pack through tftp.

You are right. Thank you for your input. It looks like I just had to wait overnight for it to upgrade. Thank you

When I try to "Query Sensor" using Identification, I get the following error:

Object update failed. The sensor version 4.1(4)S93 is an unrecognized version. You may need to apply a signature update to the system for support of this sensor

Should I try to reinstall the signature update or what?

Sounds to me like the S93 sig update didn't take/happen on IDS MC.

I generate the following report through IDS MC to verify if updates applied ok.

Type: Audit Log Report

Event Severity: error, information

Applications: Shared service process

Subsystem: Common Java System Services

Task Type: Program Flow

If someone else knows a better way to check, I'd like to hear. The online help says to add a temp sensor and see what version you can set it to be as a way of verifying the sig level of IDS MC. Not very informative if you ask me.

If it had a problem, reapply the sig update to IDS MC.

Did your sensor update to S93 ok? I too had to manually apply sig updates post 4.1(4)S91. I find it's better to do it from the sensor's CLI instead of IDS MC, at least I know it happens.

I recently ordered the signature update for 4235FE NetRangers. I plan to upgrade them from 3.1 to 4.x. Since you have manually applied signature update and I have had occasion when Cisco web site info has been less than helpful, could you please share with me the steps involved in performing the update from the CLI. I mean, should I place the upgrade CD in my laptop, connect the laptop to the COM port of the IDS and then voila... I'd appreciate any assistance you could render here. I am used to snort & other IDS out there, but this NetRanger is a challenge.

p.hachmeister

Is this still a problem for you? We are going through the same situation and the TAC has yet to be much help.

Is this an issue of speed where it takes a very very long time to update or does the update not work at all?

Thanks,

Peter

This seems to be an issue that many are having. After upgrading to 4.1(4) nobody can update the IDS signatures through IDS MC. I'm opening a TAC case too.

I'm experiencing similar problems but only when trying to push a filter change. Signature updates work OK for me (except for one sensor in particular.)

My apologies. The big issue is TIME. It seems to take forever. I have the latest signature S94 on both sensors. My test sensor seems to load real quick, but our main sensor takes FOREVER!!! I am not sure what the problem is, but I would recommend doing the update in the evening and checking it when you get in the next day or even do it on the weekend. If it gets real bad, try shutting down the sniffing port and try it again.

p.hachmeister

I don't know if this helps or hurts, but our problems actually started with 4.1-3-S89.

Does Cisco have any idea why this is happening?

infinitingr2

I have 8 NetRanger 3250FE sensors running 3.1 signature. I need to upgrade them all to 4.x signature. I have read about so many different ways of doing the upgrade (tftp, ftp, using IDS MC etc), and I recently ordered the upgrade CD because according to Cisco, the upgrade can ONLY be done using the CD. My question is which method is the most highly recommended option. I am tempted to attach a laptop to the Sensor console, would that work? Secondly, I observed that the front of the Sensor is locked, I am yet to get the key but does the sensor have a CD / Disk drive in which case I could just attach keyboard / monitor, insert the upgrade CD and follow the other installation instructions. Pardon my naivete, but I need assistance here.

p.hachmeister

1 thing to check is to run an "audit log" report from the management center.

We had this problem too and it turned out that the certificate had expired on the system.

If that is the case, do a "no tls trusted host x.x.x.x", then regenerate the tls key, and add the host back on the sensor.

The VMS certificate may also be expired, and you do that on the VMS console directly.

The unfortunate thing is that Cisco does not really document this well - not just the commands - but the whole process of certificate management.

Hope this helps,

Peter