08-14-2009 09:23 AM
I have been bounced around between Cisco and Linksys for months….
I have two simple questions… One I know the answer on… the second, I haven’t a clue…
I have corresponded with 12-15 people at Linksys, and Cisco…
Their last answer is I should contact you…. So… Here goes…. The 16th person I’m requesting this information from….. (I can’t believe that Linksys/Cisco can’t answer these simple questions!)
Seeing that I've been checking for new firmware and IPS downloads from the Cisco site for months now, and not seeing any new downloads......
And Seeing that I'm getting nagging emails that my IPS Signature is too old, Please Update it!!!!
And Seeing that I'm still getting emails that I don't understand from the RVS 4000: -IPSEC EVENT: KLIPS device ipsec0 shut down
and I can't seem to understand How or Why it is happening, and have read manual cover to cover, and all the FAQs, and can't upgrade it because there is no current software......
I sent the following email to cs-support-us@cisco.com :
Hello. Have an RVS4000 Router, being used as a Gateway...
I have emails enabled, so that I'll be informed whenever there is greater than a set level of threats.... However...
If I check the logs, there are no threats... Yet....
I keep getting the following emails:
Your Signature Version is beyond 143 days. Please Update it!
I've also been getting the following emails:
-IPSEC EVENT: KLIPS device ipsec0 shut down
I'm using V1.40 IPS signature, and V1.2.11 firmware....
Yet I keep getting these emails...
I can't update the IPS Signature Version if you don't provide it!!! And you aren't!
Secondly, WHAT THE HECK DOES: "-IPSEC EVENT: KLIPS device ipsec0 shut down" MEAN????
May I suggest that the next version of firmware have options to disable the IPS "Nags" if you are not planning on writing any more code?
And, What the Heck does: "-IPSEC EVENT: KLIPS device ipsec0 shut down" mean?
Sincerely
Jan Janowski
09-16-2009 06:57 PM
Please check on the IPS file...
Tonight I upgraded from V1.2.11 to V1.3.0.5 and re-loaded IPS V1.40...
My findings:
As with V1.2.11, I had an issue trying to move LAN IP from 192.168.1.1. Eventually it allowed a save (Had this same issue in V1.2.11).
Logs are obviously now working, and were not in V1.2.11, as I'm not getting inundated with emails with same settings... Incoming, Outgoing, and log level 0,1,2,3,4.
So I'm going to have to re-check the manual for more info on log level settings... Maybe I should ask, has there been any update to the manual, from the file that was there 3 months ago???
One thing I DIDN'T LIKE..... Whereas the new HTTP/Cisco/Vista Look is fancier to look at...... IT'S AN INK CARTRIDGE DRAINER!!!!! Got no Blue Ink Left!!!
In this aspect (amount of Ink Needed to print out all pages) I like the 'old' Linksys pages a lot better... The new printouts are not as sharp or easy to read, and don't fit the page at times, also....
I did the firmware update (after reset to defaults) and loaded the same V1.40 IPS file that was dated as: 7/28/2008 in V1.2.11 IPS INFO Page (IPS file wasn't even released until February of 2009), reports as 12/31/1969 in V1.3.0.5 IPS INFO Page !! (Doublechecked clock on computer used for configuration... wasn't that!)
So.... It's up (I'm typing through it now)... and we'll just have to see how it works!!
Thanks for the new code.... It will be interesting to see if I start getting either of the old emails.... (But I obviously need to read up on the Log Levels.....)
Jan
09-16-2009 07:47 PM
Here's another suggestion.... Now that logs are working.....
When you get an email of logs.... It's not clear Which Level threat you're reading....
In other words.... here's some lines from an email I just received:
Sep 16 20:58:28 - [Access Log]O TCP Packet - 192.168.12.119:49319 --> 209.123.109.175:80
Sep 16 20:58:48 - [Access Log]O TCP Packet - 192.168.12.119:49320 --> 209.123.109.175:80
Sep 16 20:58:55 - [Access Log]O TCP Packet - 192.168.12.119:49321 --> 63.111.74.129:80
If I want to eliminate this type of entry, so that it doesn't email to me..... Wouldn't it be nice if in this line it would indicate WHICH LOG LEVEL it tripped?
For example....using the above example.... Let's assume these were Log Level 4.... Therefore.....
Sep 16 20:58:28 - LOG4 [Access Log]O TCP Packet - 192.168.12.119:49319 --> 209.123.109.175:80
Sep 16 20:58:48 - LOG4 [Access Log]O TCP Packet - 192.168.12.119:49320 --> 209.123.109.175:80
Sep 16 20:58:55 - LOG4 [Access Log]O TCP Packet - 192.168.12.119:49321 --> 63.111.74.129:80
This way, I could tell which log entry belongs to which Log Level.....
Does this make sense??
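The filtering described in this post can be done on the receiving side today: parse the emailed access-log lines into fields, collapse the routine outbound web traffic into counts, and keep everything else verbatim. This is an added example, not Cisco/Linksys code or a feature of the RVS4000; the sample lines are constructed in the format quoted above (one in the proposed `LOG4` form, which the firmware does not emit, and one inbound line), the single letter after the bracketed category is assumed to be direction (O = outgoing, I = incoming), and the "routine" policy is an assumption for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format of the emailed RVS4000 access-log lines quoted in the thread,
# plus one line in the proposed "LOG<n>" form (assumed format, not emitted by the firmware)
# and one constructed inbound line (TEST-NET source address).
SAMPLE_EMAIL = """\
Sep 16 20:58:28 - [Access Log]O TCP Packet - 192.168.12.119:49319 --> 209.123.109.175:80
Sep 16 20:58:48 - [Access Log]O TCP Packet - 192.168.12.119:49320 --> 209.123.109.175:80
Sep 16 20:58:55 - [Access Log]O TCP Packet - 192.168.12.119:49321 --> 63.111.74.129:80
Sep 16 20:59:10 - LOG4 [Access Log]O TCP Packet - 192.168.12.119:49322 --> 63.111.74.129:80
Sep 16 20:59:30 - [Access Log]I TCP Packet - 203.0.113.7:51000 --> 192.168.12.119:22
"""

# The letter after "[category]" is assumed to be direction: O = outgoing, I = incoming,
# matching the separate "Incoming"/"Outgoing" log settings mentioned in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) - "
    r"(?:LOG(?P<level>\d) )?"                       # optional proposed level tag
    r"\[(?P<category>[^\]]+)\](?P<direction>[IO]) (?P<proto>[A-Z]+) Packet - "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) --> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)$"
)


@dataclass(frozen=True)
class LogEntry:
    ts: str
    level: Optional[int]   # None when the line has no LOG<n> tag (current firmware format)
    category: str
    direction: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one emailed log line; return None for non-matching lines (headers, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return LogEntry(
        ts=g["ts"],
        level=int(g["level"]) if g["level"] else None,
        category=g["category"],
        direction=g["direction"],
        proto=g["proto"],
        src_ip=g["src_ip"],
        src_port=int(g["src_port"]),
        dst_ip=g["dst_ip"],
        dst_port=int(g["dst_port"]),
    )


def parse_email(body: str) -> list[LogEntry]:
    """Parse every recognisable log line in an email body, skipping the rest."""
    return [e for e in (parse_line(l) for l in body.splitlines()) if e is not None]


def is_routine(entry: LogEntry) -> bool:
    """Assumed digest policy: plain outbound web access from the LAN is routine.
    Inbound traffic, non-web ports and any non-'Access Log' category are kept."""
    return (
        entry.category == "Access Log"
        and entry.direction == "O"
        and entry.proto == "TCP"
        and entry.dst_port in (80, 443)
        and entry.src_ip.startswith("192.168.")
    )


def digest(body: str) -> tuple[Counter, list[LogEntry]]:
    """Collapse routine lines into per-(src, dst, port) counts; return the rest verbatim."""
    entries = parse_email(body)
    routine = Counter((e.src_ip, e.dst_ip, e.dst_port) for e in entries if is_routine(e))
    kept = [e for e in entries if not is_routine(e)]
    return routine, kept


if __name__ == "__main__":
    counts, kept = digest(SAMPLE_EMAIL)
    for (src, dst, port), n in counts.items():
        print(f"{n} outbound connection(s) {src} -> {dst}:{port}")
    for e in kept:
        print("kept:", e)
```

Because the current lines carry no level, the policy has to be written in terms of direction, port and category; once a `LOG<n>` tag exists, `entry.level` can replace most of `is_routine`.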
09-17-2009 11:49 AM
So I took my printouts from V1.3.0.5 and RVS4000 Manual to work today, to read and learn more during lunch..... and discovered another issue with new firmware...
The printouts on about half of the pages are cutoff... The data should have been on 2nd page printout, but second page is basically just a header line and blank page....
You folks should look at the way V1.2.11 printouts were done... Each page fits nicely on one piece of paper, and had a nice Logo too... and doesn't eat Ink Un-necessarily!
I see some changes in the program compared to the manual..... Is there a plan for an updated RVS4000 manual so as to more correctly match the new firmware settings?
Is there any FAQ (I haven't found one yet) that gives more In-Depth information on setting up Logs, what works, what doesn't, and information on Log Levels control, as alluded to in the above post???
Thanks
09-21-2009 05:10 PM
Hi Jan.
I must admit I like the new software and haven't looked at the manual, usually things within this product are pretty self explanatory. :)
I will pass on your very constructive posting and feedback to the RVS4000 product manager.
Thank you again for your post.
regards Dave
09-26-2009 06:24 PM
Dave and Steve..... Please ask the RVS4000 person to check code on IPS update nags....
Now remember that I upgraded firmware and re-loaded IPS Signature a week or two ago......
A couple days ago I received the following email....
Your Signature Version is beyond 14511 days. Please Update it!
09-27-2009 05:47 PM
Hi Jan,
I will forward a low priority TAC case to my level 3 technicians in Irvine in California. It's obviously not affecting operation, just saying it's been 39 years since you last performed a signature file update
Would you be so kind as to spare some time and paste a copy of that screen shot in reply.
Thank you for this excellent feedback.
regards Dave
09-27-2009 06:24 PM
09-28-2009 07:03 AM
Good Morning,
I updated a RVS4000 from my lab bench to the newest firmware, did the factory reset and set it up with basic configuration. I then update the IPS Signature file to ver 1.40 and was unable to duplicate the error.
I had ver 1.2.11 firmware on the router before the upgrade. I would look at the NTP server you have the router pointing to.
I use 132.163.4.107 for my time server
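The two symptoms reported above, an IPS INFO page showing 12/31/1969 and a nag saying the signature is "beyond 14511 days" old, are what a signature-age check produces when the stored signature timestamp is Unix epoch zero and is trusted as a real date: epoch zero renders as 31 December 1969 in any US time zone, and on 24 September 2009 it is exactly 14511 days old (Dave's "39 years"). That diagnosis is an assumption consistent with the thread, not something Cisco confirmed. The code below is an added example, not RVS4000 firmware; it contrasts the naive age computation with one that treats a zero timestamp as "unset" and a future timestamp as clock skew, and the 90-day threshold is assumed.

```python
from datetime import datetime, timedelta, timezone

# Assumed nag threshold for the hardened check; the real firmware threshold is not stated in the thread.
MAX_AGE_DAYS = 90


def naive_age_days(sig_ts: int, now: datetime) -> int:
    """Age as computed by a check that trusts the stored timestamp unconditionally."""
    return (now - datetime.fromtimestamp(sig_ts, tz=timezone.utc)).days


def displayed_date(sig_ts: int, tz: timezone) -> str:
    """Render the stored timestamp the way a US-style m/d/Y info page would."""
    d = datetime.fromtimestamp(sig_ts, tz=tz)
    return f"{d.month}/{d.day}/{d.year}"


def signature_status(sig_ts: int, now: datetime, max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Hardened check: distinguish 'never set' and 'clock wrong' from a genuinely stale file."""
    if sig_ts <= 0:
        # Epoch zero (or negative) is a missing value, not a 1969 signature file.
        return {"state": "unset", "age_days": None, "nag": True}
    age = naive_age_days(sig_ts, now)
    if age < 0:
        # Signature dated in the future: the router clock (or NTP) is wrong, not the file.
        return {"state": "clock_skew", "age_days": age, "nag": False}
    stale = age > max_age_days
    return {"state": "stale" if stale else "ok", "age_days": age, "nag": stale}


def nag_message(sig_ts: int, now: datetime) -> str:
    """Text an email nag would carry under each check, in the wording quoted in the thread."""
    naive = f"Your Signature Version is beyond {naive_age_days(sig_ts, now)} days. Please Update it!"
    st = signature_status(sig_ts, now)
    hardened = {
        "unset": "Signature date is not set; reload the IPS signature file.",
        "clock_skew": "Signature date is in the future; check the router clock / NTP server.",
        "stale": f"Signature is {st['age_days']} days old; please update it.",
        "ok": "Signature is current.",
    }[st["state"]]
    return f"naive: {naive}\nhardened: {hardened}"


if __name__ == "__main__":
    when = datetime(2009, 9, 24, 12, 0, tzinfo=timezone.utc)      # date chosen to match the thread
    pacific = timezone(timedelta(hours=-8))                          # assumed display zone
    print("info page shows:", displayed_date(0, pacific))
    print(nag_message(0, when))
```

The defender's lesson is the same for any age-based update check: a sentinel value (zero, empty, epoch) must be recognised as missing before it is fed into date arithmetic, and a negative age points at the clock, which is why the Cisco reply above asks about the NTP server.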
09-28-2009 07:17 AM
If you look up a few posts, please note that when I upgraded to V1.2.11 (from 1.0.7 I believe).... It was done with a different computer than the one I used for this last upgrade, and it, too, also mis-logged the date and time.... To sometime in 2008. Note that V1.40 IPS didn't become available till Feb of 2009.
So I guess the RVS can prove the Theory of Relativity!!
Prior to any upgrade, I would reset to factory defaults, then, using a computer set for DHCP, connect to it, and upgrade firmware, and configure.
The last thing I would do is change the IP from Factory default to the planned usage IP. Then walk the unit back to where it would be used, install it, then power cycle the Router, modem, and other switches..
I'm using this as a Gateway, and though 4 DHCP are allowed, all devices are Static IP.
I'll post the NTP Server I use later tonight.... But I've never had an issue with it...
Good luck.
09-28-2009 05:04 PM
The Time Server I used is 192.43.244.18
09-28-2009 10:46 PM
Hi David
Is there any news on an updated IPS file?
Perhaps I'm not understanding what the purpose of the IPS signature file is, or how Cisco/Linksys have designed it to be with this product, perhaps it's only to be updated annually?
My assumption is that the IPS signature file is similar to an Antivirus or Antimalware file that should be updated to detect known threats or abnormal traffic patterns that would indicate a worm, malware or a known traffic pattern that is malicious.
In the past I've worked on IPS systems from other manufacturers and they have been designed with an IPS or IDS signature detection file to be updated to keep up with detecting and preventing the latest known threats.
As the product is emailing us about the file being out of date, I'm therefore assuming that the RVS 4000 built in IPS is designed like these others I've worked with?
Thanks
Keith
10-06-2009 04:06 PM
V1.41 IPS file has been released!!!
Version: 1.41 Total Rules: 1098
In this signature, we addressed the exploits/vulnerabilities and applications
as below:
-EXPLOIT MS Video ActiveX Control Stack Buffer Overflow
A buffer overflow vulnerability exists in Microsoft DirectShow.
The flaw is due to the way Microsoft Video ActiveX Control parses image files.
An attacker can persuade the target user to open a malicious web page to exploit
this vulnerability.
-EXPLOIT Oracle Database Workspace Manager SQL Injection
Multiple SQL injection vulnerabilities exist in Oracle Database Server product.
The vulnerabilities are due to insufficient sanitization of input parameters
in the Oracle Workspace Manager component. A remote attacker with valid user
credentials may leverage these vulnerabilities to inject and execute SQL code
with escalated privileges of SYS or WMSYS account.
Support P2P application named uTorrent up to version 1.7.2.
Signature content for 1.41
========================================================================
New Added signature(s):
1053635 EXPLOIT MS Video ActiveX Control Stack Buffer Overflow -1
1053636 EXPLOIT MS Video ActiveX Control Stack Buffer Overflow -2
1053632 EXPLOIT Oracle Database Workspace Manager SQL Injection -1
1053633 EXPLOIT Oracle Database Workspace Manager SQL Injection -2
1053634 EXPLOIT Oracle Database Workspace Manager SQL Injection -3
Modified signature(s):
1051783 P2P Gnutella Connect
1051212 P2P Gnutella Get file
1051785 P2P Gnutella UDP PING 2
1051997 P2P Gnutella Bearshare file transfer with UDP
1052039 P2P Gnutella OK
1052637 P2P Foxy Get file
Deleted signature(s):
1050521 Worm.Klez.E1 - 1
1050522 Worm.Klez.E1 - 2
1050523 Worm.Klez.E1 - 3
1050524 Worm.Klez.E2 - 1
1050525 Worm.Klez.E2 - 2
1050526 Worm.Klez.E2 - 3
1050536 Worm.Blaster.B - 1
1050537 Worm.Blaster.B - 2
1050538 Worm.Blaster.B - 3
1050539 Worm.Blaster.C - 1
1050540 Worm.Blaster.C - 2
1050541 Worm.Blaster.C - 3
Number of rules in each category:
========================================================================
DoS/DDoS: 51
Buffer Overflow: 241
Access Control: 92
Scan: 41
Trojan Horse: 62
Misc: 3
P2P: 40
Instant Messenger: 121
Virus/Worm: 410
Web Attacks: 37
No Problem updating it, and the date reports Correctly!!!
THANK YOU!!!
10-06-2009 04:54 PM
Thank you Cisco/Linksys!!!
Am I pushing it if I ask how often this is going to be updated from now on?