Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1304
Views
4
Helpful
0
Comments

How to check the changes in signature behavior after signature update is performed.

Raghunath Kulkarni
Cisco Employee
Cisco Employee

‎03-27-2014 03:03 AM - edited ‎03-08-2019 06:54 PM

Introduction

 

This document describes how to check what are changes in the signature behavior that have been made when a new signature pack has been updated on the IPS in additon to the new signatures that are introduced.

 

Problem

 

Most of the times, customers report issues with the traffic flows being impacted/specific application observing packet drops after signature update has been performed on the IPS. So the key for troubleshooting such issues would be to understand what are changes that are made to the active signature set after the signature update process completed.

 

Solution

 

Step 1 :

The first thing that we need to check is the upgrade history for the signature. This would tell us the previous signature pack that was running on IPS and the current version of signature pack.

 

This can be found out from the output of the command "show version" or from the upgrade history section of the "show tech". Snippet from the same is mentioned below:

 

Upgrade History:

 

* IPS-sig-S733-req-E4       19:59:50 UTC Fri Aug 09 2013  

  IPS-sig-S734-req-E4.pkg   19:59:49 UTC Tue Aug 13 2013

 

Now from the above we can make out that the previous signature pack that was running on the IPS was s733 and has been upgraded to s734 which is current signature pack.

 

Step 2 :

 

The second step is to understand the changes that have been made which can be checked through the IME/IDM. Screenshots of how to check the same has been shown below:

 

ScreenShot1 : Displays the active signature tab on the IME/IDM:

 

1.png

 

ScreenShot2 : Displays how to select a specific signature release:

 

2.png

 

 

 

Further using the filter option once we have obtained all the signatures from a particular release we can filter them based on engine, fidelity, severity etc. 

By this we would be able to narrow down on the changes in signature release which can be potential cause for the issue based on which we can align our troubleshooting.

 

Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents