Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
6862
Views
5
Helpful
2
Comments

How to be notified when IDS signature updates are released

TCC_2
Level 10
Level 10

‎06-18-2009 03:59 PM - edited ‎03-08-2019 06:06 PM

What is IDS and Types of IDS?

 

An intrusion detection system (IDS) monitors network traffic and monitors for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.

 

IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. There are IDS that detect based on looking for specific signatures of known threats- similar to the way antivirus software typically detects and protects against malware- and there are IDS that detect based on comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert and there are IDS that perform an action or actions in response to a detected threat.

 

TYPES OF IDS:

 

NIDS (Network Intrusion Detection System)

Network Intrusion Detection Systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally you would scan all inbound and outbound traffic, however doing so might create a bottleneck that would impair the overall speed of the network.

 

HIDS (Host based Interusion dtection system)

Host Intrusion Detection Systems are run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator of suspicious activity is detected. For eg. Symantec antivirus.

 

Signature Based

A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.

 

Anomaly Based

An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network- what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline.

 

Passive IDS

A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected an alert is generated and sent to the administrator or user and it is up to them to take action to block the activity or respond in some way.

 

Reactive IDS

A reactive IDS will not only detect suspicious or malicious traffic and alert the administrator, but will take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.

 

One of the most well known and widely used intrusion detection systems is the open source, freely available Snort. It is available for a number of platforms and operating systems including both Linux and Windows. Snort has a large and loyal following and there are many resources available on the Internet where you can acquire signatures to implement to detect the latest threats.

 

 

Resolution

The Cisco Intrusion Detection System (IDS) team constantly develops new signatures. As new signatures are released, you can choose to be notified to take proactive steps to update the signature files.

To receive notification when new Cisco IDS signatures are released (and other IDS/IPS related product news), subscribe to Cisco IPS Threat Defense Bulletins. The bulletin also includes notifications of updated system software and service packs.

Also, RSS feeds are available for the IPS Threat Defense Bulletins:

RSS 1.0: http://tools.cisco.com/security/center/activeUpdateBulletin_10.xml

RSS 2.0: http://tools.cisco.com/security/center/activeUpdateBulletin_20.xml

 

Scenario 2:

Problem:

Auto Update no longer work after 14 NOV 2014

Cisco Intrusion Prevention System, Version 6.2(5)E4 , SSC-AIP-5

Error: autoUpdate successfully selected a package (https://user@72.163.7.60//swc/esd/11/273556262/guest/IPS-sig-S838-req-E4.pkg) from the cisco.com locator service, however, package download failed: 

The host is not trusted. Add the host to the system's trusted TLS certificates.

Autoupdate have work without problem until 14 nov 2014 .

I have added host to the tls trusted hosts

#  show tls trusted-hosts
72.163.4.161
72.163.7.60

Still facing same issue

Understand How the Cisco IPS Automatic Signature Update Feature Works
http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html

The IPS uses the file transfer protocol defined in the file download data URL learned in the server manifest (currently uses HTTP (TCP 80)).

The problem I see is that earlier before 14 nov it fetch signature file with HTTP 

but now it tries with HTTPS instead .

One session against 72.163.4.161 (  always have been HTTPS )

One session against 72.163.7.60 , earlier HTTP now it uses HTTPS

 

Solution:

fixing the locator service to return HTTP instead of HTTPS URLs for the older IPS versions - its not fixed yet but should be sometime soon.

If you can't wait for this to be resolved and you are on the 7.1/7.3 train, you could upgrade to 7.1.9/7.3.2 which will use the HTTPS download correctly and which also resolve several other issues.

I'm not sure if/when 6.2.5 will be upgraded to work with https urls.

Otherwise, maybe manual updates or CSM could bridge the gap.

Problem Type

How to (General Information)

 

Product Family

IDS/IPS - 4200 series sensor

IDSM-2

 

Features & Tasks

Active update notification

Labels:
Comments
gsudaicisco
Community Member
‎07-03-2012 01:10 AM

the link to the rss is not working.

when i go to

http://tools.cisco.com/security/center/activeUpdateBulletin_20.xml i get a page with error

davidrom42
Community Member
‎04-29-2016 03:20 AM

IDS Signature is simply a security software which is termed to help user or system administrator by automatically alert or notify at any case when a user tries to compromise information system through any malicious activities or at point where violation of security policies is taken.

IDS Signature are basically prorated into two major forms.

1. IDS signature detection 2. Anomaly detection

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents