Release Notes for Cisco Intrusion Prevention System 6.0(4)
May 7, 2008
Contents
• IPS Management and Event Viewers
• Cisco IPS Active Update Bulletins
• Before Upgrading to Cisco IPS 6.0(4)
• Upgrading to Cisco IPS 6.0(4)
• After Upgrading to Cisco IPS 6.0(4)
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Caution: The BIOS on Cisco IDS/IPS sensors is specific to Cisco IDS/IPS sensors and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on Cisco IDS/IPS sensors voids the warranty. For more information on how to obtain instructions and BIOS files from the Cisco website, see Obtaining Software on Cisco.com.
IPS 6.0(4) File List
The following files are part of Cisco IPS 6.0(4):
• Service Pack Files
  – IPS-K9-6.0-4-E1.pkg
  – IPS-CS-MGR-K9-6.0-4-E1.zip
• System Image Files
  – IPS-4215-K9-sys-1.1-a-6.0-4-E1.img
  – IPS-4240-K9-sys-1.1-a-6.0-4-E1.img
  – IPS-4255-K9-sys-1.1-a-6.0-4-E1.img
  – IPS-4260-K9-sys-1.1-a-6.0-4-E1.img
  – IPS-4270_20-K9-sys-1.1-a-6.0-4-E1.img
  – IPS-SSM-K9-sys-1.1-a-6.0-4-E1.img
  – IPS-SSM_40-K9-sys-1.1-a-6.0-4-E1.img
  – IPS-AIM-K9-sys-1.1-a-6.0-4-E1.img
  – IPS-NM_CIDS-K9-sys-1.1-a-6.0-4-E1.img
  – WS-IDSM2-K9-sys-1.1-a-6.0-4-E1.bin.gz
• Recovery Image Files
  – IPS-K9-r-1.1-a-6.0-4-E1.pkg
  – IPS-AIM-K9-r-1.1-a-6.0-4-E1.pkg
• ISO Image File
  – IPS-K9-cd-1.1-a-6.0-4-E1.iso
  Note: The ISO Image is for IDS-4235 and IDS-4250 series sensors only. Refer to the ISO_Image_FAQ1.htm for instructions on how to use this file. You can download the ISO image file and ISO_Image_FAQ1.htm from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ips6-system
• Readme File
  – IPS-6.0-4-E1.readme.txt
For the procedure for obtaining these files on Cisco.com, see Obtaining Software on Cisco.com.
Supported Platforms
Cisco IPS 6.0(4) is supported on the following platforms:
• IDS-4215 Series Sensor Appliances
• IDS-4235 Series Sensor Appliances
• IPS-4240 Series Sensor Appliances
• IDS-4250 Series Sensor Appliances
• IPS-4255 Series Sensor Appliances
• IPS-4260 Series Sensor Appliances
• IPS 4270-20 Series Sensor Appliances
• WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM-2)
• Intrusion Detection System Network Module (NM-CIDS)
• ASA-SSM-AIP-10 series Cisco ASA Advanced Inspection and Prevention Security Service Modules (AIP-SSM-10)
• ASA-SSM-AIP-20 series Cisco ASA Advanced Inspection and Prevention Security Service Modules (AIP-SSM-20)
• ASA-SSM-AIP-40 series Cisco ASA Advanced Inspection and Prevention Security Service Modules (AIP-SSM-40)
• Intrusion Prevention System Advanced Integration Module (AIM-IPS)
Supported Servers
The following FTP servers are supported for IPS software updates:
• WU-FTPD 2.6.2 (Linux)
• Solaris 2.8
• Sambar 6.0 (Windows 2000)
• Serv-U 5.0 (Windows 2000)
• MS IIS 5.0 (Windows 2000)
The following HTTP/HTTPS servers are supported for IPS software updates:
• VMS - Apache Server (Tomcat)
• VMS - Apache Server (JRun)
Note: The sensor cannot download software updates from Cisco.com. You must download the software updates from Cisco.com to your FTP server, and then configure the sensor to download them from your FTP server. For the procedure for downloading IPS software updates from Cisco.com, see Obtaining Software on Cisco.com. For the procedure for configuring automatic updates, refer to Configuring Automatic Upgrades.
ROMMON uses TFTP to download an image and launch it. TFTP does not address network issues such as latency or error recovery. It does implement a limited packet integrity check so that packets arriving in sequence with the correct integrity value have an extremely low probability of error. But TFTP does not offer pipelining, so the total transfer time is equal to the number of packets to be transferred times the network average RTT. Because of this limitation, we recommend that the TFTP server be located on the same LAN segment as the sensor. Any network with an RTT less than 100 milliseconds should provide reliable delivery of the image.
Some TFTP servers limit the maximum file size that can be transferred to ~32 MB. Therefore, we recommend the following TFTP servers:
• For Windows: Tftpd32 version 2.0, available at:
• For UNIX: Tftp-hpa series, available at: http://www.kernel.org/pub/software/network/tftp/
IPS Management and Event Viewers
Use the following tools for configuring IPS 6.0(4) sensors:
• IDM 6.0
• IPS CLI 6.0
• ASDM 5.2
• CSM 3.1
Use the following tools for monitoring 6.0(4) sensors:
• MARS 4.2 and 4.3(1)
• IEV 5.2
• CWSIMS v3.3.1, v3.4, and v3.4.1
• CIC Security Monitor 3.6
Note: Viewers that are already configured to monitor the 5.x sensors may need to be configured to accept a new SSL certificate for the 6.0(4) sensors.
Cisco IPS Active Update Bulletins
You can subscribe to Cisco IPS Active Update Bulletins on Cisco.com to receive e-mails when signature updates and service pack updates occur.
To receive bulletins about updates, follow these steps:
Step 1  Log in to Cisco.com.
Step 2  Under Quick Links, choose Security Center.
Step 3  Under Products and Services Updates, choose Cisco IPS Active Update Bulletins.
Step 4  Under Cisco IPS Active Update Bulletins, choose one of the Cisco IPS Active Update Bulletins.
Step 5  Under In this Issue, choose Subscription Information.
Step 6  Under Subscription Information, choose subscribe now.
Step 7  Fill out the required information, as follows:
  a. Would you like to receive IDS Active Update Bulletin? Select Yes or No from the drop-down list.
  b. In the First Name field, enter your first name.
  c. In the Last Name field, enter your last name.
  d. In the Company field, enter the name of your company.
  e. Choose your country from the drop-down menu.
  f. In the E-mail field, enter your e-mail address.
Step 8  Check the check box if you want to receive further information about Cisco products and offerings by e-mail.
Step 9  Fill in the optional information if desired.
  a. Choose your job function from the drop-down list.
  b. Choose your job level from the drop-down list.
  c. Choose your industry or business type from the drop-down list.
  d. Choose how many people your organization employs worldwide from the drop-down list.
  e. Choose your company or organization type from the drop-down list.
Step 10  Click Submit.
You receive e-mail notifications of updates when they occur and instructions on how to obtain them.
New and Changed Information
Cisco IPS 6.0(4) includes the following new features and hardware platforms:
• S317 signature update
• ASA-SSM-AIP-40 series Cisco ASA Advanced Inspection and Prevention Security Service Modules (AIP-SSM)
• Intrusion Prevention System Advanced Integration Module (AIM-IPS)
• Inline asymmetric traffic
AnalysisEngine now allows asymmetric traffic to be tracked and analyzed using a relaxed normalization process rather than the standard normalization process. For more information on the Normalizer engine, refer to Normalizer Engine.
You can now configure inline interface mode in situations where the Normalizer engine normally blocks or delays traffic because of the strict nature of stream processing, and where normalization is achieved by not doing any protocol checking or packet reordering. You can relax the Normalizer process by adding a flag to the sensorApp.conf file, which requires using the service account. It also requires a sensor reboot.
To enable Asymmetric mode processing, log in to the sensor service account, and edit the /usr/cids/idsRoot/etc/sensorApp.conf file by adding the AsymmetricFlows=true flag to the file:
[NormalizerSettings]
QueuedTimeout=4
AsymmetricFlows=true
After you add the Asymmetric flag, reboot the sensor.
To verify that the Asymmetric mode processing has been enabled, run traffic through the inline sensor and verify that TCP packets pass through the system unaltered and not reordered. You can also verify Asymmetric mode processing in the TCP Normalizer stage statistics. Verify that the number of Current Streams is increasing, but the number of Closed, Closing, Embryonic, and Established streams are all 0:
Current Streams = 1630
Current Streams Closed = 0
Current Streams Closing = 0
Current Streams Embryonic = 0
Current Streams Established = 0
• Ability to enable and disable CDP forwarding
Log in to the service account and in the /usr/cids/idsRoot/etc/interface.conf file, change cdp-mode=block to cdp-mode=forward.
Save your changes to the interface.conf file, and reboot the sensor.
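The Asymmetric mode verification described above, written as a check over two statistics snapshots taken while traffic is flowing. This is an added example, not part of the Cisco release notes: the function names are hypothetical, and the snapshot and configuration text are constructed from the lines shown on this page.

```python
import re

# Matches lines such as "Current Streams Closed = 0" from the TCP Normalizer
# stage statistics quoted in the release notes.
STREAM_RE = re.compile(
    r"^[ \t]*(Current Streams(?: \w+)?)[ \t]*=[ \t]*(\d+)[ \t]*$", re.M)
TRACKED_STATES = ("Closed", "Closing", "Embryonic", "Established")


def asymmetric_flag_set(conf_text):
    """True if AsymmetricFlows=true appears inside [NormalizerSettings]."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "NormalizerSettings" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "AsymmetricFlows":
                return value.strip() == "true"
    return False


def parse_streams(stats_text):
    """Extract the 'Current Streams ...' counters into a dict of ints."""
    return {name: int(count) for name, count in STREAM_RE.findall(stats_text)}


def verify_asymmetric(before_text, after_text):
    """Return a list of problems; an empty list means the page's criteria hold."""
    before, after = parse_streams(before_text), parse_streams(after_text)
    if "Current Streams" not in before or "Current Streams" not in after:
        return ["Current Streams counter missing from a snapshot"]
    problems = []
    if after["Current Streams"] <= before["Current Streams"]:
        problems.append("Current Streams is not increasing")
    for state in TRACKED_STATES:
        key = f"Current Streams {state}"
        if after.get(key) != 0:
            problems.append(f"{key} = {after.get(key)} (expected 0)")
    return problems


# Constructed sample input (only the second snapshot uses the page's values).
CONF_FRAGMENT = "[NormalizerSettings]\nQueuedTimeout=4\nAsymmetricFlows=true\n"
SNAPSHOT_1 = """Current Streams = 1210
Current Streams Closed = 0
Current Streams Closing = 0
Current Streams Embryonic = 0
Current Streams Established = 0
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("= 1210", "= 1630")
# Strict normalization still tracking connection state (constructed).
SNAPSHOT_STRICT = SNAPSHOT_2.replace("Established = 0", "Established = 412")

if __name__ == "__main__":
    print("flag set:", asymmetric_flag_set(CONF_FRAGMENT))
    print("asymmetric:", verify_asymmetric(SNAPSHOT_1, SNAPSHOT_2))
    print("strict:", verify_asymmetric(SNAPSHOT_1, SNAPSHOT_STRICT))
```

A non-empty result after the reboot means the sensor is still applying standard normalization and the flag did not take effect.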
Before Upgrading to Cisco IPS 6.0(4)
This section describes the actions you should take before upgrading to Cisco IPS 6.0(4). It contains the following topics:
• Copying and Restoring the Configuration File Using a Remote Server
Perform These Tasks
Before you upgrade your sensors to Cisco IPS 6.0(4), make sure you perform the following tasks:
• Upgrade all version 4.x or earlier sensors to IPS 5.0(1) before applying the IPS 6.0(4) service pack.
• Make sure you have a valid Cisco Service for IPS service contract per sensor so that you can apply software upgrades.
For more information, see Service Programs for IPS Products.
• Create a backup copy of your configuration.
For the procedure, see Copying and Restoring the Configuration File Using a Remote Server.
• Save the output of the show version command.
If you need to downgrade a signature update, you will know what version you had, and you can then apply the configuration you saved when you backed up your configuration. For the procedure, refer to Displaying Version Information. For the procedure for downgrading signature updates on your sensor, refer to Upgrading, Downgrading, and Installing System Images.
• Upgrade the IDS-4215 BIOS to the most recent version.
For the procedure, see Upgrading the IDS-4215 BIOS.
• If you are using SNMP set and/or get features, you must configure the read-only-community and read-write-community parameters before upgrading to IPS 6.0(4).
In IPS 5.x, the read-only-community was set to public by default, and the read-write-community was set to private by default. In IPS 6.0(4) these two options do not have default values. If you were not using SNMP gets and sets with IPS 5.x (for example, enable-set-get was set to false), there is no problem upgrading to IPS 6.0(4). If you were using SNMP gets and sets with IPS 5.x (for example, enable-set-get was set to true), you must configure the read-only-community and read-write-community parameters to specific values or the IPS 6.0(4) upgrade fails. You receive the following error message:
Error: execUpgradeSoftware : Notification Application "enable-set-get" value set to true, but "read-only-community" and/or "read-write-community" are set to null. Upgrade may not continue with null values in these fields.
For more information on configuring SNMP in the CLI, refer to Configuring SNMP. For more information on configuring SNMP in IDM, refer to Configuring SNMP.
Copying and Restoring the Configuration File Using a Remote Server
Use the copy [/erase] source_url destination_url keyword command to copy the configuration file to a remote server. You can then restore the current configuration from the remote server. You are prompted to back up the current configuration first.
Note: We recommend copying the current configuration file to a remote server before upgrading.
The following options apply:
• /erase—Erases the destination file before copying.
This keyword only applies to the current-config; the backup-config is always overwritten. If this keyword is specified for destination current-config, the source configuration is applied to the system default configuration. If it is not specified for the destination current-config, the source configuration is merged with the current-config.
• source_url—The location of the source file to be copied. It can be a URL or keyword.
• destination_url—The location of the destination file to be copied. It can be a URL or a keyword.
The exact format of the source and destination URLs varies according to the file. Here are the valid types:
• ftp:—Source or destination URL for an FTP network server. The syntax for this prefix is:
ftp:[//[username@]location]/relativeDirectory]/filename
ftp:[//[username@]location]//absoluteDirectory]/filename
• scp:—Source or destination URL for the SCP network server. The syntax for this prefix is:
scp:[//[username@]location]/relativeDirectory]/filename
scp:[//[username@]location]//absoluteDirectory]/filename
Note: If you use FTP or SCP protocol, you are prompted for a password. If you use SCP protocol, you must also add the remote host to the SSH known hosts list. For the CLI procedure, refer to Adding Hosts to the SSH Known Hosts List. For the IDM procedure, refer to Defining Known Host Keys.
• http:—Source URL for the web server. The syntax for this prefix is:
http:[[/[username@]location]/directory]/filename
• https:—Source URL for the web server. The syntax for this prefix is:
https:[[/[username@]location]/directory]/filename
Note: HTTP and HTTPS prompt for a password if a username is required to access the website. If you use HTTPS protocol, the remote host must be a TLS trusted host. For the CLI procedure, refer to Adding TLS Trusted Hosts. For the IDM procedure, refer to Adding Trusted Hosts.
The following keywords are used to designate the file location on the sensor:
• current-config—The current running configuration. The configuration becomes persistent as the commands are entered.
• backup-config—The storage location for the configuration backup.
Caution: Copying a configuration file from another sensor may result in errors if the sensing interfaces and virtual sensors are not configured the same.
To back up and restore your current configuration, follow these steps:
Step 1  Log in to the CLI using an account with administrator privileges.
Step 2  To back up the current configuration to the remote server:
sensor# copy current-config ftp://user@10.1.1.1//configs/sensor89.cfg
Password: ********
Step 3  To restore the configuration file that you copied to the remote server:
sensor# copy ftp://user@10.1.1.1//configs/sensor89.cfg current-config
Password: ********
Warning: Copying over the current configuration may leave the box in an unstable state.
Would you like to copy current-config to backup-config before proceeding? [yes]:
Step 4  Press Enter to copy the configuration file or enter no to stop.
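The copy rules above (relative versus absolute directory, source-only URL types, and the merge-or-replace behavior of /erase) expressed as a pre-flight review of a planned copy command. This is an added example, not Cisco code: the function names are hypothetical, and the note that FTP and HTTP are unencrypted is a general protocol fact rather than a statement from this page.

```python
from urllib.parse import urlsplit

KEYWORDS = {"current-config", "backup-config"}
SOURCE_ONLY = {"http", "https"}   # the page lists these as source URLs only
UNENCRYPTED = {"ftp", "http"}     # general protocol fact, not from the page
PREREQUISITE = {                  # wording taken from the notes on this page
    "ftp": "prompts for a password",
    "scp": "prompts for a password; host must be in the SSH known hosts list",
    "http": "prompts for a password if the website requires a username",
    "https": "prompts for a password if the website requires a username; "
             "host must be a TLS trusted host",
}


def parse_endpoint(arg, role):
    """Parse one copy argument; role is 'source' or 'destination'."""
    if arg in KEYWORDS:
        return {"kind": "keyword", "name": arg}
    parts = urlsplit(arg)
    if parts.scheme not in PREREQUISITE:
        raise ValueError(f"not a keyword or supported URL type: {arg!r}")
    if role == "destination" and parts.scheme in SOURCE_ONLY:
        raise ValueError(f"{parts.scheme}: can only be used as a source")
    # A second slash after the location marks an absolute directory.
    absolute = bool(parts.netloc) and parts.path.startswith("//")
    directory, _, filename = parts.path.lstrip("/").rpartition("/")
    if not filename:
        raise ValueError(f"no filename in {arg!r}")
    return {
        "kind": "url",
        "scheme": parts.scheme,
        "user": parts.username,
        "host": parts.hostname,
        "absolute": absolute,
        "directory": ("/" if absolute else "") + directory,
        "filename": filename,
    }


def review_copy(source, destination, erase=False):
    """Return notes describing what 'copy [/erase] source destination' does."""
    src = parse_endpoint(source, "source")
    dst = parse_endpoint(destination, "destination")
    notes = []
    if dst.get("name") == "current-config":
        notes.append(
            "replace: source is applied to the system default configuration"
            if erase else "merge: source is merged with current-config")
    elif erase:
        notes.append("/erase applies only to a current-config destination")
    if dst.get("name") == "backup-config":
        notes.append("backup-config is always overwritten")
    for role, ep in (("source", src), ("destination", dst)):
        if ep["kind"] != "url":
            continue
        where = "absolute" if ep["absolute"] else "relative"
        notes.append(f"{role} {ep['scheme']}: {where} path; "
                     f"{PREREQUISITE[ep['scheme']]}")
        if ep["scheme"] in UNENCRYPTED:
            notes.append(f"{role} {ep['scheme']}: password and configuration "
                         "cross the network unencrypted")
    return notes


if __name__ == "__main__":
    # The restore command from Step 3 of the procedure above.
    for note in review_copy("ftp://user@10.1.1.1//configs/sensor89.cfg",
                            "current-config"):
        print(note)
```

Run against the Step 3 restore command, the review reports a merge rather than a replace, which matters when the goal is to return a sensor to exactly the saved configuration.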
Upgrading the IDS-4215 BIOS
The BIOS/ROMMON upgrade utility (IDS-4215-bios-5.1.7-rom-1.4.bin) upgrades the BIOS of IDS-4215 to version 5.1.7 and the ROMMON to version 1.4.
Note: For a list of supported TFTP servers, see Supported Servers.
To upgrade the BIOS and ROMMON on IDS-4215, follow these steps:
Step 1  Download the BIOS ROMMON upgrade utility (IDS-4215-bios-5.1.7-rom-1.4.bin) to the TFTP root directory of a TFTP server that is accessible from IDS-4215.
For the procedure for locating software on Cisco.com, see Obtaining Software on Cisco.com.
Note: Make sure you can access the TFTP server location from the network connected to the Ethernet port of IDS-4215.
Step 2  Boot IDS-4215.
While rebooting, IDS-4215 runs the BIOS POST. After the completion of POST, the console displays the message Evaluating Run Options ... for about 5 seconds.
Step 3  Press Ctrl-R while this message is displayed to display the ROMMON menu.
The console display resembles the following:
CISCO SYSTEMS IDS-4215
Embedded BIOS Version 5.1.3 05/12/03 10:18:14.84
Compiled by ciscouser
Evaluating Run Options ...
Cisco ROMMON (1.2) #0: Mon May 12 10:21:46 MDT 2003
Platform IDS-4215
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:11)
Using 1: i82557 @ PCI(bus:0 dev:14 irq:11), MAC: 0000.c0ff.ee01
Use ? for help.
rommon>
Step 4  If necessary, change the port number used for the TFTP download:
rommon> interface port_number
The port in use is listed just before the rommon prompt. Port 1 (default port) is being used as indicated by the text, Using 1: i82557 @ PCI(bus:0 dev:14 irq:11), MAC: 0000.c0ff.ee01.
Note: Ports 0 (monitoring port) and 1 (command and control port) are labeled on the back of the chassis.
Step 5  Specify an IP address for the local port on IDS-4215:
rommon> address ip_address
Note: Use the same IP address that is assigned to IDS-4215.
Step 6  Specify the TFTP server IP address:
rommon> server ip_address
Step 7  Specify the gateway IP address:
rommon> gateway ip_address
Step 8  Verify that you have access to the TFTP server by pinging it from the local Ethernet port:
rommon> ping server_ip_address
rommon> ping server
Step 9  Specify the filename on the TFTP file server from which you are downloading the image:
rommon> file filename
Example:
rommon> file IDS-4215-bios-5.1.7-rom-1.4.bin
Note: The syntax of the file location depends on the type of TFTP server used. Contact your system or network administrator for the appropriate syntax if the above format does not work.
Step 10  Download and run the update utility:
rommon> tftp
Step 11  Enter y at the upgrade prompt and the update is executed.
IDS-4215 reboots when the update is complete.
Caution: Do not remove power to IDS-4215 during the update process; otherwise the upgrade can become corrupted. If this occurs, IDS-4215 will be unusable and require an RMA.
Upgrading to Cisco IPS 6.0(4)
This section provides information on upgrading to IPS 6.0(4), and contains the following topics:
• Obtaining Software on Cisco.com
• Applying for a Cisco.com Account with Cryptographic Access
Upgrading from 5.x to 6.0(4)
The following caveats apply to upgrading from 5.x to 6.0(4):
• If you have 4.x installed on your sensor, you must upgrade to 5.0(1), then upgrade to 6.0(4).
• You can upgrade all 5.0 or 5.1 sensors directly to 6.0(4).
Note: 5.1(3) and earlier sensors may display an error message that the upgrade file is not a recognized type. You can ignore this error and continue with the upgrade.
• If you try to upgrade an IPS 5.x sensor to 6.0(4), you may receive an error that AnalysisEngine is not running:
sensor# upgrade scp://user@10.1.1.1/upgrades/IPS-K9-6.0-4-E1.pkg
Password: ********
Warning: Executing this command will apply a major version upgrade to the application partition. The system may be rebooted to complete the upgrade.
Continue with upgrade?: yes
Error: AnalysisEngine is not running. Please reset box and attempt upgrade again.
If you receive this error, you must get AnalysisEngine running before trying to upgrade again. This error is often caused by a defect in the currently running version. Try rebooting the sensor, and after reboot, run setup and remove the interfaces from the virtual sensor vs0. When it is not monitoring traffic, AnalysisEngine usually stays up and running. You can upgrade to 6.0(4) at this time. After the upgrade to IPS 6.0(4), add the interfaces back to the virtual sensor vs0 using the setup command. For more information on running the setup command, refer to Initializing the Sensor.
Or you can use the recovery CD (if your sensor has a CD-ROM) or the system image file to reimage directly to IPS 6.0(4). You can reimage a 5.x sensor to 6.0(4) because the reimage process does not check whether AnalysisEngine is running. For more information, refer to Upgrading, Downgrading, and Installing System Images.
Caution: Reimaging using the CD or system image file restores all configuration defaults.
• In 6.0(4), you will receive messages indicating that you need to install a license. The sensor functions properly without a license, but you will need a license to install signature updates. For the procedure, see Licensing the Sensor.
• Although upgrading from 5.x to 6.0(4) preserves sensor configuration settings, all data written to the Event Store as well as any unsupported customizations are lost.
The upgrade may stop if it comes across a value that it cannot translate. If this occurs, the resulting error message provides enough information to adjust the parameter to an acceptable value. After editing the configuration, try the upgrade again.
Note: For information about SNMP values that must be configured before upgrading from 5.x to 6.0(4), see Before Upgrading to Cisco IPS 6.0(4).
• After you upgrade from 5.x to 6.0(4), you cannot downgrade using the downgrade command. If you want to return to the previous version, you must reimage (refer to Upgrading, Downgrading, and Installing System Images) and then copy the backup configuration from a remote server to the reimaged sensor. For the procedure, see Copying and Restoring the Configuration File Using a Remote Server.
Obtaining Software on Cisco.com
You can find major and minor updates, service packs, signature and signature engine updates, system and recovery files, firmware upgrades, and readmes at Software Downloads on Cisco.com.
Note: You must be logged in to Cisco.com to access Software Downloads.
Signature updates are posted to Cisco.com approximately every week, more often if needed. Service packs are posted to Cisco.com as needed. Major and minor updates are also posted periodically.
You must have an active IPS maintenance contract and a Cisco.com password to download software. For information on obtaining a Cisco.com account with cryptographic access, see Applying for a Cisco.com Account with Cryptographic Access.
Check Cisco.com regularly for the latest IPS software.
Note: Beginning with 5.x, you must have a license to apply signature updates. For more information, see Obtaining and Installing the License Key.
To access Software Downloads on Cisco.com, follow these steps:
Step 1  Go to Cisco.com.
Step 2  Log in to Cisco.com.
Step 3  Choose Support > Software Downloads.
Step 4  Under Select a Software Product Category, choose Cisco Secure Software.
Step 5  Under Cisco Secure Software, choose Cisco Intrusion Detection System (IDS).
Step 6  On the Software Center (Downloads) page, under Network IPS/IDS Sensors - All Supported Platforms (Except IOS IPS), locate your version and choose the applicable software link:
• Latest Signature Update—Lets you download the most recent signature updates.
• Latest Upgrades (Major, Minor, Service Pack, Engine)—Lets you download the most recent major and minor updates, service packs and engine updates.
• System and Recovery Images—Lets you download the images you need to reimage your sensor.
Note: You must have an IPS subscription service license to download software. For more information, see Obtaining and Installing the License Key.
Step 7  On the Software Download page, choose the file you need.
To sort by Filename, Release, Date, or Size, choose the option from the drop-down menu and click Go.
Note: For an explanation of the IPS file versioning scheme, see IPS Software Image Naming Conventions.
Step 8  Verify that this is the software you want and click Next.
Step 9  Click Agree to accept the software download rules.
Step 10  Enter your Cisco.com username and password.
Note: The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software. For more information, see Applying for a Cisco.com Account with Cryptographic Access.
The Download File dialog box appears.
Step 11  Open the file or save it to your computer.
Step 12  Follow the instructions in the Readme to install the update.
Note: Major and minor updates, service packs, recovery files, signature and signature engine updates are the same for all sensors. System image files are unique per platform.
Applying for a Cisco.com Account with Cryptographic Access
To download software updates, you must have a Cisco.com account with cryptographic access.
To apply for cryptographic access, follow these steps:
Step 1  If you have a Cisco.com account, skip to Step 2. If you do not have a Cisco.com account, register for one at this URL: http://tools.cisco.com/RPF/register/register.do.
Step 2  Go to this URL: http://www.cisco.com/pcgi-bin/Software/Crypto/crypto_main.pl.
The Enter Network Password dialog box appears.
Step 3  Log in with your Cisco.com account.
The Encryption Software Export Distribution Authorization page appears.
Step 4  Enter your first name in the First Name field.
Step 5  Enter your last name in the Last Name field.
Step 6  Enter your company name in the Company field.
Step 7  Enter your address in the Address 1 field.
Step 8  Choose your country from the drop-down list.
Step 9  Enter your city in the City field.
Step 10  Choose your state from the drop-down list.
Step 11  Enter your province if you are not from the US in the Province/State field.
Step 12  (Optional) Enter your postal code in the Postal Code field.
Step 13  Enter your e-mail address in the E-Mail Address field.
Step 14  (Optional) Enter your work phone number in the Desk Phone field.
Step 15  (Optional) Enter your cell phone number in the Cellular Phone field.
Step 16  (Optional) Enter your fax number in the Fax field.
Step 17  Respond to the nine conditions by checking the check box next to each condition.
Step 18  Enter your first and last name as it appears in your Cisco profile in the Final Signature field.
Step 19  Review and complete the Encryption Software Export Distribution Authorization form and click Submit.
IPS Software Versioning
This section describes how to interpret IPS software versioning, and contains the following topics:
• IPS Software Image Naming Conventions
• 6.x Software Release Examples
IPS Software Image Naming Conventions
This section describes the various IPS software files, and contains the following sections:
• Major and Minor Updates, Service Packs, and Patch Releases
• Signature/Virus Updates and Signature Engine Updates
• Recovery and System Image Filenames
Major and Minor Updates, Service Packs, and Patch Releases
Figure 1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases.
Figure 1 IPS Software File Name for Major and Minor Updates, Service Packs, and Patch Releases
Major update
Contains new functionality or an architectural change in the product. For example, the IPS 6.0 base version includes everything (except deprecated features) since the previous major release (the minor update features, service pack fixes, and signature updates) plus any new changes. Major update 6.0(1) requires 5.x. With each major update there are corresponding system and recovery packages.
Note: The 6.0(1) major update is only used to upgrade 5.x sensors to 6.0(1). If you are reinstalling 6.0(1) on a sensor that already has 6.0(1) installed, use the system image or recovery procedures rather than the major update.
Minor update
Incremental to the major version. Minor updates are also base versions for service packs. The first minor update for 6.0 is 6.1(1). Minor updates are released for minor enhancements to the product. Minor updates contain all previous minor features (except deprecated features), service pack fixes, signature updates since the last major version, and the new minor features being released. You can install the minor updates on the previous major or minor version (and often even on earlier versions). The minimum supported version needed to upgrade to the newest minor version is listed in the Readme that accompanies the minor update. With each minor update there are corresponding system and recovery packages.
Service packs
Cumulative following a base version release (minor or major). Service packs are used for the release of defect fixes with no new enhancements. Service packs contain all service pack fixes since the last base version (minor or major) and the new defect fixes being released. Service packs require the minor version. The minimum supported version needed to upgrade to the newest service pack is listed in the Readme that accompanies the service pack. Service packs also include the latest engine update. For example, if service pack 6.0(3) is released, and E3 is the latest engine level, the service pack is released as 6.0(3)E3.
Patch release
Used to address defects that are identified in the upgrade binaries after a software release. Rather than waiting until the next major or minor update, or service pack to address these defects, a patch can be posted. Patches include all prior patch releases within the associated service pack level. The patches roll into the next official major or minor update, or service pack.
Before you can install a patch release, the most recent major or minor update, or service pack must be installed. For example, patch release 5.0(1p1) requires 5.0(1).
Note: Upgrading to a newer patch does not require you to uninstall the old patch. For example, you can upgrade from patch 5.0(1p1) to 5.0(1p2) without first uninstalling 5.0(1p1).
For a table listing the types of files with examples of filenames and corresponding software releases, see 6.x Software Release Examples.
Signature/Virus Updates and Signature Engine Updates
Figure 2 illustrates what each part of the IPS software file represents for signature/virus updates.
Figure 2 IPS Software File Name for Signature/Virus Updates
Signature/virus updates
Executable file containing a set of rules designed to recognize malicious network activities. Signature updates are released independently from other software updates. Each time a major or minor update is released, you can install signature updates on the new version and the next oldest version for a period of at least six months. Signature updates are dependent on a required signature engine version. Because of this, a req designator lists the signature engine required to support a particular signature update.
A virus component for the signature updates is packaged with the signature update. Virus updates are generated by Trend Microsystems for use by the Cisco Intrusion Containment System (Cisco ICS). Once created for use by Cisco ICS, they are later incorporated into standard Cisco signature updates.
Figure 3 illustrates what each part of the IPS software file represents for signature engine updates.
Figure 3 IPS Software File Name for Signature Engine Updates
Signature engine updates
Executable files containing binary code to support new signature updates. Signature engine files require a specific service pack, which is also identified by the req designator.
Recovery and System Image Filenames
Figure 4 illustrates what each part of the IPS software file represents for recovery and system image filenames.
Figure 4 IPS Software File Name for Recovery and System Image Filenames
Recovery and system images contain separate versions for the installer and the underlying application. The installer version contains a major and minor version field.
Installer major version
The major version is incremented by one for any major change to the image installer, for example, switching from .tar to rpm or changing kernels.
Installer minor version
The minor version can be incremented by any one of the following:
• Minor change to the installer, for example, a user prompt added.
• Repackages require the installer minor version to be incremented by one if the image file must be repackaged to address a defect or problem with the installer.
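A parser for the filename conventions described in this section, useful for checking what is staged on an update server before pointing sensors at it. This is an added example, not Cisco code: the figures are not reproduced in this copy, so the field layout is inferred from the example filenames in these release notes, and the rule that separates major updates, minor updates, and service packs is an assumption drawn from the page's examples (6.0(1), 6.1(1), 6.0(4)). Platform tokens are compared as they appear in the filename (for example 4240).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field patterns inferred from the example filenames in these release notes.
BASE = r"(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)"  # application version, 6.0-4
INSTALLER = r"(?P<installer>\d+\.\d+)-a"               # installer version, 1.1-a
ENGINE = r"E(?P<engine>\d+)"                           # signature engine level, E1
PLATFORM = r"(?P<platform>[A-Za-z0-9_]+)"              # 4240, SSM_40, IDSM2

PATTERNS = [(kind, re.compile(rx)) for kind, rx in [
    ("signature-update", rf"IPS-sig-S(?P<sig>\d+)-req-{ENGINE}\.pkg"),
    ("engine-update", rf"IPS-engine-{ENGINE}-req-{BASE}\.pkg"),
    ("patch", rf"IPS-K9-patch-{BASE}p(?P<patch>\d+)-{ENGINE}\.pkg"),
    ("recovery", rf"IPS-(?:{PLATFORM}-)?K9-r-{INSTALLER}-{BASE}-{ENGINE}\.pkg"),
    ("system-image",
     rf"(?:IPS|WS)-{PLATFORM}-K9-sys-{INSTALLER}-{BASE}-{ENGINE}\.(?:img|bin\.gz)"),
    ("iso-image", rf"IPS-K9-cd-{INSTALLER}-{BASE}-{ENGINE}\.iso"),
    ("cs-mgr-package", rf"IPS-CS-MGR-K9-{BASE}-{ENGINE}\.zip"),
    ("readme", rf"IPS-{BASE}-{ENGINE}\.readme\.txt"),
    ("update", rf"IPS-K9-{BASE}-{ENGINE}\.pkg"),
]]


@dataclass
class IpsFile:
    name: str
    kind: str
    version: Optional[str] = None    # application version, e.g. "6.0(4)"
    engine: Optional[int] = None     # engine level the file carries or delivers
    platform: Optional[str] = None   # platform token, when the name has one
    installer: Optional[str] = None  # installer version of recovery/system images
    signature: Optional[int] = None  # signature update number, e.g. 700
    requires: Optional[str] = None   # prerequisite named by "req" or by a patch


def parse(name):
    """Return an IpsFile for a recognised filename, or None."""
    for kind, rx in PATTERNS:
        m = rx.fullmatch(name)
        if m is None:
            continue
        g = m.groupdict()
        base = f"{g['major']}.{g['minor']}({g['sp']})" if g.get("major") else None
        f = IpsFile(name=name, kind=kind, version=base,
                    platform=g.get("platform"), installer=g.get("installer"))
        if kind == "signature-update":
            # Here the E field is the required engine, not a delivered one.
            f.signature = int(g["sig"])
            f.requires = f"engine E{g['engine']}"
            return f
        f.engine = int(g["engine"])
        if kind == "engine-update":
            # Here the version field is the required service pack.
            f.version, f.requires = None, base
        elif kind == "patch":
            f.version = f"{g['major']}.{g['minor']}({g['sp']}p{g['patch']})"
            f.requires = base
        elif kind == "update":
            # Assumption from the page's examples: x.0(1) is a major update,
            # x.y(1) with y > 0 a minor update, anything else a service pack.
            if int(g["sp"]) != 1:
                f.kind = "service-pack"
            elif int(g["minor"]) == 0:
                f.kind = "major-update"
            else:
                f.kind = "minor-update"
        return f
    return None


def audit_staging(names, sensor_platform):
    """Flag staged files that are unrecognised or built for another platform."""
    findings = {}
    for name in names:
        f = parse(name)
        if f is None:
            findings[name] = "unrecognised name"
        elif f.kind == "system-image" and f.platform != sensor_platform:
            findings[name] = f"system image for {f.platform}, not {sensor_platform}"
    return findings


if __name__ == "__main__":
    # Constructed directory listing built from filenames on this page.
    staged = ["IPS-K9-6.0-4-E1.pkg", "IPS-sig-S700-req-E1.pkg",
              "IPS-4255-K9-sys-1.1-a-6.0-4-E1.img", "IPS-K9-6.0-4-E1.pkg.bak"]
    for item in staged:
        print(parse(item))
    print(audit_staging(staged, "4240"))
```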
6.x Software Release Examples
Table 1 lists platform-independent IDS 6.x software release examples. Refer to the Readmes that accompany the software files for detailed instructions on how to install the files. For instructions on how to access these files on Cisco.com, see .
Table 1 Platform-Independent Release Examples
| Release | Target Frequency | Identifier | Example Version | Example Filename |
|---|---|---|---|---|
| Signature update¹ | Weekly | sig | S700 | IPS-sig-S700-req-E1.pkg |
| Signature engine update² | As needed | engine | E1 | IPS-engine-E1-req-6.1-3.pkg |
| Service packs³ | Semi-annually or as needed | — | 6.1(3) | IPS-K9-6.1-3-E1.pkg |
| Minor version update⁴ | Annually | — | 6.1(1) | IPS-K9-6.1-1-E1.pkg |
| Major version update⁵ | Annually | — | 6.0(1) | IPS-K9-6.0-1-E1.pkg |
| Patch release⁶ | As needed | patch | 6.0(1p1) | IPS-K9-patch-6.0-1pl-E1.pkg |
| Recovery package⁷ | Annually or as needed | r | 1.1-6.0(1) | IPS-K9-r-1.1-a-6.0-1-E1.pkg |
1 Signature updates include the latest cumulative IPS signatures.
2 Signature engine updates add new engines or engine parameters that are used by new signatures in later signature updates.
3 Service packs include defect fixes.
4 Minor versions include new minor version features and/or minor version functionality.
5 Major versions include new major version functionality or new architecture.
6 Patch releases are for interim fixes.
7 The r 1.1 can be revised to r 1.2 if it is necessary to release a new recovery package that contains the same underlying application image. If there are defect fixes for the installer, for example, the underlying application version may still be 6.0(1), but the recovery partition image will be r 1.2.
Table 2 describes platform-dependent software release examples.
Table 2 Platform-Dependent Release Examples
| Release | Target Frequency | Identifier | Supported Platform | Example Filename |
|---|---|---|---|---|
| System image¹ | Annually | sys | Separate file for each sensor platform | IPS-4240-K9-sys-1.1-a-6.0-1-E1.img |
| Maintenance partition image² | Annually | mp | IDSM-2 | c6svc-mp.2-1-2.bin.gz |
| Bootloader | As needed | bl | NM-CIDS; AIM-IPS | servicesengine-boot-1.0-4.bin; pse_aim_x.y.z.bin (where x, y, z is the release number) |
| Mini-kernel | As needed | mini-kernel | AIM-IPS | pse_mini_kernel_1.1.10.64.bz2 |
1 The system image includes the combined recovery and application image used to reimage an entire sensor.
2 The maintenance partition image includes the full image for the IDSM-2 maintenance partition. The file is installed from but does not affect the IDSM-2 application partition.
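The naming scheme in Tables 1 and 2 can be checked mechanically before a file is staged for a sensor. The following is an added example, not Cisco code: it parses the file name forms shown in the tables, rejects renamed files, and tests an update's req designator against the installed release. Treating req as an exact match, and the names `parse_name` and `req_satisfied`, are assumptions of this example.

```python
import re

# Patterns transcribed from the example file names in Tables 1 and 2.
_VER = r"(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)"
_ENG = r"E(?P<engine>\d+)"
PATTERNS = {
    "signature": r"IPS-sig-S(?P<sig>\d+)-req-E(?P<req_engine>\d+)\.pkg",
    "engine": rf"IPS-engine-{_ENG}-req-{_VER}\.pkg",
    "release": rf"IPS-K9-{_VER}-{_ENG}\.pkg",
    "recovery": rf"IPS-K9-r-(?P<installer>\d+\.\d+)-a-{_VER}-{_ENG}\.pkg",
    "system": rf"IPS-(?P<platform>\w+)-K9-sys-(?P<installer>\d+\.\d+)-a-{_VER}-{_ENG}\.img",
}
_TEXT_FIELDS = ("platform", "installer")


def parse_name(filename):
    """Return the file kind and its fields; raise ValueError for an altered name."""
    for kind, pattern in PATTERNS.items():
        m = re.fullmatch(pattern, filename)
        if m:
            fields = {k: v if k in _TEXT_FIELDS else int(v)
                      for k, v in m.groupdict().items()}
            return {"kind": kind, **fields}
    raise ValueError(f"not a recognised IPS file name: {filename!r}")


def req_satisfied(update, installed_release):
    """Check an update's req designator against the installed release file name."""
    upd, cur = parse_name(update), parse_name(installed_release)
    if cur["kind"] != "release":
        raise ValueError("installed_release must be a service pack or version file")
    if upd["kind"] == "signature":  # req names the required signature engine
        return upd["req_engine"] == cur["engine"]
    if upd["kind"] == "engine":     # req names the required service pack
        return all(upd[k] == cur[k] for k in ("major", "minor", "sp"))
    raise ValueError(f"{upd['kind']} files carry no req designator")


if __name__ == "__main__":
    for name in ("IPS-sig-S700-req-E1.pkg", "IPS-engine-E1-req-6.1-3.pkg"):
        print(name, req_satisfied(name, "IPS-K9-6.0-4-E1.pkg"))
```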
Table 3 describes the platform identifiers used in platform-specific names.
Note
IDS-4235 and IDS-4250 do not use platform-specific image files.
Upgrading to 6.0(4)
This section describes how to upgrade your sensor to IPS 6.0(4), and contains the following topics:
•
Upgrading the Sensor With the 6.0(4) Service Pack
SNMP Error Messages
You receive SNMP error messages if you do not have the read-only-community and read-write-community parameters configured before upgrading to IPS 6.0(4). If you are using SNMP set and/or get features, you must configure the read-only-community and read-write-community parameters before upgrading to IPS 6.0(4). In IPS 5.x, the read-only-community was set to public by default, and the read-write-community was set to private by default. In IPS 6.0(4) these two options do not have default values. If you were not using SNMP gets and sets with IPS 5.x (for example, enable-set-get was set to false), there is no problem upgrading to IPS 6.0(4). If you were using SNMP gets and sets with IPS 5.x (for example, enable-set-get was set to true), you must configure the read-only-community and read-write-community parameters to specific values or the IPS 6.0(4) upgrade fails. You receive the following error message:
Error: execUpgradeSoftware : Notification Application "enable-set-get" value set to true, but "read-only-community" and/or "read-write-community" are set to null. Upgrade may not continue with null values in these fields.
For more information on configuring SNMP in the CLI, refer to Configuring SNMP. For more information on configuring SNMP in IDM, refer to Configuring SNMP.
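The SNMP condition described above can be checked against a saved 5.x configuration before the upgrade is attempted. This is an added example, not Cisco code: the section layout of the saved configuration text, the sample itself, and the function names are assumptions. It also flags community strings left at the 5.x defaults named above.

```python
import re

KEYS = ("enable-set-get", "read-only-community", "read-write-community")
V5_DEFAULTS = {"read-only-community": "public", "read-write-community": "private"}

# Constructed sample of a saved 5.x configuration (layout is an assumption).
SAMPLE_5X = """\
service notification
enable-set-get true
read-only-community public
exit
service web-server
port 443
exit
"""


def notification_settings(config_text):
    """Collect the three SNMP parameters from the 'service notification' section."""
    settings, in_section = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("service "):
            in_section = line == "service notification"
            continue
        m = re.fullmatch(r"(\S+)\s+(\S+)", line)
        if in_section and m and m.group(1) in KEYS:
            settings[m.group(1)] = m.group(2)
    return settings


def snmp_upgrade_findings(config_text):
    """Return (severity, message) pairs; a 'blocker' makes the 6.0(4) upgrade fail."""
    s = notification_settings(config_text)
    # Assumption: an absent enable-set-get line means false.
    if s.get("enable-set-get", "false") != "true":
        return []  # SNMP gets and sets unused: the upgrade is not affected
    findings = []
    for key, default in V5_DEFAULTS.items():
        if key not in s:
            findings.append(("blocker", f"{key} has no explicit value"))
        elif s[key] == default:
            findings.append(("warning", f"{key} is the 5.x default '{default}'"))
    return findings
```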
Caution
IPS 6.0(4) denies high risk events by default. This is a change from 5.x. To change the default, edit the event action override for the deny packet inline action and configure it to be disabled. For more information on configuring event action overrides in the CLI, refer to Adding, Editing, Enabling, and Disabling Event Action Overrides. For more information on configuring event action overrides in IDM, refer to Adding, Editing, Deleting, Enabling, and Disabling Event Action Overrides.
Upgrading the Sensor With the 6.0(4) Service Pack
Caution
You must have a valid Cisco Service for IPS Maintenance contract per sensor to receive and use software upgrades from Cisco.com. For more information, see Service Programs for IPS Products.
To upgrade the sensor with the 6.0(4) service pack, follow these steps:
Step 1
Download the service pack update file (IPS-K9-6.0-4-E1.pkg) to an FTP, SCP, HTTP, or HTTPS server that is accessible from your sensor.
For the procedure for locating software on Cisco.com, see Obtaining Software on Cisco.com.
Note
You must log in to Cisco.com using an account with cryptographic privileges to download the file. Do not change the filename. You must preserve the original filename for the sensor to accept the update. For the procedure for obtaining an account with cryptographic privilege, see Applying for a Cisco.com Account with Cryptographic Access.
Step 2
Log in to the CLI using an account with administrator privileges.
Step 3
Determine the sensor version:
sensor# show version
Note
To install IPS 6.0(4), the sensor must be at 5.0(1) or later. You must upgrade 4.x and earlier sensors to 5.1(1) before applying the 6.0(4) service pack.
Step 4
Enter configuration mode:
sensor# configure terminal
Step 5
Upgrade the sensor:
sensor(config)# upgrade scp://tester@10.1.1.1//upgrade/IPS-K9-6.0-4-E1.pkg
Step 6
Enter the password when prompted:
Enter password: ********
Step 7
Enter yes to complete the upgrade.
Note
The sensor reboots after installing the service pack.
Note
5.1(3) and earlier sensors may display an error message that the upgrade file is not a recognized type. You can ignore this error and continue with the upgrade.
Step 8
Verify your new sensor version:
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(4)E.1
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S291.0 2007-06-18
Virus Update V1.2 2005-11-24
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-20
Serial Number: P300000220
No license present
Sensor up-time is 13 days.
Using 1039052800 out of 2093682688 bytes of available memory (49% usage)
system is using 17.8M out of 29.0M bytes of available disk space (61% usage)
application-data is using 49.9M out of 166.6M bytes of available disk space (32% usage)
boot is using 37.8M out of 68.5M bytes of available disk space (58% usage)
MainApp N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Running
AnalysisEngine N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Running
CLI N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500
Upgrade History:
IPS-K9-6.0-4-E.1 15:31:13 UTC Mon Sep 10 2007
Recovery Partition Version 1.1 - 6.0(4)E.1
sensor#
Note
For 5.x, you receive a message saying the upgrade is of unknown type. You can ignore this message.
Note
The operating system is reimaged and all files that have been placed on the sensor through the service account are removed.
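The Step 8 verification can be scripted over captured show version output. This is an added example, not Cisco code: the sample text is abridged from the Step 8 output above, the function names are assumptions, and reading the printed E.1 as the file name's E1 is an assumption drawn from that output.

```python
import re

# Abridged from the Step 8 output on this page.
SHOW_VERSION = """\
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(4)E.1
Platform: ASA-SSM-20
Upgrade History:
IPS-K9-6.0-4-E.1 15:31:13 UTC Mon Sep 10 2007
Recovery Partition Version 1.1 - 6.0(4)E.1
"""


def expected_version(pkg_name):
    """Map a service pack file name such as IPS-K9-6.0-4-E1.pkg to '6.0(4)E1'."""
    m = re.fullmatch(r"IPS-K9-(\d+\.\d+)-(\d+)-E(\d+)\.pkg", pkg_name)
    if not m:
        raise ValueError(f"not a service pack file name: {pkg_name!r}")
    return f"{m.group(1)}({m.group(2)})E{m.group(3)}"


def _norm(text):
    # The output prints the engine level as "E.1"; file names use "E1".
    return text.replace("E.", "E")


def verify_upgrade(show_version_text, pkg_name):
    """Return the names of the checks that failed; an empty list confirms the upgrade."""
    want = expected_version(pkg_name)
    checks = {
        "application version": r"Intrusion Prevention System, Version (\S+)",
        "recovery partition": r"Recovery Partition Version \S+ - (\S+)",
    }
    failed = []
    for name, pattern in checks.items():
        m = re.search(pattern, show_version_text)
        if not m or _norm(m.group(1)) != want:
            failed.append(name)
    # The package must appear as an entry after the "Upgrade History:" heading.
    _, _, history = show_version_text.partition("Upgrade History:")
    if pkg_name[: -len(".pkg")] not in _norm(history).split():
        failed.append("upgrade history")
    return failed
```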
After Upgrading to Cisco IPS 6.0(4)
This section provides information about what to do after you install IPS 6.0(4). It contains the following topics:
Comparing Configurations
Compare your backed up and saved 5.1 configuration with the output of the show configuration command after upgrading to 6.0(4) to verify that all the configuration has been properly converted.
Caution
If the configuration is not properly converted, see Caveats, or check Cisco.com for any upgrade issues that have been found. Contact the TAC if no DDTS refers to your situation.
SSL Certificate
If necessary, import the new SSL certificate for the upgraded sensor into each tool being used to monitor the sensor.
For the CLI procedure, refer to Configuring TLS. For the IDM procedure, refer to Configuring Certificates.
Logging In to IDM
IDM is a web-based, Java Start application that enables you to configure and manage your sensor. The web server for IDM resides on the sensor. You can access it through Internet Explorer or Firefox web browsers.






