Cisco Systems, Inc.
Cisco Intrusion Prevention System
IPS 7.0(5a)E4 SERVICE PACK
May 24, 2011

Copyright (C) 2011 Cisco Systems, Inc. All rights reserved.
Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered
trademarks of Cisco Systems, Inc. in the U.S. and certain other
countries. All other trademarks mentioned in this document are the
property of their registered owners.

========================================================================
Table Of Contents
========================================================================

SERVICE PACK NOTE

7.0(5a)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS
 - MINIMUM REQUIREMENTS
 - FILE LIST
 - SUPPORTED PLATFORMS
 - INSTALLATION USING THE CLI
 - INSTALLATION CAVEATS
 - RESOLVED ISSUES
 - NEW FEATURES
 - RESTRICTIONS
 - CSM UPDATE INSTRUCTIONS
 - CSM, AIM IPS, and NME IPS UPDATE INSTRUCTIONS

========================================================================
SERVICE PACK NOTE
========================================================================

This SERVICE PACK addresses the issues described in the RESOLVED ISSUES
section of this document and addresses a problem with the signature
level shipped with 7.0(5). This service pack is being used as a release
vehicle to repair critical sensor failures.

This service pack contains the S549 signature level, but preserves any
more recent signature level already installed on your sensor.

========================================================================
7.0(5a)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS
========================================================================

NOTE: You must have a valid maintenance contract per sensor to receive
and use software upgrades, including signature updates, from Cisco.com.

MINIMUM REQUIREMENTS

To install the IPS-K9-7.0-5a-E4.pkg, IPS-NME-K9-7.0-5a-E4.pkg, or
IPS-AIM-K9-7.0-5a-E4.pkg service pack upgrade file, the sensor must be
running IPS version 5.1(6)E3 or later. This upgrade may not be applied
to sensors currently running version 7.0(5).

NOTE: The IPS-AIM-K9-7.0-5a-E4.pkg upgrade file can only be used to
upgrade AIM IPS sensors.
The IPS-NME-K9-7.0-5a-E4.pkg upgrade file can only be used to upgrade
NME IPS sensors. For all other supported sensors, use the
IPS-K9-7.0-5a-E4.pkg upgrade file.

To see what version the sensor is currently running, log in to the CLI
and execute the 'show version' command.

For detailed instructions on installing the service pack upgrade file,
refer to "Upgrading, Downgrading, and Installing System Images" in
Configuring the Cisco Intrusion Prevention System Sensor Using the
Command Line Interface 7.0, available at this URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html

FILE LIST

The following files are included as part of this release:

Readme
 - IPS-7_0-5a-E4_readme.txt

Service Pack Upgrade Files
 - IPS-AIM-K9-7.0-5a-E4.pkg
 - IPS-K9-7.0-5a-E4.pkg
 - IPS-NME-K9-7.0-5a-E4.pkg

7.0(5a) System Image Files
 - IPS-4240-K9-sys-1.1-a-7.0-5a-E4.img
 - IPS-4255-K9-sys-1.1-a-7.0-5a-E4.img
 - IPS-4260-K9-sys-1.1-a-7.0-5a-E4.img
 - IPS-4270_20-K9-sys-1.1-a-7.0-5a-E4.img
 - IPS-IDSM2-K9-sys-1.1-a-7.0-5a-E4.bin.gz
 - IPS-SSM_10-K9-sys-1.1-a-7.0-5a-E4.img
 - IPS-SSM_20-K9-sys-1.1-a-7.0-5a-E4.img
 - IPS-SSM_40-K9-sys-1.1-a-7.0-5a-E4.img
 - IPS-AIM-K9-sys-1.1-a-7.0-5a-E4.img
 - IPS-NME-K9-sys-1.1-a-7.0-5a-E4.img

7.0(5a) Recovery Image Files
 - IPS-K9-r-1.1-a-7.0-5a-E4.pkg
 - IPS-AIM-K9-r-1.1-a-7.0-5a-E4.pkg
 - IPS-NME-K9-r-1.1-a-7.0-5a-E4.pkg

CSM Package Service Pack Upgrade Files
 - IPS-CS-MGR-AIM-K9-7.0-5a-E4.zip
 - IPS-CS-MGR-K9-7.0-5a-E4.zip
 - IPS-CS-MGR-NME-K9-7.0-5a-E4.zip

SUPPORTED PLATFORMS

The following IPS/IDS platforms are supported:
 - IPS 4240 Series Appliance Sensor
 - IPS 4255 Series Appliance Sensor
 - IPS 4260 Series Appliance Sensor
 - IPS 4270 Series Appliance Sensor
 - IDSM2 for Catalyst 6500
 - AIP SSM-10 for ASA 5500
 - AIP SSM-20 for ASA 5500
 - AIP SSM-40 for ASA 5500
 - AIM IPS for ISR Router
 - NME IPS for ISR Router

The following platforms are no longer supported:
 - IDS-4210 Series Appliance Sensor
 - IDS-4215 Series Appliance Sensor
 - IDS-4235 Series Appliance Sensor
 - IDS-4250 Series Appliance Sensor
 - NM-CIDS for Cisco 26xx, 3660, and 37xx Router Families

The following platform is not yet supported in Cisco IPS 7.0:
 - AIP SSC-5 for ASA 5500 series adaptive security appliances

NOTE: The AIP SSC-5 is currently only supported in Cisco IPS 6.2.

INSTALLATION USING THE CLI

NOTE: You must be logged on to Cisco.com using an account with
cryptographic privileges to access the download site, and you must have
a SMARTnet maintenance contract number to request software upgrades
from Cisco.com.

NOTE: This service pack requires an automatic reboot of the sensor to
apply the changes. Inline network traffic will be disrupted during the
reboot.

To install the 7.0(5a)E4 service pack using the CLI, follow these steps:

1. Download the file IPS-K9-7.0-5a-E4.pkg to a local server. AIM IPS
   requires the platform-specific package IPS-AIM-K9-7.0-5a-E4.pkg, and
   NME IPS requires the platform-specific package
   IPS-NME-K9-7.0-5a-E4.pkg.

2. Log in to the CLI using an account with administrator privileges.

3. Type the following command to enter configuration mode:

   configure terminal

4. Type the following command to upgrade the sensor:

   sensor(config)# upgrade [URL]/IPS-K9-7.0-5a-E4.pkg

   where [URL] is a uniform resource locator pointing to where the
   package is located. For example, to retrieve the update via FTP,
   type the following, substituting your FTP user name, the server
   address, and the absolute directory holding the package:

   sensor(config)# upgrade ftp://<username>@<server>//<directory>/IPS-K9-7.0-5a-E4.pkg

   The available transport methods are SCP, FTP, HTTP, or HTTPS. SCP
   and HTTPS protect the password and the package in transit; FTP and
   HTTP send both in the clear.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

7. The sensor reboots to finish applying the changes.

To determine whether the 7.0(5a)E4 service pack has been successfully
installed on a sensor, log in to the CLI and type 'show version' at the
command prompt. The sensor will report the version as 7.0(5a)E4, and
the Upgrade History should include IPS-K9-7.0-5a-E4.pkg (or, on AIM IPS
and NME IPS, the platform-specific package name).
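The two 'show version' checks described above, before the upgrade (MINIMUM REQUIREMENTS) and after the reboot (version string plus Upgrade History), as an added Python example. This is not part of the readme or of Cisco's software: the field labels it matches ("Cisco Intrusion Prevention System, Version ...", "Signature Update S...", "Upgrade History:") follow the 7.0 CLI output, but the sample text is constructed rather than captured from a sensor, and the function and class names are this example's own.

```python
"""Pre- and post-upgrade checks for the 7.0(5a)E4 service pack, driven by
'show version' text pasted from the sensor CLI."""
import re
from dataclasses import dataclass
from typing import List, Tuple

TARGET = "7.0(5a)E4"
MINIMUM = "5.1(6)E3"
# Package names from the FILE LIST; Upgrade History should show one of them.
PACKAGE_NAMES = {"IPS-K9-7.0-5a-E4.pkg", "IPS-AIM-K9-7.0-5a-E4.pkg",
                 "IPS-NME-K9-7.0-5a-E4.pkg"}

@dataclass(frozen=True, order=True)
class IpsVersion:
    """7.0(5a)E4 -> major 7, minor 0, maint 5, rebuild 'a', engine 4. Field
    order gives a chronological comparison; '' < 'a', so 7.0(5)E4 < 7.0(5a)E4."""
    major: int
    minor: int
    maint: int
    rebuild: str
    engine: int

    @classmethod
    def parse(cls, text: str) -> "IpsVersion":
        m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)([a-z]?)\)E(\d+)", text.strip())
        if not m:
            raise ValueError(f"not a Cisco IPS version string: {text!r}")
        major, minor, maint, rebuild, engine = m.groups()
        return cls(int(major), int(minor), int(maint), rebuild, int(engine))

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}({self.maint}{self.rebuild})E{self.engine}"

@dataclass
class ShowVersion:
    version: IpsVersion
    signature_level: int        # S-level as an integer, e.g. 557
    upgrade_history: List[str]  # package file names, oldest first

def parse_show_version(output: str) -> ShowVersion:
    """Read version, signature level and Upgrade History package names. Labels
    follow the 7.0 CLI; the history block is the indented lines under
    'Upgrade History:' up to the next top-level label."""
    ver = re.search(r"Cisco Intrusion Prevention System, Version (\S+)", output)
    sig = re.search(r"Signature Update\s+S(\d+)", output)
    if not ver or not sig:
        raise ValueError("version or signature level not found in output")
    history: List[str] = []
    in_block = False
    for line in output.splitlines():
        if line.strip().startswith("Upgrade History"):
            in_block = True
            continue
        if in_block and line.strip():
            if not line[0].isspace():
                break                        # next top-level section ends the block
            history.append(line.split()[0])  # first token is the package file name
    return ShowVersion(IpsVersion.parse(ver.group(1)), int(sig.group(1)), history)

def preflight(output: str) -> Tuple[bool, str]:
    """MINIMUM REQUIREMENTS: at least 5.1(6)E3, not 7.0(5), not already done."""
    info = parse_show_version(output)
    v = info.version
    if v == IpsVersion.parse(TARGET):
        return False, f"already running {TARGET}"
    if v < IpsVersion.parse(MINIMUM):
        return False, f"{v} is below the minimum {MINIMUM}"
    if (v.major, v.minor, v.maint, v.rebuild) == (7, 0, 5, ""):
        return False, "7.0(5) sensors cannot take this service pack"
    return True, f"{v} at S{info.signature_level} may be upgraded"

def verify_installed(output: str) -> Tuple[bool, str]:
    """Post-reboot check: version is 7.0(5a)E4 and Upgrade History names a package."""
    info = parse_show_version(output)
    if str(info.version) != TARGET:
        return False, f"sensor reports {info.version}, expected {TARGET}"
    applied = PACKAGE_NAMES & set(info.upgrade_history)
    if not applied:
        return False, "no 7.0(5a)E4 package in Upgrade History"
    return True, f"{TARGET} installed via {sorted(applied)[0]}"

def sample_show_version(version: str, sig: str, history: List[str]) -> str:
    """Constructed 'show version' text with only the fields the checks read;
    layout modelled on the 7.0 CLI, not captured from a real sensor."""
    lines = ["Application Partition:", "",
             f"Cisco Intrusion Prevention System, Version {version}", "",
             "Signature Definition:", f"    Signature Update    {sig}   2011-01-01",
             "Platform:               IPS-4240-K9", "", "Upgrade History:", ""]
    lines += [f"  {pkg}   00:00:00 UTC Tue May 24 2011" for pkg in history]
    lines += ["", f"Recovery Partition Version 1.1 - {version}"]
    return "\n".join(lines) + "\n"

BEFORE = sample_show_version("7.0(4)E4", "S557.0", ["IPS-K9-7.0-4-E4.pkg"])
AFTER = sample_show_version("7.0(5a)E4", "S549.0",
                            ["IPS-K9-7.0-4-E4.pkg", "IPS-K9-7.0-5a-E4.pkg"])

if __name__ == "__main__":
    print(preflight(BEFORE), verify_installed(AFTER))
```

Paste the real 'show version' text into preflight() before step 4 and into verify_installed() after the reboot in step 7; a False result carries the reason. On AIM IPS or NME IPS the history check matches the platform-specific package name instead.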
INSTALLATION CAVEATS

The 7.0(5a)E4 service pack cannot be uninstalled. To go back, you must
re-image the sensor using a system image file, which causes all
configuration settings to be lost.

The install behavior of this service pack is that all executables,
libraries, and so forth are replaced, but user configuration is
preserved. The reason for this change in upgrade behavior is that this
service pack contains changes to libraries and drivers.

RESOLVED ISSUES

The following known issues have been resolved in the 7.0(5a)E4 service
pack release. Release notes can be viewed in Bug Navigator at the
following URL:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier   Headline
----------   -------------------------------------------------------------
CSCsz20563   SMB Advanced STL vector out of range error message
CSCsz39460   Improve error messages for global correlation DNS failure
CSCtb62757   Fix RADIUS AAA handling of SSH keys
CSCtc83085   Create Log Zone for Control Transactions
CSCtd34035   IDS: sensorApp (AnalysisEngine) NotRunning, crashed on AIM-IPS / NME-IPS
CSCtd34213   Sensor "show tech-support" should include textual configuration
CSCte19210   sensorApp seg Fault on AIM due to bencode fault
CSCtf00039   ASA:SSM cplane/E CP Message Header Content errors in SSM show tech.
CSCtf15367   IDS: Global Correlation health metric shows unrealistically-high value
CSCtf42699   IPS: Enabling NTP bypasses access control lists
CSCtf46297   IPS: crash in CollaborationApp Rb_tree_increment
CSCtg09264   Context buffer does not correctly handle < 256 bytes in the stream
CSCti33651   coreSigHandler should not call functions that malloc
CSCti43137   IPS AAA PAM module sends incorrect NAS IP in radius packet
CSCti49271   inline IPS4270 stops traffic after reset in redundant environment
CSCti64172   IDS 7.x pkg storage space errors during upgrade
CSCti86165   Service HTTP URI Processing Abnormality
CSCti99266   IPS: The AIM module is timing out packets when under load.
CSCtj04994   IDS: service aaa creates local user accounts with invalid characters
CSCtj25806   rbcpd stops running on NME/AIM
CSCtj25898   memory leak in a time stamp loop in case platform validation fails
CSCtj67834   inline-mode asym on promiscuous int prevents TCP stream reassembly
CSCtj85152   dlmallinfo (getMemoryCap) is not thread safe
CSCtk55233   improve GRE frag/tunnel workaround
CSCtl45521   IME connection to IPS going down due to CT control transaction issue
CSCtn23051   sequential allocator miscalculates space and causes memory corruption failed
CSCto32025   IPv6: Incorrect decoding of packets containing an ESP header
CSCto53262   collaborationApp core when generating client manifest
CSCto62559   RADIUS sends an empty calling-station-id for HTTP/HTTPS authentication
CSCtq49828   Upgrade to 7.0(5) may fail if signature 23899.0 has been modified

This service pack replaces S558, distributed with 7.0(5), with S549 in
order to fix the signature update problems experienced with S558.
Customers should revert signature 23899.0 to its default settings and
update to S567 after applying this service pack.

Important Note

Signature update S550 introduced a bad value for one of the signature
23899.0 parameters, in addition to retiring and disabling the signature.
This bad parameter was included in signature updates S550 through S553,
S555 through S559, and in 7.0(5). Because this signature was retired and
disabled, the bad parameter does not affect the functionality of the
sensor. Updating to S567 will resolve the problem. Signature 23899.0 has
been retired, disabled, and obsoleted.

After installing S567, verify that the sensor is seeing traffic by
viewing the virtual sensor statistics.

There is one condition under which the sensor requires a reboot after
the update is applied: if you modified 23899.0 prior to upgrading to
S550, and upgraded to 7.0(5) while at signature update level S557 or
lower, you must reset the sensor after installing S567.
If you installed one of the affected updates listed above and then
modified 23899.0, you must restore 23899.0 to its default settings
before updating to S567. If you attempt to install S567 before resetting
23899.0 to its defaults, the update will fail. If you are using CSM, you
must revert the update on the sensor where the update failed, then reset
23899.0 to its defaults, and then you can install S567.

NEW FEATURES

Version 7.0(5a) is primarily focused on reliability and serviceability.

This release includes a serviceability enhancement that provides
zone-based control over the logging of control transaction related
messages to the debug log. Prior to version 7.0(5a), control transaction
messages could consume a significant portion of the debug log and were
often responsible for overwriting other significant log messages. This
feature allows users to selectively disable the logging of control
transaction messages when debug logging is enabled.

Zone-based control for logging control transactions is enabled from the
CLI's "service logger" command mode:

 - From within "service logger" mode, enter the "master-control" mode
   and set "individual-zone-control" to true. This enables zone-based
   debug logging.
 - By default, logging for the control transaction zone is disabled.
   Individual logging zones can be enabled or disabled with the
   "zone-control" command from within "service logger" mode.

For more information, see the "service" command in the Cisco Intrusion
Prevention System Command Reference 7.0 at the URL:

http://www.cisco.com/en/US/docs/security/ips/7.0/command/reference/cmdref.html

CSM UPDATE INSTRUCTIONS

To apply the 7.0(5a)E4 service pack to sensor(s) using CSM 3.x or 4.x,
follow these steps:

1. Download the service pack ZIP file, IPS-CS-MGR-K9-7.0-5a-E4.zip, to
   the /MDC/ips/updates directory.

2. Launch the IPS Update Wizard from Tools-->Apply IPS Update. Select
   Sensor Updates from the drop-down menu, and select the
   IPS-CS-MGR-K9-7.0-5a-E4.zip file.

3. Click Next to go to the next screen.

4. Select the device(s) to which to apply the service pack, then click
   Finish.

5. Create a deployment job and deploy to the sensor(s) using Deployment
   Manager. Deployment Manager can be launched from Tools-->Deployment
   Manager. Click Deploy in the popup and follow the instructions.

CSM, AIM IPS, and NME IPS UPDATE INSTRUCTIONS

AIM IPS and NME IPS require the following platform-specific packages
(listed under CSM Package Service Pack Upgrade Files in the FILE LIST):
IPS-CS-MGR-AIM-K9-7.0-5a-E4.zip for AIM IPS and
IPS-CS-MGR-NME-K9-7.0-5a-E4.zip for NME IPS.

To update AIM IPS and NME IPS from CSM, select IPS-CS-MGR-K9-7.0-5a-E4.zip
in the Update File list box and click Next. The AIM IPS and NME IPS
platform-specific upgrade packages do not appear in the list; however,
CSM automatically applies the correct platform package to them.

=========================================================================
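Returning to the signature 23899.0 guidance under RESOLVED ISSUES: its conditions (which signature levels carry the bad parameter, when 23899.0 must be restored to defaults first, when CSM must revert a failed push first, and when a reset is required after S567) are spread over several sentences. The following Python helper, added here as an example and not part of this readme or of Cisco's software, encodes them as an ordered plan for one sensor. The SensorState fields, the step wording and the function names are this example's own; it deliberately issues no sensor or CSM commands, because the readme does not give the command for restoring a signature to its defaults.

```python
"""Decision helper for the signature 23899.0 / S567 note that accompanies
7.0(5a)E4. Encodes the stated conditions; it runs no commands itself."""
from dataclasses import dataclass
from typing import List, Optional

# Levels carrying the bad 23899.0 parameter: S550-S553 and S555-S559 (S554 is
# not listed). 7.0(5) shipped S558, so a stock 7.0(5) sensor is affected;
# 7.0(5a) ships S549, which predates the bad value.
AFFECTED_LEVELS = frozenset(range(550, 554)) | frozenset(range(555, 560))
RESOLVED_LEVEL = 567           # S567 removes the bad parameter
REBOOT_THRESHOLD_LEVEL = 557   # reset rule: 7.0(5) applied at S557 or lower

def parse_level(level: str) -> int:
    """'S558' or 'S558.0' (as shown by 'show version') -> 558."""
    if not level.upper().startswith("S"):
        raise ValueError(f"not a signature level: {level!r}")
    return int(level[1:].split(".")[0])

def level_is_affected(level: int) -> bool:
    return level in AFFECTED_LEVELS

@dataclass
class SensorState:
    """What the operator knows about one sensor (field names are this example's)."""
    signature_level: int                      # S-level installed now, e.g. 549
    sig_23899_modified: bool                  # 23899.0 currently differs from defaults
    modified_before_s550: bool                # 23899.0 was tuned before reaching S550
    level_when_7_0_5_applied: Optional[int]   # S-level when 7.0(5) went on; None if never
    csm_s567_failed: bool = False             # an S567 push from CSM already failed here

def needs_reset_after_s567(state: SensorState) -> bool:
    """Reset rule: 23899.0 modified before S550 AND 7.0(5) applied at S557 or lower."""
    return (state.modified_before_s550
            and state.level_when_7_0_5_applied is not None
            and state.level_when_7_0_5_applied <= REBOOT_THRESHOLD_LEVEL)

def plan_s567_update(state: SensorState) -> List[str]:
    """Ordered steps for this sensor; empty when it is already at S567 with
    23899.0 at defaults."""
    steps: List[str] = []
    if state.csm_s567_failed:
        # With CSM, the failed update must be reverted on the sensor before
        # 23899.0 can be reset and S567 retried.
        steps.append("revert the failed S567 update on this sensor in CSM")
    if state.sig_23899_modified:
        # S567 fails while 23899.0 is not at defaults, whether the tuning
        # predates S550 or was done on an affected level.
        steps.append("restore signature 23899.0 to its default settings")
    if state.signature_level < RESOLVED_LEVEL:
        steps.append("install signature update S567")
        if needs_reset_after_s567(state):
            steps.append("reset the sensor after S567 is installed")
        steps.append("verify the sensor is seeing traffic in the virtual sensor statistics")
    return steps

if __name__ == "__main__":
    fresh = SensorState(549, sig_23899_modified=False, modified_before_s550=False,
                        level_when_7_0_5_applied=None)
    for step in plan_s567_update(fresh):
        print("-", step)
```

The sensor's current level for signature_level comes from the "Signature Update" line of 'show version'; whether 23899.0 is at its defaults and the level at the time of the 7.0(5) upgrade are facts the operator supplies.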