Cisco Systems, Inc.
Cisco Intrusion Prevention System
IPS E4 Engine Update
March 29, 2010

Copyright (C) 2010 Cisco Systems, Inc. All rights reserved. Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

======================================================================
Table Of Contents
======================================================================

REVISION HISTORY
IPS E4 ENGINE UPDATE DETAILS
 - FILE LIST
 - SUPPORTED PLATFORMS
 - NEW FEATURES
 - RESOLVED ISSUES
INSTALLATION INSTRUCTIONS
 - ENGINE UPDATE PACKAGE
 - SERVICE PACK VERSION
 - INSTALLATION VIA CLI
 - INSTALLATION VIA CSM
 - INSTALLATION CAVEATS
 - SYSTEM IMAGE & RECOVERY FILE
CISCO IPS DEVICE MANAGER (IDM) - NOTES
CISCO IPS MANAGER EXPRESS (IME) - NOTES
CISCO ADAPTIVE SECURITY DEVICE MANAGER (ASDM) - NOTES

======================================================================
REVISION HISTORY

12/18/09: Initial Version for Beta
03/24/10: Update for DDTS list
03/29/10: Update tested CSM list

======================================================================
IPS E4 ENGINE UPDATE DETAILS

FILE LIST

The following files are included as part of this release:

Readme Files
 - IPS-engine-E4.readme.txt

IPS 6.0-6-E4 Engine Update Files
 - IPS-engine-E4-req-6.0-6.pkg
 - IPS-CS-MGR-engine-E4-req-6.0-6.zip

IPS 6.2-2-E4 Engine Update Files
 - IPS-engine-E4-req-6.2-2.pkg
 - IPS-CS-MGR-engine-E4-req-6.2-2.zip

IPS 7.0-2-E4 Engine Update Files
 - IPS-engine-E4-req-7.0-2.pkg
 - IPS-CS-MGR-engine-E4-req-7.0-2.zip

The following Service Pack and Image files are being reposted with E4:

7.0(2) Service Pack Version Upgrade Files
 - IPS-K9-7.0-2-E4.pkg
 - IPS-AIM-K9-7.0-2-E4.pkg
 - IPS-NME-K9-7.0-2-E4.pkg

7.0(2) System Image Files
 - IPS-4240-K9-sys-1.1-a-7.0-2-E4.img
 - IPS-4255-K9-sys-1.1-a-7.0-2-E4.img
 - IPS-4260-K9-sys-1.1-a-7.0-2-E4.img
 - IPS-4270_20-K9-sys-1.1-a-7.0-2-E4.img
 - IPS-IDSM2-K9-sys-1.1-a-7.0-2-E4.bin.gz
 - IPS-SSM_10-K9-sys-1.1-a-7.0-2-E4.img
 - IPS-SSM_20-K9-sys-1.1-a-7.0-2-E4.img
 - IPS-SSM_40-K9-sys-1.1-a-7.0-2-E4.img
 - IPS-AIM-K9-sys-1.1-a-7.0-1-E3.img
 - IPS-NME-K9-sys-1.1-a-7.0-1-E3.img

7.0(2) Recovery Image Files
 - IPS-K9-r-1.1-a-7.0-2-E4.pkg
 - IPS-AIM-K9-r-1.1-a-7.0-2-E4.pkg
 - IPS-NME-K9-r-1.1-a-7.0-2-E4.pkg

7.0(2) CSM Service Package Files
 - IPS-CS-MGR-AIM-K9-7.0-2-E4.zip
 - IPS-CS-MGR-NME-K9-7.0-2-E4.zip
 - IPS-CS-MGR-K9-7.0-2-E4.zip

6.2(2) Service Pack Version Upgrade Files
 - IPS-K9-6.2-2-E4.pkg
 - IPS-AIM-K9-6.2-2-E4.pkg
 - IPS-NME-K9-6.2-2-E4.pkg
 - IPS-SSC_5-K9-6.2-2-E4.pkg

6.2(2) System Image Files
 - IPS-4240-K9-sys-1.1-a-6.2-2-E4.img
 - IPS-4255-K9-sys-1.1-a-6.2-2-E4.img
 - IPS-4260-K9-sys-1.1-a-6.2-2-E4.img
 - IPS-4270_20-K9-sys-1.1-a-6.2-2-E4.img
 - IPS-IDSM2-K9-sys-1.1-a-6.2-2-E4.bin.gz
 - IPS-SSM_10-K9-sys-1.1-a-6.2-2-E4.img
 - IPS-SSM_20-K9-sys-1.1-a-6.2-2-E4.img
 - IPS-SSM_40-K9-sys-1.1-a-6.2-2-E4.img
 - IPS-AIM-K9-sys-1.1-a-6.2-2-E4.img
 - IPS-NME-K9-sys-1.1-a-6.2-2-E4.img
 - IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img

6.2(2) Recovery Image Files
 - IPS-K9-r-1.1-a-6.2-2-E4.pkg
 - IPS-AIM-K9-r-1.1-a-6.2-2-E4.pkg
 - IPS-NME-K9-r-1.1-a-6.2-2-E4.pkg
 - IPS-SSC_5-K9-r-1.1-a-6.2-2-E4.pkg

6.2(2) CSM Service Package Files
 - IPS-CS-MGR-AIM-K9-6.2-2-E4.zip
 - IPS-CS-MGR-NME-K9-6.2-2-E4.zip
 - IPS-CS-MGR-SSC_5-K9-6.2-2-E4.zip
 - IPS-CS-MGR-K9-6.2-2-E4.zip

6.0(6) Service Pack Version Upgrade Files
 - IPS-K9-6.0-6-E4.pkg
 - IPS-AIM-K9-6.0-6-E4.pkg

6.0(6) System Image Files
 - IPS-4215-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-4240-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-4255-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-4260-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-4270_20-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-AIM-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-SSM_10-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-SSM_20-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-SSM_40-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-NM_CIDS-K9-sys-1.1-a-6.0-6-E4.img
 - IPS-IDSM2-K9-sys-1.1-a-6.0-6-E4.bin.gz

6.0(6) Recovery Image Files
 - IPS-K9-r-1.1-a-6.0-6-E4.pkg
 - IPS-AIM-K9-r-1.1-a-6.0-6-E4.pkg

6.0(6) CSM Service Package Files
 - IPS-CS-MGR-K9-6.0-6-E4.zip
 - IPS-CS-MGR-AIM-K9-6.0-6-E4.zip

SUPPORTED PLATFORMS

The following IPS/IDS platforms are supported in the Cisco IPS E4 Engine Upgrade:

Version | NM-CIDS, | IPS 4240/55, | NME | AIM,      | SSC-5 |
        | IPS-4215 | IPS 4260/70, |     | SSM10/20, |       |
        |          | IDSM2        |     | SSM40     |       |
--------|----------|--------------|-----|-----------|-------|
6.0(6)  |    X     |      X       |     |     X     |       |
6.2(2)  |          |      X       |  X  |     X     |   X   |
7.0(2)  |          |      X       |  X  |     X     |       |
-----------------------------------------------------------

NEW FEATURES

+ The E4 Engine Upgrade includes a Signature Update labeled S480. S480 will not be available for separate download. Refer to the archived Active Update Bulletin for S480 for more details on this signature update release. Active Update Bulletins are available at:
  http://tools.cisco.com/security/center/bulletin.x?i=57

+ The E4 Engine Upgrade provides signature definition support for three new IOS IPS engines: Service-ftp-v2, Service-http-v2, and Service-smtp-v1. Each engine supports a protocol decode engine tuned for IOS IPS. While they are not implemented in the IPS Appliance software, equivalent decode capability already exists in the Appliance IPS. Attempting to use these engines will generate an error message.

+ The E4 Engine Upgrade provides signature definition support for three new IPS Appliance engines: String-ICMP-XL, String-TCP-XL, and String-UDP-XL. These engines are being developed for a future hardware and software release and will provide optimized operation on the new hardware. They are not operational in the E4 Engine Update, but are defined and thus show in the management interfaces. Attempting to use them will generate an error message.

+ The Service DNS engine has been enhanced to provide domain name matching. A new parameter, FQDN, has been added in a "Specify block" to enable this capability.
  FQDN, or Fully Qualified Domain Name, matching uses a case-insensitive substring matching algorithm instead of regular expressions. Since it matches on substrings, care must be exercised in constructing the FQDN parameter. An FQDN parameter of "cisco.com" will match any domain name lookup for machines in the "cisco.com" domain, but it will also match the "sanfrancisco.com" domain. Including the "." as in ".cisco.com" will eliminate the obvious false positive, but keep in mind that the shorter the FQDN string, the higher the likelihood of a false positive.

  A simple signature can be written as a custom signature in the Service DNS engine by setting the protocol to UDP, Specify FQDN to "yes", and then setting the FQDN string to "cisco.com" (drop the quotes for all entries).

  Caveats: The FQDN match is performed on DNS queries for "A records" (DNS Type 1 query) only. DNS responses are not matched, nor are other types of queries, such as MX records.

+ The P2P inspection engine has been enhanced to detect the "Share" P2P software popular in Japan.

+ The META Engine has been enhanced to provide for a "NOT" clause. The NOT clause is a negative clause used to complement the existing positive clause based signatures. That is, the previous signature format was of the form:

      IF (A and B and C) then Alarm;

  alternatively,

      IF (A or B or C) then Alarm

  is also supported, where A, B, and C are meta component signatures. The addition of the negative clause allows for the following logic:

      IF (A and/or B) AND NOT (C and/or D) then Alarm.

  The (C and/or D) is the negative clause and is satisfied if (C and D) [alternatively (C or D)] do not occur before the Meta Reset Interval time expires.

  Caveats: A component of the positive clause must occur before the negative clause(s) in order to establish the Meta tracking state; there is no ability to track the lack of past behavior. The state of the negative clause is evaluated at timer expiry.
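The FQDN matching rules described above, modeled as an added example (this is not Cisco's Service DNS engine code and not part of the original readme): a minimal DNS question parser feeding the case-insensitive substring test, applied only to A-record queries. The message builder, the function names, and the sample names mail.sanfrancisco.com and www.cisco.com are constructed for illustration.

```python
import struct

A_RECORD = 1    # DNS QTYPE for an "A record" (the only type the E4 FQDN match inspects)
MX_RECORD = 15  # used here only to show that MX queries are skipped


def build_dns_message(qname, qtype, is_response=False, txid=0x1234):
    """Build a minimal DNS message with one question (constructed sample input)."""
    flags = 0x0100 | (0x8000 if is_response else 0)  # RD bit, plus QR for responses
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_question(msg):
    """Return (is_query, qname, qtype) for the first question, or None if malformed."""
    if len(msg) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        # A question name is never compressed; a pointer or an overrun is treated as malformed.
        if length & 0xC0 or pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return (flags & 0x8000) == 0, ".".join(labels), qtype


def fqdn_match(msg, fqdn):
    """Model of the E4 FQDN parameter: a case-insensitive substring test that is
    applied only to A-record queries; responses and other query types never match."""
    parsed = parse_dns_question(msg)
    if parsed is None:
        return False
    is_query, qname, qtype = parsed
    if not is_query or qtype != A_RECORD:
        return False
    return fqdn.lower() in qname.lower()


def false_positive_demo():
    """Shows why "cisco.com" also matches sanfrancisco.com while ".cisco.com" does not."""
    query = build_dns_message("mail.sanfrancisco.com", A_RECORD)
    return {"cisco.com": fqdn_match(query, "cisco.com"),
            ".cisco.com": fqdn_match(query, ".cisco.com")}


if __name__ == "__main__":
    print(false_positive_demo())
    print(fqdn_match(build_dns_message("WWW.CISCO.COM", A_RECORD), "cisco.com"))
    print(fqdn_match(build_dns_message("www.cisco.com", MX_RECORD), "cisco.com"))
    print(fqdn_match(build_dns_message("www.cisco.com", A_RECORD, is_response=True), "cisco.com"))
```

The leading "." narrows the match to names inside the domain, which also means a bare lookup for the apex name cisco.com does not contain ".cisco.com" and will not match; choose the FQDN string according to which lookups the signature is meant to alarm on.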
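A small simulation of the positive/NOT clause logic described above, added here as an example; it is not the META engine's code and not part of the original readme. The component ids A, B, C, D, the 30-second reset interval, and the MetaSignature/MetaTracker/run_scenario names are constructed for illustration. It reproduces both caveats: a NOT component seen before any positive component establishes no tracking state, and a signature with a NOT clause is only decided when the Meta Reset Interval expires.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class MetaSignature:
    """Hypothetical model of a META signature with a positive clause and an optional NOT clause."""
    positive: Set[str]                               # component ids, e.g. {"A", "B"}
    positive_all: bool = True                        # True: (A and B); False: (A or B)
    negative: Set[str] = field(default_factory=set)  # empty set: no NOT clause
    negative_all: bool = True                        # True: NOT (C and D); False: NOT (C or D)
    reset_interval: float = 30.0                     # Meta Reset Interval in seconds


def clause_satisfied(required: Set[str], seen: Set[str], need_all: bool) -> bool:
    """AND/OR evaluation of one clause; an empty clause is never satisfied."""
    if not required:
        return False
    return required <= seen if need_all else bool(required & seen)


class MetaTracker:
    """Tracks one META signature instance over a stream of component firings."""

    def __init__(self, sig: MetaSignature):
        self.sig = sig
        self.start: Optional[float] = None  # None: no tracking state established yet
        self.seen_pos: Set[str] = set()
        self.seen_neg: Set[str] = set()
        self.alarms: List[float] = []

    def _reset(self) -> None:
        self.start, self.seen_pos, self.seen_neg = None, set(), set()

    def tick(self, now: float) -> None:
        """Advance the clock; the NOT clause is decided only when the interval expires."""
        if self.start is None or now < self.start + self.sig.reset_interval:
            return
        pos_ok = clause_satisfied(self.sig.positive, self.seen_pos, self.sig.positive_all)
        neg_hit = clause_satisfied(self.sig.negative, self.seen_neg, self.sig.negative_all)
        if pos_ok and not neg_hit:  # NOT clause satisfied = its components did not occur
            self.alarms.append(self.start + self.sig.reset_interval)
        self._reset()

    def observe(self, component: str, now: float) -> None:
        self.tick(now)
        if self.start is None:
            if component not in self.sig.positive:
                return  # NOT component before any positive component: nothing to track
            self.start = now
        if component in self.sig.positive:
            self.seen_pos.add(component)
        if component in self.sig.negative:
            self.seen_neg.add(component)
        # Without a NOT clause the signature alarms as soon as the positive clause completes.
        if not self.sig.negative and clause_satisfied(
                self.sig.positive, self.seen_pos, self.sig.positive_all):
            self.alarms.append(now)
            self._reset()


def run_scenario(sig: MetaSignature, events: List[Tuple[str, float]]) -> List[float]:
    """Replay (component, time) events, let the timer expire, and return alarm times."""
    tracker = MetaTracker(sig)
    for component, t in events:
        tracker.observe(component, t)
    last = events[-1][1] if events else 0.0
    tracker.tick(last + sig.reset_interval)
    return tracker.alarms


if __name__ == "__main__":
    sig = MetaSignature(positive={"A", "B"}, negative={"C"})   # IF (A and B) AND NOT (C)
    print(run_scenario(sig, [("A", 0.0), ("B", 1.0)]))              # C never fires: alarm at expiry
    print(run_scenario(sig, [("A", 0.0), ("C", 5.0), ("B", 6.0)]))  # C fires in the window: no alarm
    print(run_scenario(sig, [("C", 0.0), ("A", 1.0), ("B", 2.0)]))  # C before A is not tracked: alarm
```

The third scenario is the one to keep in mind when tuning: a NOT clause suppresses the alarm only for components that fire after the positive clause has started tracking, and the alarm for a NOT signature is delayed by the full reset interval.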
+ E4 implements a method to control the loading of signatures based on the memory model of the sensor. E4 introduces two additional settings, low-mem-retired and medium-mem-retired, for the signature's "Retired" parameter. These two additional settings allow for selective signature enabling. The action of the settings for "Retired" is now:

      True:               retired on all platforms.
      medium-mem-retired: signature is retired on all medium and low memory platforms.
      low-mem-retired:    signature is retired on low memory platforms.
      False:              signature is not retired on any platform.

  Each sensor type has a maximum usable memory (this is not the same as the reported physical memory) and, based on this amount, is classified as a Low Memory Device, Medium Memory Device, or High Memory Device. The devices currently categorized as low memory devices are: IPS-4215, SSC-5, AIM, NME, SSM10, SSM20, and SSM40. The devices currently classified as medium memory devices are: IDSM2, IPS-4240, IPS-4255, IPS-4260, and IPS-4270.

+ A new version of IDM is deployed with the E4 Engine Update. Please see the IDM notes at the bottom of this document.
RESOLVED ISSUES

The following issues have been resolved in the E4 Engine Update:

Identifier   Headline
CSCse94001   ENGINE: improve telnet option parsing as anti-evasion measure
CSCsg20728   Actions do not appear in alerts when modify-packet-inline is configured
CSCsm37654   Signature 1220.0 does not alarm
CSCso66999   Automatic Ack limiter
CSCsq92185   E2 engine upgrade causes sensor to hang
CSCsr95290   Caret support for regex in atomic-ip
CSCsu86596   Fixed UDP Engine does not properly handle start of packet ("^") in regex
CSCsv07624   Engine service pack installs on a sensor of equal maj.min(sp) level
CSCsv22395   SMB-Advanced should have a generic handler for unrecognized smb commands
CSCsv98672   AIC Enforce Content Types false positive
CSCsw20463   11005.2 tcp kazaa signature doesn't fire in servicep2p
CSCsw67575   SMBAdvanced slowdown on file copy
CSCsw70331   Implement the IOS Lightweight Engines typedef
CSCsw86555   5582 false positive
CSCsx20458   Sig 1300.0 firing incorrectly
CSCsy30036   Inspect HTTP traffic on all ports
CSCsy30176   Meta engine enhancements for E4
CSCsy74853   Engine Flood.Host Source Ports Bug
CSCsy96323   Alarm Context data is not complete in E3
CSCsz01229   Multistring Engine False Negative
CSCsz15601   Create engine-p2p signatures for Share P2P Application
CSCsz34935   Signature 1302.0 does not fire
CSCsz65453   Add regex table split support to HTTP engine
CSCsz95342   Sensors may track the direction tcp streams improperly
CSCta12368   1330.12 and 1330.18 false positives with high volume traffic
CSCta38577   SensorApp stops responding when adding a String signature
CSCta49978   String HTTP does not calculate context buffer offset correctly for Args
CSCtc18038   SensorApp mismanages buffers when TX queue full
CSCtc43996   Engine P2P may not properly check boundaries
CSCtc61972   Ares P2P signature does not fire
CSCtd92090   idsm2 misfiring 1330 17,19,23
CSCtf31408   Engine Update installer can leave sensor in incomplete state
CSCtf40209   Signature Obsoletes from "backport" engines are being processed
CSCtf47008   sensorApp signatureDB corruption when processing same Src/Dst packets

======================================================================
========================== INSTALLATION ==============================

NOTE: Directions are given for installing the reposted Service Pack and System Images for the 6.2(2) software line, but are equally applicable to the 6.0(6) and 7.0(2) software as well.

ENGINE UPDATE PACKAGE INSTRUCTIONS

The E4 Engine update provides a unique update package for each supported software line. Each package contains all of the applicable binaries for each type of sensor hardware. To use the IPS-engine-E4-req-X.Y-Z.pkg packages, your sensor must be running the latest service pack available in its software line. Downloading and applying the package via CLI or IDM is straightforward and similar to applying a signature update.

NOTE: The sensor will go into the configured Bypass Mode during the update as the inspection software is stopped, replaced, and restarted. The sensor will automatically exit Bypass Mode and resume traffic inspection upon completion of the new inspection software startup and configuration.

The Engine Update procedure will normally install the update without rebooting your sensor. However, if an error is detected during the update, the installation process will attempt to reboot the sensor in order to leave the sensor in an operational state.

SERVICE PACK VERSION UPGRADE FILE INSTRUCTIONS

The Cisco IPS 6.2(2)E4 service pack version upgrade file upgrades a sensor to Cisco IPS 6.2(2)E4 while preserving the configuration settings of the sensor. To completely reimage a sensor and reset the sensor to its default settings, see SYSTEM IMAGE FILE INSTRUCTIONS.

To see what version the sensor is currently running, log in to the CLI and execute the show version command.

INSTALLATION NOTES

WARNING: If you are upgrading an AIM-IPS or NME-IPS, you must disable the heartbeat-reset on the router before installing the upgrade.
The heartbeat-reset can be re-enabled once the upgrade has completed. Failure to disable the router's heartbeat-reset may cause the upgrade to fail and leave the sensor in an unknown state that may require a re-image to recover.

If you are upgrading an AIM-IPS or NME-IPS using auto upgrade, then disable the heartbeat-reset before placing the upgrade file on your auto update server. The heartbeat-reset can be re-enabled once the sensor has been auto updated.

NOTE: If you are using user-server auto update with a mixture of AIM-IPS or NME-IPS modules and other IPS appliances or modules, then be sure to place the standard IPS-K9-6.2-2-E4.pkg, the IPS-NME-K9-6.2-2-E4.pkg and the IPS-AIM-K9-6.2-2-E4.pkg files on the auto update server so the AIM-IPS can properly detect which file needs to be auto downloaded and installed. Placing only the IPS-K9-6.2-2-E4.pkg file on the auto update server can cause the AIM-IPS or NME-IPS to download and attempt to install the incorrect file.

INSTALLATION VIA CLI

------------------------------------------------------------------------
NOTE: Service packs will require a reboot of the sensor to apply the changes. Note that inline network traffic will be disrupted during the reboot.
------------------------------------------------------------------------

To install the 6.2(2)E4 service pack update, follow these steps:

1. Download the file IPS-K9-6.2-2-E4.pkg (or IPS-AIM-K9-6.2-2-E4.pkg for AIM-IPS, IPS-NME-K9-6.2-2-E4.pkg for NME-IPS sensors, or IPS-SSC_5-K9-6.2-2-E4.pkg for IPS-SSC-5 sensors) to a local server.

------------------------------------------------------------------------
CAUTION: You must log in to Cisco.com using an account with cryptographic privileges to download the file. Do not change the file name. You must preserve the original file name for the sensor to accept the update. Refer to Release Notes for Cisco Intrusion Prevention System 6.2 for the procedure for obtaining an account with cryptographic privileges.
------------------------------------------------------------------------

2. Log in to the CLI using an account with administrator privileges.

3. Enter configuration mode:

   sensor# configure terminal

4. Upgrade the sensor:

   sensor(config)# upgrade [URL]/IPS-K9-6.2-2-E4.pkg

   where the [URL] is a uniform resource locator pointing to where the update package is located. For example, to retrieve the update via FTP, type the following:

   sensor(config)# upgrade ftp://@/// IPS-K9-6.2-2-E4.pkg

   The available transport methods are SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

NOTE: The Sensor will reboot after installing the service pack.

=====================================================
Note: The QA Versions (designated 3.xxx) used for Beta cannot be upgraded.
=====================================================

INSTALLATION VIA CSM

The following are the minimum versions of CSM that have been tested and are supported with E4:

IPS 6.0(6)E4    CSM 3.2.2 and later
IPS 6.2(2)E4    CSM 3.3 and later
IPS 7.0(2)E4    CSM 3.3 and later

To install the 6.2(2)E4 service pack via CSM, follow these steps:

1. Start the CSM Client.
2. Select Tools > Apply IPS Update ...
3. Click Download Latest Updates.
4. Click the Start button in the Downloading Sensor Updates box, and close the pop-up when complete.
5. In the drop-down box, select Sensor Updates.
6. Select IPS-CS-MGR-K9-6.2-2-E4.zip in the Update File list box and click Next.

   NOTE: When using CSM to update an AIM, NME, or SSC, the platform-specific upgrade package will not appear as a separate update; CSM will automatically apply the correct platform package to the AIM, NME, or SSC sensor.

7. Select the sensor(s) you want to update and click Finish.
8. Click on the "Submit & Deploy Changes" icon.
9. Click Deploy.
10. Verify the successful deployment in the Status Details window.

INSTALLATION CAVEATS

The 6.2(2)E4 service pack cannot be uninstalled.
You must re-image the sensor using a system image file. All configuration settings will be lost.

======================================================================
SYSTEM IMAGE & RECOVERY FILE INSTRUCTIONS

INTRODUCTION

System and recovery images are intended primarily for disaster recovery. Installation of the system and recovery image files reformats the storage media and loads the Cisco IPS application image. This results in the reset of all configuration and log files to their default settings. To preserve the configuration settings of your sensor, use the service pack upgrade file to upgrade your sensor from earlier IPS versions. For details on using the upgrade file, see SERVICE PACK VERSION UPGRADE FILE.

SYSTEM AND RECOVERY FILES

Each IDS & IPS sensor platform has its own system image file. You can access them at this URL:
http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

INSTALLATION NOTES

For detailed instructions on installing the system and recovery image files, refer to the "Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.2" Guide at this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html

WARNING: If you are re-imaging an AIM-IPS or NME-IPS, you must disable the heartbeat-reset on the router before installing the system or recovery image. The heartbeat-reset can be re-enabled once the re-image has completed. Failure to disable the router's heartbeat-reset may cause the re-image to fail and leave the sensor in an unknown state.

======================================================================
CISCO IPS DEVICE MANAGER (IDM)

NOTE: A new version of IDM is bundled with the E4 Engine Update. 6.0(6)E4 users will see IDM Version 6.0(2). 6.2(2)E4 and 7.0(2)E4 users will see IDM Version 7.0(3).
These versions of IDM have been modified to correctly display and edit the additional values allowed in the signature's "Retired" parameter field. See above for more information about the new "Retired" parameter values.

The versions of IDM included with E4, and their associated ASDM Launcher application, have also been modified to increase the upper memory limit their Java VM will be able to use. This change will allow for more signatures to be displayed/tuned in the IDM. Symptoms of this issue include the inability to apply signature tunings; the Java console may also display OutOfMemory errors.

NOTE: After upgrading to the E4 engine level, disconnect and restart any open IDM sessions to ensure that your system downloads and uses the latest IDM application from the sensor.

SYSTEM REQUIREMENTS

Minimum Hardware Requirement
 - CPU: Pentium, AMD Athlon or equivalent running at 1 GHz or higher

Memory
 - 512 MB minimum

Supported OS
 - Windows Vista Business and Ultimate, Windows XP Professional, Windows Server 2003 R2
   (Note: both the English and Japanese versions of Windows are supported)
 - Red Hat Linux Desktop Version 4; Red Hat Enterprise Linux Server Version 4

Supported Browsers
 - Internet Explorer 6.0 and 7.0
 - Firefox 2.0

Java Plug-in Requirement
 - Java SE 1.4.2, 5.0 or 6

Minimum Screen Size
 - 1024x768

STARTING CISCO IDM

To launch IDM from a browser, enter the IP address of the target sensor in the address window as follows:

   https://

Alternatively, you can install the ASDM Launcher application. Connect to the IDM from a browser, as above, and select the ASDM Launcher installation option.

======================================================================
CISCO IPS MANAGER EXPRESS (IME)

The current versions of IME will work with the E4 Engine upgrade, but will not correctly display the new values allowed in the Retired signature parameter. An updated version of IME is in progress and will be released shortly after the E4 Engine Update.
The current versions of IME also do not have the expanded memory capability for the Java VM and may experience issues when attempting to apply signature tunings.

======================================================================
CISCO ADAPTIVE SECURITY DEVICE MANAGER (ASDM)

It is recommended that ASDM users update to the ASDM 6.3 or later release. The 6.3 release version has also had its Java VM memory limit increased. Using an older version of ASDM could leave too little memory available for IDM 6.0(2) and 7.0(3) to function properly.