Reinitializing the Sensor
Reinitializing the sensor is an important process to understand. The OS of the sensor can become corrupt simply from shutting down incorrectly. The sensor is an Intel-based Solaris platform and proper procedures must be followed. Also, if the sensor is used, or the password and configuration is unknown, you may want to reinitialize to get a fresh build. There is basically three ways to reinitialize the sensor or recover the image. You can download the image from Cisco.com, use the recovery CD supplied with the sensor, or uninstall/roll back to a previous version. Regardless of the method you use, make sure you have documented the configuration thoroughly. This will expedite the recovery or reinitialization process.
Downloading the Image
To download the appropriate image, follow these steps:
-
Download the binary file from Cisco.com at the following address: www.cisco.com/cgi-bin/tablebuild.pl/ids-appsens.
-
Copy the binary file to the /tmp directory on the target sensor. Make sure you maintain the same filename shown on the Web site.
-
Log on to the sensor as root.
-
Make sure the file attributes allow the file to be executed. Use the command chmod +x
. -
Execute the command by typing the filename with the –I (install) switch, like this: ./filename –I.
-
Review /usr/nr/sp-update/output.log to ensure the installation was successful.
Using the CD
Using the recovery/upgrade CD is the preferred method for recovering or reinitializing a sensor. Make sure you have it on hand, and then perform the following:
-
Insert the upgrade/recovery CD into the CD-ROM drive.
-
Attach a keyboard and monitor directly to the sensor or connect with a workstation via a null-modem cable to the COM port.
-
Log into the sensor as root.
-
Reboot the sensor. Type init 6.
-
During the reboot, break out of the process by pressing F2 to enter the Setup menu. Here, you are verifying that the boot sequence is floppy drive, CD-ROM, and hard drive. You want to make sure the sensor boots from the CD. If this has been done previously, it should not need to be done again but it is good to check.
-
Save any changes and exit the menu.
-
Once the sensor boots completely, the first prompt asks if you will install from the console (option c) or from a remote/serial terminal connection (option t). Depending on how you are connected, console (keyboard and monitor), or remote/serial terminal connection (COM port) select the appropriate option. The CD defaults to option t after ten seconds if no selection is made.
-
After the re-imaging is complete login as root. All previous configurations have been overwritten at this time, so the password is once again 'attack'.
-
The next command is sysconfig-sensor at the prompt.
-
If you had previously configured the sensor you should have documented the configuration before re-imaging. Enter the appropriate settings, save, and exit.
Using the Recovery Partition
In version 4.0 of the IDS sensor software, administrators have the option of re-imaging the sensor from a recovery partition. This procedure works for all versions of the 4200 series sensors, provided you have the correct image file with your sensor model. Image file IDS-42XX-K9-r-1.2-a-4.1-1-S47.tar.pkg is for all 4200 series models except model IDS-4215. Image file IDS-4215-K9-r-1.1-a-4.1-1-S47.tar.pkg is specifically for the model IDS-4215 sensor. Neither image file will work for the Catalyst 6000 IDS Module. The sensor must also be version 4.0(1)S37 or later. This process cannot be used to upgrade a 3.x or earlier sensor.
If you need to upgrade the recovery partition, follow steps 1–6. To recover the application partition using the recovery partition, skip down to steps 7–9. Once the recovery process has been completed, you will need to initialize the sensor by following steps 10–32.
-
Download the Recovery Partition Image File to your Secure Copy Protocol (SCP) Network Server or your FTP Server from Cisco's Software Center at www.cisco.com/kobayashi/sw-center/sw-ciscosecure.shtml. You need a CCO account to access these downloads.
-
Log on to the sensor's CLI via the console port or Telnet session.
-
Type configuration terminal to enter config mode.
-
Type upgrade scp://user@server_ipaddress//upgrade_path/image_filename.
-
Enter the password for the SCP or FTP server. Once the image has been downloaded, you are prompted whether to continue with the upgrade:
Warning: Executing this command will re-image the recovery partition.
The system may be rebooted to complete the upgrade.
Continue with upgrade? -
Type yes to continue. The recovery partition has now been re-imaged with the latest image.
-
From the CLI, type configuration terminal to enter config mode.
-
Type recover application-partition. You are prompted whether to continue with the recovery and warned that all changes except the network settings will be reset to the default settings.
-
Type yes to continue. After the partition has been recovered, the sensor has to be initialized using the setup command.
Note Version 4.0 adds the look and feel of the Cisco CLI to its configuration. If you are familiar with configuring routers and firewalls, these commands and syntax should be comfortable to use.
-
Type setup to initialize the sensor. The System Configuration Dialog screen, shown next, is displayed. Press the Spacebar to continue.
—-System Configuration Dialog—-
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default Settings are in square brackets '[]'.
Current Configuration:
networkParams
ipAddress
netmask
defaultGateway
hostname
telnetOption
accessList 10.0.0.0 255.0.0.0
exit
timeParams
summerTimeParams
active-selection
exit
exit
service webServer
general
ports
exit
exit -
You are prompted whether to continue with the configuration dialog. Type yes or press Enter. Any default answers are in the square "[]" brackets.
-
Type the hostname of the sensor.
-
Type the IP address.
-
Type the IP netmask.
-
Enter the Telnet Server status. The server is disabled by default
-
Enter the Web server port. The port is 443 by default.
-
Save the configuration by typing yes or no to reconfigure.
-
Do not reboot at this point. Type no when asked to continue the reboot.
-
Enter configuration terminal mode. Type configure terminal.
-
Enter host configuration mode. Type service host.
-
Enter network parameters configuration mode. Type networkParams.
-
To show the current settings, type show settings. The expected output should be similar to the following:
networkParams
-----------------------------------------------
ipAddress: 10.0.0.8
netmask: 255.255.255.0 default: 255.255.255.0
defaultGateway: 10.0.0.10
hostname: sensor1
telnetOption: disabled default: disabled
accessList (min: 0, max: 512, current: 1)
-----------------------------------------------
ipAddress: 10.0.0.0
netmask: 255.0.0.0 default: 255.255.255.255 -
Remove the 10. network from having complete access. The command syntax is as follows:
no accessList ipAddress 10.0.0.0 netmask 255.0.0.0
-
Enter the IP addresses of hosts or networks that will have access to the sensor. If you can afford to do it, only specify individual host addresses that will have access. Do not give entire networks access unless absolutely necessary.
The syntax for a single host is as follows:
accessList ipAddress 10.0.0.4
The syntax for an entire network is as follows:
accessList ipAddress 10.0.0.0 netmask 255.255.255.0
Repeat the command as necessary depending on the number hosts or networks being added.
-
Exit the parameters configuration mode. Type exit.
-
Set the System clock settings. Type timeParams. When done, exit back to configure terminal mode.
-
Type yes to apply settings. Type no to keep the system from rebooting, then exit configure terminal mode. Type exit.
-
Set the clock. Type clock set hh:mm month day year.
-
At this point, you need to generate the X.509 by typing tls generate key. Record the results. You will need to verify the authenticity of the certificate when you connect via a Web browser.
-
Once you have rebooted, you will need to upgrade to the latest signature updates and set the interfaces.
-
Reboot the sensor. Type reset, then yes.
Uninstalling an Image
Uninstalling is fairly easy. The uninstall uses the –U parameter, which should be familiar to most Unix people. The –U means uninstall a binary that has previously been installed. If you remember earlier, the downloaded image was installed using the –I parameter. The command would resemble this:
./filename –I
It is fairly straightforward and should roll the sensor back to the version previous to the one being uninstalled. This is not very common though. In most cases, the sensor is reloaded completely and not rolled back to earlier versions unless you are troubleshooting