Updating the Cisco IDSM Sensor

Updating the IDSM sensor might result from a need to move to newer code, or because the current image has been corrupted. A different reason for updating (or, more accurately, recovering the IDSM sensor) is that the password has been forgotten. In any case, the image of the IDSM sensor OS needs to be replaced. The IDSM sensor has two partitions on the internal hard drive. The first is the application partition, hdd:1. The second is the maintenance partition, hdd:2. Both partitions contain a complete operating system, so the IDSM sensor can be booted from either one. The partition that the IDSM sensor booted from is called the active partition. Any update to the IDSM sensor operating system must be applied to an offline partition, so to update the production (application) partition you first take it offline by booting the module from the maintenance partition.

Be aware that updating the IDSM sensor must be done at the command line. Updating the IDSM requires administrative privileges on the maintenance partition. This is why we reboot to the maintenance partition and log in as ciscoids, using the password attack. If no upgrade has been done before, we need to set the network settings so that the IDSM sensor can communicate with the network, in particular with the FTP server that holds the new CAB files for the update. Setting the network parameters in maintenance mode is accomplished with the ids-installer command. The update file that ids-installer uses must reside on an FTP server or on the IDS Director. In the following examples, we used an FTP server called "Cerberus FTP Server," which is free for personal and non-profit use and can be found at www.cerberusftp.com.

Booting the IDSM Sensor from Partition 2

In order to boot from a particular partition, we can set the default partition by using the command set boot device, as shown in the following example:

switch> (enable) set boot device hdd:2 4
Device BOOT variable = hdd:2
Warning: Device list is not verified but still set in the boot string.
switch> (enable)

Alternatively, we can have the IDSM boot from a given partition temporarily (for one reset only, without changing the BOOT variable), as shown in the following example.

Switch> (enable) reset 4 hdd:2

This command resets module 4 and has it boot from boot device hdd:2, the maintenance partition. We can see this in Figure 6.6.

Start Figure
switch> (enable) reset 4 hdd:2
This command will reset module 4.
Unsaved configuration on module 4 will be lost
Do you want to continue (y/n) [n]? y
Module 4 shut down in progress, please don't remove module until shutdown
completed.
2003 Jun 15 07:29:44 PDT -07:00 %PAGP-5-PORTFROMSTP:Port 4/1 left bridge
port 4/1
2003 Jun 15 07:29:44 PDT -07:00 %DTP-5-NONTRUNKPORTON:Port 4/1 has become
non-trunk
2003 Jun 15 07:32:01 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Starting IDSM
Diagnostics
2003 Jun 15 07:32:41 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics
completed successfully.
2003 Jun 15 07:32:50 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online
2003 Jun 15 07:32:51 PDT -07:00 %SYS-3-MOD_PORTINTFINSYNC:Port Interface
in sync for Module 4
2003 Jun 15 07:32:51 PDT -07:00 %DTP-5-TRUNKPORTON:Port 4/1 has become
dot1q trunk
2003 Jun 15 07:32:51 PDT -07:00 %PAGP-5-PORTTOSTP:Port 4/1 joined bridge
port 4/1
2003 Jun 15 07:32:51 PDT -07:00 %PAGP-5-PORTTOSTP:Port 4/2 joined bridge
port 4/2
2003 Jun 15 07:33:21 PDT -07:00 %CDP-4-NVLANMISMATCH:Native vlan mismatch
detected on port 3/5
switch2> (enable)
End Figure

Figure 6.6: Booting IDSM Module 4 off Partition 2

As we saw in Figure 6.6, several messages tell us that module 4 is being reset and that diagnostics are being run. We can also see the bridge port messages for ports 4/1 and 4/2 leaving the switch's spanning tree and rejoining it once the module is back online.
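While the module is reset, and for as long as it sits on the maintenance partition, the IDSM is not inspecting traffic, so an operations team watching the switch syslog wants to know how long that window lasted. The following added example (not from the book) parses CatOS syslog lines in the format shown in Figure 6.6 and pairs each module's "left bridge port" event with its "Module N is online" event to measure that gap; the sample log is constructed, with the figure's wrapped lines rejoined.

```python
import re
from datetime import datetime

# Constructed sample modelled on the CatOS syslog lines of Figure 6.6, with the
# book's line wrapping undone. Port 4/1 leaving STP marks module 4 going down;
# %SYS-5-MOD_OK marks it back online (on whichever partition it booted from).
SAMPLE_LOG = """\
2003 Jun 15 07:29:44 PDT -07:00 %PAGP-5-PORTFROMSTP:Port 4/1 left bridge port 4/1
2003 Jun 15 07:32:01 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Starting IDSM Diagnostics
2003 Jun 15 07:32:41 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics completed successfully.
2003 Jun 15 07:32:50 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online
2003 Jun 15 07:32:51 PDT -07:00 %PAGP-5-PORTTOSTP:Port 4/1 joined bridge port 4/1
2003 Jun 15 07:33:21 PDT -07:00 %CDP-4-NVLANMISMATCH:Native vlan mismatch detected on port 3/5
"""

# "<timestamp> <tz> <offset> %FACILITY-SEVERITY-MNEMONIC:<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+):(?P<msg>.*)$"
)

def parse_line(line: str):
    """Fields of one CatOS syslog line, or None for prompts and other noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y %b %d %H:%M:%S")
    return rec

def monitoring_gaps(lines):
    """Pair a module's first 'left bridge port' event with its 'Module N is online'
    event and report how long the module, and so its IDS coverage, was down."""
    down_since, gaps = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["mnem"] == "PORTFROMSTP":
            m = re.match(r"Port (\d+)/\d+ left", rec["msg"])
            if m:
                down_since.setdefault(int(m.group(1)), rec["ts"])
        elif rec["mnem"] == "MOD_OK":
            m = re.match(r"Module (\d+) is online", rec["msg"])
            if m and int(m.group(1)) in down_since:
                start = down_since.pop(int(m.group(1)))
                gaps.append({"module": int(m.group(1)), "start": start, "end": rec["ts"],
                             "seconds": int((rec["ts"] - start).total_seconds())})
    return gaps
```

Note that "Module 4 is online" only says the module booted; if it was reset to hdd:2, the hostname maintenance at login (Figure 6.7) is the indication that no IDS function is running.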

In Figure 6.7, we are logging into the IDSM after the reset to partition 2. We can see that the hostname of the IDSM is now shown as maintenance.

Start Figure
switch> (enable) session 4
Trying IDS-4...
Connected to IDS-4.
Escape character is '^]'
login: ciscoids
Password: attack
maintenance# show
configure Enter configuration mode
diagnostics Enter diagnostic command menu
exit Exit from Telnet session
show Show system parameters
shutdown Shutdown the system
maintenance#
End Figure

Figure 6.7: Logging in to the Maintenance Partition of the IDSM

We can also see that this version of the IDSM sensor operating system offers a very limited set of commands to work with. No IDS commands are available from the maintenance partition. To get back to our production IDSM operating system, all we need to do is log out of the IDSM sensor and use the reset command for the module without a boot device argument, so that it boots from the default device (if the BOOT variable was changed with set boot device, set it back to hdd:1 first).

Now that we have learned how to boot the IDSM sensor into maintenance mode from the second partition, we are ready to upgrade the OS of the IDSM. In the following example, we will upgrade the IDSM V1 sensor from version 2.5 to 3.0 of the OS. The first step is to boot to the second partition using the reset command, just as we did before, as shown in Figure 6.8.

Start Figure
Switch> (enable) reset 4 hdd:2
This command will reset module 4.
Unsaved configuration on module 4 will be lost
Do you want to continue (y/n) [n]? y
Module 4 shut down in progress, please don't remove module until shutdown
completed.
Switch> (enable) 2003 Jun 15 07:29:44 PDT -07:00 %PAGP-5-PORTFROMSTP:Port
4/1 left bridge port 4/1
2003 Jun 15 07:29:44 PDT -07:00 %DTP-5-NONTRUNKPORTON:Port 4/1 has become
non-trunk
2003 Jun 15 07:32:01 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Starting IDSM
Diagnostics
2003 Jun 15 07:32:41 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics
completed successfully.
2003 Jun 15 07:32:50 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online
::text truncated for clarity::
End Figure

Figure 6.8: Using the reset Command to Boot to the Maintenance Partition