Updating IDS Signatures

Every two weeks, signatures packs for the IDS sensors are updated and posted to the Cisco Web site. In order to obtain updated signature packs, a CCO login account is required. Without this account, access to software upgrades and signature pack upgrades is not possible. This section covers how to update signature packs on the IDS sensor as well as how to configure automatic updates and active update notifications.

IDS version 3.0 uses the idsupdate command for both manual and scheduled updates of service packs and signature packs; the same command is used to set up, view, and cancel the update schedule. The IDS 4.0 software uses the upgrade command instead.

Updating Signatures (IDS 3.0)

To manually update signatures under IDS 3.0, the idsupdate command can be used to download and install the signature update. The idsupdate command supports only FTP as the transfer protocol. The following command can be used to update a 3.0 sensor with a new signature pack:

/usr/nr/bin/idsupdate netrangr@192.168.45.100/updates 

Note

Care must be taken when using the idsupdate command. If an automatic update schedule is already in effect, running idsupdate again creates a new schedule and cancels the old one.

Automatic Updates

IDS 3.0 sensors can be configured to automatically download and apply signatures and service pack updates. This removes the administrative burden of updating sensors by the network operations staff or security personnel. To configure automatic updates on IDS 3.0 sensors:

  1. Select a remote machine where sensor updates will be stored. Make sure that this host is running an FTP server since the sensors will download the updates using FTP.

  2. Log in as root on the sensor via Telnet, SSH, or a local console.

  3. Change the directory to the /usr/nr/bin directory:

    sensor# cd /usr/nr/bin
  4. Use the following command to set up idsupdate. If the directory /usr/nr/bin is not in root's execution path, use the full pathname. The format for the idsupdate command is as follows:

    idsupdate username@ftpserver/directory password Day hh:mm

    The components of this command are

    • username The FTP account on the update server; password is that account's FTP password

    • ftpserver Must be an IP address

    • / Separates the FTP server and the FTP home directory

    • directory The name of the directory, relative to the FTP home directory. For example, if the FTP home directory is /usr/home/ftp and the directory name is updates, the FTP server will look in /usr/home/ftp for a directory named "updates" where the service packs and signature updates can be found. The directory specified can include several levels of subdirectories.

    • Day A comma-separated list of one to seven digits with the values 0–6. Each day of the week is specified by a single number according to the following convention: 0=Sunday, 1=Monday, 2=Tuesday, 3=Wednesday, 4=Thursday, 5=Friday, and 6=Saturday.

    • hh:mm The hour and minutes in 24-hour notation.

    For example, to update the IDS 3.1 sensor at 11:15 p.m. every night with updates from the updates directory on the FTP host 10.1.1.101 using the netrangr account with the password attack, the following command can be used:

    sensor# /usr/nr/bin/idsupdate netrangr@10.1.1.101/updates attack 0,1,2,3,4,5,6 23:15

  5. To view the current update schedule use:

    sensor# /usr/nr/bin/idsupdate show

  6. To cancel the current schedule use:

    sensor# /usr/nr/bin/idsupdate stop

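Because running idsupdate replaces any schedule already in effect (see the Note above), it pays to check the arguments before the command reaches the sensor. The following POSIX shell helper is an added example, not part of the book or of Cisco's software: it applies the rules listed in step 4 (ftpserver must be an IP address, Day is one to seven distinct digits 0–6, hh:mm is 24-hour) and prints the command line it would run. The binary path /usr/nr/bin/idsupdate and the sample account details are taken from the text; the function names are assumptions.

```shell
#!/bin/sh
# Added example: validate the arguments of an IDS 3.x idsupdate schedule and
# print the command line that would be run on the sensor. Function names are
# assumptions; the binary path is the one given in the text.

IDSUPDATE_BIN=/usr/nr/bin/idsupdate

# ftpserver must be a dotted-quad IPv4 address, not a hostname.
is_ipv4() {
    addr=$1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Day: one to seven comma-separated digits 0-6 (0=Sunday), each at most once.
is_day_list() {
    days=$1
    case $days in
        ''|*[!0-6,]*|,*|*,|*,,*) return 1 ;;   # bad characters or stray commas
    esac
    seen=
    old_ifs=$IFS; IFS=,
    set -- $days
    IFS=$old_ifs
    [ $# -le 7 ] || return 1
    for d in "$@"; do
        case $d in
            [0-6]) ;;                  # exactly one digit
            *) return 1 ;;             # e.g. "12" instead of "1,2"
        esac
        case $seen in *"$d"*) return 1 ;; esac   # duplicate day
        seen="$seen$d"
    done
    return 0
}

# hh:mm in 24-hour notation, zero-padded (e.g. 23:15, 07:05).
is_hhmm() {
    case $1 in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: idsupdate_schedule_cmd username ftpserver directory password Day hh:mm
# Prints the full idsupdate command on success; returns 2 with a message on
# stderr if any argument breaks the rules from the text.
idsupdate_schedule_cmd() {
    user=$1 server=$2 dir=$3 pass=$4 days=$5 at=$6
    [ -n "$user" ] && [ -n "$pass" ] || { echo "username and password are required" >&2; return 2; }
    is_ipv4 "$server"   || { echo "ftpserver must be an IP address: $server" >&2; return 2; }
    is_day_list "$days" || { echo "Day must be 1-7 distinct digits 0-6: $days" >&2; return 2; }
    is_hhmm "$at"       || { echo "time must be hh:mm (24-hour): $at" >&2; return 2; }
    printf '%s %s@%s/%s %s %s %s\n' "$IDSUPDATE_BIN" "$user" "$server" "$dir" "$pass" "$days" "$at"
}

# The schedule from the text: nightly at 23:15 from 10.1.1.101/updates.
idsupdate_schedule_cmd netrangr 10.1.1.101 updates attack 0,1,2,3,4,5,6 23:15
```

Run it on an administration host to dry-run the arguments; only once it prints the expected line should the command be typed on the sensor as root. The FTP password appears on the command line in clear text, as the text's own example shows, so keep the update account limited to read access on the updates directory.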
Supported FTP Servers

The IDS sensor cannot download signature updates and service packs directly from Cisco's FTP servers. Instead, the signature updates and service packs must first be downloaded to a local FTP server, from which the IDS sensor retrieves them. At the time of this writing, the following FTP servers were officially supported by Cisco as compatible with the FTP client on the IDS sensor:

  • Windows NT 4.0 (Microsoft ftp server version 3.0)

  • Sambar FTP Server Version 5.0 (win32)

  • Windows 2000 (Microsoft ftp server version 5.0)

  • Web-mail Microsoft FTP Service Version 5.0 (win32)

  • HP-UX (HP-UX qdir-5 B.10.20 A 9000/715)

  • Serv-U FTP-Server v2.5 for WinSock (win32)

  • Solaris 2.8

Active Update Notification

The Active Update Notification feature on Cisco's Web site can be used to receive updates on changes to IDS signatures. To receive notification of signature updates:

  1. Go to www.Cisco.com/warp/public/779/largeent/it/ids_news/subscribe.html.

  2. Fill in the E-mail Address box.

  3. Enter the CCO password associated with the e-mail address in the Password box.

  4. Click Submit.

When a signature update occurs, an e-mail will be sent to the e-mail address entered, with instructions on how to obtain it.

Updating Signatures (IDS 4.0)

IDS signature updates under IDS sensor software version 4.0 use the upgrade command in the same fashion as software upgrades; the manual signature update process uses the upgrade command as well. The primary difference in updating signatures between IDS software versions 3.0 and 4.0 lies in the configuration of automatic updates: in IDS 4.0, automatic updates can be configured either from the command line or through IDM.

How to Restore the Default Configuration

If necessary, the default sensor configuration can be restored. This may be due to a configuration mistake that cannot be located, or a retasking of the IDS sensor in the network. The following procedure can be used to restore the default configuration to the sensor:

  1. Select Configuration | Restore Defaults. The Restore Default page appears.

  2. To restore the default configuration, click Apply to Sensor.

The netmask, default gateway, IP address, allowed hosts, password, and time will not be reset. Automatic and manual blocks will also remain in effect.

If you find yourself in a situation that requires more than a simple restoration of the defaults, version 4.x provides a recovery partition, which is a valuable safety net. Go to the command line and use the recover command to rebuild the sensor.