Upgrading the IDSM Sensor

Remember that the hdd:2 argument boots the IDSM from the OS on the second partition, the maintenance partition. Once the IDSM has completely rebooted and run through its diagnostics, we are ready to configure the maintenance IDSM OS for a network connection. First, we session into the IDSM and log in as we have done before. Then we use the ids-installer command to verify any existing network configuration, or to add the network information, as shown in the following example:

switch-2> (enable) session 4
Trying IDS-4...
Connected to IDS-4.
Escape character is '^]'.

login: ciscoids
Password: attack

We change to the diagnostic mode by typing in diag, and then we verify the existing network configuration, if there is one:

maintenance(diag)# ids-installer netconfig /view
IP Configuration for Control Port:
IP Address : 0.0.0.0
Subnet Mask : 0.0.0.0
Default Gateway : 0.0.0.0
Domain Name Server : 77.1.1.1
Domain Name : cisco
Host Name : CISCO_IDS

maintenance(diag)#

To configure the network settings for the first time, or to change existing settings, we use the ids-installer command with the following command-line parameters:

ids-installer netconfig /configure /ip=ip_address /subnet=subnet_mask 
/gw=default_gateway /dns=dns_server /domain=nw_domain
/hostname=host_name

In the following example of the ids-installer command, we see how to change the network configuration in the diag mode of the maintenance partition:

maintenance(diag)# ids-installer netconfig /configure /ip=10.10.10.101
/subnet=255.255.0.0 /gw=10.10.10.1 /hostname=testids

In Table 6.2, we show the ids-installer netconfig parameters and what they mean:

Table 6.2: ids-installer netconfig Parameters

Parameter         Notes
----------------  -----------------------------------------------------------------------
netconfig         This keyword specifies that a network configuration action will take place.
/configure        This keyword specifies the configuration of port parameters.
/ip               This keyword specifies an IP address as a parameter.
ip_address        This is the IP address of the IDSM command and control port (port 2).
/subnet           This keyword specifies the subnet mask parameter.
subnet_mask       This is the subnet mask for the IDSM command and control port.
/gw               This keyword specifies the default gateway parameter.
default_gateway   This is the IP address of the default gateway for the IDSM.
/dns              This is an OPTIONAL keyword that specifies the DNS server.
dns_server        This is the IP address of the optional DNS server.
/domain           This is an OPTIONAL keyword that specifies a network domain name.
nw_domain         This is the network domain name assigned to the command and control port.
/hostname         This OPTIONAL keyword specifies the hostname assigned to the IDSM.
host_name         This is the hostname assigned to the IDSM.

To install the image to the partition, we use the ids-installer command mentioned earlier. This command has several parameters that can be used to install the image. The command line is structured as shown in this example:

ids-installer system /nw /install /server=ip_address /user=username 
/dir=directory /prefix=update_file /save=yes

In Table 6.3, we see a listing of the command-line arguments that can be used:

Table 6.3: ids-installer Command-Line Parameters to Install an Image

Parameter        Notes
---------------  -------------------------------------------------------------------------
system           This keyword specifies that a system action will be performed.
/nw              This keyword specifies that the image will be installed from the network.
/install         This keyword specifies that the system action will be to install.
/server          This keyword specifies that the image file is on an FTP server.
ip_address       This is the IP address of the FTP server.
/user            This specifies that a username is required to log in to the FTP server.
username         This is the required username.
/dir             This specifies that the files are stored in a specific directory.
directory        This is the name of the directory where the files are stored.
/prefix          This specifies that the update filename prefix is required.
update_file      This is the filename of the update to be installed, without the extension.
/save            This keyword specifies whether the image will be saved as a cached copy.
yes | no         If yes, the image is cached. If no, the image is installed but not cached.

In the following example, we have the IDSM do a network install of the new code from an FTP server, using a specific user account:

maintenance(diag)# ids-installer system /nw /install /server=10.1.2.11
/user=ciscoids /save=yes /dir='ftpupload' /prefix=IDSMk9-a-3.0-1-S4

The FTP server is 10.1.2.11 using a user ID of ciscoids. We are saving the image to cache, and the directory name on the FTP server is ftpupload. The filename is IDSMk9-a-3.0-1-S4 but without the .bin extension on it.

In Figure 6.9, we see the complete upgrade of an IDSM V1 in progress. Note that it has been shortened in some places for brevity.

Start Figure
maintenance(diag)# ids-installer system /nw /install /server=10.1.2.11
/user=ciscoids /save=no /dir='ftpupload' /prefix=IDSMk9-a-3.0-1-S4
Please enter login password: *****
Downloading the image.. File 01 of 05
Downloading the image.. File 02 of 05
Downloading the image.. File 03 of 05
Downloading the image.. File 04 of 05
Downloading the image.. File 05 of 05

FTP STATUS: Installation files have been downloaded successfully!
Validating integrity of the image... PASSED!
Formatting drive C:\....
Verifying 4016M
0 percent completed.1 percent completed.2 percent completed.3 percent
completed.4 percent completed.5 ::shortened for brevity::
100 percent completed.Format completed successfully.
4211310592 bytes total disk space.
4206780416 bytes available on disk.

Volume Serial Number is C49D-CFDA
Extracting the image...

::shortened for brevity::

STATUS: Image has been successfully installed on drive C:\!
maintenance(diag)# exit
maintenance# exit
switch>(enable) reset 4 hdd:2
This command will reset module 4.
Unsaved configuration on module 4 will be lost
Do you want to continue (y/n) [n]? y
Module 4 shut down in progress, please don't remove module until shutdown
completed.
switch>(enable) 2003 Jun 17 13:15:06 PDT -07:00 %SYS-3-
SUP_OSBOOTSTATUS:Starting IDSM Diagnostics
2003 Jun 17 13:15:49 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics
completed successfully.
2003 Jun 17 13:15:49 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM has not been
configured. Network is unguarded!
2003 Jun 17 13:15:49 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Use session to
login to IDSM and run setup.
2003 Jun 17 13:15:58 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online
End Figure

Figure 6.9: Complete Upgrade of IDSM V1

Verifying the IDSM Sensor Upgrade

Once the IDSM sensor has rebooted and completed its self-diagnostics, we need to log back into the IDSM sensor and run the setup command, since the original configuration has been overwritten. We can see in Figure 6.10 that the new configuration is empty except for the default IP address and mask. We also see that the software version is 3.0(1)S4.

Start Figure
switch>(enable) session 4
Trying IDS-4...
Connected to IDS-4.
Escape character is '^]'.
login: ciscoids
Password:
# show config
Using 38240256 out of 267702272 bytes of available memory
!
Using 439668736 out of 4211310592 bytes of available disk space
!
Sensor version is : 3.0(1)S4 ;
!
Sensor application status:
nr.postofficed not running
nr.fileXferd not running
nr.loggerd not running
nr.packetd not running
nr.sapd not running

Configuration last modified Never
Sensor:
IP Address: 10.0.0.1
Netmask: 255.0.0.0
Default Gateway:
Host Name: Not Set
Host ID: Not Set
Host Port: 45000
Organization Name: Not Set
Organization ID: Not Set
Director:
IP Address: Not Set
Host Name: Not Set
Host ID: Not Set
Host Port: 45000
Heart Beat Interval (secs): 5
Organization Name: Not Set
Organization ID: Not Set
Direct Telnet access to IDSM: disabled
#
End Figure

Figure 6.10: Verifying the Successful Upgrade of the IDSM Sensor

Note that the "Sensor version is : 3.0(1)S4 ;" line in Figure 6.10 shows our new version number of the OS.

Shutting Down the IDSM Sensor

In order to disable or remove the IDSM sensor from a live switch, we need to shut down the IDSM sensor first. If we do not, given Windows' tendency to corrupt on a dirty shutdown, we could easily find ourselves reinstalling the OS. The good news is that a clean shutdown is very easy to accomplish. As shown in Figure 6.11, just log in to the IDSM and issue the shutdown command.

Start Figure
switch> (enable) session 4
Trying IDS-4...
Connected to IDS-4.
Escape character is '^]'.
login: ciscoids
Password:
# shutdown
WARNING: Shutting down the line card will disable IDS.
Continue with shutdown?: y
Shutting down the module...
# exit
switch> (enable)
End Figure

Figure 6.11: Sample of the Module in Shutdown Mode

If we use the show module command, we will see that the module is now in shutdown mode, as seen in Figure 6.12.

Start Figure
switch> (enable)
switch> (enable) show module 4
Mod Slot Ports Module-Type Model Sub Status
--- ---- ----- ------------------------- ------------------- --- ------
4 4 2 Intrusion Detection Syste WS-X6381-IDS no shutdown
Mod Module-Name Serial-Num
--- ------------------- -----------
4 SAD052800JV
Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- ----------
4 00-03-32-bd-41-3a to 00-03-32-bd-41-3b 1.1 4B4LZ0XA 3.0(1)S4
switch> (enable)
End Figure

Figure 6.12: Sample of Module in Shutdown Mode

Now for the final command, we issue the set module power down command to actually shut off the power to the IDSM. Once this is completed, we can safely remove the IDSM from the switch even while the switch is live. In Figure 6.13, we see the command and the resulting output:

Start Figure
switch> (enable)
switch> (enable) set module power down 4
Module 4 powered down.
switch> (enable) 2003 Jun 17 12:31:40 PDT -07:00 %SYS-5-MOD_PWRDN:Module
4 powered down
switch> (enable) show module 4
Mod Slot Ports Module-Type Model Sub Status
--- ---- ----- ------------------------- ------------------- --- - -----
4 4 0 Intrusion Detection Syste WS-X6381-IDS no power-down
Mod Module-Name Serial-Num
--- ------------------- -----------
4
Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- -------- --
4 unknown
switch> (enable)
End Figure

Figure 6.13: Sample of the set module power Command

To bring the IDSM sensor back online, we simply reverse the commands: we apply power to the IDSM sensor, wait about two minutes for it to boot up, and then enable the module to bring it back online. In Figure 6.14, we see the steps and results:

Start Figure
switch> (enable) set module power up 4
Module 4 powered up.
switch> (enable) 2003 Jun 17 12:32:28 PDT -07:00 %SYS-5-MOD_PWRON:Module
4 powered up
switch> (enable) set module enable 4
Enabling module 4. Please wait until module on line.
switch> (enable)
End Figure

Figure 6.14: Bringing the IDSM Sensor Back Online from a Power-Off Condition
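As an added example, not code from the book or from Cisco, the following Python monitor parses the CatOS syslog lines the switch prints in Figures 6.9, 6.13 and 6.14 and reports every event that means the IDSM is not inspecting traffic: powered down, powered up but still booting, or online but still unconfigured and "unguarded" after a reinstall. The sample log lines are constructed from the messages in those figures; the regular expression and the event mapping are assumptions about the log format, not a Cisco specification.

```python
import re

# Assumed shape of the CatOS syslog lines in the figures; no '^' anchor, so a line
# with the 'switch> (enable)' prompt echoed in front of the timestamp still matches.
SYSLOG_RE = re.compile(
    r"(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ [+-]\d{2}:\d{2} "
    r"%(?P<facility>\w+)-(?P<severity>\d)-(?P<mnemonic>\w+):(?P<text>.*)$"
)

# Module events that change whether the IDSM is inspecting traffic.
COVERAGE_EVENTS = {
    "MOD_PWRDN": "module powered down: no IDS coverage",
    "MOD_PWRON": "module powered up: still booting, no IDS coverage yet",
    "MOD_OK": "module online",
}

# Constructed sample, assembled from the messages in Figures 6.9, 6.13 and 6.14.
SAMPLE_LOG = [
    "switch> (enable) 2003 Jun 17 12:31:40 PDT -07:00 %SYS-5-MOD_PWRDN:Module 4 powered down",
    "2003 Jun 17 12:32:28 PDT -07:00 %SYS-5-MOD_PWRON:Module 4 powered up",
    "2003 Jun 17 13:15:06 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Starting IDSM Diagnostics",
    "2003 Jun 17 13:15:49 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics completed successfully.",
    "2003 Jun 17 13:15:49 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM has not been configured. Network is unguarded!",
    "2003 Jun 17 13:15:58 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online",
]


def parse_syslog_line(line):
    """Return the fields of one CatOS syslog line as a dict, or None if the
    line is not a syslog message (a bare prompt, a CLI echo, and so on)."""
    m = SYSLOG_RE.search(line)
    return m.groupdict() if m else None


def idsm_coverage_events(lines):
    """Return (timestamp, description) tuples for every event that bears on
    IDS coverage: power-down, power-up, module online, and the post-upgrade
    'has not been configured. Network is unguarded!' bootstatus message."""
    events = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        mnem, text = rec["mnemonic"], rec["text"].strip()
        if mnem in COVERAGE_EVENTS:
            events.append((rec["ts"], f"{COVERAGE_EVENTS[mnem]} ({text})"))
        elif mnem == "SUP_OSBOOTSTATUS" and "unguarded" in text.lower():
            # Module is up but its configuration was wiped by the reinstall: 'setup' must run first.
            events.append((rec["ts"], f"IDSM online but unconfigured ({text})"))
    return events
```

Feeding the switch's syslog stream through idsm_coverage_events gives an operator a timeline of the windows in which the monitored segment had no working sensor.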

Updating the IDSM Sensor Signatures and Service Packs

To update the signatures on the IDSM sensor, we use a command called apply. This command is used from the primary partition while the IDSM sensor is in configuration mode. In the following sample, we apply a typical signature update:

apply ftp://username@server/path/filename

This installs the signature or service pack update in the active partition from the path given in the apply command argument. In this case, the entire filename is needed, not just the prefix used with ids-installer in Figure 6.9. In Figure 6.15, we see the results of the command when used to install a service pack on an IDSM v1.

Start Figure
IDSM(config)# apply ftp://ciscoids@10.4.2.11/ftpupload/IDSMk9-sp-3.0-6-
S42.exe
WARNING: Installing Service Pack will temporarily disable IDS.
Continue with IDS Service Pack install?: y

Enter the FTP user password: *****
Connecting to site...

Receiving file.
Installing files from 3.0(6)S23

Starting NetRanger Signatures Merging Utility...
Checking file: C:\Program Files\Cisco Systems\Netranger/etc/packetd.
conf...
Adding signature: SigOfGeneral 993 to C:\Program Files\Cisco
Systems\Netranger/etc/packetd.conf.
Adding signature: SigOfGeneral 1107 to C:\Program Files\Cisco
Systems\Netranger/etc/packetd.conf.
::trimmed for brevity::
The Install for IDSM Service Pack file IDSMk9-sp-3.0-6-S42.exe was
successful
System needs to be restarted. Rebooting...
End Figure

Figure 6.15: Service Pack Installation on an IDSM v1 Sensor

At the end of the update, the IDSM reboots and you will have to log back into the IDSM to verify that the service pack was applied. To verify the update, we use the show config command, as detailed in Figure 6.10. If, during a signature update or service pack installation, you cannot get the IDSM sensor to talk to the FTP server, execute the PING command from the diag prompt of the maintenance partition. This is a quick and simple way to make sure the IDSM sensor can, in fact, see the FTP server. More often than not, the cause is a problem with the network configuration of the IDSM sensor, such as an incorrect default gateway or an incorrect subnet mask.
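As an added example (not from the book, and not part of Cisco's ids-installer), the following Python helper sanity-checks the netconfig parameters from Table 6.2 before they are typed at the diag prompt and builds the ids-installer netconfig command line in the form shown earlier. It flags the unconfigured 0.0.0.0 defaults reported by netconfig /view and a default gateway that does not fall inside the configured subnet, which is the kind of mask or gateway mistake the troubleshooting paragraph above points to when the IDSM cannot reach the FTP server. The function name and the wording of the problem messages are this example's own.

```python
import ipaddress


def check_netconfig(ip, subnet, gw, dns=None, domain=None, hostname=None):
    """Sanity-check the command-and-control port settings and build the
    'ids-installer netconfig /configure ...' line from them.

    Returns (command_line, problems). command_line is None when the
    address/mask pair cannot even be parsed; problems lists anything
    that would leave the IDSM unable to reach its gateway or the FTP server."""
    problems = []
    try:
        # IPv4Interface accepts a dotted netmask and rejects a
        # non-contiguous one such as 255.0.255.0 with ValueError.
        iface = ipaddress.IPv4Interface(f"{ip}/{subnet}")
        gw_addr = ipaddress.IPv4Address(gw)
    except ValueError as exc:
        return None, [f"unparseable address or mask: {exc}"]

    net = iface.network
    if iface.ip == ipaddress.IPv4Address("0.0.0.0") or net.prefixlen == 0:
        # 0.0.0.0 / 0.0.0.0 is what 'netconfig /view' shows on a fresh module.
        problems.append("IP address or subnet mask is still the unconfigured 0.0.0.0 default")
    elif net.prefixlen == 32:
        problems.append("subnet mask 255.255.255.255 leaves no room for a gateway")
    elif net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("IP address is the network or broadcast address of its subnet")

    if gw_addr not in net:
        problems.append("default gateway is not on the command-and-control subnet (check mask and gateway)")
    if gw_addr == iface.ip:
        problems.append("default gateway is the IDSM's own address")
    if dns is not None:
        try:
            ipaddress.IPv4Address(dns)
        except ValueError:
            problems.append("DNS server must be an IPv4 address")

    # Assemble the command line in the order the text documents it.
    cmd = f"ids-installer netconfig /configure /ip={ip} /subnet={subnet} /gw={gw}"
    if dns is not None:
        cmd += f" /dns={dns}"
    if domain is not None:
        cmd += f" /domain={domain}"
    if hostname is not None:
        cmd += f" /hostname={hostname}"
    return cmd, problems
```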