SDM & IPS

Hi all

I started learning Cisco's new tool SDM and I have a few questions regarding IPS and its signature files.

I plan to enable IPS, as its configuration is quite simple and it is quite useful.

I intend to load the predefined advanced signature files "attack-drop.sdf" and "256MB.sdf".

The first question I have is how these files are updated by Cisco, and whether there is any means of communication regarding when these files are updated, so that customers are aware and have the ability to load the most recent signatures for new types of attacks, etc.

My second question is, would the two advanced signature files mentioned above suffice as a company IPS? I'm not interested in writing my own signatures. I prefer to monitor and prevent the more common known and typical attacks.

I hope that updating the two predefined signature files "attack-drop.sdf" and "256MB.sdf" when they are updated will be enough.

Any feedback is greatly appreciated.

Thank you in advance.

See you soon,

Hi Christophe,

IOS IPS on the routing platform now supports two different versions of the signature format: a 4.x and a 5.x signature format.

If you use a version of IOS before 12.4(11)T, it uses the 4.x signature format. In this version, you must use the basic (128MB.sdf) and advanced (256MB.sdf) SDF files.

If you use 12.4(11)T or a later version of IOS, it is based on the 5.x signature format. You can see the quick start guide in the reference link below for more details.

Cisco updates these files on an as-needed basis. Currently, you need to check the Cisco website for updates. Or, if you use SDM or CSM, this software can perform a check and auto-download as well.

For your question about whether it is adequate as a company IPS, the answer depends on the networking/traffic situation in your actual deployment. If you can provide more details, I can better answer your question. If you are asking about the signature set, they are selected by Cisco as high-severity, high-fidelity signatures that best fit the routing platform. Again, these SDF files are intended to provide a good/solid starting point; the IPS system needs some tuning during operation.

Reference:

Getting Started with Cisco IOS IPS with 5.x Format Signatures: http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml

CCO IOS IPS: http://www.cisco.com/go/iosips

Thank you

-Chris
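As an added illustration of the two formats Chris describes (example configuration written for this page, not taken from the original post or copied from Cisco's guide), the IOS commands below show a legacy 4.x SDF-based IPS rule beside a 5.x package-based one. The rule name IOSIPS, the flash:ips/ directory, the interface names and the package file name are assumptions; the Cisco public key string that 5.x requires to verify the signed package is published in the Getting Started guide linked above and is not reproduced here.

```cisco
! ---- 4.x format (IOS before 12.4(11)T): signatures come from an SDF ----
! Load the advanced SDF from flash. "fail closed" drops traffic if the
! signature engine cannot be built, instead of passing it uninspected.
ip ips sdf location flash:256MB.sdf
ip ips fail closed
ip ips name IOSIPS
interface FastEthernet0
 ip ips IOSIPS in
!
! ---- 5.x format (12.4(11)T and later): signatures come from a .pkg ----
! The package is signed; IOS verifies it against Cisco's published key,
! so the key must be configured before the first "copy ... idconf".
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   ! <key string from the Getting Started guide, omitted here>
  quit
!
! Directory where IOS keeps its compiled signature state (assumed name).
ip ips config location flash:ips/ retries 1
ip ips name IOSIPS
! Retire everything, then un-retire only the "ios_ips basic" category
! so the router does not try to compile every signature in the package.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface GigabitEthernet0/0
 ip ips IOSIPS in
!
! From privileged EXEC: load the package (file name assumed) and compile it.
! "idconf" is the 5.x target; "ips-sdf" is the 4.x target and does not
! accept a .pkg file.
copy flash:IOS-S573-CLI.pkg idconf
! Verify: a successful load shows a non-zero active signature count.
show ip ips signatures count
```

The two halves are mutually exclusive: an image that understands `ip ips sdf location` does not understand `idconf`, and vice versa, which is the mismatch behind several of the follow-up questions below.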

Tags: Cisco Security

Similar Questions

  • 2.4 SDM and IPS V5

    IPS v5 does not work with SDM? I get the message "IPS not supported" using IOS 12.4(11)T1. The CLI shows IPS working.

    SDM needs a 12.4(11)T2 or later IOS image to support IOS IPS signature format 5.x, due to some IOS problems.

    For 12.4(11)T1, the best option is to use the CLI for now.

    Also, please see http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml

    Thank you

    -Chris

  • New IOS IPS definitions

    Hello

    When I try to install the new IPS definitions on a Cisco 1721 router with the command "copy flash:virtualSensor.xml ips-sdf", I encounter the following error:

    TI-RV-ipnetworks.it-gw1#sh flash

    System flash directory:

    File  Length    Name/status

    1     12332180  c1700-advsecurityk9-mz.123-11.T2.bin

    2     93095     attack-drop.sdf

    3     3883008   sdm.tar

    4     270848    home.tar

    5     1463      home.html

    6     1187840   ips.tar

    [17768820 bytes used, 15523464 available, 33292284 total]

    32768K bytes of processor board System flash (Read/Write)

    TI-RV-ipnetworks.it-gw1#copy tftp:virtualSensor.xml flash:virtualSensor.xml

    Address or name of remote host []? 172.16.0.1

    Destination filename [virtualSensor.xml]?

    Accessing tftp://172.16.0.1/virtualSensor.xml...

    Erase flash: before copying? [confirm] n

    Loading virtualSensor.xml from 172.16.0.1 (via FastEthernet0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    [OK - 1917467 bytes]

    Verifying checksum... OK (0x63A9)

    1917467 bytes copied in 55.368 secs (34631 bytes/sec)

    TI-RV-ipnetworks.it-gw1#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    TI-RV-ipnetworks.it-gw1(config)#no ip ips sdf location flash:attack-drop.sdf

    TI-RV-ipnetworks.it-gw1(config)#ip ips fail closed

    TI-RV-ipnetworks.it-gw1(config)#exit

    TI-RV-ipnetworks.it-gw1#copy flash:virtualSensor.xml ips-sdf

    % Unable to allocate regular expression state table: 7575360

    % Unable to allocate regular expression state table: 3450200

    How can I install and activate the new IOS IPS definitions?

    I checked all the internal Cisco TAC cases and error messages and I couldn't identify the problem. It does not seem like you have a memory problem; you have 15 MB available. I would try three things and then maybe contact TAC to see if they can help.

    1. Download the file again, just in case it is corrupted.

    2. Give your file the .sdf extension, just in case the file name is a problem for ips-sdf (it shouldn't be).

    3. Download the SDF again, just in case there is invalid content in the file you currently have.

    4. It seems that you have SDM installed. Try using SDM to install the signatures.

    I hope this helps; if not, repost or give the TAC guys a call.

  • 2651XM IPS Signature Update?

    Hello

    I have a 2651XM running 12.4(25) with 256 MB / 32 MB and I want to update the IPS signature file.  I see that the last update for 256MB.sdf was made in August 2008.  The most recent IPS update I found is IPS-sig-S518-req-E4.pkg from

    http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=277801011&treeName=Security&mdfLevel=Model&url=null&modelName=Cisco+2651XM+Multiservice+Router&isPlatform=N&treeMdfId=268438162&modifmdfid=278279418&imname=Cisco+IDS+Access+Router+Network+Module&hybrid=Y&imst=Y

    I tried the command

    ip ips sdf location flash:\\IPS-sig-S518-req-E4.pkg

    &

    ip ips sdf location flash:IPS-sig-S518-req-E4.pkg

    but when I apply IPS to an interface and run "show ip ips all", no signatures load and I get the message "invalid token".

    I tried to see if the latest SDM would help too, but nothing.

    My question is, what am I doing wrong or missing?  Is my router too old to be able to get the latest signature files?

    Advice or tips in the right direction are appreciated.

    Thank you

    You have a version of IOS which includes the old version of the IOS IPS feature (known as v4).  This version only supports signature updates using the SDF-formatted files.  These files are no longer updated.

    The updated signature file you found (ending in .pkg) is the signature update package for Cisco IPS appliances and is not compatible with the IOS IPS feature set.

    The current IOS IPS feature (called v5) also uses the .pkg files.  You would have to upgrade your 2651's IOS to a T-train version such as 12.4(24)T2 for the newest IOS IPS.

    You can find more information about the features of IOS IPS here:

    http://www.Cisco.com/go/iosips

    To get started with IOS IPS v5:

    http://www.Cisco.com/en/us/products/ps6634/products_tech_note09186a008097db66.shtml

    Scott

  • Latest IPS signature package (pkg)

    Hello

    I really need a helping hand to understand what the .pkg files are.

    • I downloaded the latest signature package, IOS-S573-CLI.pkg
    • I copied it to flash on a test router and I can access it via SDM
    • I set up my router and put in all the IPS config

    Router with IOS-S573-CLI.pkg as the base of active signatures:

    #sh ip ips signatures

    Builtin signatures are configured

    Signatures were last loaded from flash:/ips/IOS-S556-CLI.pkg

    Total Active Signatures: 0

    Total Inactive Signatures: 0

    But if I change the router to use the 256MB.sdf file from Cisco, I see 537 signatures:

    #sh ip ips signatures

    Builtin signatures are configured

    Signatures were last loaded from flash:/ips/256MB.sdf

    Total Active Signatures: 537

    Total Inactive Signatures: 0

    Q. What is the best way to keep the signatures up to date on the router? I would have thought it would be to use the latest file, namely IOS-S573-CLI.pkg.

    Kevin,

    I answered a similar question from another user a minute ago. Please read the link below. It should clear up most of your confusion. (Once you have read the link, keep reading below.)

    In addition, if your router is able to use 5.x signatures, then you don't have to use "flash:/ips/IOS-S556-CLI.pkg". It's for version 4.x signatures, which I think your router is using. You would load the signatures by typing "copy flash:/ips/IOS-S556-CLI.pkg idconf", which will cause the signatures to compile. You'd be off to the races after that. (Remember to read the link to the other post I mentioned. It will give you exactly the way everything is set up.)

    Post back if you have other questions. Have a nice day.

    https://supportforums.Cisco.com/message/3418935#3418935

  • Can Cisco Configuration Professional use the IPS feature?

    Dear Expert

    Hello.

    Could you tell me about Cisco Configuration Professional?

    I would like to try IOS IPS on a Cisco2901-SEC/K9.

    I was looking at CCO for Cisco Configuration Professional.

    The Cisco2901-SEC/K9 does not support SDM.

    But the Cisco2901-SEC/K9 does support Cisco Configuration Professional.

    Can Cisco Configuration Professional use the IPS function like SDM does?

    Kind regards

    Takuro.

    Hello

    Yes, you can configure IOS IPS with Cisco Configuration Professional.

    CCP has a wizard to guide you through the process; here is a link for it:

    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html

    I hope this helps you.

    -------

    Mashal

  • Spyware on IOS IPS signatures

    The following document lists three types of spyware signatures for Cisco IDS version 4.1. Are these available on IOS IPS for the new 2800 routers?

    http://www.Cisco.com/en/us/partner/NetSol/ns340/ns394/ns171/ns292/networking_solutions_newsletter0900aecd800fc536.html

    Cisco IDS Active Update Bulletin #114 [Intrusion Detection System Solution] - Cisco Systems

    Yes,

    I just looked in the latest S128 signature files for IOS IPS and these signatures are available.

    They are, however, disabled by default, so you will have to edit the file and enable them before applying S128 to the router.

    You can make this change by hand or through SDM v2.0:

    http://www.Cisco.com/en/us/products/sw/secursw/ps5318/products_user_guide_book09186a0080327f8b.html

    (NOTE: I was told that you can change the sigs via SDM v2.0, but there are no specific instructions in the user guide.)

    The IOS IPS signature updates are found here:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/iOS-sigup

    If you download and unzip S128, you can edit the file virtualSensor.xml (another name for attack-drop.sdf) and find the 3 signatures you mentioned.

  • FAQ (26): I installed a different version/edition of Windows and now SDM will not show me updates.

    I installed a different version/edition of Windows and now SDM does not work in "Update" mode.

    This can occur when an operating system that HP did not specifically test with the model is installed, and it often happens with Windows Ultimate editions (or even 64-bit editions on some older models) prior to Windows 8.

    Because SDM detects the new operating system but cannot match it in the SDM catalog, SDM will disable "Update" mode.  However, please note that you can still use SDM in 'All products' mode to download your SoftPaqs by doing the following (the ProBook 4730s is used as an example):

    1. Press "View all products" in the SDM toolbar.
    2. If a dialog box appears warning that "no operating system has been selected", then skip to step.
    3. Press OK to close the dialog box.
    4. Check "Microsoft Windows 7 Professional 64 Edition".
    5. Click on the "Language filter" tab.
    6. Make sure 'English - International' is checked.
    7. Press the OK button.
    8. Now expand the tree on the left side of the SDM application by selecting the following:
    9. HP ProBook 4700 Notebook PC Series
    10. HP ProBook 4730s Notebook PC
    11. Microsoft Windows 7 Professional 64 Edition
    12. Check the 'English - International' box.
    13. Press the "Find available SoftPaqs" button.
    14. After "things calm down", click the "See the latest SoftPaqs" button at the top right of the SDM application.

    The latest list of SoftPaqs for your model should now be displayed. We recommend that you download all listed SoftPaqs. This way, any new SoftPaqs released for this model will appear in the top list titled "Available SoftPaqs".

    To install a SoftPaq after downloading, right-click the SoftPaq in the "Downloaded SoftPaqs" list view and select "Install SoftPaq".

    Important note: most SoftPaqs listed using the method above should apply to your model, but a small number of SoftPaqs might not be applicable to your model due to the different hardware offerings for your model. This means that not all listed SoftPaqs will install on your model, and that is normal.

  • SSM/SDM improvements

    I don't know if there is a forum for SSM. SSM is part of SDM, so this forum seems OK to me. If there is a separate SSM forum, please let me know.
    Sorry if I sound like a b* but I don't see any alternative to SDM/SSM. I think SDM is good for single-use PCs. SDM for the enterprise is not all that good.

    First, here is how you use SSM.
    First, using SDM, select all the computer models and operating systems you use in your company.
    Second, select download and extract. Third, update the SSM database and install the network drivers.

    Here is my list of complaints:

    When downloading files and extracting them, I usually get "the path is too long and cannot be extracted". I extracted to the D:\Drivers path. I ended up with the drivers extracted at D:\D
    If we have installed the network drivers, it fails during the installation of the network drivers. Somehow that's logical, and the solution would be to copy the files locally before running DFS. However, in SDM I cannot sort the extracted drivers by model. This results in copying almost 100 GB of files, 80% of which is not necessary due to the wrong model.

    My list of SSM/SDM feature enhancements:

    SDM
    Add a feature to extract to <model>\<category>\<softpaq name>. <model> should be the model I selected in the tree view and not the models supported by the driver.
    Add a command-line feature to select SSM-compatible drivers only.
    Add a command-line feature to exclude certain categories. Example: SOFTPAQDOWNLOADMANAGER.EXE /Exclude: "Software - Security", "Diagnostics".
    There is a bug in SDM. It does not unzip to subst drives.

    SSM
    When running over the network, make the SSM driver install work in two phases. First phase: query the computer and the SSM database; copy all necessary SoftPaq files from the store to the local disk. Second phase: install the drivers from the local drive.

    Fix for HP SoftPaqs.
    Shorten the paths for SoftPaqs to a maximum of 100-130 characters.
    I used to have NVIDIA drivers reboot the machine when installed with SSM, forcing me to rerun SSM after the reboot. I ended up not using the NVIDIA drivers packaged by HP (they do not work with MDT 2012 Update 1 either). Instead, I use NVIDIA drivers from the Microsoft catalog.

    Thanks for the suggestions.

    SSM does not currently have a forum, but I think they are planning to have one. In the meantime, I'll pass your suggestions to their development team.

    I will also pass the SDM suggestions to the SDM development team.

  • How to exclude software so it is unavailable from SDM

    I'm trying to remove some software we don't use from SDM, so that it never gets installed on any computers via SSM.

    Examples: HP ProtectTools, McAfee Total Protection etc., face recognition software (our laptops don't have webcams), HP Support manager software and many other things.

    I can't find a way to get rid of them or to not download them.

    I tried simply deleting the folders, but they just come back.

    What are the steps to remove them from SDM, so SSM never installs them?

    Currently, there is no feature in SDM which excludes software from being available in SDM.

    It wouldn't hurt to write an email to the SDM support team detailing how you would expect such a feature to work, to support its implementation in SDM.

  • FAQ (25): SDM offers to install SoftPaqs that are already installed.


    SDM relies on SSM compliance to detect the version of already installed SoftPaqs. Needless to say, if there are errors in the SSM-compliance CVA file, then SDM may not report the installed state of the affected SoftPaqs. This will manifest itself as one of the following:

    1. A SoftPaq reported as not installed over and over again.
    2. A SoftPaq reported as having itself as the update.

    Note: given that SDM installs the SoftPaqs silently (no dialog boxes, with all default values accepted), any error messages that hint at what the problem might be will also not appear. In this case, try to install the SoftPaq manually following the instructions in this post:

    /T5/HP-SoftPaq-Download-Manager/FAQ-18-what-should-I-do-if-a-SoftPaq-does-not-install/m-p/2414809#M341

    Important note: in some cases, a reboot is required to complete the SoftPaq installation. Before you continue, please restart and rerun SDM.

    If you want confirmation that a specific SoftPaq may have trouble with SSM compliance, please send the SDM support team an SDM log file of the session after SDM finishes trying to install the SoftPaq in question, and they can confirm it.

    However, since this team's expertise is only with SDM technical issues and not individual SoftPaqs, which are released by a completely different entity, they will ask you to report the SoftPaqs complained about to HP support.

    To report problems with individual SoftPaq SSM compliance, please contact HP support at http://welcome.hp.com/country/us/en/wwcontact_us.html

  • FAQ (24): SDM won't install after upgrading to Windows 8

    I have upgraded to Windows 8 and now SDM will not install. Why is this?

    HP SoftPaq Download Manager (SDM) requires .NET 3.5. Windows 8 has native support for .NET 4.x.

    Unfortunately, .NET 4.x is unlike .NET 3.5, where 3.5 included support for 2.0, 3.0 and 3.5 all in one.  In our humble opinion, .NET 3.0 and .NET 3.5 should have been called .NET 2.1 and .NET 2.2 respectively.

    Starting with .NET 4.0, Microsoft is not including backward support for .NET 2.0, 3.0 and 3.5.

    Fortunately, in Windows 8, the .NET Framework 3.5 comes with the operating system. However, it is disabled by default.

    To activate .NET 3.5 in Windows 8, follow these instructions:

    • Open the 'Control Panel'.
    • Click "Programs and Features".
    • Select "Turn Windows features on or off" (located at the top left of the window).
    • In the dialog box, check the option ".NET Framework 3.5 (includes .NET 2.0 and 3.0)".
    • Click the "OK" button.

    The SDM installation should work after that.

  • FAQ (30): Can SDM save to model-named directories?

    I like to keep SoftPaqs separated by model name.

    In Tools/Configuration Options, there is a way to download SoftPaqs and separate them by SoftPaq name. Is it possible to separate them by model/product name?

    No, but you can download and save SoftPaqs to different download directories (which may have any name, including model names) by using SDM in 'All products' mode and 'Build Driver Pack' mode.

    To do this, select the model that you want, then go to Tools/Configuration Options and change the download directory name to the model name/number. Once you have set up the configuration as you wish, save it by selecting File/Save or File/Save Product Configuration As. We recommend saving all your SDM configurations in the same folder for easy selection.

    When you are ready to load a configuration, simply select File/Load Product Configuration.

    For more information on SDM configurations, please see the help within the application.

  • FAQ (28): Why doesn't SDM display all available SoftPaqs for a newly released operating system?

    A new operating system was recently released and SDM does not show all SoftPaqs supporting this new OS in 'All products' mode. Why?

    If you use SDM in "Update" mode, please see FAQ (20) (/t5/HP-SoftPaq-Download-Manager/FAQ-20-quot-This-specific-model-could-not-be-matched-All-models/td-p/5317159) and then continue reading below.

    There are three reasons why this might be the case:

    1. Not all HP models have the required or recommended hardware specifications to run new operating systems.
      A rule of thumb to consider is that the more recent the model is, the more likely it is that SoftPaqs supporting a new operating system will be released for that model. In the past, the "cut-off" line seems to have been about 3 years old. However, HP reserves the right to change this at any time.
    2. It takes time to qualify software for the new operating system.
      A rule of thumb to consider is that the more recent the model, the earlier SoftPaqs supported on a new operating system will be released. For example, a model that is only a year old will probably be updated before a model that is two years old.

      Note: in the above two cases, a way to check is to visit http://www.hp.com/support and go to the download page for your model. If the new operating system is listed with supporting SoftPaqs, then SDM will support it as well.
    3. If you use the 'All products' mode, there is an OS filter that is still active. If you have already used the 'All products' mode, SDM will still apply this filter, which will probably not include any newly released operating system. Please go to the Configuration Options and select all editions of the newly released operating system.

  • FAQ (27): Does SDM require administrator rights to run?

    When I launch SDM, it comes up with this dialog box. Is this normal?

    Yes. SDM requires administrator rights because it needs the appropriate rights to update or apply SoftPaq updates to your computer.

    The above message appears only if UAC (User Access Control) is turned on and the user doesn't have administrator rights. For more information about UAC, please visit this link: http://en.wikipedia.org/wiki/User_Account_Control

    UNFORTUNATELY, SDM version 3.5.0.0 (the latest as of this post) has a problem where it wrongly does not recognize the user as administrator if UAC is enabled.

    If you have SDM version 3.5.0.0, have UAC enabled, are logged on under an account that has administrator rights and SDM displays the dialog box above, please note that this is a bug found ONLY in SDM version 3.5.0.0 and will be fixed in the next version.

    In the meantime, there are two solutions we can suggest to work around this problem:

    (1) Although not recommended, you can disable UAC and reboot for the changes to take effect. We do not recommend this approach because UAC protects the computer against attacks. We include this option only for completeness.

    (2) RECOMMENDED WORKAROUND: Force SDM to start with administrator rights.  To do this, please follow these steps to work around the problem until a new version of SDM is available:

    1. Open Windows Explorer.
    2. Go to C:\Program Files (x86)\Hewlett-Packard\HP SoftPaq Download Manager. Note: If you have a 32-bit operating system, navigate to C:\Program Files\Hewlett-Packard\HP SoftPaq Download Manager.
    3. Right-click the file "SoftPaqDownloadManager.exe".
    4. Select "Run as Administrator" from the context menu.
