How to update Cisco IPS signatures manually

If you have problems with signature updates on the Cisco IPS module for your Cisco ASA firewall, you can try to do the update manually from the CLI. In my network I had this problem; we successfully did the update manually and finally got all IPS modules green. Before I start explaining the update process, I want to point out that I did the update on Cisco ASA-SSM-20 modules installed in ASA 5500 firewalls, and the process explained here applies to those device models. I will try to explain the process in four simple steps. So let's go through the steps:

Step 1: Download signatures and place them on an FTP server

First, download the signature file from the Cisco site (https://sso.cisco.com/autho/forms/CDClogin.html), where the update files are hosted. Log in to the site with the same credentials that are configured on your IPS module under Configuration->Sensor Management->Auto/Cisco.com Update.

So, go to https://sso.cisco.com/autho/forms/CDClogin.html, log in, navigate to the file for your specific IPS system and download it. In our case it was the file IPS-sig-S962-req-E4.pkg, which was the current signature file at that moment.

Step 2: Put your file on the FTP server

Once you have downloaded the signature file, you should set up the repository, protocol and server from which your IPS will get it. My recommendation is to use an FTP or TFTP server, where an FTP server gives you faster transfer. In my case I used FileZilla FTP server, which is very easy and intuitive. So, I put the downloaded signature file in the FTP server folder from which the IPS will get the file.

Step 3: Log in to your IPS

To run the CLI command for the signature update, log in to your IPS sensor through an SSH session or directly from the ASA firewall CLI by using the session command. In our case it was the session command. The command takes the IPS module number as its argument, which is 1 in our case. So, from my ASA CLI I did:

CiscoASA#session 1
Opening command session with module 1.
Connected to module 1. Escape character sequence is ‘CTRL-^X’.

login: ciscologinname

Password:
Last login: Wed Jan 25 12:55:49 from 127.0.1.1
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.
cisco-ips#

and I have my IPS CLI prompt. Now I can continue with the update process.

Step 4: Apply command for downloading signature file and start upgrade

With the signature file uploaded to the FTP server and a session open on my IPS module, I can enter the command that downloads and applies the signature file. The command takes the file location in the following syntax:

ftp://[[username@]location][/relativeDirectory]/filename

where username is the username for logging in to your FTP (TFTP, SFTP) server, location is the IP address of your FTP (TFTP, SFTP) server, relativeDirectory is the directory on your FTP (TFTP, SFTP) server where the file is located, and filename is the signature file (in our case IPS-sig-S962-req-E4.pkg). Now we can run the update command on our system (note that you should do it from config mode in the CLI):

cisco-ips(config)# upgrade ftp://ciscouser@10.0.0.30//FTP/IPS-sig-S962-req-E4.pkg
Password: *********
Warning: Executing this command will apply a signature update to the application partition.
Continue with upgrade? []: yes
Broadcast Message from root@ cisco-ips
(somewhere) at 13:21 …
Applying update IPS-sig-S962-req-E4
Broadcast Message from root@ cisco-ips
(somewhere) at 13:25 …
Update complete
cisco-ips (config)#

As you can see from the messages, the signature update is done, and you can log in to your IME application to confirm that the device has the newest signatures installed. You may need to reset your sensor (it is easy with the reset command in the CLI), after which your IPS module should be updated and working correctly.
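
A pre-flight check for the upgrade URL used in Step 4, added here as an example (not code from the original post or from Cisco): it parses the ftp:// form, refuses a password embedded in the URL because the CLI prompts for it, and reads the levels encoded in the package name. The function names, the reading of S962/E4 as signature level and required engine level, the treatment of a double slash as an absolute directory, and the rule that the sensor engine must equal the req-E value are assumptions.

```python
import re
from urllib.parse import urlsplit

# Package naming as seen in the post: IPS-sig-S962-req-E4.pkg
# Assumption: S<n> is the signature level, req-E<n> the required engine level.
PKG_RE = re.compile(r"^IPS-sig-S(\d+)-req-E(\d+)\.pkg$")


def parse_package(filename):
    """Return (signature_level, required_engine) from a package file name."""
    match = PKG_RE.match(filename)
    if match is None:
        raise ValueError(f"not a signature package name: {filename!r}")
    return int(match.group(1)), int(match.group(2))


def check_upgrade_url(url, sensor_engine):
    """Validate an ftp:// upgrade URL before it is typed at the config prompt."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("only the ftp:// form from the post is handled here")
    if parts.password is not None:
        # The CLI asks for the password interactively; keep it out of the URL
        # so it does not end up in terminal scrollback or session logs.
        raise ValueError("remove the password from the URL")
    if not parts.hostname:
        raise ValueError("missing FTP server location")
    directory, _, filename = parts.path.rpartition("/")
    signature, engine = parse_package(filename)
    if engine != sensor_engine:
        # Assumption: the sensor engine level must equal the req-E value.
        raise ValueError(f"package needs engine E{engine}, sensor has E{sensor_engine}")
    return {
        "user": parts.username,
        "server": parts.hostname,
        # Assumption: a double slash after the location marks an absolute directory.
        "absolute": parts.path.startswith("//"),
        "directory": directory.lstrip("/"),
        "signature": signature,
        "engine": engine,
    }


if __name__ == "__main__":
    # URL taken from the post; the engine level 4 comes from its file name.
    print(check_upgrade_url(
        "ftp://ciscouser@10.0.0.30//FTP/IPS-sig-S962-req-E4.pkg", sensor_engine=4))
```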
