© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.112-1 Lesson 12 Cisco Intrusion Detection System Maintenance.

Transcript:

Lesson 12: Cisco Intrusion Detection System Maintenance

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Explain the naming convention for IDS software update files.
- Install IDS signature updates and service packs.
- Recover the Sensor application partition.
- Restore the Sensor default configuration.
- Configure the Time Settings on the Sensor via IDM.

Service Pack and Signature Updates

Software Updates Overview

- IDS software updates provide the latest signature and intrusion detection improvements.
- New IDS signatures are released as signature updates.
- Intrusion detection improvements are released as service packs.
- Updates can be uninstalled to return the IDS software to the previous version.

Software Update Guidelines

The following are guidelines for installing IDS software updates:
- Read the release notes to determine whether the Sensor meets the requirements.
- Download the correct update for the Sensor appliance, IDSM, IDSM-2, or NM-CIDS.
- Use one of the following to update the Sensor:
  - IDM
  - IDS MC
  - CLI

IDS Files

File name format: IDS-K9-type-major.minor-sp-Ssignature.rpm.pkg

Fields, in order: upgrade type, software version, signature version, extension.

Example: IDS-sig S64.rpm.pkg
Example: IDS-K9-sp S61.rpm.pkg
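The naming template on this slide, turned into a parser as an added example (not part of the Cisco course material). It assumes the number after major.minor is the service pack level, and it uses constructed file names because the version digits of the slide's own examples did not survive extraction.

```python
import re

# Template from the slide: IDS-K9-type-major.minor-sp-Ssignature.rpm.pkg
# "K9-" is optional because the slide's signature example omits it, and only
# the two upgrade types the slide shows (sig, sp) are accepted.
UPDATE_NAME = re.compile(
    r"IDS-(?P<k9>K9-)?(?P<type>sig|sp)-"
    r"(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)-"
    r"S(?P<sig>\d+)\.rpm\.pkg"
)


def parse_update_name(name):
    """Split an update file name into its fields; raise ValueError if malformed."""
    m = UPDATE_NAME.fullmatch(name)
    if m is None:
        raise ValueError(f"not an IDS update file name: {name!r}")
    return {
        "k9": m.group("k9") is not None,
        "upgrade_type": m.group("type"),
        "software_version": (int(m.group("major")), int(m.group("minor"))),
        "service_pack": int(m.group("sp")),  # assumed meaning of "sp"
        "signature_version": int(m.group("sig")),
    }


def newest_signature_update(names, software_version):
    """Pick the signature update with the highest S-number for one release,
    skipping malformed names and files built for another release."""
    best = None
    for name in names:
        try:
            info = parse_update_name(name)
        except ValueError:
            continue
        if info["upgrade_type"] != "sig" or info["software_version"] != software_version:
            continue
        if best is None or info["signature_version"] > best[0]:
            best = (info["signature_version"], name)
    return best[1] if best else None


# Constructed directory listing; the version digits are illustrative.
SAMPLES = [
    "IDS-sig-4.1-3-S62.rpm.pkg",
    "IDS-sig-4.1-3-S64.rpm.pkg",
    "IDS-K9-sp-4.1-3-S61.rpm.pkg",
    "IDS-sig-4.0-2-S99.rpm.pkg",       # built for another release
    "IDS-sig-4.1-3-S100.rpm.pkg.bak",  # trailing junk, rejected
]
```

Matching the whole name with `fullmatch` means a file with extra leading or trailing characters is rejected before it is staged on the update server.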

upgrade Command

sensor(config)# upgrade source-url
Applies a service pack, signature update, or image upgrade from an FTP, SCP, HTTP, or HTTPS server.

sensor(config)# upgrade 3-S61.rpm.pkg
Upgrades the Sensor to Service Pack 3 for IDS Software Version 4.1.

Using IDM to Install an Update

Choose Administration > Update.

Configuring Automatic Updates

Choose Configuration > Auto Update.

Image Recovery

Image Recovery Overview

- The Sensor appliance has two partitions: the application partition and the recovery partition.
- You can recover the application partition image from the image stored on the recovery partition.
- You should back up your configuration before recovering the application partition.
- Recovery procedures for the Sensor appliance differ from the recovery procedures for the IDSM-2 and the NM-CIDS.

Image Recovery

sensor(config)# recover application-partition
Reimages the application partition with the image stored on the recovery partition.

sensor(config)# recover application-partition
Warning: Executing this command will stop all applications and re-image the node to version 4.1(1)S47. All configuration changes except for network settings will be reset to default.
Continue with recovery?:yes
Request Succeeded
sensor(config)#

Upgrading the Recovery Partition

- A recovery partition image file is available for every major and minor release of the IDS Software Version 4.x.
- The recovery partition image file is the only upgrade available for the recovery partition.
- It is a good idea to keep your recovery partition up to date with the latest recovery partition image so that it is ready if you need to recover the application partition on your Sensor.
- You can use the upgrade command to install the recovery partition image.

Recovery Partition Image File

Example: IDS-42XX-K9-r-1.2-a S47.tar.pkg

Field labels: Sensor type, Recovery, Software version, Extension, Signature version, Recovery partition image file version.

Resetting, Powering Down, and Restoring the Default Configuration

Using IDM to Reset or Power Down the Sensor

Choose Administration > System Control.

Using IDM to Restore the Default Configuration

Choose Configuration > Restore Defaults.

Time Settings

Using IDM to Configure the Time Settings

Choose Device > Sensor Setup > Time.

Summary

- You can use any of the following to install service pack and signature updates on your Sensor:
  - CLI
  - IDM
  - IDS MC
- To install service pack and signature updates via the CLI or IDM, you must first download the correct update file to an FTP, SCP, HTTP, or HTTPS server on your network.
- To install service pack and signature updates via the IDS MC, the update file must reside on the IDS MC.
- You can use either IDM or the IDS MC to configure automatic service pack and signature updates. This enables the software to be automatically applied to your Sensor after you download it to a central FTP or SCP server.
- The Sensor recovery partition can be used to recover the Sensor software image if it becomes corrupted. The recovery can be performed via the CLI.
- You can use IDM to restore the default configuration to your Sensor.
- You can use IDM to set the Sensor Time Settings.

Lab Exercise

[Figure: Lab Visual Objective. Lab topology diagram showing the student PCs, routers, sensorP and sensorQ, with hosts labeled RTS, WEB, FTP, and RBB.]