|[ LiB ]|
To perform sensor maintenance, you should understand the update installation process, the update files for signatures and service packs , and image recovery. The following sections cover these concepts.
To install a new update, you need to access the sensor via the CLI or use the IDS MC. In both cases, you need administrator privileges to the sensor or the IDS MC. If using the CLI, you must store the update file on a server that is accessible via File Transfer Protocol (FTP), Secure Copy Protocol (SCP), or Hypertext Transfer Protocol/Secure HTTP (HTTP/HTTPS). If using the IDS MC, you should store the update file in \Program Files\CSCOPX\MDC\etc\ids\Updates .
IDS update files are named according to the notation shown in Figure 12.1.
The best way to illustrate this notation is through examples:
Example 1 : IDS-sig-4.0-2-S42.rpm.pkg
Example 2 : IDS-K9-sp-4.0-2-S42.rpm.pkg
In Example 1, sig-4 indicates that this is a signature update, as opposed to a service pack. The 4.0 that follows the hyphen indicates that this signature update is for IDS version 4.0. The 2 shows that the service pack level is 2; the S42 is the signature version; and the rpm indicates that this is a Red Hat Package Manager file.
Example 2 is a service pack for IDS software updates, as indicated by the K9-sp . It is also for IDS version 4.0, service pack level 2, and signature version S42. And again, the rpm extension indicates that it is a Linux Red Hat Package Manager file.
When presented with an IDS update filename, you should be able to identify the software type, IDS version, service pack level, signature version, and extension, as illustrated in Figure 12.1.
Earlier in this chapter, you saw that to perform an update from the CLI, you need administrator privileges to the sensor and FTP, SCP, or HTTP/HTTPS access to the update file location. The command to perform the upgrade is the upgrade command, which you execute from global configuration mode, as shown in this example:
The upgrade command is followed by the source-url , which is ftp://firstname.lastname@example.org/IDS-K9-sp-4.0-2-S29.bin in the example. In this case, we include the username within the URL; however, if you prefer, you may simply enter the URL and be prompted for the username and password. The command syntax, as you have likely worked out, is as follows:
source-url is the path to the update file's location. Although our example is performing a service pack update, you can use the upgrade command to perform both signature updates and service packs alike.
You can also downgrade the sensor and restore it to a previous configuration by using the downgrade command. This command is even simpler because there is no file path to enter. The complete usage of this command is as follows:
This command removes the most recent upgrade from a sensor or IDSM. The command is not available if no upgrade has been installed on the sensor.
Performing updates with the IDS MC is similarly straightforward. You perform all update tasks from the Updates option on the Configuration tab, as shown in Figure 12.2.
You can see from the TOC in the figure that there are two options within the Configuration, Updates page: Update Network IDS Signatures and Update Sensor Version.
To update IDS signatures, follow these steps:
To perform an IDS sensor update, complete the following tasks:
You saw in Chapter 8, "Command-Line Interface Commands," how to use the recover command to re-image the application partition with the image stored on the recovery partition. This task is possible on sensor appliances and not on IDSM2 because IDSM2 does not have a recovery partition. As shown in the Secure Shell (SSH) session in Figure 12.4, although it takes several reboots to complete the recover operation, the command itself is quite simple.
The full command syntax is
sensor(config)# recover application-partition
On a version 4 sensor appliance, the CLI command to re-image the application partition with the image in the recovery partition is recover application-partition . This command is not available for IDSM2.
|[ LiB ]|