Sensor Maintenance


To perform sensor maintenance, you should understand the update installation process, the update files for signatures and service packs, and image recovery. The following sections cover these concepts.

Update File Location and Access

To install a new update, you need to access the sensor via the CLI or use the IDS MC. In both cases, you need administrator privileges to the sensor or the IDS MC. If using the CLI, you must store the update file on a server that is accessible via File Transfer Protocol (FTP), Secure Copy Protocol (SCP), or Hypertext Transfer Protocol/Secure HTTP (HTTP/HTTPS). If using the IDS MC, you should store the update file in \Program Files\CSCOPX\MDC\etc\ids\Updates.

Identifying IDS Update Files

IDS update files are named according to the notation shown in Figure 12.1.

Figure 12.1. Notation for naming Cisco IDS update files.


The best way to illustrate this notation is through examples:

  • Example 1: IDS-sig-4.0-2-S42.rpm.pkg

  • Example 2: IDS-K9-sp-4.0-2-S42.rpm.pkg

In Example 1, sig indicates that this is a signature update, as opposed to a service pack. The 4.0 that follows the hyphen indicates that this signature update is for IDS version 4.0. The 2 shows that the service pack level is 2; the S42 is the signature version; and the rpm indicates that this is a Red Hat Package Manager file.

Example 2 is a service pack for IDS software updates, as indicated by the K9-sp. It is also for IDS version 4.0, service pack level 2, and signature version S42. Again, the rpm extension indicates that it is a Linux Red Hat Package Manager file.


When presented with an IDS update filename, you should be able to identify the software type, IDS version, service pack level, signature version, and extension, as illustrated in Figure 12.1.
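As an added illustration (not code from the book), the following Python parser applies the Figure 12.1 notation to the two example filenames above and splits each into its software type, IDS version, service pack level, signature version, and extension. The filename pattern is inferred from those two examples only, and the applicability rule in signature_update_applies is an assumption for illustration, not a rule stated on this page.

```python
import re
from dataclasses import dataclass

# Assumed pattern, derived from the two example filenames on this page:
# IDS-[K9-]<sig|sp>-<version>-<sp level>-S<signature version>.<ext>.pkg
_NAME_RE = re.compile(
    r"^IDS-(?P<k9>K9-)?(?P<type>sig|sp)-(?P<version>\d+\.\d+)"
    r"-(?P<sp>\d+)-S(?P<sig>\d+)\.(?P<ext>[a-z]+)\.pkg$"
)


@dataclass(frozen=True)
class IdsUpdate:
    software_type: str  # "signature" or "service pack"
    version: str        # IDS version, e.g. "4.0"
    sp_level: int       # service pack level
    sig_version: int    # signature version (the number after "S")
    extension: str      # package format, e.g. "rpm"


def parse_update_name(name: str) -> IdsUpdate:
    """Split an IDS update filename into its components, or raise ValueError."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised IDS update filename: {name!r}")
    kind = "signature" if m["type"] == "sig" else "service pack"
    return IdsUpdate(kind, m["version"], int(m["sp"]), int(m["sig"]), m["ext"])


def signature_update_applies(update: IdsUpdate, sensor_version: str,
                             sensor_sp: int, sensor_sig: int) -> bool:
    """Assumed rule (hypothetical, not from the book): a signature update is
    built for one IDS version and service pack level, and is only worth
    installing when its signature version is newer than the sensor's."""
    if update.software_type != "signature":
        return False
    return (update.version == sensor_version
            and update.sp_level == sensor_sp
            and update.sig_version > sensor_sig)


if __name__ == "__main__":
    for name in ("IDS-sig-4.0-2-S42.rpm.pkg", "IDS-K9-sp-4.0-2-S42.rpm.pkg"):
        print(name, "->", parse_update_name(name))
```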

Updating Signatures and Service Packs with the CLI

Earlier in this chapter, you saw that to perform an update from the CLI, you need administrator privileges to the sensor and FTP, SCP, or HTTP/HTTPS access to the update file location. The command to perform the upgrade is the upgrade command, which you execute from global configuration mode, as shown in this example:

 sensor(config)#upgrade ftp://cisco@ 

The upgrade command is followed by the source-url, which is ftp://cisco@ in the example. In this case, we include the username within the URL; however, if you prefer, you may simply enter the URL and be prompted for the username and password. The command syntax, as you have likely worked out, is as follows:

 sensor(config)# upgrade source-url

source-url is the path to the update file's location. Although our example is performing a service pack update, you can use the upgrade command to perform both signature updates and service packs alike.

You can also downgrade the sensor and restore it to a previous configuration by using the downgrade command. This command is even simpler because there is no file path to enter. The complete usage of this command is as follows:

 sensor(config)# downgrade

This command removes the most recent upgrade from a sensor or IDSM. The command is not available if no upgrade has been installed on the sensor.

IDS Software Updates with IDS MC

Performing updates with the IDS MC is similarly straightforward. You perform all update tasks from the Updates option on the Configuration tab, as shown in Figure 12.2.

Figure 12.2. Navigating to Configuration, Updates on the Cisco IDS MC to perform update tasks from the Updates page.


You can see from the TOC in the figure that there are two options within the Configuration, Updates page: Update Network IDS Signatures and Update Sensor Version.

Update Network IDS Signatures

To update IDS signatures, follow these steps:

  1. Click Update Network IDS Signatures from the TOC on the left side of the IDS MC interface to display the Update Network Signatures page. Recall from earlier in this chapter that your update file must be stored in the (now famous) directory \Program Files\CSCOPx\MDC\etc\ids\updates. If you have stored the new update file in the correct file location, it appears as an option in the Update File drop-down menu.

  2. Select the update file that you want to install from the drop-down menu. Recall that you need to first update the IDS MC with a signature update before applying the signature update to sensors. You see a verification message for you to confirm that you have selected the correct file and procedure.

  3. Click the Finish action button to refresh the Update Summary page, which shows a message confirming that the update was completed.

Update Sensor Version

To perform an IDS sensor update, complete the following tasks:

  1. Navigate to Configuration, Updates and select Update Sensor Version from the TOC to display the Update Sensor Version page. You see a hierarchical list of only IDS version 3.x sensor groups and sensor devices.

  2. Click Selection to specify which device or devices you want to update; alternatively, click the Update action button on the All page to perform the update on all version 3.x sensor devices, as shown in Figure 12.3.

    Figure 12.3. The Update Sensor Version page from the IDS MC, where you perform updates from IDS version 3.x sensors to version 4.


Image Recovery with the CLI

You saw in Chapter 8, "Command-Line Interface Commands," how to use the recover command to re-image the application partition with the image stored on the recovery partition. This task is possible on sensor appliances and not on IDSM2 because IDSM2 does not have a recovery partition. As shown in the Secure Shell (SSH) session in Figure 12.4, although it takes several reboots to complete the recover operation, the command itself is quite simple.

Figure 12.4. Performing the recover application-partition command from an SSH session to re-image the application partition.


The full command syntax is

 sensor(config)# recover application-partition 


On a version 4 sensor appliance, the CLI command to re-image the application partition with the image in the recovery partition is recover application-partition . This command is not available for IDSM2.


CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213