Release Notes for Cisco Intrusion Prevention System 5.1(7)E1 Revised: July 9, 2012 Contents • Signature Engine Updates, page 2 • IPS 5.1(7)E1 File List, page 2 • Supported Platforms, page 3 • Supported Servers, page 3 • ROMMON and TFTP, page 4 • IPS Management and Event Viewers, page 4 • New and Changed Information, page 5 • Cisco Security Intelligence Operations, page 6 • Before Upgrading to Cisco IPS 5.1(7)E1, page 6 • Upgrading to Cisco IPS 5.
Signature Engine Updates Caution The BIOS on Cisco IDS/IPS sensors is specific to Cisco IDS/IPS sensors and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on Cisco IDS/IPS sensors voids the warranty. For more information on how to obtain instructions and BIOS files from the Cisco website, see Obtaining Software on Cisco.com, page 9.
Supported Platforms – IPS-IDSM2-K9-sys-1.1-a-5.1-7-E1.bin.gz – IPS-SSM_10-K9-sys-1.1-a-5.1-7-E1.img – IPS-SSM_20-K9-sys-1.1-a-5.1-7-E1.img • Recovery Images – IPS-K9-r-1.1-a-5.1-7-E1.pkg – IPS-4260-K9-r-1.1-a-5.1-7-E1.pkg • ISO Image – IPS-K9-cd-1.1-a-5.1-7-E1.iso For More Information • For the procedure for obtaining these files on Cisco.com, see Obtaining Software on Cisco.com, page 9. • For the procedure for installing service pack files, see Upgrading to 5.1(7)E1, page 20.
ROMMON and TFTP • Sambar 6.0 (Windows 2000) • Serv-U 5.0 (Windows 2000) • MS IIS 5.0 (Windows 2000) The following HTTP/HTTPS servers are supported for IPS software updates: • VMS - Apache Server (Tomcat) • VMS - Apache Server (JRun) Note The sensor cannot download software updates from Cisco.com. You must download the software update from Cisco.com to your FTP server, and then configure the sensor to download it from your FTP server.
New and Changed Information Note If you are using these tools to monitor 5.1(7)E1 sensors, add the sensors to the configuration as if they were 4.1 sensors. You cannot view the new fields in 5.1(7)E1 alerts in these alarm viewers until they have been upgraded to accommodate the new fields in 5.1(7)E1. Security Monitor 2.1 is being upgraded to display the fields in 5.1(7)E1 alerts. Note Viewers that are already configured to monitor the 4.
Cisco Security Intelligence Operations • New Event Actions Two new deny attacker event actions have been added in the 5.1(7)E1 release: Deny Attacker Service Pair Inline and Deny Attacker Victim Pair Inline. A new Request Rate Limit event action with a parameter that lets you specify a percentage of traffic from a denied attacker has been added to support rate limiting. • GRE/IPv4-in-IPv4 Tunneling IPS 5.1(7)E1 sensors can now monitor GRE and IPv4-in-IPv4 encapsulated traffic.
Before Upgrading to Cisco IPS 5.1(7)E1 Perform These Tasks Before you upgrade your sensors to Cisco IPS 5.1(7)E1, make sure you have performed the following tasks: • Created a backup copy of your configuration. • Saved the output of the show version command. If you need to downgrade a service pack or signature update, you will know what versions you had, and you can then apply the configuration you saved when you backed up your configuration.
Before Upgrading to Cisco IPS 5.1(7)E1 • current-config—The current running configuration. The configuration becomes persistent as the commands are entered. • backup-config—The storage location for the configuration backup. The exact format of the source and destination URLs varies according to the file. Here are the valid types: • ftp:—Source or destination URL for an FTP network server.
Before Upgrading to Cisco IPS 5.1(7)E1 Restoring the Current Configuration From a Backup File To restore your current configuration from a backup file, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Back up the current configuration to the remote server. Step 3 Copy the backup file from the remote server over the current configuration (the source is the server URL, the destination is current-config): sensor# copy scp://user@192.0.2.0//configuration/cfg current-config Password: ******** Warning: Copying over the current configuration may leave the box in an unstable state.
Before Upgrading to Cisco IPS 5.1(7)E1 Step 4 Choose Intrusion Prevention System (IPS). Step 5 Enter your username and password. Step 6 In the Download Software window, choose IPS Appliances > Cisco Intrusion Prevention System and then click the version you want to download. Note You must have an IPS subscription service license to download software. Step 7 Click the type of software file you need. The available files appear in a list in the right side of the window.
Before Upgrading to Cisco IPS 5.1(7)E1 Major and Minor Updates, Service Packs, and Patch Releases Figure 1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases. Figure 1 IPS Software File Name for Major and Minor Updates, Service Packs, and Patch Releases Major Update Contains new functionality or an architectural change in the product. For example, the IPS 5.
Before Upgrading to Cisco IPS 5.1(7)E1 Patch Release Used to address defects that are identified in the upgrade binaries after a software release. Rather than waiting until the next major or minor update, or service pack to address these defects, a patch can be posted. Patches include all prior patch releases within the associated service pack level. The patches roll into the next official major or minor update, or service pack.
Before Upgrading to Cisco IPS 5.1(7)E1 Figure 3 illustrates what each part of the IPS software file represents for signature engine updates. Figure 3 IPS Software File Name for Signature Engine Updates Signature Engine Updates Executable files containing binary code to support new signature updates. Signature engine files require a specific service pack, which is also identified by the req designator.
Before Upgrading to Cisco IPS 5.1(7)E1 5.1 Software Release Examples Table 1 lists platform-independent IDS 5.1 software release examples. Refer to the Readmes that accompany the software files for detailed instructions on how to install the files.
Table 1 Platform-Independent Release Examples
Target Frequency             Identifier   Example Version   Example Filename
Weekly                       sig          S700              IPS-sig-S700-req-E1.pkg
As needed                    engine       E1                IPS-engine-E1-req-5.1-3.pkg
Semi-annually or as needed   —            5.1(3)            IPS-K9-5.
Before Upgrading to Cisco IPS 5.1(7)E1 Table 3 describes the platform identifiers used in platform-specific names. Note IDS-4235 and IDS-4250 do not use platform-specific image files.
Table 3 Platform Identifiers
Sensor                        Identifier
IDS-4215                      IDS-4215-
IPS-4240                      IPS-4240-
IPS-4255                      IPS-4255-
IPS-4260                      IPS-4260-
IDS module for Catalyst 6K    WS-SVC-IDSM2-
IDS network module            IPS-NM-CIDS-
AIP-SSM                       IPS-SSM-
For More Information For instructions on how to access these files on Cisco.
Before Upgrading to Cisco IPS 5.1(7)E1 Step 3 Power off the appliance. Step 4 Remove the power cord and other cables from the appliance. Step 5 Place the appliance in an ESD-controlled environment. Step 6 Remove the chassis cover by unscrewing the screw on the front of the cover and sliding the cover straight back. Step 7 Locate the DIMM sockets and select an empty DIMM socket next to the existing DIMM. Note The existing DIMM is installed in socket 0.
Before Upgrading to Cisco IPS 5.1(7)E1 For More Information For more information about ESD-controlled environments, refer to Working in an ESD Environment. Upgrading the IDS-4215 BIOS The BIOS/ROMMON upgrade utility (IDS-4215-bios-5.1.7-rom-1.4.bin) upgrades the BIOS of IDS-4215 to version 5.1.7 and the ROMMON to version 1.4. To upgrade the BIOS and ROMMON on IDS-4215, follow these steps: Step 1 Download the BIOS ROMMON upgrade utility (IDS-4215-bios-5.1.7-rom-1.4.
Upgrading to Cisco IPS 5.1(7)E1 Step 6 Specify the TFTP server IP address: rommon> server ip_address Step 7 Specify the gateway IP address: rommon> gateway ip_address Step 8 Verify that you have access to the TFTP server by pinging it from the local Ethernet port: rommon> ping server_ip_address rommon> ping server Step 9 Specify the filename on the TFTP file server from which you are downloading the image: rommon> file filename Example: rommon> file IDS-4215-bios-5.1.7-rom-1.4.
Upgrading to Cisco IPS 5.1(7)E1 Upgrade Notes and Caveats The following upgrade notes and caveats apply to upgrading from 4.x to 5.1(7)E1: • The sensor must show version 5.0(1) or later before you can apply this service pack. • Installing 5.1(7)E1 completely reimages the sensor. Sensor configuration settings are maintained, but all data written to the Event Store and any unsupported customizations are lost.
Upgrading to Cisco IPS 5.1(7)E1 • After you upgrade from 4.x to 5.0, you cannot downgrade. If you want to return to the previous version, you must reimage and then copy the backup configuration to the reimaged sensor. You cannot downgrade from 5.1(7)E1 to 5.0. • IDS MC cannot manage sensors that have been upgraded to 5.x until the IDS MC 2.1 release. For More Information • For the procedure for changing the status of signatures, refer to Configuring the Status of Signatures.
Upgrading to Cisco IPS 5.1(7)E1 Step 4 Type yes to complete the upgrade. Note Major updates, minor updates, and service packs may force a restart of the IPS processes or even force a reboot of the sensor to complete installation. Step 5 Verify your new sensor version:
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 5.1(7)E1
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S278.0   2007-03-28
    Virus Update        V1.2     2005-11-24
OS Version: 2.4.
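The file naming conventions described under Major and Minor Updates, Service Packs, and Patch Releases (Table 1, Table 3 and the req designator) and the show version output above can be checked mechanically before an upgrade is attempted. The following Python is an added example written for these notes, not Cisco software: it parses an update file name, reads the version and signature level out of show version output, and applies the prerequisites stated in the upgrade caveats (5.0(1) or later before a service pack, no downgrades). The reading of the req designator (a signature file needs at least the named engine level, an engine file needs the named service pack), the file name IPS-K9-5.1-7-E1.pkg and the SHOW_VERSION sample are assumptions; the other file names are taken from the file list in these notes.

```python
"""Check whether a Cisco IPS update file applies to a sensor, from the file name
and the sensor's 'show version' output. Added example for these release notes, not
Cisco's code: the name patterns follow the conventions and examples in the notes; the
prerequisite rules are an assumed reading of the 'req' designator and the upgrade caveats."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, service pack): 5.1(7) -> (5, 1, 7)

SIG_RE = re.compile(r"^IPS-sig-S(?P<sig>\d+)-req-E(?P<engine>\d+)\.pkg$")
ENGINE_RE = re.compile(
    r"^IPS-engine-E(?P<engine>\d+)-req-(?P<maj>\d+)\.(?P<min>\d+)-(?P<sp>\d+)\.pkg$")
# Service packs, system (sys) and recovery (r) images and the ISO (cd); platform prefix optional.
UPDATE_RE = re.compile(
    r"^IPS-(?:(?P<platform>[A-Za-z0-9_]+)-)?K9-(?:(?P<image>sys|r|cd)-1\.1-a-)?"
    r"(?P<maj>\d+)\.(?P<min>\d+)-(?P<sp>\d+)-E(?P<engine>\d+)\.(?:pkg|img|iso|bin\.gz)$")
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)E(\d+)")  # 'show version' line
SIG_LEVEL_RE = re.compile(r"Signature Update\s+S(\d+)")
MIN_FOR_SERVICE_PACK: Version = (5, 0, 1)  # caveat: sensor must show 5.0(1) or later

@dataclass
class UpdateFile:
    kind: str                                   # "sig", "engine" or "update"
    platform: Optional[str] = None              # "4260", "SSM_10", ...; None = platform-independent
    image: Optional[str] = None                 # "sys", "r", "cd"; None for a service pack
    sig: Optional[int] = None
    engine: Optional[int] = None
    version: Optional[Version] = None           # version the file installs
    requires_version: Optional[Version] = None  # 'req' on engine files
    requires_engine: Optional[int] = None       # 'req' on signature files

@dataclass
class SensorState:
    version: Version
    engine: int
    sig: int

def fmt(v: Version) -> str:
    return f"{v[0]}.{v[1]}({v[2]})"

def parse_filename(name: str) -> UpdateFile:
    m = SIG_RE.match(name)
    if m:
        return UpdateFile("sig", sig=int(m["sig"]), requires_engine=int(m["engine"]))
    m = ENGINE_RE.match(name)
    if m:
        return UpdateFile("engine", engine=int(m["engine"]),
                          requires_version=(int(m["maj"]), int(m["min"]), int(m["sp"])))
    m = UPDATE_RE.match(name)
    if m:
        return UpdateFile("update", platform=m["platform"], image=m["image"],
                          version=(int(m["maj"]), int(m["min"]), int(m["sp"])),
                          engine=int(m["engine"]))
    raise ValueError(f"not an IPS update file name: {name}")

def parse_show_version(text: str) -> SensorState:
    v, s = VERSION_RE.search(text), SIG_LEVEL_RE.search(text)
    if not (v and s):
        raise ValueError("version or signature level missing from 'show version' output")
    return SensorState((int(v[1]), int(v[2]), int(v[3])), int(v[4]), int(s[1]))

def check(update: UpdateFile, sensor: SensorState) -> Tuple[bool, str]:
    """Return (applies, reason) under the assumed prerequisite rules."""
    if update.kind == "sig":
        if update.requires_engine > sensor.engine:
            return False, f"needs engine E{update.requires_engine}, sensor has E{sensor.engine}"
        if update.sig <= sensor.sig:
            return False, f"sensor is already at S{sensor.sig}"
        return True, "signature update applies"
    if update.kind == "engine":
        req = update.requires_version
        if sensor.version[:2] != req[:2] or sensor.version[2] < req[2]:
            return False, f"needs service pack {fmt(req)}, sensor runs {fmt(sensor.version)}"
        if update.engine <= sensor.engine:
            return False, f"sensor already has engine E{sensor.engine}"
        return True, "engine update applies"
    # service packs and images: not below the 5.0(1) floor, and never a downgrade
    if sensor.version < MIN_FOR_SERVICE_PACK:
        return False, f"sensor must run {fmt(MIN_FOR_SERVICE_PACK)} or later"
    if (update.version, update.engine) <= (sensor.version, sensor.engine):
        return False, f"{fmt(update.version)}E{update.engine} is not newer; downgrade unsupported"
    return True, f"upgrade {fmt(sensor.version)}E{sensor.engine} -> {fmt(update.version)}E{update.engine}"

# Constructed 'show version' excerpt for a sensor still on 5.1(5)E1; not real sensor output.
SHOW_VERSION = """\
Application Partition:
Cisco Intrusion Prevention System, Version 5.1(5)E1
Signature Definition:
    Signature Update    S278.0   2007-03-28
"""

if __name__ == "__main__":
    sensor = parse_show_version(SHOW_VERSION)
    # IPS-K9-5.1-7-E1.pkg is assumed from the naming pattern; the others are names from the notes.
    for name in ("IPS-K9-5.1-7-E1.pkg", "IPS-sig-S700-req-E1.pkg",
                 "IPS-engine-E1-req-5.1-3.pkg", "IPS-4260-K9-r-1.1-a-5.1-7-E1.pkg"):
        print(name, check(parse_filename(name), sensor))
```

Paste the real show version output into SHOW_VERSION and run the script against the file you intend to install; a False result with the reason is the same check you would otherwise do by eye against Table 1 and the upgrade caveats.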
After Upgrading to Cisco IPS 5.1(7)E1 Installing the ISO Image File Note You must create a recovery CD on a Linux system to install the ISO image for IDS-4235 and IDS-4250. The Recovery ISO Image is for IDS-4235 and IDS-4250 sensors only. To create the recovery CD for the ISO image for IDS-4235 and IDS-4250, follow these steps: Step 1 Insert blank CD-R media into the CD-R recorder of the burn host.
After Upgrading to Cisco IPS 5.1(7)E1 Note If you are converting from IPS 4.x, the 4.x configuration has to be converted to the 5.1(7)E1 commands, because IPS 5.1(7)E1 has some new configuration parameters. Caution If the configuration is not properly converted, see Caveats, page 33, or check Cisco.com for any upgrade issues that have been found. Contact the TAC if no DDTS refers to your situation.
After Upgrading to Cisco IPS 5.1(7)E1 Step 4 If you have Java Plug-in 1.5 installed: a. Choose Java. The Java Control Panel appears. b. Click the Java tab. c. Click View under Java Applet Runtime Settings. The Java Runtime Settings window appears. d. In the Java Runtime Parameters field, enter -Xms256m, and then click OK. e. Click OK and exit the Java Control Panel. Java Plug-In on Linux and Solaris To change the settings of Java Plug-in 1.4.2 or 1.
After Upgrading to Cisco IPS 5.1(7)E1 To log in to IDM, follow these steps: Step 1 Open a web browser and enter the sensor IP address: https://sensor_ip_address Note IDM is already installed on the sensor. Note The default IP address is 192.168.1.2/24 with default gateway 192.168.1.1 (entered as 192.168.1.2/24,192.168.1.1), which you change to reflect your network environment when you initialize the sensor.
After Upgrading to Cisco IPS 5.1(7)E1 Note If you created a shortcut, you can launch IDM by double-clicking the IDM shortcut icon. You can also close the Cisco IPS Device Manager Version window; after you launch IDM, it is not necessary for this window to remain open. For More Information • For more information about security and IDM, refer to IDM and Certificates. • For the procedure for initializing the sensor, refer to Initializing the Sensor.
After Upgrading to Cisco IPS 5.1(7)E1 For More Information • For more information on Cisco service contracts, see Service Programs for IPS Products, page 27. • For the procedure for obtaining and installing the License key, see Obtaining and Installing the License Key, page 28. Service Programs for IPS Products You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates.
After Upgrading to Cisco IPS 5.1(7)E1 • ASA-SSM-AIP-20-K9 Note Cisco Services for IPS provides IPS signature updates, operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site. For example, if you purchased an ASA-5510 and then later wanted to add IPS and purchased an ASA-SSM-AIP-10-K9, you must now purchase the Cisco Services for IPS service contract.
After Upgrading to Cisco IPS 5.1(7)E1 The Status dialog box informs you that the sensor is trying to connect to Cisco.com. An Information dialog box confirms that the license key has been updated. Step 6 Click OK. Step 7 Go to www.cisco.com/go/license. Step 8 Fill in the required fields. Caution You must have the correct IPS device serial number because the license key only functions on the device with that number. Your license key will be sent to the e-mail address you specified.
After Upgrading to Cisco IPS 5.1(7)E1 Note • If you use FTP or SCP protocol, you are prompted for a password. • If you use SCP protocol, you must add the remote host to the SSH known hosts list. • ftp: and http: carry the password and the transferred file in cleartext; prefer scp: or https: where the server supports them. • http:—Source URL for the web server. The syntax for this prefix is: http:[[/[username@]location]/directory]/filename • https:—Source URL for the web server.
Restrictions and Limitations
application-data is using 36.5M out of 166.8M bytes of available disk space (23% usage)
boot is using 39.4M out of 68.6M bytes of available disk space (61% usage)
MainApp          2005_Feb_18_03.00   (Release)   2005-02-18T03:13:47-0600   Running
AnalysisEngine   2005_Feb_15_03.00   (QATest)    2005-02-15T12:59:35-0600   Running
CLI              2005_Feb_18_03.00   (Release)   2005-02-18T03:13:47-0600
Upgrade History:
IDS-K9-min-5.1-7   14:16:00 UTC Thu Mar 04 2004
Recovery Partition Version 1.1 - 5.
Connecting IPS-4240 to a Cisco 7200 Series Router The PIX and ASA Firewalls and other security devices support a feature known as TCP Sequence Randomization. The initial TCP packets for a connection have their initial Sequence Numbers randomized as they flow through the firewall. A sensor monitoring the side of the firewall where the TCP client is located as well as monitoring the side of the firewall where the TCP server is located sees the same TCP session twice, but with different sequence numbers.
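The following Python models the double-session effect described above. It is an added example for these notes, not Cisco code; its firewall model, interface names (inside, outside), addresses, delta and packets are constructed. A minimal one-direction stream tracker keyed on the 5-tuple alone treats every far-side copy of a segment as out of sequence, because the two copies of the session live in two sequence-number spaces; keying on the capturing interface as well yields two clean copies of the same stream, which is why the same event is inspected, and can alarm, twice.

```python
"""Model of why a sensor monitoring both sides of a sequence-randomizing firewall sees
one TCP session twice. Added example for these release notes, not Cisco's code; the
firewall model, interface names, addresses and segments are all constructed."""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Segment:
    iface: str          # sensor monitoring interface that captured the segment (assumed names)
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes

def through_firewall(inside: List[Segment], delta: int) -> List[Segment]:
    """Model of TCP Sequence Randomization: the firewall shifts the client's ISN by a
    per-connection delta, so every segment leaves with seq + delta (mod 2^32)."""
    return [replace(s, iface="outside", seq=(s.seq + delta) & 0xFFFFFFFF) for s in inside]

def track(segments: List[Segment], key_per_interface: bool) -> Dict[tuple, Tuple[bytes, int]]:
    """One-direction stream tracker: append payload only when a segment carries the
    expected sequence number, otherwise count it as out of sequence.
    Returns {flow key: (reassembled payload, out-of-sequence count)}."""
    expected: Dict[tuple, int] = {}
    data = defaultdict(bytearray)
    bad = defaultdict(int)
    for s in segments:
        key = (s.src, s.sport, s.dst, s.dport)
        if key_per_interface:
            key = (s.iface,) + key
        if key not in expected:
            expected[key] = s.seq          # first segment seen fixes the ISN for this key
        if s.seq != expected[key]:
            bad[key] += 1                  # a real normalizer would drop or re-buffer this
            continue
        data[key] += s.payload
        expected[key] = (s.seq + len(s.payload)) & 0xFFFFFFFF
    return {k: (bytes(data[k]), bad[k]) for k in expected}

# Constructed client->server request as captured on the inside interface.
INSIDE = [
    Segment("inside", "10.1.1.5", 40000, "192.0.2.10", 80, 1000, b"GET /index.html"),
    Segment("inside", "10.1.1.5", 40000, "192.0.2.10", 80, 1015, b" HTTP/1.0\r\n\r\n"),
]
DELTA = 0x5A5A5A5A   # constructed per-connection randomization offset

def both_sides() -> List[Segment]:
    """Interleave what a sensor with a span on each side of the firewall would see."""
    outside = through_firewall(INSIDE, DELTA)
    return [s for pair in zip(INSIDE, outside) for s in pair]

if __name__ == "__main__":
    print("5-tuple only: ", track(both_sides(), key_per_interface=False))
    print("per interface:", track(both_sides(), key_per_interface=True))
```

In the model, keying on the 5-tuple alone reassembles the request from the inside copies but flags every outside copy as out of sequence; keying per interface produces two complete, identical streams. Either way the practical answer is to avoid feeding both sides of one randomizing firewall into the same inspection context.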
Recovering the Password The following password recovery options exist: • If another Administrator account exists, the other Administrator can change the password. • If a Service account exists, you can log in to the service account and switch to user root using the command su - root. Use the password command to change the CLI Administrator account’s password. For example, if the Administrator username is “adminu,” the command is password adminu.
Caveats Resolved Caveats The following known issues have been resolved in IPS 5.1(7)E1: • CSCeh12238—H225 sig 12505 subsig 5 is not alarming • CSCsb60379—show int clear not clearing interface statistics on idsm-2 • CSCsc74205—Time slows down when auto bypass activated • CSCsc80083—Integration merge of CSCef91892 failed for rel_zirconium_5.
Caveats • CSCsi15321—Signatures 5745 and 5746 context captures 9 digits instead of 10 • CSCsi15449—retiring signatures does not stop inspection • CSCsi17548—Tcp Syn Cookies do not appear to work • CSCsi17610—When leaving backlog level 3 • CSCsi23979—4250-xl locks up with 1 gig 256 byte ixia traffic • CSCsi42159—IPS mainapp memory leak due to SNMP • CSCsi56448—5.1(5)E1 Service Pack can not install on top of 5.
Caveats • CSCsh50760—NAC causes high mainApp usage • CSCsh75673—valid NTP key values stored as -1 • CSCsi21029—GRE tunnels blocked by sensorApp inspection defect • CSCsi22195—Refactor normalizer processTcpOptions unit • CSCsi29166—Some special characters are accepted as part of the username • CSCsi42747—Memory leak in mainApp when checking license status • CSCsi43787—Memory leak in mainApp when log event initiated remotely • CSCsi45463—6.
Related Documentation Refer to the following documentation for more information on IPS 5.1 found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html • Documentation Roadmap for Cisco Intrusion Prevention System 5.1 • Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor • Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 5.
Related Documentation Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.