Cisco Intrusion Prevention System Signature Update S225
April 19, 2006

Copyright (C) 1999-2006 Cisco Systems, Inc. All rights reserved.
Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of
Cisco Systems, Inc. in the U.S. and certain other countries. All other
trademarks mentioned in this document are the property of their registered
owners.

========================================================================
Table Of Contents
========================================================================

IPS 5.x LICENSING NOTE

S225 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES
  - CAVEATS
  - RESOLVED CAVEATS

IPS 5.x SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS

IPS MC SIGNATURE UPDATE INSTRUCTIONS
  - AUTOMATIC SIGNATURE UPGRADE NOTE
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS

IPS 5.x EVENT VIEWER SUPPORT

S220-S224 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES/RESOLVED CAVEATS
  - CAVEATS

========================================================================
IPS 5.x LICENSING NOTE
========================================================================

IMPORTANT NOTE: You must have a valid Cisco Services for IPS contract per
sensor to receive and use software upgrades, including signature updates,
from Cisco.com. Beginning with version 5.0, an IPS Subscription Service
License is required for the installation of signature updates.
The IPS Subscription Service License for all systems covered by a maintenance
contract can be requested from the following url:

    http://www.cisco.com/go/license

To manage your maintenance contracts use the Service Contract Center:

    http://www.cisco.com/cgi-bin/front.x/scccibdispatch?AppName=ContractAgent

========================================================================
S225 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

  SIGID   SIGNAME                    ENGINE        SEVERITY  ENABLED
  5750.0  WLSE Cross Site Scripting  SERVICE-HTTP  Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

CSCsd17267  idsPackageMgr: digital signature of the update file was not valid

  Symptom: Customer attempts to install a signature update but gets an error
  message that the "digital signature of the update file was not valid".
  May also report that "update requires KB in /usr/cids/idsRoot, there are
  only 54400Kb available".

  Conditions: This will happen when the sensor does not have enough disk
  space in the var/updates directory to verify, decrypt and install the
  signature update file.

  Workaround: Log in to the sensor via the service account and remove the
  files in the following directory:

      /usr/cids/idsRoot/var/updates/backups/*

  Then retry the upgrade. If the "digital signature ... was not valid" error
  persists once space has been freed, treat it as a genuine verification
  failure: re-download the package from Cisco.com rather than attempting to
  install it by other means.

  Also see Installation Caveats below.

========================================================================
IPS 5.x SENSOR SIGNATURE UPDATE INSTRUCTIONS
========================================================================

TARGET PLATFORMS AND REQUIRED VERSIONS

----------------------------------------------------------------------
NOTE: All signature updates are cumulative. The S225 signature update
contains all previously released signature updates.

This signature update may contain signatures that include protected
parameters. A protected value is not visible to the user.
----------------------------------------------------------------------

The IPS-sig-S225-minreq-5.0-5.pkg signature update can be applied to version
5.x sensors as follows:

You can only apply this signature update to the IDS-4210, 4215, 4235, 4240,
4250, and 4255 series of IDS or IPS appliance sensors, the WS-SVC-IDSM2
series Intrusion Detection System Module (IDSM2), the NM-CIDS series
Intrusion Detection Network Module, and the ASA-SSM-AIP-10 and
ASA-SSM-AIP-20 series Cisco ASA Advanced Inspection and Prevention Security
Service Modules.

It is not compatible with the NRS-xx series appliance IDS sensors, the
IDS-4220 or 4230 series appliance IDS sensors, or the WS-X6381-IDS series
Intrusion Detection System Module (IDSM).

The sensor must report its version as 5.0(5), 5.0(6) or 5.1(1) before you
can apply this signature update. To determine the current sensor version,
log in to the CLI and type the following command at the prompt:

    show version

NOTE: Versions 5.0(1), 5.0(2), 5.0(3), 5.0(4), 5.0(5p1) and 5.0(5p2) are no
longer supported by S221 and higher Signature Levels; these sensors must
first be upgraded to 5.0(6) or 5.1(1d) before installing the S225 Signature
Update. Version 4.x and earlier sensors must first be upgraded to 5.0(1),
and then to either 5.0(6) or 5.1(1d). Refer to the Release Notes for Cisco
Intrusion Prevention System 5.0 for instructions on upgrading version 4.x
and earlier sensors:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/index.htm

INSTALLATION

------------------------------------------------------------------------
Note: Beginning with S221, signature updates have a minimum required version
of 5.0(5). You must be running IPS version 5.0(5) or later to install
signature update S221 or later.
------------------------------------------------------------------------

Note: Before installing a new signature update, it is highly recommended
that you back up your configuration file to a remote system.
For details, refer to the Copy command section in the Version 5.0(1) Command
Reference Guide located at the following url:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cmdref/index.htm

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing so
will leave the sensor in an unknown state and may require that the sensor be
re-imaged.

To install the version S225 signature update on a 5.x sensor:

1. Download the binary file IPS-sig-S225-minreq-5.0-5.pkg to an ftp, scp,
   http, or https server on your network from:

       http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter Configuration mode:

       configure terminal

4. Execute the upgrade command by typing the following:

       upgrade [URL]/IPS-sig-S225-minreq-5.0-5.pkg

   where [URL] is the uniform resource locator pointing to where the
   signature update package is located. For example, to retrieve the update
   via FTP, type the following:

       upgrade ftp://username@ip-address//directory/IPS-sig-S225-minreq-5.0-5.pkg

   The available transport methods are: SCP, FTP, HTTP, or HTTPS. SCP and
   HTTPS protect the login credentials and the package in transit; FTP and
   HTTP send both in the clear. The sensor verifies the package's digital
   signature before installing it, so a package that fails verification
   should be re-downloaded, not installed by other means.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the version S225 signature update on a 5.x sensor and return the
sensor to its previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter Configuration mode:

       configure terminal

3. Type the following command to start the downgrade:

       downgrade

Note: The downgrade may take a long time to complete depending on the
configuration of the sensor and the amount of traffic the sensor is
processing. Do not reboot the sensor while the downgrade is in progress, as
the sensor may be left in an unknown state requiring the sensor to be
re-imaged.
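Before running `upgrade`, the version and file-name rules above (preserve the original package name; sensor at 5.0(5), 5.0(6) or 5.1(1); stale 5.0 builds and 4.x sensors go through 5.0(6) or 5.1(1d) first; updates are cumulative) can be checked from the administrator's workstation against the pasted output of `show version`. The script below is an added example, not Cisco code or part of this readme; the `show version` text it carries is constructed, and the exact wording of the real output is an assumption.

```python
"""Pre-flight check before running `upgrade` with IPS-sig-S225-minreq-5.0-5.pkg.

Added example, not Cisco code. It encodes the rules this readme states:
the original file name must be kept (it carries the signature level and the
minimum required version), the sensor must report 5.0(5), 5.0(6) or
5.1(1)/5.1(1a)-5.1(1d), the stale 5.0 builds must first go to 5.0(6) or
5.1(1d), 4.x sensors must go to 5.0(1) first, and updates are cumulative.
The `show version` text below is constructed, not captured from a sensor.
"""
import re
from typing import Optional, Tuple

# Versions this readme names as acceptable hosts for S225.
SUPPORTED = {"5.0(5)", "5.0(6)", "5.1(1)", "5.1(1a)", "5.1(1b)", "5.1(1c)", "5.1(1d)"}
# 5.0 builds that S221 and higher no longer support; go to 5.0(6) or 5.1(1d) first.
STALE_5_0 = {"5.0(1)", "5.0(2)", "5.0(3)", "5.0(4)", "5.0(5p1)", "5.0(5p2)"}

PACKAGE_RE = re.compile(r"^IPS-sig-S(\d+)-minreq-(\d+)\.(\d+)-(\d+)\.pkg$")
# Matches e.g. "Version 5.1(1d)S224.0" in `show version` output (format assumed).
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\(\d+[a-z0-9]*\))S(\d+)\.\d+")

# Constructed sample, not real sensor output.
SAMPLE_SHOW_VERSION = """\
Application Partition:

Cisco Intrusion Prevention System, Version 5.1(1d)S224.0
"""


def parse_package_name(name: str) -> Optional[dict]:
    """Return the signature level and minimum required version encoded in the file name."""
    m = PACKAGE_RE.match(name)
    if not m:
        return None
    level, major, minor, sp = (int(x) for x in m.groups())
    return {"level": level, "minreq": f"{major}.{minor}({sp})"}


def parse_show_version(text: str) -> Optional[Tuple[str, int]]:
    """Return (software version, current signature level) from `show version` output."""
    m = VERSION_RE.search(text)
    return (m.group(1), int(m.group(2))) if m else None


def version_tuple(v: str) -> Tuple[int, int, int]:
    """'5.0(5p1)' -> (5, 0, 5); patch letters are ignored for the numeric compare."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)", v)
    return tuple(int(x) for x in m.groups())


def preflight(package_name: str, show_version_text: str) -> Tuple[bool, str]:
    """Decide whether `upgrade` may be run; (ok, reason)."""
    pkg = parse_package_name(package_name)
    if pkg is None:
        return False, "package name is not an original IPS-sig-S<level>-minreq-<ver>.pkg name; re-download it"
    parsed = parse_show_version(show_version_text)
    if parsed is None:
        return False, "could not find a 'Version x.y(z)Snnn.n' line in show version output"
    version, level = parsed
    if version.startswith("4."):
        return False, f"{version}: upgrade to 5.0(1), then to 5.0(6) or 5.1(1d), before installing S{pkg['level']}"
    if version in STALE_5_0:
        return False, f"{version}: upgrade to 5.0(6) or 5.1(1d) before installing S{pkg['level']}"
    if version_tuple(version) < version_tuple(pkg["minreq"]):
        return False, f"{version} is below the package's minimum required version {pkg['minreq']}"
    if version not in SUPPORTED:
        return False, f"{version} is not a version this readme lists for S{pkg['level']}; check the release notes"
    if level >= pkg["level"]:
        return True, f"sensor already at S{level}; updates are cumulative, nothing to install"
    return True, f"{version} at S{level} may apply S{pkg['level']} (minimum required {pkg['minreq']})"


if __name__ == "__main__":
    for pkg in ("IPS-sig-S225-minreq-5.0-5.pkg", "IPS-sig-S225-minreq-5.0-5 (1).pkg"):
        print(pkg, "->", preflight(pkg, SAMPLE_SHOW_VERSION))
```

The file-name check matters because the CAUTION in step 1 is not cosmetic: the name is how the package identifies its level and minimum required version, and a browser-renamed copy such as `... (1).pkg` is rejected here before it ever reaches the sensor.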
CAVEATS

The IPS-sig-S225-minreq-5.0-5.pkg Signature Update and all following
signature updates can only be applied to version 5.0(5), 5.0(6) and 5.1(1)
sensors. The Signature Update cannot be applied to version 5.0(1), 5.0(2),
5.0(3), or 5.0(4) sensors.

NOTE: All fixes in the 5.0(2), 5.0(3), and 5.0(4) Service Packs are
incorporated into the 5.0(5) and 5.0(6) Service Packs and the 5.1(1) Minor
Upgrade files.

When upgrading from 4.1(5)S220 or higher Signature Level to 5.0(1), you must
also upgrade to the 5.0(6) Service Pack or 5.1(1d) Minor Upgrade file. Upon
upgrading from 4.1(5)S220 (or higher Signature Level) to 5.0(1), you should
not attempt to upgrade to the 5.0(2), 5.0(3), 5.0(4), or 5.0(5) Service
Packs or the 5.1(1), 5.1(1a), 5.1(1b) or 5.1(1c) Minor Upgrade files. The
S220 and higher Signature Levels require sensorApp binaries that can read
the new signature settings. These new binaries are only available in the
5.0(6) Service Pack and 5.1(1d) Minor Upgrade file.

NOTE: The S225 Signature Update can be safely installed on existing 5.0(5),
5.1(1), 5.1(1a), 5.1(1b) and 5.1(1c) sensors because the signature update
includes the new sensorApp binary when installed directly on those versions.
However, you should not upgrade to those versions from an older version
sensor with S220 or higher Signature Level.

These caveats only apply to the S220 and higher Signature Levels. For lower
Signature Levels refer to the related readmes for their upgrade caveats.

========================================================================
IPS MC SIGNATURE UPDATE INSTRUCTIONS
========================================================================

You can only apply the IPS-sig-S225-minreq-5.0-5.zip signature update to
IPS MC version 2.1 or later.

------------------------------------------------------------------------
Note: Beginning with S220, signature updates have a minimum required version
of 5.0(5). You must be running IPS version 5.0(5) or later to install
signature update S220 or later.
------------------------------------------------------------------------

AUTOMATIC SIGNATURE UPGRADE NOTE

Applying any IPS 5.x update or upgrade using Automatic Signature Download,
either from Cisco.com or from a Local Server, will cause Sensors of that
signature level to become unmanageable from IPS MC unless you have applied
the CSCsb208061 patch. The CSCsb208061 patch is available at:

    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids-app

If you are using Windows, apply the idsmdc2.1.0-win-CSCsb208061.tar patch;
if you are using Solaris, apply the CSCOids2.1.0-sol-CSCsb208061.tar patch.

INSTALLATION

To install the version S225 signature update on an IPS MC, follow these
steps:

1. Download the MC signature update ZIP file, IPS-sig-S225-minreq-5.0-5.zip,
   to the /MDC/etc/ids/updates directory on the server where you have
   installed IPS MC from the following website:

       http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids

2. Start IPS MC from the CiscoWorks Server desktop.

3. Select Configuration > Updates.

4. In the TOC, select Update Network IDS/IPS Signatures.

5. In the TOC, select Submit.

6. Select a file from the Update File list box and click Apply.

7. Select the sensor(s) you want to update and click Next.

8. Enter a Job Name (optional) and select the Schedule Type: Immediate or
   Scheduled. If Scheduled is selected, set the start time of the update.

9. Click Next to continue.

10. Verify that the Summary is correct. Use the Back button to correct an
    incorrect entry.

11. Click Finish. Check the progress viewer to track the installation of the
    signature update to the sensor.

UNINSTALLATION

To uninstall a signature update that was installed using IPS MC, follow the
uninstallation instructions listed in the SENSOR SIGNATURE UPDATE
INSTRUCTIONS section of this document.

CAVEATS

The IPS-sig-S225-minreq-5.0-5.zip Signature Update and all following
signature updates can only be applied to version 5.0(5), 5.0(6) and 5.1(1)
sensors.
The Signature Update cannot be applied to version 5.0(1), 5.0(2), 5.0(3), or
5.0(4) sensors.

NOTE: All fixes in the 5.0(2), 5.0(3), and 5.0(4) Service Packs are
incorporated into the 5.0(5) and 5.0(6) Service Packs and the 5.1(1) Minor
Upgrade files.

When upgrading from 4.1(5)S220 or higher Signature Level to 5.0(1), you must
also upgrade to the 5.0(6) Service Pack or 5.1(1d) Minor Upgrade file. Upon
upgrading from 4.1(5)S220 (or higher Signature Level) to 5.0(1), you should
not attempt to upgrade to the 5.0(2), 5.0(3), 5.0(4), or 5.0(5) Service
Packs or the 5.1(1), 5.1(1a), 5.1(1b) or 5.1(1c) Minor Upgrade files. The
S220 and higher Signature Levels require sensorApp binaries that can read
the new signature settings. These new binaries are only available in the
5.0(6) Service Pack and 5.1(1d) Minor Upgrade file.

NOTE: The S225 Signature Update can be safely installed on existing 5.0(5),
5.1(1), 5.1(1a), 5.1(1b) and 5.1(1c) sensors because the signature update
includes the new sensorApp binary when installed directly on those versions.
However, you should not upgrade to those versions from an older version
sensor with S220 or higher Signature Level.

These caveats only apply to the S220 and higher Signature Levels. For lower
Signature Levels refer to the related readmes for their upgrade caveats.

========================================================================
IPS 5.x EVENT VIEWER SUPPORT
========================================================================

The IPS Event Viewer (IEV) Version 5.1(1) supports IPS 5.0 and later
releases. IEV Version 5.1(1) can be downloaded from CCO at the following
URL:

    http://www.cisco.com/cgi-bin/tablebuild.pl/ids-ev

Refer to the readme for installation instructions.

NOTE: With the 5.1(1) release of IEV, signature information is dynamically
retrieved from the sensor(s). It is no longer necessary to install a
separate IEV signature update package for each new signature update.
The following additional applications can be used for event monitoring:

  - IDS Security Monitor Version 2.1 or later
  - CLI
  - IDM
  - CS MARS

For details on using the CLI or IDM refer to the user documentation
available at:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/index.htm

For more information on CS-MARS, visit:

    http://www.cisco.com/en/US/products/ps6241/index.html

========================================================================
S224 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

  SIGID   SIGNAME                                          ENGINE      SEVERITY  ENABLED
  5706.0  Persistent Content in a Dynamic Webpage          STRING-TCP  Medium    True
  5747.0  MDAC Function Remote Code Execution              META        High      True
  5747.1  MDAC Function Remote Code Execution              STRING-TCP  High      True
  5747.2  MDAC Function Remote Code Execution              STRING-TCP  High      True
  5749.0  Internet Explorer Double Byte Character Parsing  STRING-TCP  High      False

TUNED SIGNATURES

  SIGID   SIGNAME                   ENGINE      SEVERITY  ENABLED  DDTS
  5237.0  HTTP CONNECT Tunnel       STRING-TCP  Low       True     CSCsd80422
  5693.1  Metafile Buffer Overflow  STRING-TCP  High      True     CSCsd54889

CAVEATS

CSCsd17267  idsPackageMgr: digital signature of the update file was not valid

  Symptom: Customer attempts to install a signature update but gets an error
  message that the "digital signature of the update file was not valid".
  May also report that "update requires KB in /usr/cids/idsRoot, there are
  only 54400Kb available".

  Conditions: This will happen when the sensor does not have enough disk
  space in the var/updates directory to verify, decrypt and install the
  signature update file.

  Workaround: Log in to the sensor via the service account and remove the
  files in the following directory:

      /usr/cids/idsRoot/var/updates/backups/*

  Also see Installation Caveats below.

========================================================================
S223 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

  SIGID   SIGNAME                     ENGINE  SEVERITY  ENABLED  DDTS
  3110.0  Suspicious Mail Attachment  STATE   Low       True     CSCsd58391

CAVEATS

CSCsd17267  idsPackageMgr: digital signature of the update file was not valid

  Symptom: Customer attempts to install a signature update but gets an error
  message that the "digital signature of the update file was not valid".
  May also report that "update requires KB in /usr/cids/idsRoot, there are
  only 54400Kb available".

  Conditions: This will happen when the sensor does not have enough disk
  space in the var/updates directory to verify, decrypt and install the
  signature update file.

  Workaround: Log in to the sensor via the service account and remove the
  files in the following directory:

      /usr/cids/idsRoot/var/updates/backups/*

  Also see Installation Caveats below.

========================================================================
S222 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

  SIGID   SIGNAME                                     ENGINE      SEVERITY  ENABLED
  5737.0  Internet Explorer Action Handlers Overflow  STRING-TCP  High      True

TUNED SIGNATURES

  SIGID    SIGNAME                                           ENGINE                               SEVERITY  ENABLED  DDTS
  3327.6   Windows RPC DCOM Overflow                         STRING-TCP                           High      False    CSCsd69525
  12660.0  Content Type application/postscript Header Check  APPLICATION-POLICY-ENFORCEMENT-HTTP  Low       False    CSCsd24514
  12660.1  Content Type application/postscript Header Check  APPLICATION-POLICY-ENFORCEMENT-HTTP  Low       False    CSCsd24514
  12660.2  Content Type application/postscript Header Check  APPLICATION-POLICY-ENFORCEMENT-HTTP  Low       False    CSCsd24514

CAVEATS

CSCsd17267  idsPackageMgr: digital signature of the update file was not valid

  Symptom: Customer attempts to install a signature update but gets an error
  message that the "digital signature of the update file was not valid".
  May also report that "update requires KB in /usr/cids/idsRoot, there are
  only 54400Kb available".

  Conditions: This will happen when the sensor does not have enough disk
  space in the var/updates directory to verify, decrypt and install the
  signature update file.

  Workaround: Log in to the sensor via the service account and remove the
  files in the following directory:

      /usr/cids/idsRoot/var/updates/backups/*

========================================================================
S221 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

  SIGID   SIGNAME                        ENGINE      SEVERITY  ENABLED
  5736.0  WinVNC Client Buffer Overflow  STRING-TCP  High      False

TUNED SIGNATURES

  SIGID   SIGNAME                                             ENGINE        SEVERITY  ENABLED  DDTS
  5558.0  Webcart Command Injection                           SERVICE-HTTP  High      False    CSCsd65822
  5646.0  Gatekeeper Overflow                                 SERVICE-HTTP  High      False    CSCsd65822
  5647.0  Savant Webserver Request Overflow                   SERVICE-HTTP  High      False    CSCsd65822
  5666.0  Unix chetcpasswd.cgi File Disclosure Vulnerability  SERVICE-HTTP  Low       False    CSCsd65822

CAVEATS

CSCsd17267  idsPackageMgr: digital signature of the update file was not valid

  Symptom: Customer attempts to install a signature update but gets an error
  message that the "digital signature of the update file was not valid".
  May also report that "update requires KB in /usr/cids/idsRoot, there are
  only 54400Kb available".

  Conditions: This will happen when the sensor does not have enough disk
  space in the var/updates directory to verify, decrypt and install the
  signature update file.
  Workaround: Log in to the sensor via the service account and remove the
  files in the following directory:

      /usr/cids/idsRoot/var/updates/backups/*

========================================================================
S220 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

  SIGID   SIGNAME                          ENGINE      SEVERITY  ENABLED
  5648.1  Tomcat Denial of Service Attack  STRING-TCP  Medium    True
  5739.0  Active Directory Failed Login    ATOMIC-IP   Medium    False
  5739.1  Active Directory Failed Login    STRING-TCP  Medium    False

TUNED SIGNATURES

  SIGID   SIGNAME                          ENGINE     SEVERITY  ENABLED  DDTS
  5648.0  Tomcat Denial of Service Attack  ATOMIC-IP  Medium    False    CSCsd45966

CAVEATS

CSCsd17267  idsPackageMgr: digital signature of the update file was not valid

  Symptom: Customer attempts to install a signature update but gets an error
  message that the "digital signature of the update file was not valid".
  May also report that "update requires KB in /usr/cids/idsRoot, there are
  only 54400Kb available".

  Conditions: This will happen when the sensor does not have enough disk
  space in the var/updates directory to verify, decrypt and install the
  signature update file.

  Workaround: Log in to the sensor via the service account and remove the
  files in the following directory:

      /usr/cids/idsRoot/var/updates/backups/*

========================================================================
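Caveat CSCsd17267, listed for S220 through S225 above, turns a disk-space problem into a misleading "digital signature of the update file was not valid" error. The script below is an added example, not Cisco code or part of this readme: it performs the check and the workaround the caveat describes (measure free space on the filesystem holding /usr/cids/idsRoot/var/updates, then remove files from its backups directory, largest first, only until enough space is free). It assumes it is run from the service account with a Python interpreter available on the sensor, which the readme does not state; the required-KB figure, which the readme elides from the error message, is a parameter. The sample backups directory it builds is constructed data. If the error persists after space has been freed, the package should be re-downloaded, not forced in.

```python
"""Free-space check and backups cleanup for caveat CSCsd17267.

Added example, not Cisco code. The readme says the "digital signature of the
update file was not valid" error appears when /usr/cids/idsRoot/var/updates
has too little room to verify, decrypt and install the package, and that
removing /usr/cids/idsRoot/var/updates/backups/* frees it. Running this on
the sensor from the service account, and the KB figure taken from the error
message, are assumptions; the sample directory built here is constructed.
"""
import os
import shutil
import tempfile
from typing import Callable, List, Tuple

UPDATES_DIR = "/usr/cids/idsRoot/var/updates"          # path named in the readme
BACKUPS_DIR = os.path.join(UPDATES_DIR, "backups")      # directory the workaround clears


def free_kb(path: str) -> int:
    """Free kilobytes on the filesystem that holds `path`."""
    return shutil.disk_usage(path).free // 1024


def space_check(path: str, required_kb: int,
                free_fn: Callable[[str], int] = free_kb) -> Tuple[bool, int]:
    """(enough, shortfall_kb) for installing a package that needs `required_kb`."""
    avail = free_fn(path)
    return avail >= required_kb, max(0, required_kb - avail)


def stale_backups(backups_dir: str) -> List[str]:
    """Regular files under backups_dir, largest first; symlinks are skipped."""
    entries = []
    for name in os.listdir(backups_dir):
        full = os.path.join(backups_dir, name)
        if os.path.isfile(full) and not os.path.islink(full):
            entries.append((os.path.getsize(full), full))
    return [p for _, p in sorted(entries, reverse=True)]


def prune_backups(backups_dir: str, required_kb: int, dry_run: bool = True,
                  free_fn: Callable[[str], int] = free_kb) -> List[str]:
    """Remove backup files until `required_kb` would be free; return the files (to be) removed.

    Refuses any directory not literally named 'backups', so a mistyped path
    cannot empty the live updates directory. Free space is sampled once and
    the sizes of removed files are added to it, which keeps dry runs and real
    runs selecting the same files.
    """
    if os.path.basename(os.path.normpath(backups_dir)) != "backups":
        raise ValueError("refusing to prune a directory not named 'backups'")
    start_free = free_fn(backups_dir)
    freed_kb = 0
    removed = []
    for path in stale_backups(backups_dir):
        if start_free + freed_kb >= required_kb:
            break
        size_kb = -(-os.path.getsize(path) // 1024)   # round up to whole KB
        if not dry_run:
            os.remove(path)
        removed.append(path)
        freed_kb += size_kb
    return removed


def basenames(paths: List[str]) -> List[str]:
    return [os.path.basename(p) for p in paths]


def build_sample_backups() -> str:
    """Throwaway 'backups' directory with constructed files (not real sensor backups)."""
    base = tempfile.mkdtemp(prefix="ips-updates-")
    backups = os.path.join(base, "backups")
    os.mkdir(backups)
    for name, size in (("a.bak", 4096), ("b.bak", 8192), ("c.bak", 1024)):
        with open(os.path.join(backups, name), "wb") as fh:
            fh.write(b"\0" * size)
    return backups


if __name__ == "__main__":
    # Demo on constructed data, pretending only 10 KB is free and 20 KB is needed.
    # On a sensor: prune_backups(BACKUPS_DIR, <KB from the error message>, dry_run=False)
    demo = build_sample_backups()
    print("space check:", space_check(demo, 20, free_fn=lambda _: 10))
    for p in prune_backups(demo, 20, dry_run=True, free_fn=lambda _: 10):
        print("would remove", p)
```

Run it with `dry_run=True` first to see which files the workaround would delete; the `free_fn` hook exists so the selection can be exercised without depending on the real free space of the host.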