Updating the Cisco IDSM Sensor
Updating the IDSM sensor might result from a need to move to
newer code, or because the current image has been corrupted. A different reason
for updating (or more appropriately: to recover the IDSM sensor) is that the
password has been forgotten. In any case, the image of the IDSM sensor OS needs
to be replaced. The IDSM sensor has two partitions on the internal hard drive.
The first is the application partition or hdd:1. The
second is the maintenance partition or hdd:2. Both of
these partitions contain a complete operating system and therefore the IDSM
sensor can be booted from either partition. The partition that the IDSM sensor
booted from is called the active partition. Any update to
the IDSM sensor operating system must be made to the partition that is not
active, so the production partition is taken offline by booting the sensor from
the maintenance partition.
Be aware that when updating the IDSM sensor, the process must be
done at the command line. To update the IDSM requires administrative privileges
to the maintenance partition. This is why we reboot to the maintenance partition
and log in as ciscoids, using the password attack. If no upgrade has been done before, we need to set
the network settings for the IDSM sensor to communicate with the network—in
particular, to communicate with the FTP server that holds the new CAB files for
the update. This setting of the network parameters in the maintenance mode is
accomplished by using the ids-installer command. The
update file that the ids-installer will use must reside on
an FTP server or the IDS Director. In the following examples, we used an FTP
server called "Cerberus FTP Server," which is free for personal and non-profit
use and can be found at www.cerberusftp.com.
Booting the IDSM Sensor from Partition 2
In order to boot from a particular partition, we can set the
default partition by using the command set boot device, as
shown in the following example:
switch> (enable) set boot device hdd:2 4
Device BOOT variable = hdd:2
Warning: Device list is not verified but still set in the boot string.
switch> (enable)
Alternatively, we can have the IDSM boot from a given partition
temporarily, as shown in the following example.
Switch> (enable) reset 4 hdd:2
This command will reset module 4 and have it boot off the boot
device: hdd number 2, which is the maintenance partition. We can see this in Figure
6.6.
As we saw in Figure 6.6, there are several messages that tell us
module 4 is being reset and that diagnostics are being run. We can see the
bridge port messages of ports 1 and 2 leaving the switch and coming back into
the switch.
In Figure 6.7, we are logging into the IDSM after the
reset to partition 2. We can see that the hostname of the IDSM is now shown as
maintenance.
We can also see that there are very limited commands from this
version of the IDSM sensor operating system to work with. No IDS commands are
available from the maintenance partition. To get back to our production IDSM
operating system, all we need to do is log out of the IDSM sensor and use the reset module command but leave the boot device off.
Now that we have learned about how to boot the IDSM sensor into
the maintenance mode using the second partition, we are ready to upgrade the OS
of the IDSM. In the following example, we will upgrade the IDSM V1 sensor from
version 2.5 to 3.0 of the OS. The first step is to boot to the second partition
just as we did before using the reset command, as shown in
Figure 6.8.
Upgrading the IDSM Sensor
Remember that the hdd:2 will boot the IDSM off the OS on the
second partition. Once the IDSM has completely rebooted and run through its
diagnostics, we are ready to configure the maintenance IDSM OS for a network
connection. First, we will session into the IDSM and log
in as we have done before. Then we will use the ids-installer command to verify any network configuration, or
to add the network information, as shown in the following example:
switch-2> (enable) session 4
Trying IDS-4...
Connected to IDS-4.
Escape character is '^]'.
login: ciscoids
Password: attack
We change to the diagnostic mode by typing in diag, and then we verify the existing network configuration, if
there is one:
maintenance(diag)# ids-installer netconfig /view
IP Configuration for Control Port:
IP Address : 0.0.0.0
Subnet Mask : 0.0.0.0
Default Gateway : 0.0.0.0
Domain Name Server : 77.1.1.1
Domain Name : cisco
Host Name : CISCO_IDS
maintenance(diag)#
To either change the network settings or to configure the network
settings, we use the ids-installer command and the
following command-line parameters:
ids-installer netconfig /configure /ip=ip_address /subnet=subnet_mask
    /gw=default_gateway /dns=dns_server /domain=nw_domain
        /hostname=host_name
In the following example of the ids-installer command, we see how to change the network
configuration in the diag mode of the maintenance partition:
maintenance(diag)# ids-installer netconfig /configure /ip=10.10.10.101
    /subnet=255.255.0.0 /gw=10.10.10.1 /hostname=testids
In Table 6.2, we show the ids-installer netconfig parameters and what they mean:
Table 6.2: ids-installer netconfig Parameters

| Parameters | Notes |
| --- | --- |
| netconfig | This keyword specifies that a network configuration action will take place. |
| /configure | This keyword specifies the configuration of port parameters. |
| /ip | This keyword specifies an IP address as a parameter. |
| ip_address | This is the IP address of the IDSM command and control port (port 2). |
| /subnet | This keyword specifies the subnet mask parameter. |
| subnet_mask | This is the subnet mask for the IDSM command and control port. |
| /gw | This keyword specifies the default gateway parameter. |
| default_gateway | This is the IP address of the default gateway for the IDSM. |
| /dns | This is an OPTIONAL keyword that specifies the DNS server. |
| dns_server | This is the IP address of the optional DNS server. |
| /domain | This is an OPTIONAL keyword that specifies a network domain name. |
| nw_domain | This is the network domain name assigned to the command and control port. |
| /hostname | This OPTIONAL keyword specifies the hostname assigned to the IDSM. |
| host_name | This is the hostname assigned to the IDSM. |
To install the image to the partition, we use the ids-installer command mentioned earlier. This command has
several parameters that can be used to install the image. The command line is
structured as shown in this example:
ids-installer system /nw /install /server=ip_address /user=username
    /dir=directory /prefix=update_file /save=yes
In Table 6.3, we see a listing of the command-line
arguments that can be used:
Table 6.3: ids-installer Command-Line Parameters to Install an Image

| Parameters | Notes |
| --- | --- |
| system | This keyword specifies that a system action will be performed. |
| /nw | This keyword specifies that the installation of the image will be done from the network. |
| /install | This keyword specifies that the system action will be to install. |
| /server | This keyword specifies that the image file will be on an FTP server. |
| ip_address | This is the IP address of the FTP server. |
| /user | This specifies that a username is required to log in to the FTP server. |
| username | This is the username required. |
| /dir | This specifies that the files are stored in a specific directory. |
| directory | This is the name of the directory where the files are stored. |
| /prefix | This specifies that the update filename prefix is required. |
| update_file | This is the update filename that will be installed, without the extension. |
| /save | This keyword specifies whether the image will be saved as a cached copy. |
| yes / no | If yes, then the image will be cached. If no, the image is installed but not cached. |
In the following example, we will have the IDSM do a network
install of the new code from an FTP server and a certain user account:
maintenance(diag)# ids-installer system /nw /install /server=10.1.2.11
    /user=ciscoids /save=yes /dir='ftpupload' /prefix=IDSMk9-a-3.0-1-S4
The FTP server is 10.1.2.11 using a user ID of ciscoids. We are
saving the image to cache, and the directory name on the FTP server is
ftpupload. The filename is IDSMk9-a-3.0-1-S4 but without the .bin extension on
it.
In Figure 6.9, we see the complete upgrade of an IDSM
V1 in progress. Note that it has been shortened in some places for brevity.
Verifying the IDSM Sensor Upgrade
Once the IDSM sensor has rebooted and
completed its self-diagnostics, we need to log back into the IDSM sensor and run
the setup command since the original configuration has
been overwritten. We can see in Figure 6.10 that the new configuration is void of
data except for the default IP address and mask. We also see that the version of
the software is 3.0(1)S4.
Note that the preceding line shows our new version number of the
OS.
!
Sensor application status:
nr.postofficed not running
nr.fileXferd not running
nr.loggerd not running
nr.packetd not running
nr.sapd not running
Configuration last modified Never
Sensor:
IP Address: 10.0.0.1
Netmask: 255.0.0.0
Default Gateway:
Host Name: Not Set
Host ID: Not Set
Host Port: 45000
Organization Name: Not Set
Organization ID: Not Set
Director:
IP Address: Not Set
Host Name: Not Set
Host ID: Not Set
Host Port: 45000
Heart Beat Interval (secs): 5
Organization Name: Not Set
Organization ID: Not Set
Direct Telnet access to IDSM: disabled
#
Shutting Down the IDSM Sensor
In order to disable or to remove the IDSM sensor from a live
switch, we need to shut down the IDSM sensor. If we do not, given Windows'
tendency to corrupt files on a dirty shutdown, we could easily find ourselves
reinstalling the OS. The good news is that a clean shutdown is
very easy to accomplish. As shown in Figure 6.11, just log in
to the IDSM and issue a shutdown command.
If we use the command show module, we will
see that the current state of the module is in the shutdown mode, as seen in Figure
6.12.
Now for the final command, we issue a set
power command to actually shut off the power to the IDSM. Once this is
completed, we can safely remove the IDSM from the switch even with the switch
live. In Figure 6.13, we see the command and resulting
output:
To bring the IDSM sensor back online, all we do is reverse the
commands. We apply power to the IDSM sensor and wait for about two minutes for
the IDSM sensor to boot up and then we enable the IDSM sensor to bring it back
online. In Figure 6.14, we see the steps and results:
Updating the IDSM Sensor Signatures and Service Packs
To update the signatures on the IDSM sensor, we use a
command called apply. This command is used from the
primary partition when the IDSM sensor is in the configuration mode. In the
following sample, we apply a typical signature.
apply ftp://username@server/path/filename
This installs the signature or update in the active partition from
the path set in the apply command argument. In this case,
the entire filename is needed, not just the prefix, as seen in Figure
6.9. In Figure 6.15, we see the results of the command when
used to install a service pack on an IDSM v1.
At the end of the update, the IDSM will be rebooted and you
will have to log back into the IDSM to verify the service pack was applied. To
verify the update, we will use the show config command, as
detailed in Figure 6.10. If, during the update or service pack
installation, you cannot get the IDSM sensor to talk to the FTP server, execute
the ping command from the diag prompt of the maintenance partition. This is a
quick and simple way to make sure the IDSM sensor can, in fact, see the FTP
server. More often than not there is a problem with the network configuration
of the IDSM sensor, such as an incorrect default gateway or an incorrect subnet
mask.
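As an added example that is not part of the chapter or of Cisco's tooling, the following Python builds the ids-installer netconfig, ids-installer system and apply command lines from the values used in this section, and first checks the address, mask and default gateway for the mismatches named above as the usual reason the sensor cannot reach the FTP server. The function names are my own; the sample values in the functions' docstrings are the chapter's.

```python
import ipaddress


def check_control_port_network(ip, subnet, gw):
    """Pre-flight check of the values handed to ids-installer netconfig.

    Returns a list of problems (empty means consistent). It catches an
    invalid subnet mask and a default gateway outside the sensor's subnet.
    """
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{subnet}")  # accepts dotted masks
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    try:
        gw_addr = ipaddress.IPv4Address(gw)
    except ValueError:
        return problems + [f"invalid default gateway: {gw}"]
    if gw_addr not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw_addr == iface.ip:
        problems.append("gateway equals the sensor's own address")
    return problems


def build_netconfig(ip, subnet, gw, dns=None, domain=None, hostname=None):
    """Build the 'ids-installer netconfig /configure' line; rejects bad input."""
    problems = check_control_port_network(ip, subnet, gw)
    if problems:
        raise ValueError("; ".join(problems))
    cmd = f"ids-installer netconfig /configure /ip={ip} /subnet={subnet} /gw={gw}"
    for key, value in (("dns", dns), ("domain", domain), ("hostname", hostname)):
        if value:  # the optional keywords are only emitted when given
            cmd += f" /{key}={value}"
    return cmd


def build_install(server, user, directory, update_file, save=True):
    """Build the network-install line; /prefix takes the filename minus .bin."""
    prefix = update_file[:-4] if update_file.lower().endswith(".bin") else update_file
    return (f"ids-installer system /nw /install /server={server} /user={user}"
            f" /save={'yes' if save else 'no'} /dir='{directory}' /prefix={prefix}")


def build_apply(user, server, path, filename):
    """Signature/service-pack update from the active partition: full filename."""
    return f"apply ftp://{user}@{server}/{path.strip('/')}/{filename}"
```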