Cisco Systems, Inc.
Cisco Intrusion Prevention System
IPS 6.1(1)E2
June 20, 2008

Copyright (C) 2008 Cisco Systems, Inc. All rights reserved. Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of
Cisco Systems, Inc. in the U.S. and certain other countries. All other
trademarks mentioned in this document are the property of their registered
owners.

======================================================================
Table Of Contents
======================================================================

REVISION HISTORY

IPS 6.1(1)E2 UPDATE DETAILS
- FILE LIST
- SUPPORTED PLATFORMS
- NEW FEATURES
- DOCUMENTATION
- CAVEATS
- RESOLVED ISSUES

UPDATING TO E2 ENGINE FROM 6.1(1)E1

MINOR VERSION UPGRADE FILE INSTRUCTIONS
- INTRODUCTION
- MINIMUM REQUIREMENTS
- INSTALLATION NOTES

SYSTEM IMAGE & RECOVERY FILE INSTRUCTIONS
- INTRODUCTION
- SYSTEM FILES
- INSTALLATION NOTES

CISCO IPS DEVICE MANAGER (IDM)
- SYSTEM REQUIREMENTS
- STARTING CISCO IPS EVENT VIEWER
- CAVEATS

======================================================================
REVISION HISTORY

4/29/08: Initial Version
5/06/08: Added Installation notes to MINOR VERSION UPGRADE FILE
         INSTRUCTIONS and SYSTEM IMAGE & RECOVERY FILE INSTRUCTIONS
         sections. Re-formatted to fixed-width font.
5/13/08: Added Note about RDEP.
6/20/08: Changed to reflect E2 reposted files. Added installation
         information for the IPS-engine-E2-req-6.1-1.pkg file.

======================================================================
IPS 6.1(1)E2 UPDATE DETAILS

FILE LIST

The following files are included as part of this release:

Readme
- IPS-6.1-1-E2.readme.txt

Minor Version Upgrade File
- IPS-K9-6.1-1-E2.pkg
- IPS-AIM-K9-6.1-1-E2.pkg

System Image Files
- IPS-4240-K9-sys-1.1-a-6.1-1-E2.img
- IPS-4255-K9-sys-1.1-a-6.1-1-E2.img
- IPS-4260-K9-sys-1.1-a-6.1-1-E2.img
- IPS-4270_20-K9-sys-1.1-a-6.1-1-E2.img
- IPS-IDSM2-K9-sys-1.1-a-6.1-1-E2.bin.gz
- IPS-SSM_10-K9-sys-1.1-a-6.1-1-E2.img
- IPS-SSM_20-K9-sys-1.1-a-6.1-1-E2.img
- IPS-SSM_40-K9-sys-1.1-a-6.1-1-E2.img
- IPS-AIM-K9-sys-1.1-a-6.1-1-E2.img

Recovery Image Files
- IPS-K9-r-1.1-a-6.1-1-E2.pkg
- IPS-AIM-K9-r-1.1-a-6.1-1-E2.pkg

E2 Engine Update Files
- IPS-engine-E2-req-6.1-1.pkg

SUPPORTED PLATFORMS

The following IPS/IDS platforms are supported in Cisco IPS 6.1:
- IPS-4240 Series Appliance Sensor
- IPS-4255 Series Appliance Sensor
- IPS-4260 Series Appliance Sensor
- IPS-4270 Series Appliance Sensor
- IDSM2 for Catalyst 6500
- IPS-SSM 10 for ASA 5500
- IPS-SSM 20 for ASA 5500
- IPS-SSM 40 for ASA 5500
- AIM-IPS for ISR Router

The following platforms are no longer supported:
- IDS 4210 Series Appliance Sensor
- IDS 4215 Series Appliance Sensor
- IDS-4235 Series Appliance Sensor
- IDS-4250 Series Appliance Sensor
- NM-CIDS for Cisco 26xx, 3660, and 37xx Router Families

NEW FEATURES

For features introduced by the E2 Engine Update, see the
IPS-engine-E2.readme.txt file at:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips6

Cisco IPS 6.1 introduces the following new IPS features:

- IPS Sensor Enhancements:
  - Automatic Signature Updates from Cisco.com
  - New sensor and security health statistics
  - Simplified CLI for sensor initialization
  - Unauthenticated NTP
  - Improved upgrade status information
  - Support of inline asymmetric traffic*
  - Password Integrity Service

- Enhanced IPS Device Manager (IDM):
  - Startup wizard
  - Health Monitoring Improvements
  - Customizable Dashboards
  - New Policy & Enhanced Signature Tables
  - User Interface Performance Improvements

* To support inline asymmetric traffic in earlier 6.0(x) releases, a
  manual workaround was documented in the 6.0(4) readme file (refer to
  the Resolved Caveats section of the 6.0(4) readme for details). In the
  IPS 6.1 release, this functionality is now configurable via the sensor
  CLI or IDM. If you utilized the workaround to enable asymmetric
  traffic, the manual setting should be removed and asymmetric traffic
  should be re-enabled as in the following example using the CLI:

  sensor-xyz(config)# ser analysis-engine
  sensor-xyz(config-ana)# vi vs0
  sensor-xyz(config-ana-vir)# inline-TCP-evasion-protection-mode ?
  strict      Full TCP ordering and sequence checking will be applied
              to all TCP sessions on this virtual sensor.
  asymmetric  Relaxed TCP ordering and sequence checking will be
              applied to all TCP sessions on this virtual sensor.

  For more details regarding asymmetric traffic, refer to the
  "Configuring the Cisco IPS Sensor Using the CLI IPS 6.1" on-line user
  guide available at:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

  Note: If the manual entry in the sensorApp.conf file is not removed,
  the following main.log warning will be generated each time the sensor
  is rebooted:

  NormalizerSettings in sensorApp.conf (AsynchMode and AsymmetricFlows)
  have been removed. Use Service AnalysisEngine - VS -
  inline-TCP-evasion-protection-mode.

NOTE: The legacy RDEP event-server, used by IDS versions 4.x to
communicate events, is not enabled by default in this release.
Customers should migrate to SDEE/CIDEE as support of the RDEP
event-server will be dropped from future releases. To enable the RDEP
event-server in this release, refer to the setup section of the IDM and
IME user documentation available at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html

The E2 Engine version includes the S339 Signature Update as a built-in
update. S339 will not be available for separate download. Refer to the
archived Active Update Bulletin for S339 for more details on this
signature update release. Active Update Bulletins are available at:
http://tools.cisco.com/security/center/bulletin.x?i=57

----------------------------------------------------------------------
DOCUMENTATION

The following documentation is available with this release:
- This readme
- IDM and IME on-line help
- Introducing IME Video
- Cisco IPS 6.1 on-line user documentation available at:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

CAVEATS

The following known issues are present in Cisco IPS 6.1(1)E2. You can
view release notes in Bug Navigator at this URL:
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier   Headline
CSCsq76880   Incorrect error/warning messages in E2 Engine Update Installation
CSCsq68594   AIM: 'Regex parse failure' message displayed in main.log
CSCso96079   META alarms may have the wrong risk ratings
CSCso85697   crazy traffic inline causes failure in updateProtocolState
CSCso78274   ASA/SSM False Failover
CSCso74628   Attack mis-counts seen with promiscuous mode (moderate traffic)
CSCso60709   Flood net Engine Sigs 69xx are not firing in promiscuous mode
CSCso49304   IPS - Large KB Thresholds represented as negatives
CSCso45473   Analysis Engine terminated prematurely
CSCso28141   Wrong attack context data captured
CSCso20750   modify-packet-inline computing incorrect checksum
CSCso15103   4260 w/ 4x1Gb NIC may enter HW bypass on engine update
CSCso09813   Missing victim context data in sig 5081
CSCso02370   CPU and Load periodically revert to 0
CSCsm90428   string-tcp alert contains incorrect data in 'from target' context
CSCsm72321   AIP module get stuck in high cpu due to mainApp infinite loop
CSCsm46158   Critical memory condition can cause race condition
CSCsm24466   Jumbo frames on XL interface can cause dropped packets
CSCsl69776   AD is not generating an alert for every worm attacker
CSCsl66235   Setup errors after defaulting sensor config via IDM
CSCsk53813   upgrade log files are not preserved during an upgrade
CSCsj83029   CRAZYHAWK:sig 1308_0 not firing on fragroute tcp_chaff TTL attack
CSCsj82458   global-block-timeout allows values outside supported range
CSCsj80889   IP frags subjected to modify-packet-inline have been re-fragmented
CSCsj78809   IPS 6.0(3) SigProcessor failure with reinjected frag
CSCsj70643   Normalizer signatures not modifying-packet-inline
CSCsj57474   Frag traffic with dot1q headers misses a few sweep and atomic-ip sigs
CSCsi73502   6.0(2)E1: No warning message when removing sensor used by ASA
CSCsi60530   69xx firing but reporting wrong interface
CSCsh89833   Delete event variable referenced by filter or sig from IDM
CSCsh50760   NAC causes high mainApp usage
CSCsh16294   IPSVIRTUALIZATION:Physical Interface info not passed to ASA/SSM Database
CSCsg96871   AnalysisEngine InspectorServiceAICWeb::ToServiceInspect abort
CSCsd19619   NO statistics on traffic under heavy load

RESOLVED ISSUES

The following bugs have been resolved in this release:

Identifier   Headline
CSCso31217   encrypted passwords not decrypted after upgrade
CSCsm99137   cli error on login attempt to 4240 - Monarchos
CSCsm10898   the external management interface on the NM-IPS will not autonegotiate
CSCsk30811   Misconfigured remote application can cause sensor HDD failure
CSCso65593   6.0(4a) upgrade failure with virus version 1.4 has bad error message
CSCso56465   mainApp cplane error message needs actual error code
CSCso21050   Frequent error generation - SigEventList not empty
CSCsm70361   service external-product-interface config not carried forward on upgrade
CSCsk84825   Non-printable character in event XML causes cascading events
CSCsk09025   idsm2 interface Operational Mode: down after reload from switch
CSCsj75538   Auto Update - not pulling platform specific patch
CSCsj18246   Event variables not tagged with the smallest locality
CSCsi10476   cidsAlertProtocol missing from SNMP Traps
CSCsg21826   CISCO-CIDS-MIB v3.5 does not have denyPacket and blockHost defined

The following issues have been resolved as a part of incorporating the
E2 Engine Update:

Identifier   Headline
CSCeg78504   Request for Service.Generic style decode in Layer6
CSCsd10894   Refactor SMB-A and MSRPC-TCP Engines.
CSCse45666   P2P Engine
CSCsh02555   smb-advanced engine needs regex table splitting support +
CSCsi57158   Want an "OR" operator added to META
CSCsi57174   Blended Ordering in META
CSCsi57225   Track which component sigs fire in META alarm
CSCsi61184   Ident signature 6202/2 firing (False Positive) on dataless packets
CSCsj95887   New engine capable of monitoring on all ports needed
CSCsk35511   Service-TNS Engine Not Parsing the Traffic Properly
CSCsk97606   Several H225 signatures fire when VOIP in use.
CSCsl28426   IDS firing sig 1300 false-positive during TCP retransmissions
CSCsm04146   IDSM2: sensor is not learning host OS when configured in Inline mode
CSCsm71528   Analysis Engine NotRunning after sig update reconfig
CSCso00699   ENH: IPS support for blocking ARES P2P application
CSCso02940   alarm interval signatures may fire unexpectedly
CSCso26303   Signature 1330.18 fires frequently
CSCso99040   SCP very slow across inline sensor
CSCsq51530   Traffic drops by sensor after 100 successful sessions

======================================================================
UPDATING TO E2 ENGINE FROM 6.1(1)E1

See the IPS-engine-E2.readme.txt file for information on upgrading an
existing IPS 6.1(1)E1 sensor to IPS 6.1(1)E2. The E2 Engine readme can
be found at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips6

======================================================================
MINOR VERSION UPGRADE FILE INSTRUCTIONS

INTRODUCTION

The Cisco IPS 6.1 minor version upgrade file upgrades a sensor to Cisco
IPS 6.1 while preserving the configuration settings of the sensor. To
completely reimage a sensor and reset the sensor to its default
settings, see SYSTEM IMAGE & RECOVERY FILE INSTRUCTIONS.

MINIMUM REQUIREMENTS

To install the IPS-K9-6.1-1-E2.pkg or IPS-AIM-K9-6.1-1-E2.pkg minor
version upgrade file, you must be running IPS version 5.0(1) or later on
your sensor.

Note: The IPS-AIM-K9-6.1-1-E2.pkg upgrade file can only be used to
upgrade an AIM-IPS sensor. For all other supported sensors, the
IPS-K9-6.1-1-E2.pkg upgrade file should be used.

To see what version the sensor is currently running, log in to the CLI
and execute the show version command.

For detailed instructions on installing the minor version upgrade file,
refer to "Configuring the Cisco Intrusion Prevention System Sensor
Using the Command Line Interface 6.1" available at this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html

INSTALLATION NOTES

WARNING: If you are upgrading an AIM-IPS, you must disable the
heartbeat-reset on the router before installing the 6.1(1) upgrade. The
heartbeat-reset can be re-enabled once the upgrade has completed.
Failure to disable the router's heartbeat-reset may cause the upgrade to
fail and leave the AIM-IPS in an unknown state that may require a
re-image to recover.

If you are upgrading an AIM-IPS using auto upgrade, then disable the
heartbeat-reset before placing the upgrade file on your auto update
server. The heartbeat-reset can be re-enabled once the AIM-IPS has been
auto updated.

NOTE: If you are using auto update with a mixture of AIM-IPS modules and
other IPS appliances or modules, then be sure to place both the standard
IPS-K9-6.1-1-E2.pkg and the IPS-AIM-K9-6.1-1-E2.pkg files on the auto
update server so the AIM-IPS can properly detect which file needs to be
auto downloaded and installed. Placing only the IPS-K9-6.1-1-E2.pkg file
on the auto update server can cause the AIM-IPS to download and attempt
to install the incorrect file.

======================================================================
SYSTEM IMAGE & RECOVERY FILE INSTRUCTIONS

INTRODUCTION

System and recovery images are intended primarily for disaster
recovery. Installation of the system and recovery image files reformats
the storage media and loads the Cisco IPS 6.1 application image. This
results in the reset of all configuration and log files to their
default settings. To preserve the configuration settings of your sensor,
use the minor upgrade file to upgrade your sensor from earlier IPS
versions to Cisco IPS 6.1. For details on using the upgrade file, see
MINOR VERSION UPGRADE FILE INSTRUCTIONS.

SYSTEM AND RECOVERY FILES

Each IDS & IPS sensor platform has its own system image file. You can
access them at this URL:
http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

System Image Files
- IPS-4240-K9-sys-1.1-a-6.1-1-E2.img
- IPS-4255-K9-sys-1.1-a-6.1-1-E2.img
- IPS-4260-K9-sys-1.1-a-6.1-1-E2.img
- IPS-4270-K9-sys-1.1-a-6.1-1-E2.img
- IPS-IDSM2-K9-sys-1.1-a-6.1-1-E2.bin.gz
- IPS-SSM_10-K9-sys-1.1-a-6.1-1-E2.img
- IPS-SSM_20-K9-sys-1.1-a-6.1-1-E2.img
- IPS-SSM_40-K9-sys-1.1-a-6.1-1-E2.img
- IPS-AIM-K9-sys-1.1-a-6.1-1-E2.img

You can access the following recovery images at this URL:
http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

Recovery Image Files
- IPS-K9-r-1.1-a-6.1-1-E2.pkg
- IPS-AIM-K9-r-1.1-a-6.1-1-E2.pkg

You must log in to Cisco.com using an account with cryptographic
privileges to download these files.

INSTALLATION NOTES

For detailed instructions on installing the system and recovery image
files, refer to "Configuring the Cisco Intrusion Prevention System
Sensor Using the Command Line Interface 6.1" Guide at this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html

WARNING: If you are re-imaging an AIM-IPS, you must disable the
heartbeat-reset on the router before installing the 6.1(1) system or
recovery image. The heartbeat-reset can be re-enabled once the re-image
has completed. Failure to disable the router's heartbeat-reset may cause
the re-image to fail and leave the AIM-IPS in an unknown state.

======================================================================
CISCO IPS DEVICE MANAGER (IDM)

SYSTEM REQUIREMENTS

Minimum Hardware Requirement
- CPU: Pentium, AMD Athlon or equivalent running at 1 GHz or higher

Memory
- 512 MB minimum

Supported OS
- Windows Vista Business and Ultimate, Windows XP Professional, Windows
  Server 2003 R2 (Note: both the English and Japanese versions of
  Windows are supported)
- Red Hat Linux Desktop Version 4; Red Hat Enterprise Linux Server
  Version 4

Supported Browsers
- Internet Explorer 6.0 and 7.0
- Firefox 2.0

Java Plug-in Requirement
- Java SE 1.4.2, 5.0 or 6

Minimum Screen Size
- 1024x768

STARTING CISCO IDM

There are two ways to start IDM:
1. Cross launch from IME (recommended)
2. Via browser

To cross launch IDM from IME, open IME and click Configuration. All IDM
functionality is available in IME.

To launch IDM from a browser, enter the IP address of the target sensor
in the address window as follows:
https://xx.xx.xx.xx

CAVEATS

The following known issues are present in Cisco IPS 6.1(1)E2. You can
view release notes in Bug Navigator at this URL:
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier   Headline
CSCso96654   Editing EventActionRules removes all like Sig Actions

RESOLVED ISSUES

The following bugs have been resolved in this release:

Identifier   Headline
CSCsj68881   Auto update settings won't save correctly in IDM.
CSCsi96099   Borealis - IDM/webserver - 2 unknown failed control transactions

======================================================================