Cisco Systems, Inc. Cisco Intrusion Prevention System IPS 5.1(7)E1 Release October 18, 2007 Copyright (C) 2007 Cisco Systems, Inc. All rights reserved. Printed in the USA. Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners. ======================================================================== Table Of Contents ======================================================================== REVISION HISTORY ENGINE UPDATES NOTE IPS 5.1(7)E1 UPDATE DETAILS - FILE LIST - NEW FEATURES - RESOLVED CAVEATS - CAVEATS - DOCUMENTATION SERVICE PACK UPDATE INSTRUCTIONS - REQUIRED VERSION - TARGET PLATFORMS - IMPORTANT INSTALLATION NOTES - INSTALLATION VIA CLI - INSTALLATION VIA CSM 3.1 - INSTALLATION VIA CSM 3.0 or MC 2.2 - INSTALLATION CAVEATS SYSTEM IMAGE FILE INSTRUCTIONS - INTRODUCTION - SUPPORTED PLATFORMS - INSTALLATION NOTES RECOVERY IMAGE FILE INSTRUCTIONS - INTRODUCTION - SUPPORTED PLATFORMS - INSTALLATION NOTES - USING THE RECOVERY PARTITION ISO IMAGE FILE INSTRUCTIONS ======================================================================== REVISION HISTORY 10/18/2007: Initial Version ======================================================================== ENGINE UPDATES NOTE Engine updates were introduced to the IPS Version 5.1 train for the first time with the release of 5.1(5)E1. Engine updates allow Cisco to deliver new inspection Engines more rapidly, which increases the overall security effectiveness of the sensor. An example of this benefit is providing the SMB and TNS inspection Engines that are available currently in IPSv6.0 to IPSv5.1. It is recommended that you treat Engine updates like Signature updates and install them immediately. As a result of the introduction of Engines, the IPS Signature Update nomenclature changed from IPS-sig-S2XX-minreq-5.1-4.pkg to IPS-sig-S2XX-req-E1.pkg to reflect the new Engine requirements (In this case, E1). The new engine-style signature updates can be downloaded from the following CCO location: http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup NOTE: Cisco stopped releasing the older non-engine style signature updates as of May 1, 2007. With each engine update release, the latest service pack and system image files will be repackaged to include the new engine update. In order to install an engine update, your sensor must be running the required IPS version which is contianed in the engine update package's filename. For example, in order to install the IPS-K9-engine-E1-req-5.1-5.pkg engine update package, your sensor must be running IPS version 5.1(5) or later code. If you are running an earlier IPS version such as IPS version 5.1(4), the sensor can be upgraded to 5.1(6)E1 or 5.1(7)E1 using the Service Pack files. ------------------------------------------------------------------------ EXAMPLE: If the engine update, IPS-K9-engine-E2-req-5.1-7.pkg was released, the 5.1(7)E1 service pack and system image files on CCO would be replaced with 5.1(7)E2 files. In order to upgrade from 5.1(7)E1 to 5.1(7)E2, the E2 engine update would be installed (the 5.1(7)E2 service pack could not be used because the sensor is already at 5.1(7)). ------------------------------------------------------------------------ For more details regarding the E1 engine update and the other 5.1(7)E1 files delivered in this release, refer to the detailed instructions included below. ======================================================================== IPS 5.1(7)E1 UPDATE DETAILS FILE LIST The following files are included as part of this release: Readme Files - IPS-5.1-7-E1.readme.txt IPS 5.1-7-E1 Service Pack Files - IPS-K9-5.1-7-E1.pkg - IPS-CS-MGR-K9-5.1-7-E1.zip - IPS-4260-K9-5.1-7-E1.pkg - IPS-CS-MGR-4260-K9-5.1-7-E1.zip System Image Files - IPS-4215-K9-sys-1.1-a-5.1-7-E1.img - IPS-4240-K9-sys-1.1-a-5.1-7-E1.img - IPS-4255-K9-sys-1.1-a-5.1-7-E1.img - IPS-4260-K9-sys-1.1-a-5.1-7-E1.img - IPS-NM_CIDS-K9-sys-1.1-a-5.1-7-E1.img - IPS-IDSM2-K9-sys-1.1-a-5.1-7-E1.bin.gz - IPS-SSM_10-K9-sys-1.1-a-5.1-7-E1.img - IPS-SSM_20-K9-sys-1.1-a-5.1-7-E1.img Recovery Images - IPS-K9-r-1.1-a-5.1-7-E1.pkg - IPS-4260-K9-r-1.1-a-5.1-7-E1.pkg ISO Image - IPS-K9-cd-1.1-a-5.1-7-E1.iso NEW FEATURES The 5.1-7-E1 Service Pack includes the S302 Signature Update. Refer to the S302 or later Readme for more details on this signature update release. The Signature Update readmes are available for download from Cisco.com: http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/ RESOLVED CAVEATS The following known issues have been resolved in the 5.1(7)E1 release: Identifier Headline CSCeh12238 H225 sig 12505 subsig 5 is not alarming CSCsb60379 show int clear not clearing interface statistics on idsm-2 CSCsc74205 Time slows down when auto bypass activated CSCsc80083 Integration merge of CSCef91892 failed for rel_zirconium_5.1 CSCsc87782 show stat host command date always increases CSCsd29169 Un-tuning of event-actions may retain previously tuned values CSCsd56199 IDM hanging with large iplogs CSCsd72726 getting rbcp exception errors on nm-cids CSCse24364 4FE - interfaces not reporting Missed Packet Percentage CSCse32979 Analysis Engine should short circuit all same src/dst addr packets CSCse76558 Leading [\r\n] in Regex Causes MML Not to Work Properly CSCsf09370 sensorApp analysisEngine statistics packets reset can be inaccurate CSCsf15005 IPS: Specifying RegEx breaks IPv6 tunneling inspection CSCsf24499 NM-CIDS interface info is missing CSCsg04913 install - service account's .bash_profile not carried forward CSCsg05090 Ethernet frames with unknown protocol triggers sig 1102 in 5.1 CSCsg23357 4250-XL and IDSM-2 - sensor lockup when monitoring loop of pcaps CSCsg24632 String.TCP sigs may fire out of order CSCsg25839 IPS 5.1.3 ssh process vulnerable to CRC32 compensation DOS attack CSCsg28140 admin disable an interface does not produce link down event CSCsg36508 setting rate value on flood-net sigs requires reset to take effect -Zirc CSCsg66199 event-action tunings not affecting global-summary alert CSCsg72053 sigID 1307:0 produces False Neg CSCsg95895 sensor host-ip netmask issue CSCsh02866 4250-XL and IDSM-2 - (5.1)display warning messages after looping traffic CSCsh12977 Creation/cloning of customer created AD signature should not be allowed. CSCsh36795 Flows not inspected on SSM in certain case CSCsh41862 IDSM2 does not send reboot msg when doing an upgrade with 5.1(5)E2 CSCsh66450 5.1(5)SP signature regression identified a few sigs that false negative CSCsh76500 sensorApp memory leak during pcap replay CSCsh84203 Meta Signatures Have promisc-delta Applied in Inline Mode CSCsh92703 5.1(5) Recovery Image - wrong link in platform check error message CSCsh95142 extend http performance enhancement algorithm to other than port 80 CSCsh98882 extend 5.1 virtual sensor stats to improve field troubleshooting CSCsi02469 IDS - Remote event monitor apps cause high sensor HDD access CSCsi15321 Signatures 5745 and 5746 context captures 9 digits instead of 10 CSCsi15449 retiring signatures does not stop inspection CSCsi17548 Tcp Syn Cookies do not appear to work CSCsi17610 When leaving backlog level 3 CSCsi23979 4250-xl locks up with 1 gig 256 byte ixia traffic CSCsi42159 IPS mainapp memory leak due to SNMP CSCsi56448 5.1(5)E1 Service Pack can not install on top of 5.1(1p1) CSCsi58642 IDM does not handle slash in a user name correctly CSCsi72263 Allow inline Asymmetric traffic CSCsi86391 smb engine generating alert with bad xml CSCsi87943 traffic conditions can stimulate small memory leak in inspector SNMP CSCsj03849 4260 not responding after system reimage CSCsj17459 low-end sensor out of memory during sigupdate CSCsj41582 IPS 5.1(5)E1 UDP-string engine does not distinguish direction CSCsj49738 IPS 5.1 AIP-SSM Performance - Dropping packets at low throughput CSCsj49923 SenorApp may stop responding shortly after startup CSCsj74455 service pack install should preserve sensorApp.conf CSCsj80570 Add cidDump to upgrades CSCsk07649 add sensorApp.conf token to bypass GRE inspection CSCsk09897 IPS: sends ACK with destination mac of orignal packet CSCsk27436 sigupdate hangs on 5.1(6.20)-bad matrix prune fix CAVEATS The following known issues are present in the 5.1(7)E1 release. You can view release notes in Bug Navigator at this URL: http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl Identifier Headline CSCsc23261 No error for unauthorized sigupdate push upgrade attempt CSCse38575 Sigid 2004 does not fire on ping packets above 65502 Bytes CSCsg09619 IPS accepts RSA keys with exponent 3 which are vulnerable to forgery CSCsg18379 MainApp core due to XML Parsing Error CSCsg20868 4260 platform cannot recognize 4260 specific packages for autoupgrade CSCsg21826 CISCO-CIDS-MIB v3.5 does not have denyPacket and blockHost defined CSCsg26929 Interface errors when enabled in cli and ifconfig up CSCsg59161 NAC: never-block-networks config fails to stop hosts from being blocked CSCsg96871 AnalysisEngine InspectorServiceAICWeb::ToServiceInspect abort CSCsh41862 IDSM2 does not send reboot msg when doing an upgrade with 5.1(5)E2 CSCsh45936 Leading Space in the uri-regex in Service-HTTP Works Ambiguously CSCsh50205 IPS 5.1(4) 4215 imaged as CF based system because of HD failure CSCsh50516 IPS Fails to remove blocking if the blocked host is in PIX's name list CSCsh50760 NAC causes high mainApp usage CSCsh75673 valid NTP key values stored as -1 CSCsi21029 GRE tunnels blocked by sensorApp inspection defect CSCsi22195 Refactor normalizer processTcpOptions unit CSCsi29166 Some special characters are accepted as part of the username CSCsi42747 Memory leak in mainApp when checking license status CSCsi43787 Memory leak in mainApp when log event initiated remotely CSCsi45463 6.0(2) TCP SYN Flood Cookies not functioning on XL platform CSCsi48979 Sig 2152:0 false alarms after tunings or restore defaults CSCsi50951 ARC IPS cannot access blocking device with 'usage' in the banner CSCsi61184 AIP-SSM: Ident signature 6202/2 firing on SYN packets CSCsi87943 traffic conditions can stimulate small memory leak in inspector SNMP CSCsi98677 erase current-config hangs sensor CLI CSCsj17459 low-end sensor out of memory during sigupdate CSCsj30225 SNMP gets result in mainApp memory leak CSCsj35723 Sigs not alarming after default service sig sig0 CSCsj41582 IPS 5.1(5)E1 UDP-string engine does not distinguish direction CSCsj82458 global-block-timeout allows values outside supported range CSCsj95950 ASA/SSM False Data Plane Failover Occuring CSCsk05475 Packet display or packet capture causes rx errors CSCsk27472 "IDS 4250 with Dual SX cards, causing interface flaps" CSCsk30811 Unnecessary webserver error logging causes hard drive failure CSCsk35511 Service-TNS Engine Enhancement Request CSCsk48762 risk rating miscalculated for low severity due to signed math CSCsk53813 upgrade log files are not preserved during an upgrade CSCsk54274 4250 int errors with onboard nic CSCsk56818 5.1(6)E1 custom AD sig issue DOCUMENTATION 5.1 Documentation is available at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/index.htm ======================================================================== SERVICE PACK UPDATE INSTRUCTIONS REQUIRED VERSION ------------------------------------------------------------------------ NOTE: You must have a valid Cisco Service for IPS maintenance contract per sensor to receive and use software upgrades including signature updates from Cisco.com. ------------------------------------------------------------------------ The minimum required version for installing this Service Pack update is 5.0(1) for CLI and IDM users. For CSM (IPS MC) users, the minimum required version is 5.1(1). To determine the current sensor version, log in to the CLI and type the following command at the prompt: show version Refer to the Release Notes for the Cisco Intrusion Prevention System 5.0 available at the following URL for instructions on upgrading to 5.0(1): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/5020_02.htm Refer to the Release Notes for the Cisco Intrusion Prevention System 5.1 available at the following URL for instructions on upgrading to 5.1(1): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/8492_01.htm TARGET PLATFORMS The IPS-K9-5.1-7-E1.pkg and IPS-CS-MGR-K9-5.1-7-E1.zip update files can be applied to the following IPS version 5.x sensor platforms: - IPS-42xx Cisco Intrusion Prevention System (IPS) sensors (except for IPS-4260 which uses a 4260 specific 5.1(7) upgrade package) - IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except for the IDS-4220 and the IDS-4230 series) - WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2) - NM-CIDS IDS Network Module for Cisco 26xx, 3660, and 37xx Router Families. - ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA) - ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA) The IPS-4260-K9-5.1-7-E1.pkg and IPS-CS-MGR-4260-K9-5.1-7-E1.zip service pack update files can be applied to the following IPS version 5.x sensor platform: - IPS-4260 Cisco Intrusion Prevention System (IPS) sensors ------------------------------------------------------------------------- NOTE: The IPS-4260-K9-5.1-7-E1.pkg and IPS-CS-MGR-4260-K9-5.1-7-E1.zip update files can only be applied to the IPS-4260 sensor platform. The IPS-K9-5.1-7-E1.pkg and IPS-CS-MGR-K9-5.1-7-E1.zip update files can NOT be applied to the 4260 sensor platform. ------------------------------------------------------------------------- IMPORTANT INSTALLATION NOTES Installation of the 5.1(7)E1 service pack results in a complete re-imaging of the sensor. While the sensor configuration settings are maintained, all data written to the event store as well as any unsupported customizations will be lost. As with all upgrades, users are strongly advised to save a copy of the sensor's current configuration settings to an ftp server prior to upgrading their sensors. This service pack can not be uninstalled. In order to revert back to the sensor's previous version, the sensor must be re-imaged and then upgraded (if necessary) to return it to it's previous version. The sensor's configuration settings can then be re-applied from a saved copy. Refer to the "Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1" Guide available at the following URL for detailed instructions on performing these steps: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/index.htm INSTALLATION VIA CLI ------------------------------------------------------------------------ NOTE: This service pack will require a reboot of the sensor to apply the changes. Note that inline network traffic will be disrupted during the reboot. ------------------------------------------------------------------------ To install the 5.1(7)E1 service pack update, follow these steps: 1. Download the file IPS-K9-5.1-7-E1.pkg (or IPS-4260-K9-5.1-7-E1.pkg for IPS-4260 sensors) to an FTP, SCP, HTTP, or HTTPS server on your network from: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5 -------------------------------------------------------------------------- CAUTION: You must log in to Cisco.com using an account with cryptographic privileges to download the file. Do not change the file name. You must preserve the original file name for the sensor to accept the update. Refer to Release Notes for Cisco Intrusion Prevention System 5.1 for the procedure for obtaining an account with cryptographic privileges. --------------------------------------------------------------------------- 2. Log in to the CLI using an account with administrator privileges. 3. Enter configuration mode: sensor# configure terminal 4. Upgrade the sensor: sensor(config)# upgrade [URL]/IPS-K9-5.1-7-E1.pkg where the [URL] is a uniform resource locator pointing to where the signature update package is located. For example, to retrieve the update via FTP, type the following: sensor(config)# upgrade ftp://@/// IPS-K9-5.1-7-E1.pkg The available transport methods are SCP, FTP, HTTP, or HTTPS. 5. Enter the appropriate password when prompted. 6. To complete the upgrade, type yes when prompted. NOTE: The Sensor will reboot after installing the service pack. INSTALLATION VIA CSM 3.1 1. Start the CSM Client. 2. Download the package a. Select Tools-->Security Manager Administration... b. Select IPS Updates in the popup window c. Click on "Edit Settings" button. In the popup window choose "Cisco.com" in dropdown, and give Cisco.com (CCO) username/password. Click Ok, Click Save (May need to scroll down to see this button). d. Click Download Latest Updates. e. Click the Start Button on the Downloading Sensor Updates box, Close pop-up when complete. f. Close the Security Manager Administration window 3. Apply newly downloaded package and deploy to your device(s) a. Select Tools > Apply IPS Update ... b. In the Drop Down box, select Sensor Updates. c Select IPS-CS-MGR-K9-5.1-7-E1.zip from the Update File list box and click Next. Note: If the downloaded file did not show up in the list wait 2 minutes and re-launch Apply IPS Update as CSM sometime takes longer to register a package. d. Select the sensor(s) you want to update and click Finish. e. Click on the Deployment Manager Icon. f. Click Deploy. g. Click Yes when asked if you want to Submit and Deploy. h. Verify the successful Deployment in the Status Details Window. INSTALLATION VIA CSM 3.0 & IPS MC 2.2 The minimum required version to install the IPS-CS-MGR-K9-5.1-7-E1.zip service pack is IPS MC version 2.2 (with SP 2), CSM 3.0.1 (with IPS patch), or CSM 3.1. The minimum required version to install the IPS-CS-MGR-4260-K9-5.1-7-E1.zip service pack is CSM 3.1. To install the 5.1(7)E1 service pack on a CSM server, follow these steps: 1. Download the service pack ZIP file, IPS-CS-MGR-K9-5.1-7-E1.zip or IPS-CS-MGR-4260-K9-5.1-7-E1.zip (for IPS-4260 sensors) to the /MDC/etc/ids/updates directory on the server where you have installed IPS MC from the following website: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates 2. Start IPS MC from the CiscoWorks Server desktop. 3 Select Configuration > Updates. 4. In the TOC, select Update Network IDS/IPS Signatures. 5. In the TOC, select Submit. 6. Select a file from the Update File list box and click Apply. 7. Select the sensor(s) you want to update and click Next. 8. Enter Job Name (optional) and select Schedule Type: Immediate or Scheduled. If Scheduled is selected then set the start time of the update. 9. Click Next to continue. 10. Verify the Summary is correct. Use the Back button to correct an incorrect entry. 11. Click Finish. INSTALLATION CAVEATS The 5.1(7)E1 service pack cannot be uninstalled. You must re-image the sensor using a system image file. All configuration settings will be lost. - CSCsg20868 Aurora-4260 cannot recognize 4260 specific package files for autoupgrade. Symptom: Autoupdate does not recognize the 4260 package files (e.g. IPS-4260-K9-sp-5.1-x.pkg or IPS-4260-K9-5.1-5-E1.pkg). Conditions: If Autoupdate is configured on the IPS 4260, it will not recognize the 4260 packages and therefore does not install them. Workaround: Install the service pack using CLI or IDM. Further Problem Description: IPS version 5.1(x) does not recognize platform specific major, minor, or service pack filenames. - CSCsh95811 CSM 3.0.1 IPS does not handle 5.1(x)-4260 update package Symptom: The 5.1(x) upgrade package for the 4260 platform is different than the rest. CSM 3.0.1 SP2 cannot upgrade the 4260 because it does not recognize the platform specific filename (IPS-4260-K9-sp-5.1-x.zip). Workaround: Update the 4260 sensor using CLI or IDM. - CSCsh95807 IPSMC does not handle 5.1(x)-4260 update package Symptom: The 5.1(x) upgrade package for the 4260 platform is different than the rest. IPS MC 2.2 SP2 cannot upgrade the 4260 because it does not recognize the platform specific filename (IPS-4260-K9-sp-5.1-x.zip). Workaround: Update the 4260 sensor using CLI or IDM. ======================================================================== SYSTEM IMAGE FILE INSTRUCTIONS INTRODUCTION You can use the 5.1(7)E1 System Image files to completely reimage a sensor in situations where you are not concerned about maintaining sensor configuration, or in cases of disaster recovery. Installation of a system image file reformats the storage media and loads both a new application and recovery image. The current sensor configuration and all log files are lost. Do not use the 5.1(7)E1 System Image to upgrade the current software version to 5.1(7)E1 as all configuration settings will be lost. To maintain your configuration settings upgrade to 5.1(7)E1 using the 5.1(7)E1 Service Pack Update file (Refer to the SERVICE PACK UPDATE INSTRUCTIONS section of this readme). SUPPORTED PLATFORMS Each IDS & IPS sensor platform has it's own system image file. These files listed below can be downloaded at the following URL: http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml System Image Files - IPS-4215-K9-sys-1.1-a-5.1-7-E1.img - IPS-4240-K9-sys-1.1-a-5.1-7-E1.img - IPS-4255-K9-sys-1.1-a-5.1-7-E1.img - IPS-4260-K9-sys-1.1-a-5.1-7-E1.img - IPS-NM_CIDS-K9-sys-1.1-a-5.1-7-E1.img - IPS-IDSM2-K9-sys-1.1-a-5.1-7-E1.bin.gz - IPS-SSM_10-K9-sys-1.1-a-5.1-7-E1.img - IPS-SSM_20-K9-sys-1.1-a-5.1-7-E1.img You must log in to Cisco.com using an account with cryptographic privileges to download these files. INSTALLATION NOTES Refer to the "Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1" Guide available at the following URL for detailed installation instructions. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/index.htm ======================================================================== RECOVERY IMAGE FILE INSTRUCTIONS INTRODUCTION The IPS-K9-r-1.1-a-5.1-7-E1.pkg and IPS-4260-K9-r-1.1-a-5.1-7-E1.pkg files contain the 5.1(7)E1 Recovery Image. Install these files if you need to upgrade or reimage your Recovery Partition. The 5.1(7)E1 Recovery Image upgrades the recovery partition of a 5.x sensor. It does not affect the current application partition unless you use the recover application-partition command to reimage the application partition from the recovery partition. You must install this image on a sensor already running version 5.0 or later. Do not use the 5.1(7)E1 Recovery Image to upgrade the current software version to 5.1(7)E1 as all configuration settings will be lost. To maintain your configuration settings upgrade to 5.1(7)E1 using the 5.1(7)E1 Service Pack Update file (Refer to the SERVICE PACK UPDATE INSTRUCTIONS section of this readme). SUPPORTED PLATFORMS The IPS-K9-r-1.1-a-5.1-7-E1.pkg recovery image file is supported on the following platforms: - IDS-4210 Series Sensor Appliances - IDS-4215 Series Sensor Appliances - IDS-4235 Series Sensor Appliances - IPS-4240 Series Sensor Appliances - IDS-4250 Series Sensor Appliances - IPS-4255 Series Sensor Appliances - WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2) - NM-CIDS Intrusion Detection System Network Module - ASA-SSM-AIP-10 series Cisco ASA Advanced Inspection and Prevention Security Service Modules - ASA-SSM-AIP-20 series Cisco ASA Advanced Inspection and Prevention Security Service Modules The IPS-4260-K9-r-1.1-a-5.1-7-E1.pkg recovery image file is supported on: - IPS-4260 Series Sensor Appliances ------------------------------------------------------------------------- NOTE: The IPS-4260-K9-r-1.1-a-5.1-7-E1.pkg recovery image file can only be applied to the IPS-4260 sensor platform. The IPS-K9-r-1.1-a-5.1-7-E1.pkg recovery image file can NOT be applied to the 4260 sensor platform. ------------------------------------------------------------------------- INSTALLATION NOTES Refer to the "Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1" Guide available at the following URL for detailed installation instructions. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/index.htm USING THE RECOVERY PARTITION For detailed instructions on how to use recovery partition, refer to the "Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1" Guide available at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliimage.htm#wp1030707 ======================================================================== ISO IMAGE FILE INSTRUCTIONS The Recovery ISO Image is for IDS-4235 and IDS-4250 Series sensors only. Refer to the ISO_Image_FAQ1.htm for instructions on how to use this file. The ISO image file (IPS-K9-cd-1.1-a-5.1-7-E1.iso) and ISO_Image_FAQ1.htm can be downloaded from: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system