Re: IPS Signature Update Support on MARS?

cgiulini · ‎05-08-2007

Hello,

Is it possible to update MARS to understand and process the latest/greatest release version of IPS signatures we have deployed to our production sensors? All I have been able to find so far are the periodic update packages released as software downloads for MARS, the most recent example being the csmars-4.2.6.2458.pkg update. I have to believe I'm missing something something here.

Thanks in advance for the assistance.

Regards,

Chad

rnaydenov · ‎05-08-2007

Unfortunately, no!

MARS gets its understanding of the signatures through patches. In every patch is mentioned which IPS signature supports.

I think this would be changed in latest upgrades to both the IPS engine and the MARS', although not sure when.

cgiulini · ‎05-09-2007

That's what I was afraid of. I have to hope that they address this soon; we've been using VMS for years and have grown used to having signatures understood as soon as they are updated. Interestingly we also run a 3rd party SIM that tends to run about a week behind Cisco's signature release to the time they (3rd party SIM vendor) release their pattern update to support the latest Cisco signatures...

Thanks for the answer!

Regards,

Chad

mhellman · ‎05-09-2007

breaking out the soapbox...

Cisco has had this product now for a couple years, I wouldn't hold your breathe on this.

Cisco has a (IMHO) ridiculous hack in IPS V6 software that includes the Mars category in the alarm. I expect at some point the CSMARS will probably support it. I have more issues with this design, but primarily I'm afraid it will be used as an excuse not to "do the right thing" with respect to sig updates.