Is it possible to update MARS to understand and process the latest/greatest release version of IPS signatures we have deployed to our production sensors? All I have been able to find so far are the periodic update packages released as software downloads for MARS, the most recent example being the csmars-126.96.36.1998.pkg update. I have to believe I'm missing something something here.
Thanks in advance for the assistance.
MARS gets its understanding of the signatures through patches. In every patch is mentioned which IPS signature supports.
I think this would be changed in latest upgrades to both the IPS engine and the MARS', although not sure when.
That's what I was afraid of. I have to hope that they address this soon; we've been using VMS for years and have grown used to having signatures understood as soon as they are updated. Interestingly we also run a 3rd party SIM that tends to run about a week behind Cisco's signature release to the time they (3rd party SIM vendor) release their pattern update to support the latest Cisco signatures...
Thanks for the answer!
breaking out the soapbox...
Cisco has had this product now for a couple years, I wouldn't hold your breathe on this.
Cisco has a (IMHO) ridiculous hack in IPS V6 software that includes the Mars category in the alarm. I expect at some point the CSMARS will probably support it. I have more issues with this design, but primarily I'm afraid it will be used as an excuse not to "do the right thing" with respect to sig updates.