CSM 3.0.1 and lost custom signiture abilitie

willdavi129 · ‎04-26-2007

Hopefully someone can assist with this question.

While testing the response time for incidents that MARS was suppose to see I came across a basic attack that it did not see SNMP WALK. So I figured the IPS signatures did not see or did not have one define. So I started to configure one using the signature wizard. I created the signature but it would not deploy to the sensor. currently I have 549 signatures, so I worked the issue for a while and attempt to copy the custom signature to the global setting. Well in doing that I can no longer connect to the custom signatures section. I am about to reset the IOS IPS back to default but I don't feel 100% that this will fix my issue.

Currently I am running CSM 3.0.1 patch 1

pmccubbin · ‎04-26-2007

Interesting question.

My initial reaction was that MARS wouldn't see this sort of attack as an Incident. I say this because MARS uses SNMPWALK for the discovery of routes, connected networks, ARP tables, and address translations.

Somebody else on this forum will have to speak to the creation of a custom signature that would see this sort of attack.

willdavi129 · ‎04-27-2007

thank you for your respones that is very informative, it explains why I am not seeing that.