IPS Signature Update Support on MARS?

Unanswered Question
May 8th, 2007

Hello,

Is it possible to update MARS to understand and process the latest/greatest release version of IPS signatures we have deployed to our production sensors? All I have been able to find so far are the periodic update packages released as software downloads for MARS, the most recent example being the csmars-4.2.6.2458.pkg update. I have to believe I'm missing something something here.

Thanks in advance for the assistance.

Regards,

Chad

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
rnaydenov Tue, 05/08/2007 - 22:32

Unfortunately, no!

MARS gets its understanding of the signatures through patches. In every patch is mentioned which IPS signature supports.

I think this would be changed in latest upgrades to both the IPS engine and the MARS', although not sure when.

cgiulini Wed, 05/09/2007 - 03:55

That's what I was afraid of. I have to hope that they address this soon; we've been using VMS for years and have grown used to having signatures understood as soon as they are updated. Interestingly we also run a 3rd party SIM that tends to run about a week behind Cisco's signature release to the time they (3rd party SIM vendor) release their pattern update to support the latest Cisco signatures...

Thanks for the answer!

Regards,

Chad

mhellman Wed, 05/09/2007 - 05:07

breaking out the soapbox...

Cisco has had this product now for a couple years, I wouldn't hold your breathe on this.

Cisco has a (IMHO) ridiculous hack in IPS V6 software that includes the Mars category in the alarm. I expect at some point the CSMARS will probably support it. I have more issues with this design, but primarily I'm afraid it will be used as an excuse not to "do the right thing" with respect to sig updates.

Actions

This Discussion