IPS Signature Update Support on MARS?

Unanswered Question
May 8th, 2007
User Badges:


Is it possible to update MARS to understand and process the latest/greatest release version of IPS signatures we have deployed to our production sensors? All I have been able to find so far are the periodic update packages released as software downloads for MARS, the most recent example being the csmars- update. I have to believe I'm missing something something here.

Thanks in advance for the assistance.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
rnaydenov Tue, 05/08/2007 - 22:32
User Badges:

Unfortunately, no!

MARS gets its understanding of the signatures through patches. In every patch is mentioned which IPS signature supports.

I think this would be changed in latest upgrades to both the IPS engine and the MARS', although not sure when.

cgiulini Wed, 05/09/2007 - 03:55
User Badges:

That's what I was afraid of. I have to hope that they address this soon; we've been using VMS for years and have grown used to having signatures understood as soon as they are updated. Interestingly we also run a 3rd party SIM that tends to run about a week behind Cisco's signature release to the time they (3rd party SIM vendor) release their pattern update to support the latest Cisco signatures...

Thanks for the answer!



mhellman Wed, 05/09/2007 - 05:07
User Badges:
  • Blue, 1500 points or more

breaking out the soapbox...

Cisco has had this product now for a couple years, I wouldn't hold your breathe on this.

Cisco has a (IMHO) ridiculous hack in IPS V6 software that includes the Mars category in the alarm. I expect at some point the CSMARS will probably support it. I have more issues with this design, but primarily I'm afraid it will be used as an excuse not to "do the right thing" with respect to sig updates.


This Discussion