MARS/IPS Signature Tuning

Unanswered Question
Jun 19th, 2007

Hi,

We have got a deployment of IPS v6 with MARS which is thus far quite effective in mitigating most of the issues.

However, I'm a bit stuck with a scenario and require help; my question goes as below:

1. For all the TCP based attacks, I guess the best way to defend is to issue a TCP Reset to the Router or PIX; however, of late I guess more and more attacks (being reported) are of Port Sweep (TCP and ICMP) and that of many worms trying to get propagated using ICMP.

So in these circumstances, what should be my mitigation strategy? Should I consider shunning? But shunning doesn't look practical, as the number of hosts originating the attacks is numerous...

2. Once the MARS/IPS combo is deployed, should the mitigation strategy always be deployed from the MARS appliance (just like once NMS / LMS is in place we encourage all the configurations to be deployed from LMS only), or should I continue to fine tune the Signatures / Release IDs on the individual IPS Appliances?

Any help would be greatly appreciated.

Kind Regards,

Wilson Samuel



srue Mon, 06/25/2007 - 09:49

MARS is not able to push out any changes, so you'll still have to make changes to the appliances however you want to.

Are you using inline mode? You could always just drop the unwanted packets.

pmccubbin Mon, 06/25/2007 - 12:08

Adding to what srue has stated, I prefer making all changes on the devices themselves and not pushing anything out from MARS. I trust MARS but I like to verify things for myself. After all, it is only one of the forensic tools we have at our disposal.
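The thread's two practical points are that a TCP reset only helps against TCP traffic (an ICMP sweep has nothing to reset) and that shunning every sweeping source is not realistic when the source count is large, while an inline sensor can simply drop the packets. The following is an added example, not code from the thread, from Cisco IPS or from MARS: it runs a sliding-window sweep detector over a constructed, invented alert format (one line per alert: time, protocol, source, destination), flags sources that touched at least five distinct destinations within 60 seconds, and maps each flagged (source, protocol) pair to a response that the sensor can actually carry out. The function names, the thresholds and the action strings are assumptions for illustration.

```python
"""Sweep detection over constructed IPS-style alert lines, with a response recommendation.

Added example; the alert format below is invented, not Cisco IPS or MARS output.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts: "<ISO time> <proto> <source> <destination>".
# 10.1.1.5  : ICMP echo to six hosts in three seconds (sweep)
# 10.1.1.9  : TCP to two hosts only (not a sweep)
# 10.1.1.20 : TCP to five hosts in two seconds (sweep)
# 10.1.1.30 : ICMP to six hosts, but spaced 30 s apart (never 5 inside one window)
SAMPLE_ALERTS = """\
2007-06-19T10:00:00 icmp 10.1.1.5 10.2.0.1
2007-06-19T10:00:01 icmp 10.1.1.5 10.2.0.2
2007-06-19T10:00:01 icmp 10.1.1.5 10.2.0.3
2007-06-19T10:00:02 icmp 10.1.1.5 10.2.0.4
2007-06-19T10:00:02 icmp 10.1.1.5 10.2.0.5
2007-06-19T10:00:03 icmp 10.1.1.5 10.2.0.6
2007-06-19T10:00:05 tcp 10.1.1.9 10.2.0.1
2007-06-19T10:00:06 tcp 10.1.1.9 10.2.0.1
2007-06-19T10:00:07 tcp 10.1.1.9 10.2.0.2
2007-06-19T10:00:10 tcp 10.1.1.20 10.2.0.1
2007-06-19T10:00:10 tcp 10.1.1.20 10.2.0.2
2007-06-19T10:00:11 tcp 10.1.1.20 10.2.0.3
2007-06-19T10:00:11 tcp 10.1.1.20 10.2.0.4
2007-06-19T10:00:12 tcp 10.1.1.20 10.2.0.5
2007-06-19T10:00:00 icmp 10.1.1.30 10.2.0.1
2007-06-19T10:00:30 icmp 10.1.1.30 10.2.0.2
2007-06-19T10:01:00 icmp 10.1.1.30 10.2.0.3
2007-06-19T10:01:30 icmp 10.1.1.30 10.2.0.4
2007-06-19T10:02:00 icmp 10.1.1.30 10.2.0.5
2007-06-19T10:02:30 icmp 10.1.1.30 10.2.0.6
"""


def parse_alerts(text):
    """Parse the constructed format into (timestamp, proto, src, dst) tuples, oldest first."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, proto, src, dst = line.split()
        alerts.append((datetime.fromisoformat(ts), proto.lower(), src, dst))
    alerts.sort(key=lambda a: a[0])
    return alerts


def detect_sweeps(alerts, window_seconds=60, min_targets=5):
    """Return {(src, proto): peak distinct destinations} for pairs that reached
    min_targets distinct destinations inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)       # (src, proto) -> deque of (ts, dst) still in window
    in_window = defaultdict(Counter)  # (src, proto) -> dst -> hits currently in window
    peak = defaultdict(int)
    for ts, proto, src, dst in alerts:
        key = (src, proto)
        q, hits = recent[key], in_window[key]
        q.append((ts, dst))
        hits[dst] += 1
        # Evict alerts older than the window; a destination leaves the distinct
        # set only when its last in-window hit has been evicted.
        while ts - q[0][0] > window:
            _, old_dst = q.popleft()
            hits[old_dst] -= 1
            if hits[old_dst] == 0:
                del hits[old_dst]
        peak[key] = max(peak[key], len(hits))
    return {k: v for k, v in peak.items() if v >= min_targets}


def recommend_action(proto, inline):
    """Choose a response the sensor can actually perform (action names are my own)."""
    if proto == "tcp":
        if inline:
            return "drop inline"
        return "tcp reset (a SYN sweep has no established session to reset)"
    if proto == "icmp":
        if inline:
            return "drop inline"
        return "promiscuous sensor cannot reset ICMP; block at the router/firewall ACL"
    return "alert only"


def triage(text, inline):
    """Map 'src/proto' -> (peak distinct targets, recommended action) for detected sweeps."""
    sweeps = detect_sweeps(parse_alerts(text))
    return {f"{src}/{proto}": (n, recommend_action(proto, inline))
            for (src, proto), n in sweeps.items()}


def sources_to_block(text):
    """Distinct sweeping sources, i.e. how many shun entries per-host blocking would need."""
    return sorted({src for src, _ in detect_sweeps(parse_alerts(text))})


if __name__ == "__main__":
    for key, (n, action) in triage(SAMPLE_ALERTS, inline=True).items():
        print(f"{key}: {n} distinct targets -> {action}")
    print("sources needing a shun entry:", sources_to_block(SAMPLE_ALERTS))
```

The windowed distinct-destination count is what separates a sweep from ordinary traffic: 10.1.1.30 reaches six hosts in total but never five within one window, so it is not flagged, while 10.1.1.9 touches only two hosts. The `inline` flag reflects srue's point that dropping is only available to an inline sensor; in promiscuous mode the ICMP case has no reset equivalent and falls back to an ACL on the router or firewall, and `sources_to_block` gives the size of the shun list that per-host blocking would require.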
