Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
228
Views
4
Helpful
2
Replies

MARS/IPS Singature Tuning

Wilson Samuel
Level 7
Level 7

‎06-19-2007 05:37 AM - edited ‎03-09-2019 06:13 PM

Hi,

We have got a deployment of IPS v6 with MARS which is thus far quite effective in mitigating most of the issues.

However I'm bit stuck with a scenario and require help, my question goes as below:-

1. For all the TCP based attacks, I guess the best way to defend is to issue a TCP Reset to the Router or PIX, however, oflately I guess more and more attacks (being reported) is of Port Sweep (TCP and ICMP) and that of many worms trying to get propaged using the ICMP.

So in these circumstances, what should be my mitigation strategy? Should I consider shunning? but, shunning doesnt look like practical as the number of hosts originating the attacks are numerous...

2. Once MARS/IPS combo is deployed, should the mitigation strategy always be deployed from the MARS appliance (just like once NMS / LMS is in place we encourage all the configurations to be deployed from LMS only) or should I continue to fine tune the Signatures / Release IDs on the individual IPS Appliancees?

Any help would be greatly appreciated.

Kind Regards,

Wilson Samuel

Labels:
0 Helpful
2 Replies 2

srue
Level 7
Level 7

‎06-25-2007 09:49 AM

MARS is not able to push out any changes so you'll still have to make changes to the appliances however you want to.

Are you using inline mode? you could always just drop the unwanted packets.

pmccubbin
Level 5
Level 5
In response to srue

‎06-25-2007 12:08 PM

Adding to what srue has stated, I prefer making all changes on the devices themselves and not pushing anything out from MARS. I trust MARS but I like to verify things for myself. After all, it is only one of the forensic tools we have at our disposal.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents