MARS IPS 6

Unanswered Question
Aug 28th, 2007

IPS 6 is reporting the STORM WORM... MARS says it is an Unknown Device Event Type. I have the latest code and sigs on all platforms.

Does this report from MARS indicate that I have to train and/or make a category or something like that on MARS?

I want MARS to generate an IPS/sig event description just like all of the other sigs on the IPS that are reported to MARS.

acomiskey Tue, 08/28/2007 - 10:29

Signature 5894 Storm Worm was released in S298.


The latest MARS release, 4.2.8, only supports up to S294.



garyprice Tue, 08/28/2007 - 10:36

OK, let's say my upper management wants a report that shows the impact of this 'Unknown' on their network. How can I achieve that?

gp

mhellman Tue, 08/28/2007 - 11:05

Welcome to MARS ;-)


MARS is only updated about once every 2-3 months, and this includes signature updates. The latest release (about 2 days ago) understands Cisco IPS signatures up to S294, so it doesn't understand that signature. Why don't you ask management if they can wait until October? LOL.


Anyway, about the best you can do currently is to copy the data into another tool, like Excel, and clean it up.
