MARS 5.3.5 Auto Signature Update

martinwilson
Level 1

I am having some problems getting my MARS box to perform signature updates automatically.

I have entered the correct proxy information and such, yet when I hit the "Test connectivity" button I immediately get the error "Unable to connect to web server, please check URL, Username and password".

I have the correct username and password in there as I can access the site from a web browser.

Any ideas? I'm not sure where I can look on the device to get visibility into where it's falling over.

Cheers.

13 Replies

mhellman
Level 7

Log in to the MARS CLI and try this:

tcpdump -s0 -X port and

where and are the settings configured in Admin->System Parameters->Proxy Settings.

Then try testing and you should see the connection attempt and it should give you an indication of why it failed.

Thanks, a great help.

Using tcpdump and examining our ISA proxy logs, it looks like the MARS is trying to authenticate to our proxy as anonymous, despite the fact that I have set the proxy settings + username and password within MARS.

Seems strange, any ideas?

What type of authentication is the ISA proxy configured for? If you're not sure, get a trace and look at the "Proxy-Authenticate" HTTP header(s) being returned by the proxy in the "407 proxy auth required" response. It's just a wag, but the Jakarta http client may not like any of the types of authentication being offered up by the proxy (in particular, NTLM wouldn't work).

You could just whitelist the following URL on the ISA proxy server:

https://www.cisco.com/cgi-bin/ida/locator/locator.pl

Never mind all that. I looked at the connection and it's a direct CONNECT call using basic authentication. I'm curious, what makes you conclude that it's trying to authenticate as "anonymous"?

What you should see is something like this:

CONNECT http://www.cisco.com:443 HTTP/1.1
Authorization: Basic
Proxy-Authorization: Basic
User-Agent: Jakarta.Commons-HttpClient/2.0final
Host: http://www.cisco.com
Proxy-Connection: Keep-Alive

Just remember that MARS opens two separate connections to the Cisco website, one is HTTP and the other is HTTPS. I hope you have both of those allowed.

Regards

Farrukh

Good point, I only saw the https connection...possibly because this is just the first call to find out if there are any updates and there weren't. In any event, the second request looks something like this:

http://software-sj.cisco.com/cisco/ciscosecure/ips/csmars/IPS-CS-MARS-Sig-S342.zip

I am running Mars 4.3. I have my auto update point to Cisco (https://www.cisco.com/cgi-bin/ida/locator/locator.pl). The updates have worked fine until today. For some reason my password in the Mars config became corrupt. After resetting my CCO password in Mars, the Mars IPS updates are working again.

Looks like our ISA server is not configured to accept Basic authentication.

I'm not sure if the MARS can be configured to pass any other form of authentication but testing it on a server that accepts basic authentication works no problems.
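
Added example (not part of any post in this thread): a small Python check for the step suggested above, reading the "Proxy-Authenticate" header(s) out of a captured 407 response and comparing the offered schemes with what the client can send. The sample response is constructed, and the default `client_schemes=("basic",)` is an assumption based on the Basic-only CONNECT request shown in the thread.

```python
import re

# Constructed sample: a 407 reply from a proxy offering only integrated schemes.
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Via: 1.1 PROXY01\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: Kerberos\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# A scheme is a token at the start of the value or after a comma that is NOT
# followed by "=" (which would make it a parameter such as realm= or nonce=).
_SCHEME = re.compile(r"(?:^|,)\s*([A-Za-z][A-Za-z0-9_-]*)(?=\s*$|\s*,|\s+[^\s=,])")

def offered_schemes(raw: bytes):
    """Return (status_code, [schemes]) from the head of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        # Blank out quoted strings so commas inside a realm do not split challenges.
        value = _QUOTED.sub('""', value).strip()
        for match in _SCHEME.finditer(value):
            scheme = match.group(1).lower()
            if scheme not in schemes:
                schemes.append(scheme)
    return status, schemes

def diagnose(raw: bytes, client_schemes=("basic",)):
    """Say whether the proxy offers any scheme the client is able to send."""
    status, schemes = offered_schemes(raw)
    if status != 407:
        return f"status {status}: proxy did not ask for authentication"
    usable = [s for s in schemes if s in client_schemes]
    if usable:
        return "ok: proxy accepts " + ", ".join(usable)
    return ("mismatch: proxy offers only " + ", ".join(schemes)
            + "; client sends only " + ", ".join(client_schemes))

if __name__ == "__main__":
    print(diagnose(SAMPLE_407))
```
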

fbpettis1
Level 1

I'm having the same problem. Cannot connect to server anymore. Checked and rechecked settings (MARS 4.3.5). Using tcpdump, I can see it talking to the servers (both https & http). It's not my CCO account either. Anyone figure this one out?

They changed their key or something a while back. Enter the CCO username and password in MARS again and hit 'Update Now'.

Regards

Farrukh

Tried that, it fails. Says it's beginning download, and to refresh the screen to see the status, but fails after a couple of minutes every time.

This is through a proxy or a direct connection to the internet?

Regards

Farrukh

Direct connection.
