Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
616
Views
10
Helpful
6
Replies

Why IPS for MARS

Go to solution
cisco_lite
Level 1
Level 1

‎01-23-2009 07:01 AM

I would like to know what is the function of IPS signature download feature in CS-MARS. Is it required for network security of MARS or other devices.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rajett
Cisco Employee
Cisco Employee
In response to cisco_lite

‎01-29-2009 01:33 PM

The IPS devices need signature updates and MARS needs the XML version to keep in sync with what the IPS has.

To do automatic IPS signature updates on the sensors use the CS-Manager software.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
rajett
Cisco Employee
Cisco Employee

‎01-28-2009 09:04 AM

One problem with signature based solutions is the need to constantly update those signatures.

As you may be aware, device updates, software updates, bug fixes, and other items are rolled into each MARS software update available for download from Cisco.com. These updates are not released at the same rate as IPS signature updates and a lag occurs. The Cisco IPS signature updates have been broken out from this update cycle to allow for shortened update cycles.

The IPS Signature download feature gives MARS the capabilities to download Cisco IPS signature updates for itself automatically. This will free up your cycles in that you won't have to manually update these.

If you need to do automatic signature and software updates on your IPS Sensors take a look at the Cisco Security Manager software. You can download the software from Cisco.com and install it without a license to run it in a full featured, but time limited mode for testing.

Go to solution
firewalz
Level 1
Level 1
In response to rajett

‎01-28-2009 11:27 AM

I don't think you understood the question. I believe he was asking what functionality does the IPS signatures in MARS provide? Do events and/or sessions get matched against the sigs? or are they there to help MARS interface with an IPS as a reporting device?

0 Helpful

Go to solution
cisco_lite
Level 1
Level 1
In response to rajett

‎01-28-2009 11:28 AM

Do you mean, the IPS signatures downloaded by MARS are used by itself for its own network security ?

Or does it apply to other devices as well.

0 Helpful

Go to solution
rajett
Cisco Employee
Cisco Employee
In response to cisco_lite

‎01-29-2009 09:34 AM

The IPS Signatures downloaded by MARS are used by MARS to understand what the IPS is sending it.

If MARS cannot normalize the log message coming from the IPS you'd end up with an unknown event.

Go to solution
cisco_lite
Level 1
Level 1
In response to rajett

‎01-29-2009 11:20 AM

Wow!

Seems like incorrect terminology for this feature. 'IPS Signatures' download gives the same impression as IPS Signature download for IPS devices.

0 Helpful

Go to solution
rajett
Cisco Employee
Cisco Employee
In response to cisco_lite

‎01-29-2009 01:33 PM

The IPS devices need signature updates and MARS needs the XML version to keep in sync with what the IPS has.

To do automatic IPS signature updates on the sensors use the CS-Manager software.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents