Offline Signature Updates

Jul 6th, 2009

Hi,


I was wondering how to perform signature updates without a direct internet connection. I understand you can point the dynamic update address to a local web server, so do we have to leverage or build an existing web server to do this, or is there a web service with, say, CSM that we could leverage for this?


Thanks,


Peter

pradeepde Mon, 07/13/2009 - 10:31

If an agent cannot reach its CSA MC for some reason, it will still benefit from local signature correlation but it will not benefit from globally correlated signatures until it can reach the CSA MC and polls in. The local functionality of an agent will protect the host from buffer overflow, exception handling, and denial of service attacks that use MSRPC and LPC protocols.



http://www.cisco.com/en/US/docs/security/csa/csa60/user_guide/Signatures.html#wp1013079

pcoates84 Mon, 07/13/2009 - 10:35

I'm just talking about updating the MARS signatures without having an internet connection to the MARS appliance; I never mentioned CSA.

dustinsuko Thu, 08/20/2009 - 08:03

I too have restricted MARS from the internet. I've been updating our MARS IPS signatures by downloading them to my PC where I am running a virtual HTTP file server from HFS.

http://www.rejetto.com/hfs/


It's free and very easy to use. Once I have HFS running (doesn't need to be installed), I just drag the IPS signature zip file to the HFS file structure (don't forget to create user credentials on the HTTP file server). Then I give MARS its needed info. Don't forget to turn off your Windows firewall (if you're running Windows).



Farrukh Haroon Sat, 08/22/2009 - 00:51

As Dustin mentioned, you can set up any open/free web server and have your MARS box point to it.


Or you can keep a virtual machine (HTTP server) and power it on when you need to upgrade.


However, I would highly recommend the automatic upgrade; you can be very specific with your outbound policy as mentioned here:


http://www.cisco.com/en/US/products/ps6241/products_tech_note09186a00808f1279.shtml#P19


Regards


Farrukh
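
As an added example (not from any poster in this thread and not Cisco code): a small Python stand-in for the HTTP file server described above, which requires credentials, refuses directory listings and binds to a single interface. It assumes the appliance authenticates with HTTP Basic; the credentials, directory, address and port are placeholders.

```python
import base64
import functools
import hmac
from http.server import HTTPServer, SimpleHTTPRequestHandler

def basic_auth_ok(header, user, password):
    """Return True only when the Authorization header matches user:password."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(header[len("Basic "):], validate=True)
    except ValueError:  # malformed base64
        return False
    # Constant-time comparison avoids leaking how much of the secret matched.
    return hmac.compare_digest(supplied, f"{user}:{password}".encode())

class SignatureHandler(SimpleHTTPRequestHandler):
    user = "mars-update"   # constructed sample credentials
    password = "change-me"

    def _gate(self, serve):
        if basic_auth_ok(self.headers.get("Authorization"), self.user, self.password):
            return serve()
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="signatures"')
        self.end_headers()

    def do_GET(self):
        self._gate(super().do_GET)

    def do_HEAD(self):
        self._gate(super().do_HEAD)

    def list_directory(self, path):
        # Serve named files only; never expose a directory index.
        self.send_error(403, "Directory listing disabled")
        return None

def make_server(directory, bind_addr, port):
    """Bind to one interface (the one the appliance reaches), not 0.0.0.0."""
    handler = functools.partial(SignatureHandler, directory=directory)
    return HTTPServer((bind_addr, port), handler)

if __name__ == "__main__":
    # Hypothetical values: staging directory and the PC's address on the MARS-facing network.
    make_server("./signatures", "192.0.2.10", 8080).serve_forever()
```

Basic credentials over plain HTTP are only encoded, not encrypted, so keep the server on the management segment and stop it once the update has been pulled.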
