Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Offline Signature Updates

Hi,

I was wondering how to perform signature updates without a direct internet connection. I understand you can point the dynamic update address to a local web server, so do we have to leverage or build an existing web server to do this, or are this a web service with say CSM that we could leverage for this?

Thanks,

Peter

4 REPLIES
Bronze

Re: Offline Signature Updates

If an agent can not reach its CSA MC for some reason, it will still benefit from local signature correlation but it will not benefit from globally correlated signatures until it can reach the CSA MC and polls in. The local functionality of an agent will protect the host from buffer overflow, exception handling, and denial of service attacks that use MSRPC and LPC protocols.

http://www.cisco.com/en/US/docs/security/csa/csa60/user_guide/Signatures.html#wp1013079

New Member

Re: Offline Signature Updates

I'm just talking about updating the MARS signatures without having an internet connection to the MARS appliance, never mentioned CSA.

New Member

Re: Offline Signature Updates

I too have restricted MARS from the internet. I've been updating our MARS IPS signatures by downloading them to my PC where I am running a virtual HTTP file server from HFS.

http://www.rejetto.com/hfs/

It's free and very easy to use. once i have HFS running (doesnt need to be installed)I just drag the IPS signature zip file to the HFS file structure (don't forget to creat user credentials on the http file server). Then I give MARS it's needed info. Don't forget to turn off your windows firewall (if your running windows).

Re: Offline Signature Updates

As Dustin mention, you can setup any open/free web server and have your MARS box point to it.

Or you can keep a virtual machine (HTTP server) and power it when you need to upgrade.

However I would highly recommend the automatic upgrade, you can be very specific with your outbound policy as mentioned here:

http://www.cisco.com/en/US/products/ps6241/products_tech_note09186a00808f1279.shtml#P19

Regards

Farrukh

174
Views
0
Helpful
4
Replies
CreatePlease login to create content