Frustration with signature updates

efink
Level 1

It seems that the last signature updates are coming in pairs - if I can be a little ironic. Sometimes there's not even 24 hours of difference between two updates. I don't even have time to apply one signature update, there goes another one. Is Cisco planning to do something to optimize the whole procedure?

Thanks.

7 Replies

a.arndt
Level 3

While I see your point that having two updates in as many days is a pain, I can't help but point out that it could always be worse. Once upon a time, it could take two to three MONTHS to see new signatures, despite the release of various threats into the public domain. Myself, I'd rather get these new and/or re-tuned detection signatures quickly rather than wait for a "regularly scheduled" release.

Because IDS is a key component of a layered defence, having an IDS signature that will detect the latest viral threat as it comes in the front door is really important. I can sleep at night knowing that my IDS will help me identify which systems running an e-mail server are receiving just in case the anti-virus software fails somehow so that I can quickly contain a problem should something go horribly wrong. I realize this won't help me in the "prevention" department, but "detection" is an equally important phase of the Incident Response life cycle. Besides, once I know my other defences have been properly configured and tested, I can always turn the signature(s) off…

Just my two cents,

Alex

Well said Alex, you have my vote regarding this subject.

marcabal
Cisco Employee

Just a few extra comments.

The standard release schedule for signature updates is every 2 weeks for version 4.x sensors.

What we have experienced the last couple of months have been what we term Emergency Signature Updates.

A virus, worm, or exploit has been released that could be very damaging to the machines being attacked. We felt that we should not wait the standard 2 weeks for the release of the update to detect it. So we create the signature and release it as soon as possible. In the situations where you've seen 2 updates being released within 24 hours, this is because either a second virus/worm/exploit was released in the same time frame, or there were issues with the first update that needed quick resolution.

The optimization has not been to limit the number of updates, but instead to optimize (decrease) the time between when an exploit is seen and when the sensor can detect it.

Things to keep in mind:

The signature updates are cumulative (relying on the last service pack to be installed). So you don't have to install every single one. Once you have the latest service pack installed you can simply install the latest signature update and skip the ones in between. So if you don't have time to apply one before the next update comes out, then simply skip it because the signatures are included in that latest update.

The sensor does have an automatic update mechanism that you can use to assist in deploying the updates.

You would still have to manually download the update from CCO, but then you just place it on your own ftp (or scp) server. You configure the sensors to check for new updates on your ftp (or scp) server every couple of hours.

So once you've downloaded the file and placed it on your ftp (or scp) server all of your sensors could be updated within just a few hours with no extra work on your part.

SIDE NOTE: If using IDS MC, the IDS MC team recommends deploying the updates through IDS MC instead of using the automatic update feature in order to keep the IDS MC and sensors in sync.
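The two practical points in the reply above (updates are cumulative against the installed service pack, and sensors can poll an ftp/scp server you stage the file on) can be turned into a small staging-host script. The following is an added example, not code from the thread or from Cisco. It assumes a filename convention of the form IDS-sig-<major>.<minor>-<servicepack>-S<signature>.rpm.pkg, which is an assumption for the sake of the example; the update names in it are constructed. It picks the single newest signature update that matches the service pack the sensors are actually running, lists the intermediate updates that can be skipped, flags updates that would first need a newer service pack, and publishes the chosen file into the directory the sensors poll.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed naming convention (not from the thread):
#   IDS-sig-<major>.<minor>-<servicepack>-S<signature>.rpm.pkg
SIG_PATTERN = re.compile(r"^IDS-sig-(\d+)\.(\d+)-(\d+)-S(\d+)\.rpm\.pkg$")


def parse_update(name):
    """Return (major, minor, service_pack, sig_level) or None for non-signature files."""
    match = SIG_PATTERN.match(name)
    if match is None:
        return None
    return tuple(int(g) for g in match.groups())


def plan_updates(filenames, installed_version, installed_sp):
    """Decide what to do with a set of downloaded update files.

    installed_version: (major, minor) of the sensor software, e.g. (4, 1)
    installed_sp:      service pack level currently installed on the sensors

    Because signature updates are cumulative, only the newest one that matches
    the installed service pack needs to be applied; older matching ones are
    skipped, and ones built against a newer service pack are reported so the
    service pack can be scheduled first.
    """
    applicable = []
    needs_sp = []
    for name in filenames:
        parsed = parse_update(name)
        if parsed is None:
            continue  # service packs, READMEs, etc. are not signature updates
        major, minor, sp, sig = parsed
        if (major, minor) != installed_version:
            continue  # different software train, not relevant to these sensors
        if sp > installed_sp:
            needs_sp.append(name)
        elif sp == installed_sp:
            applicable.append((sig, name))
    applicable.sort()
    apply = applicable[-1][1] if applicable else None
    skip = [name for _, name in applicable[:-1]]
    return {"apply": apply, "skip": skip, "needs_service_pack": sorted(needs_sp)}


def stage_update(src_dir, staging_dir, name):
    """Publish one update into the directory the sensors poll.

    The file is copied under a temporary name and then renamed, so a sensor
    that polls while the copy is in progress never sees a half-written package.
    Returns the final path.
    """
    src = Path(src_dir) / name
    dest = Path(staging_dir) / name
    tmp = dest.with_name(dest.name + ".part")
    shutil.copyfile(src, tmp)
    tmp.replace(dest)  # atomic rename on the same filesystem
    return dest


def demo():
    """Run the whole flow against constructed files in temporary directories."""
    downloads = Path(tempfile.mkdtemp(prefix="cco-downloads-"))
    staging = Path(tempfile.mkdtemp(prefix="sensor-staging-"))
    # Constructed sample downloads: two sig updates for SP3, one for SP4,
    # one service pack, and an unrelated file.
    for name in [
        "IDS-sig-4.1-3-S61.rpm.pkg",
        "IDS-sig-4.1-3-S62.rpm.pkg",
        "IDS-sig-4.1-4-S63.rpm.pkg",
        "IDS-K9-sp-4.1-4-S63.rpm.pkg",
        "README.txt",
    ]:
        (downloads / name).write_bytes(b"constructed placeholder contents")
    plan = plan_updates([p.name for p in downloads.iterdir()], (4, 1), 3)
    staged = stage_update(downloads, staging, plan["apply"])
    return plan, staged


if __name__ == "__main__":
    plan, staged = demo()
    print("apply:", plan["apply"])
    print("skip:", plan["skip"])
    print("needs service pack first:", plan["needs_service_pack"])
    print("staged at:", staged)
```

The skip list is what makes the "you can skip the ones in between" advice concrete: when two emergency updates land within a day, the script applies only the later one. Files that need a newer service pack are never staged silently, since the cumulative guarantee only holds against the service pack the sensors already have.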

Thanks marcabal for your explanation, which gives more precise answers to my question than the first two answers in the thread. My intention is certainly not to configure the appliance and then let it run, I was not talking about that; we all know that the number of threats and vulnerabilities is going up - so everybody should react. That's OK, but it disturbs me when updates are coming in less than a 24-hour period, and from the changes that they include you can feel a certain amount of confusion. That's what I'm talking about, and I still agree that it is better to have 10 signature updates than 0.

My apologies, it is perhaps a bit of misunderstanding of the subject on my part and possibly a bit off the mark with the comment. I am very sorry and do now realise the unprofessionalism of such a comment. I won't let it happen again. Please accept my apology.

Marco does clarify things very well.

Oh, you took it even more seriously than you should. I didn't have that kind of intention. No problem, apology accepted, that's why this is called a discussion forum.

Best regards,

My apologies too - it looks like I climbed on my soap box again...

I guess I've just been using this product for so long that it took me by surprise that anyone would be seemingly complaining about updates coming out too often. I wasn't kidding about things being a whole lot slower in the past.

In any case, your question was directed at Cisco folks and my reply obviously wasn't very helpful at answering your question at all. Thankfully, Marco provided an answer that went right to the heart of your question.

I'll try and rein in my sermons from now on... =)