03-16-2004 03:49 AM - edited 03-09-2019 06:45 AM
It seems that the last signature updates are coming in pairs - if I can be a little ironic. Sometimes there's not even 24 hours of difference between two updates. I don't even have time to apply one signature update, there goes another one. Is Cisco planning to do something to optimize the whole procedure?
Thanks.
03-16-2004 06:48 AM
While I see your point that having two updates in as many days is a pain, I can't help but point out that it could always be worse. Once upon a time, it could take two to three MONTHS to see new signatures, despite the release of various threats into the public domain. Myself, I'd rather get these new and/or re-tuned detection signatures quickly rather than wait for a "regularly scheduled" release.
Because IDS is a key component of a layered defence, having an IDS signature that will detect the latest viral threat as it comes in the front door is really important. I can sleep at night knowing that my IDS will help me identify which systems running an e-mail server are receiving
Just my two cents,
Alex
03-16-2004 06:59 AM
Well said Alex, you have my vote regarding this subject.
03-16-2004 10:02 AM
Just a few extra comments.
The standard release schedule for signature updates is every 2 weeks for version 4.x sensors.
What we have experienced the last couple of months have been what we term Emergency Signature Updates.
A virus, worm, or exploit has been released that could be very damaging to the machines being attacked. We felt that we should not wait the standard 2 weeks for the release of the update to detect it. So we create the signature and release it as soon as possible. In the situations where you've seen 2 updates be released within 24 hours this is because either a second virus/worm/exploit was released in the same time frame, or there were issues with the first update that needed quick resolution.
The optimization has not been to limit the number of updates, but instead to optimize (decrease) the time between when an exploit is seen and when the sensor can detect it.
Things to keep in mind:
The signature updates are cumulative (relying on the last service pack to be installed). So you don't have to install every single one. Once you have the latest service pack installed you can simply install the latest signature update and skip the ones in between. So if you don't have time to apply one before the next update comes out, then simply skip it because the signatures are included in that latest update.
The sensor does have an automatic update mechanism that you can use to assist in deploying the updates.
You would still have to manually download the update from CCO, but then you just place it on your own ftp (or scp) server. You configure the sensors to check for new updates on your ftp (or scp) server every couple of hours.
So once you've downloaded the file and placed it on your ftp (or scp) server all of your sensors could be updated within just a few hours with no extra work on your part.
SIDE NOTE: If using IDS MC, the IDS MC team recommends deploying the updates through IDS MC instead of using the automatic update feature in order to keep the IDS MC and sensors in sync.
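The "cumulative, skip the ones in between" rule above can be turned into a small staging-server check. This is an added example, not Cisco's code or the sensor's own auto-update logic; the package filename convention `sig-<major>.<minor>-<sp>-S<level>.pkg` and the sample file list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed naming convention for this example (an assumption, not the real
# Cisco file names): "sig-4.1-3-S85.pkg" = signature level S85, built for
# service pack 4.1(3). Higher S-level is newer and contains all earlier levels.
PKG_RE = re.compile(r"^sig-(\d+)\.(\d+)-(\d+)-S(\d+)\.pkg$")


@dataclass(frozen=True)
class SigUpdate:
    version: Tuple[int, int, int]  # (major, minor, service_pack) it relies on
    level: int                     # cumulative signature level (S-number)
    filename: str


def parse_update(filename: str) -> Optional[SigUpdate]:
    """Parse a staged file name; return None for anything that is not a signature package."""
    m = PKG_RE.match(filename)
    if not m:
        return None
    major, minor, sp, level = (int(x) for x in m.groups())
    return SigUpdate((major, minor, sp), level, filename)


def select_update(installed_sp: Tuple[int, int, int], installed_level: int,
                  staged_files: List[str]) -> Tuple[Optional[str], List[str], List[str]]:
    """Pick the single package a sensor should apply from the staging (ftp/scp) directory.

    Returns (package_to_apply, skipped_intermediates, blocked_by_service_pack).
    Only the newest applicable level is applied; older staged levels are skipped
    because updates are cumulative; packages built for a different service pack
    are reported so the operator knows a service pack install must come first.
    """
    applicable, blocked = [], []
    for name in staged_files:
        u = parse_update(name)
        if u is None or u.level <= installed_level:
            continue  # not a package, or sensor already at/above this level
        if u.version != installed_sp:
            blocked.append(u.filename)
            continue
        applicable.append(u)
    if not applicable:
        return None, [], blocked
    applicable.sort(key=lambda u: u.level)
    newest = applicable[-1]
    return newest.filename, [u.filename for u in applicable[:-1]], blocked
```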
03-17-2004 03:39 AM
Thanks marcabal for your explanation which gives more precise answers to my question than the first two answers in the thread. My intention is certainly not to configure the appliance and then let it run, I was not talking about that, we all know that the number of threats and vulnerabilities is going up - so everybody should react. That's OK, but it disturbs me when updates are coming in less than a 24-hour period and from the changes that they include you can feel a certain amount of confusion. That's what I'm talking about and I still agree that it is better to have 10 signature updates than 0.
03-17-2004 07:31 AM
My apologies, it is perhaps a bit of misunderstanding of the subject on my part and possibly a bit off the mark with the comment. I am very sorry and do now realise the un-professionalism of such a comment. I won't let it happen again. Please accept my apology.
Marco does clarify things very well.
03-18-2004 02:45 AM
Oh, you took it even more seriously than you should. I didn't have that kind of intention. No problem, app. accepted, that's why this is called a discussion forum.
Best regards,
03-18-2004 09:29 AM
My apologies too - it looks like I climbed on my soap box again...
I guess I've just been using this product for so long that it took me by surprise that anyone would be seemingly complaining about updates coming out too often. I wasn't kidding about things being a whole lot slower in the past.
In any case, your question was directed at Cisco folks and my reply obviously wasn't very helpful at answering your question at all. Thankfully, Marco provided an answer that went right to the heart of your question.
I'll try and rein in my sermons from now on... =)