Wednesday, November 07, 2007

MARS Cisco IPS 6 Dynamic Updates

Beginning in MARS 4.3.1 and 5.3.1, MARS can discover new Cisco IPS signatures and correctly process and categorize received events that match those signatures.

Note that the Dynamic IPS Update feature is not enabled by default and has to be configured as pictured above. There are two ways to get the updates. The first is automatically, on a schedule, from Cisco.com, which requires a valid Cisco.com (CCO) username and password. The second is to download the files manually from CCO and place them on a server that MARS can reach.

From the same page you can test connectivity to the update source or perform an immediate update.


What is in these updates? They provide event normalization and event group mapping, and they let the MARS Appliance parse day-zero signatures received from the IPS devices. They are delivered as an XML file, as pictured below.


Note that these files do not contain detailed information such as vulnerability descriptions. Detailed signature information is provided in later MARS signature upgrade packages, just as with third-party signatures. Custom signatures are not supported.

What happens once MARS gets the update file? The MARS Appliance performs an auto-activate to load the new signature information.

What happens if I do not enable this feature? If it is not configured, events from the new signatures appear as an unknown event type in queries and reports, and MARS does not include them in inspection rules, so anything the sensor detects with a new signature never reaches correlation or incidents.

How often does MARS check for updates? The check is scheduled and can run hourly or daily, as shown below.


Two types of failures can occur, and they are identified in the Status field of the IPS Signature Dynamic Update Settings page:

• Failure to download the package. Verify that the MARS Appliance has connectivity to the specified destination and that it is using the correct username and password.

• Failure to install. This indicates a problem with the package itself, for example corruption during the download. Re-download the package and retry before suspecting the appliance.
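The manual path (download from CCO, stage on a server MARS can reach) and the "failure to install" case above both come down to the same question: is the file MARS is about to fetch the one you downloaded, intact? The following POSIX shell script is an added example written for this page, not a Cisco tool and not the original author's. It verifies a downloaded package against a SHA-256 you recorded at download time (from the download page, or computed on the machine that did the download before the file crosses the network again), checks that the XML is not truncated, and only then publishes it with an atomic rename into the web root your MARS update URL points at. The function names, the web root path and the sample package content are assumptions.

```shell
#!/bin/sh
# Hypothetical staging helper for manually downloaded MARS IPS signature
# update files. Not Cisco tooling; function names and paths are assumptions.
set -eu

# Print the SHA-256 of a file using whichever digest tool is installed.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_package FILE EXPECTED_SHA256
# Returns 0 only if FILE is non-empty, its digest matches EXPECTED_SHA256,
# and it looks like a complete XML document (well-formed if xmllint is
# installed; otherwise it must at least end in a closing '>' rather than
# mid-tag, which is how a truncated download usually looks).
verify_package() {
  pkg=$1
  expected=$2
  if [ ! -s "$pkg" ]; then
    echo "verify: $pkg is missing or empty" >&2
    return 1
  fi
  actual=$(file_sha256 "$pkg")
  if [ "$actual" != "$expected" ]; then
    echo "verify: checksum mismatch for $pkg (got $actual)" >&2
    return 1
  fi
  if command -v xmllint >/dev/null 2>&1; then
    if ! xmllint --noout "$pkg" 2>/dev/null; then
      echo "verify: $pkg is not well-formed XML" >&2
      return 1
    fi
  else
    last=$(tr -d '[:space:]' < "$pkg" | tail -c 1)
    if [ "$last" != ">" ]; then
      echo "verify: $pkg appears truncated" >&2
      return 1
    fi
  fi
  return 0
}

# stage_package FILE EXPECTED_SHA256 WEBROOT
# Verifies FILE, then publishes it under WEBROOT via copy-to-temp and
# rename, so MARS never fetches a half-copied file on its next scheduled
# check. Returns 1 (and publishes nothing) if verification fails.
stage_package() {
  pkg=$1
  expected=$2
  webroot=$3
  verify_package "$pkg" "$expected" || return 1
  name=$(basename "$pkg")
  cp "$pkg" "$webroot/.$name.tmp"
  chmod 0644 "$webroot/.$name.tmp"
  mv "$webroot/.$name.tmp" "$webroot/$name"
  echo "staged $webroot/$name"
}

# Usage: stage_package /path/to/downloaded-update.xml <sha256> /var/www/mars-updates
# (the web root and file name are assumptions; point the MARS update URL at WEBROOT)
if [ "$#" -eq 3 ]; then
  stage_package "$1" "$2" "$3"
fi
```

Point the MARS "manual" update URL at the directory used as WEBROOT, and run the script once per downloaded file; a mismatch or truncated file is rejected before MARS can see it, which turns a silent "failure to install" into an explicit error on the staging host.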

Another thing to check is the Autoupdate process in the MARS CLI.

This is the process that handles the IPS signature updates; you can see its status with the pnstatus command.

How do I check which version of the update is on my MARS Appliance? Go to Help/About.


New events and rules related to the IPS feature. I have listed below some of the new events that relate to this feature; for example, an incident fires if an IPS update was not successful.



Lastly, there are some important considerations in a GC/LC environment. In a Global Controller (GC) / Local Controller (LC) deployment, configure the dynamic signature URL and all related settings on the Global Controller.

When the Global Controller pulls the new signatures from CCO, all managed Local Controllers download the new signatures from the Global Controller.

You may get communication failures if your GC and LCs are running different versions of the IPS update files.



