Friday, January 18, 2008

Gen1 and 2 - Cisco IPS Part 3

Okay Dokey, how do you add more than one Custom Signature at a time?

This again is not documented, so i`ve experimented with a test box i have, and basically copied the format that the dynamic IPS updates use.

Consider the example below, 2 Custom Sigs are in the XML file, one in RED and one in BLUE, with the remaining XML headers in bold.

And this works fine..


Troubleshooting

Now an important note to remember is that once you define a Custom IPS sig, this cannot be deleted, but can be overwritten.

Now you can tell when you have been successful with an update, since the uploaded version and updated Version numbers will be the same. (plus you will be able to see the events under Event Management)

But what can you do, when you get this error?

Well for a start i`d check for the format of the XML file is correct!, but also there may be some tell tale signs in the Backend Log. This can be viewed by pnlog show backend from the CLI or Admin/System Maintenance/View Log Files from the GUI.


You will also receive an incident from MARS, notifying that you have not been successful.

Incidently if you are successful the backend log will look something like this..


I hope this helps.

4 comments:

Hoffa said...

It seems to me that this feature only applies to the 5.3 version of MARS. I've tried to get the XML to be accepted by my 4.3.2 without success. Log continues to show "Autoupdate: XMLparse EMPTY ETDesc". This field isn't supplied in the 5.3 manual or on this blog

Chris Durkin said...

Have you used the correct header format for 4.3.2 ?

Hoffa said...

Where would I find documentation on the 4.3.2 headers?

Chris Durkin said...

www.cisco.com/en/US/docs/security/security_management/cs-mars/4.3/user/guide/local_controller/cfgidsn.html#wp1222674

4.3.2 ...

encoding="ISO-8859-1"

5.3.2 ...
encoding="UTF-8"