MARS Signatures

Our CS-MARS 50 is at 4.2.6. Is it possible to update the signatures on it?

Yes, you need to apply the latest patches. They're not cumulative, so they all have to be applied. So, 4.2.7, 4.2.8, 4.3.1, 4.3.2, 4.3.3, 4.3.4. At some point (4.3.1 maybe?) MARS does get separate update functionality for Cisco IDS/IPS signatures only...but you may as well get updated all the way.
http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars

Similar Messages

  • Bad PGP/GPG signatures for all Win32 Mozilla firefox partial.mar files

    I checked the .asc signature for the Mozilla 12.0 update firefox-11.0-12.0.partial.mar and came up with:
    Signature made Fri, Apr 20, 2012 21:24:01 EDT using DSA key ID C52175E2
    BAD signature from "Mozilla Software Releases <[email protected]>"
    The MD5, SHA1 and SHA512 checksums come back OK.

    An interesting interpretation of the facts...
    Cygwin, an OpenSource project of Red Hat Inc., (available at http://cygwin.com) is:
    • a collection of tools which provide a Linux look and feel environment for Windows.
    • a DLL (cygwin1.dll) which acts as a Linux API layer providing substantial Linux API functionality.
    Now, using these tools, specifically the rsync tool (which uses the rsync TCP/IP protocol), I downloaded the update MAR file from the OFFICIAL site using the Rsync address:
    rsync://releases-rsync.mozilla.org::mozilla-releases/firefox/releases/12.0/update/win32/en-US/firefox*.mar*
    (This is equivalent to: http://releases.mozilla.org/pub/mozilla.org/firefox/releases/12.0/update/win32/en-US/)
    This retrieved:
    firefox-11.0-12.0.partial.mar
    firefox-11.0-12.0.partial.mar.asc
    firefox-12.0.complete.mar
    firefox-12.0.complete.mar.asc
    The .asc extension is short for ASCII (alternatively, this could be, by convention, .sig) and contains the digital signature generated using the "Mozilla Software Releases" PGP/GPG key, DSA key ID C52175E2. PGP/GPG are authentication tools that use the RSA encryption algorithm to generate digital signatures that guarantee the veracity of a file or message. The signature for firefox-11.0-12.0.partial.mar does NOT verify. The output of GPG is:
    + gpg --verify firefox-11.0-12.0.partial.mar.asc firefox-11.0-12.0.partial.mar
    ...
    gpg: Signature made Fri, Apr 20, 2012 21:24:01 EDT using DSA key ID C52175E2
    gpg: BAD signature from "Mozilla Software Releases "
    Official MD5, SHA1 and SHA512 checksums are also available for this file and its signature. They DO verify properly. For example:
    + md5sum -c .md5sum (.md5sum is extracted from MD5SUMS)
    ...
    update/win32/en-US/firefox-12.0.complete.mar: OK
    update/win32/en-US/firefox-12.0.complete.mar.asc: OK
    update/win32/en-US/firefox-11.0-12.0.partial.mar: OK
    update/win32/en-US/firefox-11.0-12.0.partial.mar.asc: OK
    Would someone, please, check why a bad PGP/GPG signature for this file is being distributed? All the Mozilla12.0 partial.mar signatures I've checked (en-{GB,US,ZA}, zh-{CN,TW}) are bad.

  • How to convert Cisco IPS signatures to a MARS events - no keyword search

    I am trying to run a scheduled report looking for the new Microsoft exploit under the IPS S411 release, SIGID 19339.0 and I am trying to form the query looking for the event this falls under without using a keyword search on the SIGID. Does anyone know how to correlate an IPS signature to a MARS event?
    Thanks,
    Mike

    With the help of On-box local event correlation technology you can correlate. On-box local event correlation technology not only enables detection, but actually blocks multi-event attacks and malware in real time, complementing security incident management software such as the Cisco Security Monitoring, Analysis, and Reporting System (Cisco Security MARS) that correlate events across multiple devices.
    Integrates with the Cisco Security Manager to correlate security events with the configured firewall rules and intrusion prevention system (IPS) signatures that can affect the security event

  • EOL for mars 20 signature updates?

    The EOL/EOS document for the MARS 20 does not mention when signature updates will end. 
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/end_of_life_notice_c51-470242.html
    The EOL notice for the newer devices lists the date as June 2, 2014
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/eol_c51-636888.html
    Does the MARS 20 use the same file, and will updates continue to be available until June 2, 2014?  If not, what is the date when this will end?
    Thanks
    H

    FYI: I opened a tac case on this and got the following response
    "new MARS20 signature files will be available for automatic download from that URL until June 2 2014, assuming the MARS has a valid support contract and that contract is associated to the CCO account used by MARS box to log in to that URL."

  • MARS: IPS Signature Dynamic Update Failed

    Hello all,
    I checked the signature update on the MARS system and it has had no update for over 6 months.  My bad.  I should have checked this regularly.
    So I tested the connectivity and it said successful.  Did the update now and it failed:
    Download Failed: CS-MARS could not download IPS Signature file - IPS-CS-MARS-Sig-S482.zip
    at Apr 09, 2010 11:51:42 AM EDT
    It seems it does see the new signature out there but the download failed, not sure why.  I manually downloaded the signature, SSHed to
    the box, manually did the pnupgrade using ftp and also got an error:
    CSMARS Upgrade...........[1126]
    Loading..................[IPS-CS-MARS-Sig-S481.zip]
        User.................[myID]
        Protocol.............[ftp]
        Host.................[x.xx.xx.xx]
        Path.................[CiscoIOS/IPS-CS-MARS-Sig-S481.zip]
        Modified.............[Thu, 08 Apr 2010 13:19:11 GMT]
        Size.................[632711]
    ######################################################################## 100.0%
    [Alert][get_pkg_info/223]: no IPS-CS-MARS-Sig-S481.zip package info.
    [Alert][main/265]: fail to find IPS-CS-MARS-Sig-S481.zip version info.
    Strip Meta Data..........[IPS-CS-MARS-Sig-S481.zip]
    Decrypt Package..........[IPS-CS-MARS-Sig-S481.zip]
    [Error][decrypt_pkg/181]: fail to decrypt IPS-CS-MARS-Sig-S481.zip(2).
    So from there, maybe the file was corrupted, so I did the same for S480, S479, S478 and got the same error.
    Checked the thread in the community and followed the same steps that are in the thread and I am still getting nowhere.
    Case is opened and still going nowhere.
    If anyone ran into this problem before and had a solution for this, it is appreciated.
    Thank you.

    It does not support manually downloading the file and performing the update.
    Please use either local web server or direct connection to cisco.com site from the MARS as follows to update the IPS signature:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/chIpsCisoc6x.html#wp440709
    Hope that helps.

  • Mars box MARS box v4.3.5 (2838) IPS Signature Version 330 upgrade

    Hi, I have the software MARS box v4.3.5 (2838) IPS Signature Version 330
    Is there any upgrade available for it?
    Where can I find info for upgrading the software and IPS Signature on Cisco Web Site?
    I also want to integrate CiscoWorks, LMS 2.6 to send SNMP Trap Notification to the MARS box v4.3.5 (2838) IPS Signature Version 330. Is it possible and what would be the port # on the MARS box?

    You are already running the latest software for the Generation 1 MARS appliances. You can find newer updates here:
    http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars
    For IPS, it is better to turn on automatic updates. Just go to:
    Admin >> System Setup >> IPS Signature Dynamic Update Settings
    The URL is already set there, just put your CCO username/password and click 'Update Now' then hit 'Submit'. I think the current Signature release is 352. You can manually download them from here if you like:
    http://www.cisco.com/cgi-bin/tablebuild.pl/mars-ips-sigup
    Please rate if helpful.
    Regards
    Farrukh

  • Using IPS 6.3 customized signatures in CS MARS

    A client has a Cisco IPS 6.3 module installed in a Catalyst 6500, *with fully customized signatures* which generate thousands of alerts clearly visible in its IPS Event Viewer.
    MARS is pulling info from that IPS, but the customized signatures do not appear in any Incident. Is it possible for MARS to pull all those customized signatures??
    Thanks in advance

    The first step is to get MARS to parse the event. The next step is to create the necessary inspection rules.
    You can start here:
    http://ciscomars.blogspot.com/2008/03/custom-ips-signatures-with-cisco-mars.html

  • IOS required for signatures to send to MARS

    I understand there is IOS that contains security signatures that can send syslog messages back to MARS for signatures alerts. Are these signatures in IP Base or is there another train required? I tried doing the software advisor tool but couldn't find anything. Thanks!
    Mike.

    You do not get the IDS/IPS features in the IP Base IOS. The feature you're looking for is IDS and/or IPS. It is included in the Enhanced Security and FW/IDS IOS releases. Please note there are significant changes between pre and post 12.4.11T IOS releases (mostly the difference between ver 4.x and ver 5.x signatures).
    If you want reporting data fed into CSM, you will get more data fields if the signature event stream is SDEE rather than Syslog.

  • IPS Signature Update Support on MARS?

    Hello,
    Is it possible to update MARS to understand and process the latest/greatest release version of IPS signatures we have deployed to our production sensors? All I have been able to find so far are the periodic update packages released as software downloads for MARS, the most recent example being the csmars-4.2.6.2458.pkg update. I have to believe I'm missing something here.
    Thanks in advance for the assistance.
    Regards,
    Chad

    That's what I was afraid of. I have to hope that they address this soon; we've been using VMS for years and have grown used to having signatures understood as soon as they are updated. Interestingly we also run a 3rd party SIM that tends to run about a week behind Cisco's signature release to the time they (3rd party SIM vendor) release their pattern update to support the latest Cisco signatures...
    Thanks for the answer!
    Regards,
    Chad

  • Crash: ID: 6db3244b-003c-437c-ae9b-ac4262130301 Signature: d3d11.dll@0xe6314 01-Mar-2013 23:53

    I am running firefox on windows 7 64-bit
    Firefox started crashing this morning after a windows update yesterday/last night 27-Feb-2013 (USA time). The updates installed:
    * Platform Update for Windows 7 x64-Edition (KB2670838), Installation date: 27-Feb-2013 22:16
    * Security Update for Windows 7 for x64-based Systems (KB2799494), Installation date: 14-Feb-2013 12:01
    It is unlikely that the 14-Feb update was a problem as I was happily able to run Firefox until I rebooted.
    After my trouble and many many crashes, I tried to install the v21 Aurora -- same failures. I went back to v19 again with a clean install. But somehow both installs remembered add-ins.
    I think deleted the folders and installed v18 -- Same persistent crash behaviour.
    Finally for this bug report. I rebooted, checked everything is not installed. Deleted the firefox folders. I then emptied the recycle bin. I rebooted and ran chkdisk to establish that it wasn't some disk problem.
    After reboot I reinstalled the v18 download (this error report's version) with out the maintenance program.
    * Firefox Setup 18.0b7.exe
    There are no add-ins except programmatic ones:
    * zonealarm
    * bytecode optomiser
    * feedback
    See troubleshooting installation information below.
    Safe mode appears to function, so my guess something else must happen. ZoneAlarm hasn't been updated recently. It worked last night (which incidentally was the 28-Feb here in Australia).
    As a clean install, you can't get a clearer picture than that, that here is a problem that should NOT happen. Or if it 'does' happen -- It should not happen IN THIS WAY.
    For example, safe mode or some intermediate debugging mode should allow me to select add-ins one by one to enable and to test that way which one is going kaput.
    Secondly. I didn't have the internet on when I started FireFox. Deliberately because I know some add-in will get updated when Firefox begins and I didn't want that.
    I didn't install the maintenance program for two reasons. One is it might update something before I'd had a chance to do tests -- As it turned out Firefox crashes immediately. So there were no other tests to undertake. The second reason is that the installer doesn't ask for a path folder to install the maintenance program. I think that's an oversight.
    That's all ... my email is [email protected]
    Please send a comment if you know what the problem is. I'm now two days behind so I won't be too much help as an experimental subject. Ask all the same I'm happy to install a patch or test a fix, or run a diagnostic script, etc. Just it may not come back immediately.
    Cheers,
    Will

    Heya,
    if you can get a Firefox window open, go to Tools > Options. Click the Advanced tab, select General, then uncheck "Use hardware acceleration when available" and click OK.

  • Multiple digital signatures in one file

    I have a client who wants me to combine 4 different forms into one--then--require a digital signature by the same person after each independent form. So that would be 4 digital signatures total. And all identical. I'm using a different name per each field so there's no conflict.
    It appears to work fine until I have it submit dynamically with a PHP script via email inbox.
    When I open the PDF (having crunched the info back in from an FDF) the data is there EXCEPT the digital signatures.
    Can someone point me to a tutorial?
    Best regards,
    Mare

    Hi Mare,
    You cannot merge files and expect that the digital signatures will be preserved. When you sign a file you are signing all of the bytes in that file, and only that file. Once you combine files you are creating a new unsigned file. If someone were to sign the new file they are signing all of the bytes in the new file, not just some of the bytes. There is no "page level" signing in PDF files, only whole file signing.
    You can however put the signed files into a Portfolio file. A Portfolio keeps the files separate. Think of a Portfolio like a file cabinet in the physical world. Just because you put different files into the file cabinet drawer, they don't merge.
    Steve

  • IPS Signature Updates with no Internet Access

    Hi all,
    I've got a bit of an interesting dilemma that I'm hoping that someone could help with. I have two distinct networks: A "regular" network, along with a "secure" network. I've not been involved in the setup/configuration, but I've been handed some work to do now that has me puzzled.
    The two networks are separated with a pair of ASA devices with IPS modules installed. User access to the secure side works by using Cisco VPN client, terminating on the ASA's, and once connected applications are delivered via Citrix. Management of the ASA's involves connecting via management VPN to the "external" ASA interface, connecting to a management server via Citrix and from there, management via MARS, ASDM & IME.
    My issue is that I have been asked to configure auto-updates for the IPS modules. However, there is no internet access from the secure network. Servers on the secure side can request files, etc, from the regular side but there is no direct access can be initiated from the regular side back to the secure network. There are no ASA devices that are contactable/manageable from the regular side.
    I've read that it's possible to somehow download updates from cisco.com via FTP or similar, but I fail to see how I can automate the process. What I originally thought to do was to install another copy of IME on the regular network, set up a dummy device and there on configure auto-updates, but unfortunately the IPS needs to be contactable for that to work.
    Can anybody think of a solution that could make this work for me?

    Hi Jennifer,
    Thanks for that, but the instructions in that document appear to be related to updating a sensor from an FTP server where the updates have already been copied to it.
    I have searched and searched, but I'm unable to locate the relevant location to download the signatures direct via FTP/SCP. I have attempted to locate them on ftp.cisco.com, but with no luck.
    Regards,
    James

  • Multiple Digital Signatures in one Form

    Hello
    I have an Interactive Forms that requires the digital signing of 6 different users. There is a control under the Web Dynpro Native named : Signature : Sign and Lock which allows multiple signatures but I am not able to use it correctly.
    I need to associate text fields in the form to a certain signature so when the user signs them they are locked BUT but I need to be able to have other text fields open so another user can sign the form. It is only when the second user signs the form that the remaining text fields are locked
    Any idea ?
    Eyal

  • SAP Digital signature solution in Invoice output PDF document

    Hi,
    We are trying to POC SAP Digital signature solution for Invoice output pdf document based on the OSS note 700495 implementation guide.
    - Defining the log structure and database table.
    - Defining signature single step and authorization group and assignment.
    - Completed the configuration steps including system signature with authorization by SAP user id and password.
    - Release strategy and Archiving NOT implemented for this solution as they are not required as of now.
    Checked the above settings using DSIG_BOOKING_EX sample program and the same executed successfully without any errors and we can see the result 'Signature process was successfully completed by user XXXXXX'. Also we can view the signature log in DSAL Transaction.
    Similar to the sample program code, Implemented the signature call in user exit ZXMCVU05(EXIT_SAPLMCS6_001) for Invoice output digital signature during VF01 create transaction.
    In the process signature call processed successfully but the output PDF document does not have any signature.
    Please let me know why digital signature NOT applied to invoice output pdf file. Is there any other process that need to be done?
    Also if you have implemented any similar solution, please provide me the details on the same.
    Thanks!

    Ritwika,
    Are the User Name and Password correct?  Is the User assigned to the SAP_XMII_User role in Netweaver?  On the iCommand's Security screen, is the SAP_XMII_User assigned as a Reader role?
    Have you checked the Netweaver log?  There may be more detailed information there.
    Kind Regards,
    Diana
    Edited by: Diana Hoppe on Mar 3, 2011 9:50 AM

  • IDS/IPS signatures to monitor streaming audio/video applications

    Hi folks,
    Can someone advise on the names or signatures that could be successfully used to monitor the usage of streaming applications on the network. The plan is to feed them to MARS and then create reports on streaming applications utilization to use it later for creating a security policy preventing bandwidth stealing.
    Perhaps any suggestions on how to create a custom signature to monitor audio and video streams would be appreciated.
    Eugene

    Hi Blayne,
    I really appreciate your answers and time you spent. I wish this would be helpful not to me only. I'm still confused by all the intrinsic details of how to make a good custom signature. Is there any good guide? Maybe TAC has its internal guide on how to troubleshoot and create custom signatures based on regex and content type. I'm looking at the TCP packets of the capture made while watching youtube video and this is what comes from the server:
    HTTP/1.1 200 OK
    Date: Mon, 05 Jul 2010 23:58:12 GMT
    Server: wiseguy/0.6.2
    X-Content-Type-Options: nosniff
    Content-Encoding: gzip
    Set-Cookie: watched_video_id_list=5097f00beb9a2acf9d11293e6452d9adWwMAAABzCwAAAE9UeklpcE45UGg4cwsAAABvOS1VX0l2ME83OHMLAAAAS0V4c0FTRDAtOTg=; path=/; domain=.youtube.com
    Expires: Tue, 27 Apr 1971 19:44:06 EST
    X-YouTube-MID: pcVY4SnBmeDVtZHpoUkNiVkVOZmpxQzR4SDZFZXMwOWxYeFk3QXk4TVhpWjRKRkNUX2I5U1lB
    Cache-Control: no-cache
    Content-Type: text/html; charset=utf-8
    Content-Length: 17503
    I tried to make TCP String based signature and match it against  \.[Yy][Oo][Uu][Tt][Uu][Bb][Ee]\.[Cc][Oo][Mm]\. No luck
    Then I tried to create HTTP String based signature and by looking at the HTTP portion of the packet which looks like:
    GET /watch?v=OTzIipN9Ph8&feature=related HTTP/1.1
    Host: www.youtube.com
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16
    Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Referer: http://www.youtube.com/watch?v=o9-U_Iv0O78&playnext_from=TL&videos=PhuEJ6wyeKs&feature=rec-LGOUT-real_rev-rn-3r-7-HM
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Cookie: watched_video_id_list=8c0482051639fa5ffa488173dfe5001aWwIAAABzCwAAAG85LVVfSXYwTzc4cwsAAABLRXhzQVNEMC05OA==; GEO=fb0890c2d1c0f42b3dc126c2e6b9f771cwsAAAAzQ0EYVCBMTDJvAA==; PREF=f1=40000000; VISITOR_INFO1_LIVE=DM3zU9wKOmE; use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
    Connection: keep-alive
    I enabled Header Regex to match against [Hh][Oo][Ss][Tt]\:.\.[Yy][Oo][Uu][Tt][Uu][Bb][Ee]\.[Cc][Oo][Mm]\. and still no luck
    I intentionally used Header regex as I assume that HTTP header portion starts after the first CRLN (\r\n) and ends with CRLNCRLN (\r\n\r\n)
    Eugene
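
The two patterns quoted in the post above, run against abridged copies of the captured headers to show the first pattern element that fails on each. This is an added example, not part of the original thread: Python's `re` stands in for the sensor's regex engine (an assumption; confirm any pattern in the sensor's own syntax), and `FIXED_HEADER_REGEX`, the helper functions and the sample strings are constructed for illustration.

```python
import re

# Patterns exactly as quoted in the post.
TCP_STRING = r"\.[Yy][Oo][Uu][Tt][Uu][Bb][Ee]\.[Cc][Oo][Mm]\."
HEADER_REGEX = r"[Hh][Oo][Ss][Tt]\:.\.[Yy][Oo][Uu][Tt][Uu][Bb][Ee]\.[Cc][Oo][Mm]\."
# Hypothetical replacement (not from the thread): allow any run of non-CR/LF
# characters between "Host:" and the domain, and drop the trailing literal dot.
FIXED_HEADER_REGEX = r"[Hh][Oo][Ss][Tt]:[^\r\n]*[Yy][Oo][Uu][Tt][Uu][Bb][Ee]\.[Cc][Oo][Mm]"

# Constructed samples, abridged from the headers quoted in the post.
REQUEST = (
    "GET /watch?v=OTzIipN9Ph8&feature=related HTTP/1.1\r\n"
    "Host: www.youtube.com\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n\r\n"
)
# The response body is gzip-compressed (Content-Encoding: gzip), so only the
# headers carry literal text a string signature could see.
RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Encoding: gzip\r\n"
    "Set-Cookie: watched_video_id_list=abridged; path=/; domain=.youtube.com\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
)
# Constructed negative case: the domain appears in Referer only, not in Host.
OTHER_SITE = (
    "GET / HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "Referer: http://www.youtube.com/watch\r\n\r\n"
)

# One pattern element: a [...] class, an escaped character, or a single character.
_ATOM = re.compile(r"\[[^\]]+\]|\\.|.")


def first_match(pattern, text):
    """Return the first matched substring, or None when the pattern does not match."""
    m = re.search(pattern, text)
    return m.group(0) if m else None


def longest_matching_prefix(pattern, text):
    """Return (elements matched, total elements, matched text) for the longest
    leading part of the pattern that is found somewhere in text."""
    parts = _ATOM.findall(pattern)
    for n in range(len(parts), 0, -1):
        hit = first_match("".join(parts[:n]), text)
        if hit is not None:
            return n, len(parts), hit
    return 0, len(parts), ""


def explain(pattern, text):
    """Describe a match, or name the first pattern element that cannot be satisfied."""
    n, total, hit = longest_matching_prefix(pattern, text)
    if n == total:
        return f"MATCH {hit!r}"
    failed = _ATOM.findall(pattern)[n]
    return f"NO MATCH: stops at element {n + 1} ({failed!r}) after matching {hit!r}"


if __name__ == "__main__":
    for name, pat, text in [
        ("tcp string/response", TCP_STRING, RESPONSE_HEAD),
        ("header regex/request", HEADER_REGEX, REQUEST),
        ("fixed regex/request", FIXED_HEADER_REGEX, REQUEST),
        ("fixed regex/other", FIXED_HEADER_REGEX, OTHER_SITE),
    ]:
        print(f"{name:22} {explain(pat, text)}")
```

On these samples the header regex stops at the `\.` that follows the single `.` after `Host:` (the text there is ` www`, not one character and a dot), and the TCP string stops at its final `\.` because `com` is followed by CRLF.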
