Here is my current situation. I am running MARS application version 4.2.1. I have a test environment of one 2821 router with IPS module, version 12.4T; one 2621 router with NetFlow, running version 12.2; one 2950 OS switch; and a standalone MARS server. When I run the scenario to test the response time (the time it takes MARS to notify me of the attack), it takes anywhere from half an hour to an hour before the alarm shows up in the event dashboard. Is there a way to improve the response time? Secondly, I see the IPS signatures in the syslog, but I do not see them in my MARS application when investigating an attack. If I run a real-time query I see everything, but I can't investigate the attack.
I would question the usefulness of a POC if you're not running the latest version of the software. Cisco should provide the latest update to you. The DST issue, for example, caused some major problems for us.
Run a real-time event query to determine if the events you are generating are being "collected" immediately. If they are, what are the events? What rule are you expecting to fire? Here is a description of how the rules should work (they should fire right away, before any throttling starts).