MARS and IPS Reports

dvergau
Level 1

Currently we are using VMS to run daily reports on our high-severity events on our IPS sensors. We are holding out on going to CSM until we get this style of report moved onto our MARS appliance. Has anyone created a report in MARS for high-severity events that includes source IP and port, destination IP and port, timestamp, and event type, and that can be exported to CSV? I tried All Matching Sessions with custom columns, and that outputs HTML correctly, but I hit a bug when you try to output .csv. (Cisco states the bug should be fixed by year end.)

I am open to any thoughts or recommendations for using MARS to generate reports to give to SOX auditors regarding IPS events.

Thanks

6 Replies

mhellman
Level 7

This shouldn't be difficult, so maybe I'm not understanding what you need. I just created a "custom columns ranked by time" report that shows only IPS red-severity events with CSV output, and it looks fine. Here is the format of my results:

Id,EventSourceAddress,EventSourcePort,EventDestinationAddress,EventDestinationPort,Protocol,ReceiveTime

34891055456,206.195.198.21,2803,162.131.63.109,80,6,"Aug 24, 2007 8:29:42 AM CDT"

Hmmm... just noticed something. No event type. The CSV output has always been a little odd, because it includes different fields than the HTML output (different from what was selected, too). I'll try again.

Yeah, that's the bug (now they are calling it a feature request) I am hitting. The HTML output has everything I need; however, we output to CSV for archiving for SOX. Thanks

It's all coming back to me. I think there have been issues with the CSV output for a long time... I vaguely remember looking at the CSV output and thinking "hmmm, totally different columns than the HTML". I didn't care at the time because we didn't use the CSV output. Feature request? Yeah, okay. What kind of design results in different row-level data when switching output format from HTML to CSV? You could use the raw data if MARS didn't ALSO have a bug where it completely horked up IPS raw messages.

FWIW, we process/massage HTML reports from MARS on an external system. There are lots of tools that do this (we use Perl) but it wasn't too difficult.
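One way to do the HTML-to-CSV massaging described above, written here as an added example in Python rather than the poster's Perl (this is not the poster's script and not anything Cisco ships with MARS). It reads the HTML table of a "custom columns" report, keeps only rows whose severity column is red/high, and writes a CSV with the columns the original question asked for. The sample report and its column headings ("Severity", "Event Type", "Source IP", and so on) are constructed assumptions; change WANTED and the severity values to match the headings the real MARS HTML report emits.

```python
"""Extract high-severity IPS events from a MARS-style HTML report into CSV.

Added example, not the poster's Perl and not Cisco code. The column
headings and the sample report below are assumptions.
"""
import csv
import io
from html.parser import HTMLParser

# Constructed sample resembling a "custom columns" HTML report (assumption).
SAMPLE_HTML = """
<html><body><h2>Custom columns ranked by time</h2>
<table border="1">
<tr><th>Id</th><th>Severity</th><th>Event Type</th><th>Source IP</th><th>Source Port</th>
    <th>Destination IP</th><th>Destination Port</th><th>Protocol</th><th>Time</th></tr>
<tr><td>34891055456</td><td>Red</td><td>WWW IIS Unicode Attack</td><td>206.195.198.21</td><td>2803</td>
    <td>162.131.63.109</td><td>80</td><td>6</td><td>Aug 24, 2007 8:29:42 AM CDT</td></tr>
<tr><td>34891055457</td><td>Yellow</td><td>ICMP Echo Request</td><td>10.1.1.5</td><td>0</td>
    <td>10.2.2.9</td><td>0</td><td>1</td><td>Aug 24, 2007 8:30:01 AM CDT</td></tr>
<tr><td>34891055458</td><td>Red</td><td>SQL Query in HTTP Request</td><td>198.51.100.7</td><td>51234</td>
    <td>192.0.2.20</td><td>443</td><td>6</td><td>Aug 24, 2007 8:31:17 AM CDT</td></tr>
</table></body></html>
"""

# Columns the auditors want, in output order (heading names are assumptions).
WANTED = ["Time", "Event Type", "Source IP", "Source Port",
          "Destination IP", "Destination Port"]


class ReportTableParser(HTMLParser):
    """Collect every <tr> of top-level tables as a list of cell strings."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None
        self._cell = None
        self._depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._depth += 1
        elif tag == "tr" and self._depth == 1:
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            # Collapse whitespace so multi-line cells compare cleanly.
            self._row.append(" ".join("".join(self._cell).split()))
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None
        elif tag == "table":
            self._depth -= 1

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def parse_report(html):
    """Return the report rows as dicts keyed by the header cells."""
    parser = ReportTableParser()
    parser.feed(html)
    parser.close()
    if not parser.rows:
        return []
    header, body = parser.rows[0], parser.rows[1:]
    records = []
    for cells in body:
        if len(cells) != len(header):
            continue  # skip malformed or spanning rows instead of misaligning columns
        records.append(dict(zip(header, cells)))
    return records


def high_severity(records, column="Severity", levels=("Red", "High")):
    """Keep only rows whose severity column is one of the given levels."""
    return [r for r in records if r.get(column) in levels]


def to_csv(records, columns=WANTED):
    """Serialise the selected columns; fields with commas (timestamps) get quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for record in records:
        writer.writerow(record)
    return buf.getvalue()


def convert(html, columns=WANTED):
    """HTML report -> CSV of high-severity events with the wanted columns."""
    return to_csv(high_severity(parse_report(html)), columns)


if __name__ == "__main__":
    print(convert(SAMPLE_HTML), end="")
```

Because the parser keys every row by the header text rather than by position, the script keeps working when the report's column order changes, and a row whose cell count does not match the header is dropped rather than written with shifted columns, which matters when the CSV is what goes into the audit archive.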

Thanks for the suggestion. I think we are going to look at other options since MARS can't seem to do what we want.
