CS-MARS and custom IPS signatures

Nov 13th, 2007


Has anyone an idea how to get CS-MARS to properly parse custom signatures from an IPS 6.x? MARS seems to disregard the name of the signature, the severity and the new-to-version-6 MARS category, and regards everything as "Unknown event". Not much of an advantage to create a MARS category flag for custom signatures if MARS can't understand it.



pmccubbin Tue, 11/13/2007 - 08:43

Hi Fredik,

I'm not sure if this is of any help, and I haven't used it myself to date. Though I was wondering if you had the correct software version installed to give it a try.

"Dynamic Signature Update capability provides Cisco Security MARS with the ability to recognize events that are generated by a Cisco IPS device in versions 5.x and 6.x. Beginning in release 4.3.1 and 5.3.1, Cisco Security MARS can discover the new signatures and correctly process and categorize received events that match those signatures. These updates provide event normalization and event group mapping, and they enable the Cisco Security MARS to parse Day Zero signatures from the Cisco IPS device. The downloaded update information is an XML file that contains the Cisco IPS signatures. This feature set provides improved security by way of automation and ease of use to the user.

The Dynamic IPS Update feature is not enabled by default. Now there are two ways to get the updates. One is automatically (via a schedule) from Cisco, where a valid username and password is required (i.e., a CCO account). The second is to download the files manually from CCO, and place these on a server that MARS will have access to.

Once MARS gets the update file, the MARS Appliance performs an auto-activate to load signature information.

If this feature is not configured, the events appear as unknown event type in queries and reports, and MARS does not include these events in inspection rules.

The MARS appliance checks for Updates on a configurable schedule, which can be hourly or daily."

Hope this helps. Please let the forum know if this has been useful.



hoffa2000 Tue, 11/13/2007 - 08:53

The feature you are describing allows the MARS to stay current with the Cisco release of signatures applied on the IPS, that's true. This does however not solve my problem, since my signatures are created locally on the IPS and not connected to Cisco.


mhellman Tue, 11/13/2007 - 09:28

There is no way to map the event for custom IPS alarms. The best you can do is to create an inspection rule or rules with a keyword matching the sigid-subsigid. so:


In the rules themselves you would describe the alarm.
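A way to prototype the sigid-subsigid keyword approach offline, as an added example that is neither MARS configuration nor code from anyone in this thread; the key=value alert layout, the signature IDs, the severity colours and the custom-signature table are all assumed or constructed.

```python
"""
Added illustration, not MARS configuration and not code from anyone in this thread:
identify custom IPS signatures by their sigid/subsigid pair, as the keyword-rule
workaround above does, and assign a locally maintained severity. The alert format,
signature IDs and severities are constructed sample data.
"""
SEVERITY_RANK = {"green": 0, "yellow": 1, "red": 2}

# Local catalogue of custom signatures: (sigid, subsigid) -> (name, severity).
# Constructed entries; custom IPS signatures are commonly numbered 60000 and up.
CUSTOM_SIGS = {
    (60001, 0): ("Internal tool beacon", "red"),
    (60002, 1): ("Unauthorized SNMP write attempt", "yellow"),
}

# Constructed alert lines in an assumed key=value layout.
SAMPLE_ALERTS = [
    "ts=2007-11-13T08:43:00 sensor=ips01 sigid=60001 subsigid=0 src=10.0.0.5 dst=203.0.113.9",
    "ts=2007-11-13T08:44:00 sensor=ips01 sigid=2004 subsigid=0 src=10.0.0.7 dst=10.0.0.1",
    "ts=2007-11-13T08:45:00 sensor=ips01 sigid=60002 subsigid=1 src=10.0.0.9 dst=10.0.0.1",
]

def parse_alert(line):
    """Split a key=value alert line into a dict; sigid/subsigid become ints."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {**fields, "sigid": int(fields["sigid"]), "subsigid": int(fields["subsigid"])}

def classify(line):
    """Return (keyword, name, severity). Matching on the parsed pair rather than a raw
    substring avoids 'subsigid=0' also matching 'subsigid=01'. Unmapped signatures
    get the Unknown event / green default described in the thread."""
    a = parse_alert(line)
    key = (a["sigid"], a["subsigid"])
    keyword = f"{key[0]}-{key[1]}"
    name, sev = CUSTOM_SIGS.get(key, ("Unknown event", "green"))
    return keyword, name, sev

def incident_severity(lines):
    """An incident takes the highest severity among its events."""
    return max((classify(l)[2] for l in lines), key=SEVERITY_RANK.__getitem__)

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(classify(line))
    print("incident severity:", incident_severity(SAMPLE_ALERTS))
```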

hoffa2000 Tue, 11/13/2007 - 11:30

That is an approach I've considered and tested. However, I can't seem to get the rules/events to fire with any severity higher than green. Any suggestions?


mhellman Tue, 11/13/2007 - 11:37

Can't be fixed, unfortunately, because that's the severity level of the "unknown device event" event type. Incidents have the severity level of the event with the highest severity contained within them.

hoffa2000 Wed, 11/14/2007 - 04:14

Then it falls back to the question why MARS can't parse custom signatures correctly.

