Cs-MARS and the option "Pull IP logs"

Unanswered Question
Nov 22nd, 2007

Hi

The manual describes the performance implications of using this feature and how it enables you to view the offending packet data in MARS. But as I understand after some three months' usage, it's the alert action "produce verbose alert" on the IDSM that produces the trigger packet and context packet...not the "Pull IP logs" option. I've been trying this option out a few times but it gives me no difference.

Does anyone have a better understanding of this function? I sort of hoped MARS would download a pcap file and include it as a link in the raw packet view, but it seems that was wishful thinking.

/Fredrik

didyap Wed, 11/28/2007 - 10:14

"Pull IP logs" feature only takes the logs of "IP logging" from the respective device and includes it in its own logs. Turn IP logging off, i.e. uncheck the box for 'Pull IP Logs' for the IDS configuration. Click Activate, and check if the events show up. Make sure you are seeing events on the IDS.

hoffa2000 Wed, 11/28/2007 - 10:35

Yes I know, but how is this extra feature presented in the MARS interface? Have you been able to use the IP logging feature in the MARS interface? The option to turn on the feature is there but no example of how it's used. I see the event on the IDS and it has recorded an IP log, I also see the event or matching incident in the MARS interface but no reference to the IP log stored on the IDS.

I think clarification is needed here.

ghalleen Wed, 11/28/2007 - 21:31

When IP logs are pulled from the Cisco IPS devices, they appear in the logs the same as Trigger packet data. When you click on the raw event data icon, it shows the text version of the pcap. To open this into your favorite packet decoder (Sniffer, ethereal, whatever), you'll need to copy this to a text file and use text2pcap to convert it to a capture file.
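One way to turn that text version into a capture file without going through text2pcap, as an added example that is not from this thread or from Cisco: it assumes the raw-event text is a text2pcap-style offset/hex dump of raw IP packets (pcap link type 101), and the sample dump below is constructed for illustration.

```python
import re
import struct

# Constructed sample in text2pcap-style layout (offset, hex bytes, ASCII column);
# the real MARS raw-event text is assumed to look like this. Two raw IPv4 packets.
SAMPLE_DUMP = """\
0000  45 00 00 1c 00 01 00 00 40 11 7c ce 7f 00 00 01  E.......@.|.....
0010  7f 00 00 01 00 35 00 35 00 08 00 00              .....5.5....
0000  45 00 00 14 00 02 00 00 40 01 7c dd 7f 00 00 01  E.......@.|.....
0010  7f 00 00 02                                      ....
"""

OFFSET_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,})\s+(.*)$")

def parse_hexdump(text):
    """Return a list of packets (bytes). A new packet starts whenever the offset resets to 0.
    Like text2pcap, hex tokens are read left to right until the first non-hex token (ASCII column)."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = OFFSET_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        for tok in m.group(2).split():
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break  # reached the ASCII column (same ambiguity text2pcap has)
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets

def to_pcap(packets, linktype=101, ts=0):
    """Serialise packets as a libpcap file. linktype 101 = raw IP (what text2pcap -l 101 writes);
    use 1 if the dump includes Ethernet headers. Timestamps are synthetic (assumption)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", ts + i, 0, len(pkt), len(pkt)) + pkt
    return out

def convert(text, path):
    """Write the dump as a pcap file and return the number of packets written."""
    packets = parse_hexdump(text)
    with open(path, "wb") as f:
        f.write(to_pcap(packets))
    return len(packets)

if __name__ == "__main__":
    print(convert(SAMPLE_DUMP, "iplog.pcap"), "packets written to iplog.pcap")
```

The resulting file opens directly in Wireshark/ethereal; pick `linktype=1` instead if the sensor's dump already carries Ethernet headers.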

hoffa2000 Wed, 11/28/2007 - 23:59

I'd very much like to see a print screen of this feature in action. No matter how I try I can't get it to work on my MARS and IDSM setup. The only packet capture I get is the capture provided by the IDSM "verbose alert"-feature.

/Fredrik

mhellman Thu, 11/29/2007 - 06:13

Hi Gary. We've never tested this functionality because of concerns over issues it might cause on the Mars side. FWIW, I absolutely don't want to see the packets decoded in the Mars interface. I want the trace so that I can load it into my favorite analyzer and do analysis.

A far simpler and better solution IMHO would be to provide a link to the pcap file on the sensor itself. The URL is already exposed and the iplog is in the alarm:

https://SENSOR/cgi-bin/iplog-server?ipLogId=LOGIDFROM ALARM

Another option would be to have Mars download the pcap file and hyperlink to it locally.

sigh. Sometimes I wonder if Cisco bothers to stop and ask customers what they want and then think before they code. Perhaps some customers want thousands of packets decoded as ascii text in Mars. I certainly do not. I will get off my soapbox now and thanks for listening to me rant;-)

hoffa2000 Thu, 11/29/2007 - 06:40

I agree totally, a link to the pcap file would be an excellent solution. What annoys me even more is that in some forums this feature is discussed like it's working as expected and everyone is happy and when you question the results all you get is a reference to the pages in the manual.

Like you say, Cisco hasn't really thought this through. In my opinion the next release should either remove the reference to the feature entirely OR make it a working one.

/Fredrik

ghalleen Thu, 11/29/2007 - 10:46

I agree with you, and this is something we're working towards. I'm sorry I can't give you a timeline.

It wouldn't necessarily work to provide a link to the pcap on the sensor, though. As I'm sure you're aware, access-lists provide restrictions on who can access the sensor. For this feature to work as you want, that access-list would have to be dramatically increased on most customers' networks so that a large number of addresses would be able to pull the logs. I think a better solution would be to pull the iplog to the MARS appliance, but make it available as a pcap file rather than a text file.

mhellman Thu, 11/29/2007 - 11:42

"access-list would have to be dramatically increased on most customers' networks so that a l"

I think you'd find that on many of your customer networks, the same folks accessing the MARS also have access to the sensors already. Adding the link is just a quick and simple solution that would probably satisfy many customers. I agree that saving the logs locally on the Mars is the better solution.

Thanks for the follow-up.
