Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
698
Views
0
Helpful
4
Replies

Custom signature event not parsed

hoffa2000
Level 3
Level 3

‎05-22-2008 07:25 AM

Hi folks

I have an IDSM and a MARS 50. On the IDSM I've created two custom signatures triggering on Request Regexp for webMSN and webICQ respectively. Both signatures are triggered OK and visible in the IDS event viewer.

I've also managed to import both as custom signatures into the MARS.

My problem is that the webICQ signature is parsed as "Unknown device event" while the webMSN signature is parsed correctly.

Both events seems to be tied to the correct IDS signature ID (60003 and 60004) but only one event is parsed ok.

Has anyone see something like this before?

Regards

Fredrik

Labels:
0 Helpful
4 Replies 4

ebreniz
Level 6
Level 6

‎05-28-2008 12:44 PM

If you want an incident in csmars whenever this signature fires an alarm, you will need to create a rule with a keyword to trigger on the alarms for that custom signature. custom signatures will be mapped as an "unknown device event type" in csmars. If the signature was 60005-0, you could create a rule that looks for a keyword of "NR-60005".

The first step is to get MARS to parse the event. The next step is to create the necessary inspection rules.

You can start here:

http://ciscomars.blogspot.com/2008/03/custom-ips-signatures-with-cisco-mars.html

0 Helpful

hoffa2000
Level 3
Level 3
In response to ebreniz

‎05-28-2008 11:09 PM

That's one solution I've considered. The down side is that you cannot set the security level on custom rules, all incidents will be flagged as green.

/Fredrik

0 Helpful

hoffa2000
Level 3
Level 3
In response to hoffa2000

‎05-29-2008 05:05 AM

My "problem" seems to have solved itself. Very strange. What I did at my first attempt was to clone several custom signatures from a single custom rule in the IDSM. First rule worked in MARS but not the the others, only difference was that the later rules were created as subsignatures and imported into MARS as such. When that didn't work I tried to created the IDS rules as separate rules instead of subsignatures and reimport them into MARS, no luck there either.

I removed my custom signatures from the IDSM and left everything for the weekend. When I returned this Monday and reentered the signatures into the IDSM and tried them out MARS managed to parse them correctly, even put them into the correct event group.

I've no idea what I've done differently but it's all working fine now

/Fredrik

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to hoffa2000

‎05-30-2008 05:26 AM

It could be you forgot to hit the 'Activate' key after making the changes (if such an action is required)? Even tough in newer MARS versions its easier to Activate the settings into running memory as the button automatically goes Red when changes are made.

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents