I missed seeing the "Ask the Expert" session in time to ask these questions, Garry. Can anyone help me answer these questions?
1) Could MARS suggest an IPS device as a mitigation device? Is there a way to edit a signature without cross-launching CSM (what if the customer doesn't have CSM)?
2) We use MARS to monitor other IPS devices as well, but unfortunately MARS doesn't understand "blocked" events from non-Cisco IPS devices (in my experience). For reporting purposes, we use keywords such as "blocked" or "blocked-count", but MARS doesn't always seem to parse those fields properly to make them available for query. For some events, if I examine the SNMP trap from the non-Cisco IPS device, the "Blocked-count" is there, but it is not available in MARS if I check the raw events. Looks like a parsing issue to me. Back to the question: is there a way to make MARS understand that a given attack is blocked by a non-Cisco IPS device (to move it to system-determined false positive)?
3) Summarization - MARS doesn't seem to correctly parse and report the actual number of summarized events for an IPS device (non-Cisco and Cisco). Even though the raw events show the number of events that actually happened during that session, MARS just takes it as one event. This will mess up the metrics and reports to upper management. One of my customers uses MARS and they have a non-Cisco IPS architecture, which reports the summarized event numbers properly for their product, but if I use MARS to generate the same reports, the numbers don't add up and it is considered unreliable for that reason by the customer. Has anybody experienced this issue? Is there a workaround to deal with the summarized events?
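As an added illustration of questions 2 and 3 (this is example code written for this page, not MARS code or any vendor's parser), the script below takes IPS records that carry their own summary counts, parses the "event-count" and "blocked-count" fields, and computes totals two ways: once per record (the behaviour described above, where a summarized record counts as one event) and once weighted by the embedded count. It also derives a "fully blocked" flag from the counts, which is the signal a SIEM would need to classify the attack as blocked. The key=value line format, the field names and the sample records are all constructed assumptions for the example.

```python
"""
Added example: recover true event totals and blocked status from IPS records
that carry their own summary counts. The log format, field names
(event-count, blocked-count) and sample lines are constructed for this
example and do not reproduce any real MARS or vendor output.
"""
import re
from collections import defaultdict

# Constructed sample records in a key=value style (not real device output).
# The last record has no summary fields and stands for a single, unblocked event.
SAMPLE_EVENTS = [
    'sig=1001 name="SQL injection" src=10.0.0.5 dst=10.0.1.20 event-count=37 blocked-count=37',
    'sig=1001 name="SQL injection" src=10.0.0.6 dst=10.0.1.20 event-count=4 blocked-count=0',
    'sig=2002 name="Port scan" src=10.0.0.9 dst=10.0.1.0 event-count=250 blocked-count=250',
    'sig=3003 name="Brute force" src=10.0.0.7 dst=10.0.1.30',
]

# key=value pairs; values may be quoted strings containing spaces.
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one record into a dict. Numeric values become ints, quotes are stripped.

    A record without event-count is one event; without blocked-count nothing is
    assumed to be blocked, so a parser gap never turns an attack into a false positive.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        value = value.strip('"')
        fields[key] = int(value) if value.isdigit() else value
    fields.setdefault('event-count', 1)
    fields.setdefault('blocked-count', 0)
    return fields


def fully_blocked(fields):
    """True only when the device reports every event in the summary as blocked."""
    return fields['event-count'] > 0 and fields['blocked-count'] == fields['event-count']


def summarize(lines):
    """Per-signature totals: 'records' counts each line once (the MARS behaviour
    described in the post), 'events' and 'blocked' use the embedded counts."""
    totals = defaultdict(lambda: {'records': 0, 'events': 0, 'blocked': 0})
    for line in lines:
        ev = parse_event(line)
        t = totals[ev['sig']]
        t['records'] += 1
        t['events'] += ev['event-count']
        t['blocked'] += ev['blocked-count']
    return dict(totals)


if __name__ == '__main__':
    for sig, t in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"sig {sig}: records={t['records']} events={t['events']} blocked={t['blocked']}")
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        print(f"sig {ev['sig']} from {ev['src']}: fully blocked = {fully_blocked(ev)}")
```

Run it and compare the `records` column with the `events` column: signature 2002 is one record but 250 events, which is exactly the gap between a per-record count and the device's own summary. The `blocked` column is what a report would need in order to separate blocked from unblocked volume, and `fully_blocked` gives a per-record flag that only trusts an explicit count from the device.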