CS-MARS rules with custom IDS signatures

Unanswered Question
Nov 4th, 2008

What is the best way to identify that a specific signature has fired on IDS/IPS 6.x that is feeding into a CS-MARS appliance?

Would the easiest way be to match "ANY" for Event Type and then do a keyword match? If so, what is it matching on, the signature name or the signature description (I suppose I could configure the custom signature to include the name in the description)?

I am just unsure how CS-MARS can identify custom signatures in the IDS engines that are doing TCP string, multi-string, and meta-signature matches but do not necessarily fall under one of the default "event types" when creating a notification or drop rule.

I realize CS-MARS has the ability to correlate many rules together to provide an attack but I am looking to just notify/drop based on the matching on one or more custom signatures within one or more IDS sensors.

Any assistance on clarifying the integration between CS-MARS and the IDS events would be greatly appreciated. Thanks in advance!

Ray

sadbulali Mon, 11/10/2008 - 13:45

To reduce false positives: by identifying events for the same session and by analyzing the topological path taken by an attack from the source to the destination, Cisco Security MARS can identify whether an attack actually reached the intended destination or was dropped by an intermediate device such as a firewall or an intrusion prevention system (IPS).

Look at the URLs here for more information on IPS configuration with CS-MARS rules:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/global_controller/appmars.html

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/local_controller/cfgidsn.html

redray8 Wed, 11/12/2008 - 09:21

So after looking at this section regarding CS-MARS 4.3.x appliances:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.3/user/guide/local_controller/cfgidsn.html#wp1222674

The guide says I should go to Admin->System Setup->IPS Custom Signature Update to download the custom XML mappings. However, I do not see this option on the LC interface; I only see IPS Dynamic Signature Update Settings.

Is this because I have an incompatible CS-MARS version that does not support custom IPS signature to CS-MARS event mappings? Any help would be appreciated. Thanks.
