CS-MARS rules with custom IDS signatures

Unanswered Question
Nov 4th, 2008

What is the best way to identify that a specific signature has fired on IDS/IPS 6.x that is feeding into a CS-MARS appliance?

Would the easiest way be to match "ANY" for Event Type and then do a keyword match? If so, what is it matching on, the signature name or the signature description (I suppose I could configure the custom signature to include the name in the description)?

I am just unsure how CS-MARS can identify custom signatures in the IDS engines that are doing TCP string, multi-string, and meta-signature matches but do not necessarily fall under one of the default "event types" when creating a notification or drop rule.

I realize CS-MARS has the ability to correlate many rules together to provide an attack but I am looking to just notify/drop based on the matching on one or more custom signatures within one or more IDS sensors.

Any assistance on clarifying the integration between CS-MARS and the IDS events would be greatly appreciated. Thanks in advance!

sadbulali Mon, 11/10/2008 - 13:45

To reduce false positives: by identifying events for the same session and by analyzing the topological path taken by an attack from the source to the destination, Cisco Security MARS can identify whether an attack actually reached the intended destination or was dropped by an intermediate device such as a firewall or an intrusion prevention system (IPS).

Look at the URLs here for more information on IPS configuration with CS-MARS rules:



redray8 Wed, 11/12/2008 - 09:21

So after looking at this section regarding CS-MARS 4.3.x appliances:


The guide says I should go to Admin->System Setup->IPS Custom Signature Update to download the custom XML mappings. However, I do not see this option on the LC interface; I only see IPS Dynamic Signature Update Settings.

Is this because I have an incompatible CS-MARS version that does not support custom IPS signature to CS-MARS event mappings? Any help would be appreciated. Thanks.
