Log pair packets with MARS

Unanswered Question
Dec 21st, 2008

I have IPS 6.2, added in MARS 6.0.

MARS polls events from the IPS normally, and there is no problem with that.

But my issue: I configured some P2P signatures in the IPS with the actions (deny packet inline, produce alert, log pair packets). In the IPS Device Manager I can see in the Events tab that these flows are dropped by the IPS as I need, and in the IP Logging tab I can see the dropped packet logs, which is normal,

but my issue is that I want a report or query from MARS to show me the packets denied by the IPS.

ivillegas Fri, 12/26/2008 - 06:30

System Rule: Resource Issue: CS-MARS.

This rule detects resource issues with the CS-MARS device, e.g. dropped events or netflow, etc.


Resource Issues: CS-MARS - All Events.

This report lists event details for all events related to resource issues with the CS-MARS device, e.g. dropped events or netflow, etc.


MARS is able to pull the IP log data from Cisco IDS and IPS devices, however, this operation is system intensive. Therefore, you should select the set of signatures that generate IP log data carefully.


When configuring the active signatures on a Cisco IDS or IPS device, you must specify the alert action and the action that generates the desired data.


To view IP logs, you must enable the alert or "produce-verbose-alert" action and the "log-pair-packets" action.


It seems that the "log-pair-packets" is only an option to give you "IPlog" information on the MARS.

