02-26-2009 08:11 AM
I am using MARS, and using IME (IPS Manager Express) to monitor the network. I found that the alerts reported from MARS are almost totally different from what IME is reporting. I thought they were using the same signatures?? For example, IME reports a high alert on "tcp hijack", but MARS is not reporting this... and the same goes for many other signatures. I thought they would at least report similar events... am I missing anything here?
thanks,
02-26-2009 08:16 AM
Are you updating the signatures on MARS?
02-27-2009 08:34 AM
Yes.
02-27-2009 09:01 AM
I am assuming 6.x MARS and 6.1(2) E3 IPS; is that correct?
02-27-2009 10:51 AM
Using 4.3.x MARS and 6.2(1)E3 IPS.
03-01-2009 11:07 PM
You are comparing oranges with apples here. IME is just an event viewer to consolidate 'events' from a maximum of 5 IPS boxes to one console.
MARS on the other hand is a correlation tool, it does not display each IPS as an 'Incident'. In fact it filters the good from the bad (as in the false alarms and the true ones). You can run a raw event query in MARS to view all events reported by the IPS.
Regards
Farrukh
03-02-2009 07:15 AM
That's not the question, as I read it. The question is why the signatures are reported differently. I often see the same thing: "low" rated events from the IPS will trigger a "RED" alert on MARS. This makes no sense.
03-03-2009 01:55 PM
Yes, that's my point. Their signatures seem so different that they are not even close. Which tool should we rely on? I understand that MARS is a more enhanced-feature analysis tool than IME, but it doesn't make sense that the basic report outputs are so different. Sometimes it makes you wonder whether they are all false positives.
03-03-2009 09:46 PM
As I said, IME has no built-in intelligence. It just displays the signatures in one place. How accurate the signatures are has no relation to IME. Those are defined by the Cisco IPS signature team and are downloaded onto the sensors themselves.
MARS takes 'those' events from IPS boxes and filters them out based on its own set of rules.
Regards
Farrukh
03-02-2009 08:22 AM
I would highly recommend MARS 6.x; check the forum, but I haven't seen too many upgrade issues personally. It depends on how extensive your current build is (how many devices).
03-03-2009 07:19 AM
Why does it have to be either/or? I use both!
MARS collects syslogs from all of your firewalls and IPS events from the sensors, and gives you the Big Picture of what's happening across your network.
IME collects -just- IPS events for (at most) 5 sensors. However, when I'm trying to tune a rule in MARS, I find it easier to go into IME and run a bunch of queries to figure out if/how I want to tune the rule. Then I'll go into MARS and tune the rules, or go into CSM and tune the IPS signature.
Same thing with ASDM and CSM, actually: CSM is great for the Big Picture, but ASDM lets you get right on the device and see what's going on, in real time.
03-03-2009 09:41 PM
One can use both, I personally enjoy both apples and oranges :)
Regards
Farrukh