CS-MARS extracts the logs from Cisco IPS 5.x and 6.x devices and modules using SDEE. SDEE communications are secured with Secure Sockets Layer/Transport Layer Security (SSL/TLS). Therefore, CS-MARS must have HTTPS access to the Cisco IPS sensor. This requires configuration of the Cisco IPS sensor as well as CS-MARS.
To allow access, HTTPS access must be enabled on the Cisco IPS sensor, and the IP address of CS-MARS must be defined as an allowed host, one that can access the sensor to pull events. In addition, an administrative account to be used by CS-MARS should be configured locally on the Cisco IPS sensor. As a best practice, this account should be set with a user role of viewer to ensure only the minimum necessary access privileges are granted. This account should not be used for any other purposes.
Event Data Collected from Cisco IPS
There three types of event data that CS-MARS may extract from a Cisco IPS sensor:
Trigger packet data
Packet data (IP logging)
Verify that CS-MARS Pulls Events from a Cisco IPS Device
The first step for verifying if CS-MARS can pull events from a Cisco IPS sensor is to confirm both are able to communicate. To that end, select the test connectivity option under the Cisco IPS device configuration (Admin > System Setup > Security and Monitor Devices). A "Connectivity Successful" message indicates both systems are able to communicate.
The second step is to perform an action to knowingly trigger a signature on the Cisco IPS sensor. As an example, type the following URL on a browser, replacing x.x.x.x by the IP address or hostname of a web server located on a subnet monitored by the Cisco IPS sensor.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...