What is the best way to identify that a specific signature has fired on IDS/IPS 6.x that is feeding into a CS-MARS appliance?
Would the easiest way to match "ANY" for Event Type and then do a keyword match? If so, what is it matching on, the signature name or the signature description (I suppose I could configure the custom signature to include the name in the description)?
I am just unsure how CS-MARS can identify custom signatures in the IDS engines that are doing TCP string, multi-string, and meta-signature matches but do not necessarily fall under one of the default "event types" when creating a notification or drop rule.
I realize CS-MARS has the ability to correlate many rules together to provide an attack but I am looking to just notify/drop based on the matching on one or more custom signatures within one or more IDS sensors.
Any assistance on clarifying the integration between CS-MARS and the IDS events would be greatly appreciated. Thanks in advance!
To reduce false positives-By identifying events for the same session and by analyzing the topological path taken by an attack from the source to the destination, Cisco Security MARS can identify whether an attack actually reached the intended destination or was dropped by an intermediate device such as a firewall or an intrusion prevention system (IPS).
Look at the URLs here for more information on IPS configuration with CS-MARS rules:
The guide says I should goto Admin->System Setup->IPS Custom Signature Update to download the custom XML mappings. However I do not see this option on the LC interface, I only see IPS Dynamic Signature Update Settings.
Is this because I have an incompatible CS-MARS version that does not support custom IPS signature to CS-MARS event mappings? Any help would be appreciated. Thanks.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...