Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

CS-MARS rules with custom IDS signatures

What is the best way to identify that a specific signature has fired on IDS/IPS 6.x that is feeding into a CS-MARS appliance?

Would the easiest way to match "ANY" for Event Type and then do a keyword match? If so, what is it matching on, the signature name or the signature description (I suppose I could configure the custom signature to include the name in the description)?

I am just unsure how CS-MARS can identify custom signatures in the IDS engines that are doing TCP string, multi-string, and meta-signature matches but do not necessarily fall under one of the default "event types" when creating a notification or drop rule.

I realize CS-MARS has the ability to correlate many rules together to provide an attack but I am looking to just notify/drop based on the matching on one or more custom signatures within one or more IDS sensors.

Any assistance on clarifying the integration between CS-MARS and the IDS events would be greatly appreciated. Thanks in advance!


Community Member

Re: CS-MARS rules with custom IDS signatures

To reduce false positives-By identifying events for the same session and by analyzing the topological path taken by an attack from the source to the destination, Cisco Security MARS can identify whether an attack actually reached the intended destination or was dropped by an intermediate device such as a firewall or an intrusion prevention system (IPS).

Look at the URLs here for more information on IPS configuration with CS-MARS rules:

Community Member

Re: CS-MARS rules with custom IDS signatures

So after looking at this section regarding CS-MARS 4.3.x appliances:

The guide says I should goto Admin->System Setup->IPS Custom Signature Update to download the custom XML mappings. However I do not see this option on the LC interface, I only see IPS Dynamic Signature Update Settings.

Is this because I have an incompatible CS-MARS version that does not support custom IPS signature to CS-MARS event mappings? Any help would be appreciated. Thanks.

CreatePlease to create content