I have an IDSM and a MARS 50. On the IDSM I've created two custom signatures triggering on Request Regexp for webMSN and webICQ respectively. Both signatures are triggered OK and visible in the IDS event viewer.
I've also managed to import both as custom signatures into the MARS.
My problem is that the webICQ signature is parsed as "Unknown device event" while the webMSN signature is parsed correctly.
Both events seem to be tied to the correct IDS signature ID (60003 and 60004) but only one event is parsed OK.
If you want an incident in csmars whenever this signature fires an alarm, you will need to create a rule with a keyword to trigger on the alarms for that custom signature. Custom signatures will be mapped as an "unknown device event type" in csmars. If the signature was 60005-0, you could create a rule that looks for a keyword of "NR-60005".
The first step is to get MARS to parse the event. The next step is to create the necessary inspection rules.
My "problem" seems to have solved itself. Very strange. What I did at my first attempt was to clone several custom signatures from a single custom rule in the IDSM. The first rule worked in MARS but not the others; the only difference was that the later rules were created as subsignatures and imported into MARS as such. When that didn't work I tried to create the IDS rules as separate rules instead of subsignatures and reimport them into MARS, no luck there either.
I removed my custom signatures from the IDSM and left everything for the weekend. When I returned this Monday and reentered the signatures into the IDSM and tried them out MARS managed to parse them correctly, even put them into the correct event group.
I've no idea what I've done differently but it's all working fine now.
It could be you forgot to hit the 'Activate' key after making the changes (if such an action is required)? Even though in newer MARS versions it's easier to Activate the settings into running memory as the button automatically goes Red when changes are made.