I am using MARS, and using IME (IPS Manager Express) to monitor the network. I found that the alerts reported from MARS are almost totally different from what IME is reporting. I thought they were using the same signatures?? For example, IME reports a high alert on "tcp hijack", but MARS is not reporting this... and so it goes with many other signatures. I thought they would at least report similar events... am I missing anything here?
You are comparing oranges with apples here. IME is just an event viewer to consolidate 'events' from a maximum of 5 IPS boxes to one console.
MARS on the other hand is a correlation tool, it does not display each IPS as an 'Incident'. In fact it filters the good from the bad (as in the false alarms and the true ones). You can run a raw event query in MARS to view all events reported by the IPS.
That's not the question, as I read it. The question is why are the signatures reported differently? I often see the same thing. "low" rated events from the IPS will trigger a "RED" alert on MARS. This makes no sense.
Yes, that's my point. Their signatures seem so different that they are not even close. Which tool should we rely on? I understand the fact that MARS is a more enhanced-feature analysis tool than IME; but it doesn't make sense that the basic report output is so different. Sometimes it makes you wonder whether they are all false positives.
As I said, IME has no built-in intelligence into it. It just displays the signatures in one place. How accurate the signatures are, has no relation with IME. Those are defined by the Cisco IPS signature team and are downloaded on the sensors themselves.
MARS takes 'those' events from IPS boxes and filters them out based on its own set of rules.
I would highly recommend MARS 6.x, check the forum, but I haven't seen too many upgrade issues personally. Depends on how extensive your current build is (how many devices).
Why does it have to be either/or? I use both!
MARS collects syslogs from all of your firewalls and IPS events from the sensors, and gives you the Big Picture for what's happening across your network.
IME collects -just- IPS events for (at most) 5 sensors. However, when I'm trying to tune a rule in MARS, I find it easier to go into IME and run a bunch of queries to figure out if/how I want to tune the rule. Then I'll go into MARS and tune the rules, or go into CSM and tune the IPS signature.
Same thing with ASDM and CSM, actually: CSM is great for the Big Picture, but ASDM lets you get right on the device and see what's going on, real-time.