Cisco Support Community

New Member

MARS and Tippingpoint

I would like to know if we can customize CS MARS to receive and understand logs from Tippingpoint IPS.

I would like to create a drop rule or customized rule that says that anything followed by the event "dropped package by IPS" is a system-determined false positive, or just drop it to reduce false positives. Is this possible, and please correct me if the idea is correct, because according to the link below, when Cisco IPS and CS MARS integrate, it identifies all dropped packages by IPS as false positive incidents, and I think that will decrease the number of incidents considering the number of blocked traffic by Tippingpoint IPS?!

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap11.html

Thank you

Accepted Solution
Cisco Employee

Re: MARS and Tippingpoint

Nora;

Through the use of the Device Support Framework, CS-MARS can be configured to parse events received from devices that are not natively supported but can send their events via syslog or SNMP trap. You can read more about creating custom devices here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html

System-defined false positives cannot be defined by you; CS-MARS makes this decision based on data it has accumulated in regard to a firing incident. You can create a drop rule, which would allow you to configure CS-MARS to not create an incident when certain criteria are met (source IP, destination IP, event, etc.) or to completely ignore the event and not log it to the CS-MARS database. You can read more about CS-MARS rules here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html

Scott
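The two mechanisms Scott describes (a custom parsing template for a non-native IPS and a drop rule that either suppresses the incident or discards the event) as an added illustration in Python; this is not CS-MARS configuration or code from the thread, and the syslog format, field names and rule actions are constructed for the example, not TippingPoint's real log layout.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines in a made-up IPS format. They are NOT
# TippingPoint's real log format; they only stand in for what a custom
# device's parsing template would have to match.
SAMPLE_EVENTS = [
    "<134>Mar 10 10:01:02 ips01 IPS: Block action=dropped sig=HTTP_Exploit src=10.1.1.5 dst=192.0.2.10",
    "<134>Mar 10 10:01:03 ips01 IPS: Alert action=permitted sig=SQL_Injection src=10.1.1.6 dst=192.0.2.10",
    "<134>Mar 10 10:01:04 ips01 IPS: Block action=dropped sig=Scan src=10.1.1.7 dst=192.0.2.11",
]

# Parsing template: a regex with named groups, mapping the raw message
# to normalized fields the way a custom device definition would.
EVENT_RE = re.compile(
    r"IPS: (?P<type>\w+) action=(?P<action>\w+) sig=(?P<sig>\S+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
)

def parse_event(line: str) -> Optional[dict]:
    """Return the normalized event fields, or None if the line does not match."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

@dataclass
class DropRule:
    """Drop-rule criteria; a field left as None matches any value.
    action 'no_incident' keeps the event but raises no incident;
    action 'ignore' discards the event entirely (never stored)."""
    action: str
    event_action: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, ev: dict) -> bool:
        wanted = (("action", self.event_action), ("src", self.src), ("dst", self.dst))
        return all(want is None or ev[key] == want for key, want in wanted)

def process(lines, rules):
    """Apply the drop rules in order; return (stored_events, incidents)."""
    stored, incidents = [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparsed lines are left to generic handling
        rule = next((r for r in rules if r.matches(ev)), None)
        if rule and rule.action == "ignore":
            continue  # never logged at all
        stored.append(ev)
        if rule is None:  # 'no_incident' stores the event but raises nothing
            incidents.append(ev)
    return stored, incidents
```

With a single `no_incident` rule on `action=dropped`, all three sample events are stored but only the permitted one becomes an incident, which is the effect the question is after.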
