Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

csmars and ips

Hello everyone,

I I will appreciate if you can share your experience implementing csmars. we got m20 box recently.In our network we have IPS 4215 which is configured in csmars as a reporting device. IPS can be used as a mitigating device too. what we did is run a nmap scan connecting to the same switch where IPS is running in inline mode and csmars connected. we cd see the incidents reported in csmars. but csmars isn't showing ips a mitigating devices. logically i understand IPS should be detected as mitigating device but looking the attack diagram I cant see it. Have you used IPS as a mitigating device, if so are we missing anything to configure.

Note: csmars version is 3.1




Re: csmars and ips

Hi Munaf!

I've had good success implementing CS-MARS for our clients and recommend it as part of a layered security approach.

A couple of questions:

1. Why haven't you upgraded the code on the MARS box? 4.2.2 is the latest and you don't necessarily have to do a sequential upgrade if you don't mind starting over with a clean ISO image. Otherwise, you have 4-6 hours of sequential upgrades before you.

2. Have you included any networking devices like routers and switches that would help MARS learn the topology of your network?

There is a good reference book from Cisco Press written by Dale Tesch that will help you implement MARS and further understand how using an IPS as a mitigating device will work.

Hope this helps.



Community Member

Re: csmars and ips

Hi Paul,

Thanks for the reply

well i shall upgrade the image as suggested.with the current version , we have added few devices like routers and switches, ips, pix and can also see events, incidents.

wht we cant get is how csmars decides the mitigated i mentioned before we did nmap scan and cd see the alerts from IPS in csmars but csmars doesnt see tht device as a mitigated device in the path. this is wht i see No enforcement devices found, although i think it shd see IPS as the mitigating device


Re: csmars and ips

Do you have SNMP configured on your network? MARS uses SNMP to read configuration data from routers and switches in order to make mitigative recommendations. It also uses it for topology discovery.

Three follow-up questions:

1. How long has this MARS box been on your network? (If it has been less than 4 days and Netflow is not turned on then let MARS continue its topology discovery.)

2. Do you have Cisco Netflow turned on? (MARS needs a minimum of a week to normalize Netflow traffic.)

3. Do you have a syslog server? (Syslog NG and Kiwi are the only two that are supported.)

CreatePlease to create content