11-04-2008 11:44 AM - edited 03-10-2019 04:21 AM
What is the best way to identify that a specific signature has fired on IDS/IPS 6.x that is feeding into a CS-MARS appliance?
Would the easiest way be to match "ANY" for Event Type and then do a keyword match? If so, what is it matching on: the signature name or the signature description? (I suppose I could configure the custom signature to include the name in the description.)
I am just unsure how CS-MARS can identify custom signatures in the IDS engines that are doing TCP string, multi-string, and meta-signature matches but do not necessarily fall under one of the default "event types" when creating a notification or drop rule.
I realize CS-MARS has the ability to correlate many rules together to provide an attack but I am looking to just notify/drop based on the matching on one or more custom signatures within one or more IDS sensors.
Any assistance on clarifying the integration between CS-MARS and the IDS events would be greatly appreciated. Thanks in advance!
Ray
11-10-2008 01:45 PM
To reduce false positives: by identifying events for the same session and by analyzing the topological path taken by an attack from the source to the destination, Cisco Security MARS can identify whether an attack actually reached the intended destination or was dropped by an intermediate device such as a firewall or an intrusion prevention system (IPS).
Look at the URLs here for more information on IPS configuration with CS-MARS rules:
11-12-2008 09:21 AM
So after looking at this section regarding CS-MARS 4.3.x appliances:
The guide says I should go to Admin->System Setup->IPS Custom Signature Update to download the custom XML mappings. However, I do not see this option on the LC interface; I only see IPS Dynamic Signature Update Settings.
Is this because I have an incompatible CS-MARS version that does not support custom IPS signature to CS-MARS event mappings? Any help would be appreciated. Thanks.