I have a case open for this, but I'm not making progress (it's been about a month now). I'm hoping someone with the CSMARS and IPS v5 can verify that they don't see this same behavior. The short story is that in every conceivable configuration, our CSMARS box completely fails to collect certain events from a v5 sensor. We have rebuilt the MARS box, we have rebuilt the sensor. The only time these events showed up was when the sensor was running v4. I have only validated this with two signatures (6131 and 6194), but I assume I didn't stumble upon the only two.
Here is a snippet from my last email to TAC:
----------------------------------
The problem still exists. Reproduced by doing the following:
Sensor model 4255. Rebuilt as follows:
Install IPS-4255-K9-sys-1.1-a-5.0-2.img (via tftp rmon-break procedure)
Install IPS-K9-sp-5.0-4.pkg
Install IPS-sig-S190-minreq-5.0-1.pkg
Ran CLI setup command to configure basic settings.
Manually configured all interfaces to 100/Full as per our standard.
Configured sensing interfaces (added to virtual sensor)
Verified that sensor was generating events
Added the sensor into MARS and verified that MARS was receiving events.
Installed vulnerable Windows server (using IPsec to limit access only from Metasploit system)
Installed Metasploit 2.4 on notebook running Red Hat ES 4.
Launched Metasploit against the vulnerable windows machine (did this twice)
Exploit: Microsoft PnP MS05-039 Overflow
Target: 0 - Windows 2000 SP0SP4
Payload: win32_bind
Triggered /etc/passwd signature on sensor to make sure MARS was still receiving events.