CS-MARS extracts the logs from Cisco IPS 5.x and 6.x devices and modules using SDEE. SDEE communications are secured with Secure Sockets Layer/Transport Layer Security (SSL/TLS). Therefore, CS-MARS must have HTTPS access to the Cisco IPS sensor. This requires configuration of the Cisco IPS sensor as well as CS-MARS.
To allow access, HTTPS access must be enabled on the Cisco IPS sensor, and the IP address of CS-MARS must be defined as an allowed host, one that can access the sensor to pull events. In addition, an administrative account to be used by CS-MARS should be configured locally on the Cisco IPS sensor. As a best practice, this account should be set with a user role of viewer to ensure only the minimum necessary access privileges are granted. This account should not be used for any other purposes.
Event Data Collected from Cisco IPS
There three types of event data that CS-MARS may extract from a Cisco IPS sensor:
Event alerts
Trigger packet data
Packet data (IP logging)
Verify that CS-MARS Pulls Events from a Cisco IPS Device
The first step for verifying if CS-MARS can pull events from a Cisco IPS sensor is to confirm both are able to communicate. To that end, select the test connectivity option under the Cisco IPS device configuration (Admin > System Setup > Security and Monitor Devices). A "Connectivity Successful" message indicates both systems are able to communicate.
The second step is to perform an action to knowingly trigger a signature on the Cisco IPS sensor. As an example, type the following URL on a browser, replacing x.x.x.x by the IP address or hostname of a web server located on a subnet monitored by the Cisco IPS sensor.
ttp://x.x.x.x/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
This action should be interpreted as a WWW IIS unicode directory traversal attack, triggering Cisco IPS signatures numbers 5114 and 5081.
