IPS 6.0 Security Monitor


Will the 6.0 sensors work with SecMon? And please don't tell me I will be forced to use CS MARS. So will there be an update to SecMon to allow it to work with 6.0?

Accepted Solution

marcabal
Cisco Employee

SecMon monitoring an IPS version 6.0 was tested. The existing SecMon version Can monitor IPS 6.0, but will only show the fields in the alerts that existed in IPS 5.1. SecMon will not show the new fields that are only seen in IPS 6.0.

Also understand that the corresponding IPS MC does Not support IPS 6.0.

SecMon and IPS MC are part of VMS.

VMS has been replaced by CSM.

The current version of CSM is Not able to configure IPS 6.0; a new version of CSM will be released next year that Will support configuration of an IPS 6.0 sensor.

CSM does not contain a utility for viewing IPS alerts. So for viewing IPS alerts you will either need to continue using SecMon from VMS, or use IEV, or another alert viewing tool.

At this time there is no plan to modify SecMon to support the new fields in IPS 6.0 as VMS has been replaced by CSM that does not contain SecMon.

SecMon can be used to monitor an IPS 6.0 sensor, but will only show the fields that were available in 5.x sensors.

NOTE: You do not have to immediately upgrade to IPS 6.0. The IPS 5.1 version will continue to receive signature updates for at least another year, and likely even a year and a half or more.

12 Replies

Thank You for the response! It answered all of my questions perfectly. Hopefully they will wise up and incorporate SecMon with the updated version of CSM.

CS MARS is just pointless. Great for log retention though.

I feel for those of you that use VMS and are now being asked to buy 2 separate products (and because VMS was a total POS). CSMARS is a SIM/SEM product though, which VMS never was... so there are some opportunities to do a lot of things better with CSMARS. This assumes of course that you didn't already have a separate SIM/SEM solution.

While I certainly don't think CSMARS is pointless, it most certainly is NOT good at log retention, unless you don't particularly care that the logs are missing critical information (like the tcp 5-tuple), have information inserted that was never in the original message, and are truncated.

CS-MARS is pointless, just tell me the current signature version of the IPS's and the signature version that MARS can support?

SIM/SEM or whatever you want to call it, I just want to say does CS-MARS provide what it's hyped to do?

Does anyone receive any benefit from the time based interval of alerts? Meaning CS-MARS cannot differentiate host within incidents, so if a singular series of event occurs for any duration of time, it will report that one event as multiple incidents...

I believe that enough to state my case and disappointment with CS-MARS. Don't get me wrong; I just want SecMon included in CSM without being forced to use CS-MARS, which as you can see does not provide me with the ability to perform any REAL-TIME analysis.

"CS-MARS is pointless, just tell me the current signature version of the IPS's and the signature version that MARS can support?"

This is an unfortunate problem, for sure... and one that should be unnecessary given that Cisco owns both products. Frankly, Cisco should be embarrassed by how much CSMARS is behind Cisco IPS. It's very obvious based on IPS V6 that they intend to address this eventually. In any event, it's a common issue for all SEMs. They are usually behind; it's a question of how much. You can still alert on the alarms and investigate them just like any other, it's just not as clean as it should be.

"SIM/SEM or whatever you want to call it, I just want to say does CS-MARS provide what it's hyped to do? "

No, and none of the other SEMs do either IMHO.

If you're looking for something to do real-time display of atomic event data (perhaps with grouping), CSMARS just isn't really good at that. If you've got lots of money, you can try Cisco SIMS (Netforensics) and see if their event viewer suits your needs better.

"If you're looking for something to do real-time display of atomic event data (perhaps with grouping), CSMARS just isn't really good at that."

Nice! So I'm sure I will be extra happy with my Cisco rep and our vendor in a few months after we invest money in deployment of our new MARS100 and it fails to do what they said it would.

"SIM/SEM or whatever you want to call it, I just want to say does CS-MARS provide what it's hyped to do? "

"No, and none of the other SEM's do either IMHO. "

I think this is Cisco's mantra. Probably graffiti all over their campus in San Jose... that says that... "we only need to be as bad as our competition is." Does jchambers@cisco.com work? I'd love to hear why they set the bar somewhere between mediocre and adequate and have led the way in lowering expectations and standards in general across the information security field.

I will outline several critical needs for any device that will serve as a centralized log analysis vehicle for the IPS/IDS's.

SecMon

1) Real-Time event Alerting - Yes

2) Drill down option - Yes

3) Instant View to Host, Dest, Content - Yes

4) Ability to Handle Custom Sig - Yes

5) Ability to Handle New Sig Release - Yes

CS-MARS

1) Real-Time event Alerting - Nope *Time Interval Incident reporting*

2) Drill down option - Some, but you have to constantly run queries to focus in on your investigation.

3) Instant View to Host, Dest, Content - Nope

4) Ability to Handle Custom Sig - Never!!! You can make rules to alert on the events, but you cannot add new Security Events to Mars. Yeah, that was smart.

5) Ability to Handle New Sig Release - Unless you're happy with seeing the majority of the events on the MARS box as ***Unknown Security Event***, then by all means go spend the money on MARS. PS, they never mention this when they sell it to you. Oh yeah, and netflow: ask them to actually display netflow logs :-) unless this has been fixed already.

As for Netforensics, I'm not interested in spending even more on a box that does pretty much what Event Viewer does but for more than 5 appliances at once!

Look, I want to use SecMon; I just wish that Cisco extended a hand to the people who use their product for input. I would love to participate in a way that we, the end users, can have a product that does what we need the most. Now, sadly, SecMon, which is part of the horrid VMS setup, is going away. I seriously hope Cisco reconsiders their decision about SecMon; if anything, include SecMon functionality in MARS!

So in conclusion, please Cisco, please do not let SecMon disappear.

I hope that fellow users speak up too, Keep SecMon or some form of it!!!

I had the same stand as you that I didn't want to have to purchase MARS to replace SECMON, but have since changed my mind since purchasing MARS.

I by far have more real incidents (non-false positives) from firewall syslogs than our IPS sensor provides. I have been able to identify and resolve more issues (security related or otherwise) since putting MARS on the network than I ever did with just SECMON and IPS sensors.

If you have a host that has a virus that continually tries to connect to a device through your firewall on a port that is being blocked, MARS is able to create an incident using the syslog information of the multiple denies. This would work for day zero outbreaks as well. If the virus tries to use a well known port, MARS can create an incident on an increase in traffic to that port using netflow.

IMHO MARS is a valuable addition to network security.

I did just read that there is a version of MARS sized and priced to replace secmon in a network.

Cisco Security MARS 20R (CS-MARS-20R-K9)
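The correlation the post above describes (many firewall denies from one internal host to one blocked port rolled up into a single incident) as an added example; this is illustrative code written for this page, not MARS logic or anything from Cisco. It assumes ASA-style 106023 deny syslog lines (the sample lines are constructed) and keys incidents by source host and port, so the same host is not reported as a fresh incident every reporting interval, and a slow drip of denies spread over hours stays below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an ASA 106023 access-group deny message
# (invented for this example, not captured from any real firewall).
SAMPLE_SYSLOG = """\
Nov 14 10:00:01 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.50/40001 dst outside:203.0.113.9/135 by access-group "inside_in"
Nov 14 10:00:03 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.50/40002 dst outside:203.0.113.10/135 by access-group "inside_in"
Nov 14 10:00:04 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.77/51000 dst outside:198.51.100.4/445 by access-group "inside_in"
Nov 14 10:00:06 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.50/40003 dst outside:203.0.113.11/135 by access-group "inside_in"
Nov 14 10:00:09 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.50/40004 dst outside:203.0.113.12/135 by access-group "inside_in"
Nov 14 10:05:00 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.88/33000 dst outside:203.0.113.20/135 by access-group "inside_in"
Nov 14 10:35:00 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.88/33001 dst outside:203.0.113.21/135 by access-group "inside_in"
Nov 14 11:05:00 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.88/33002 dst outside:203.0.113.22/135 by access-group "inside_in"
"""

DENY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %ASA-4-106023: Deny (\w+) "
    r"src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)"
)

def parse_denies(text):
    """Parse deny lines into (timestamp, src_ip, dst_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            # syslog carries no year; strptime defaults to 1900, fine for relative windows
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(4), int(m.group(5))))
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """One incident per (source host, blocked port) once `threshold` denies fall
    inside `window`; later denies extend that incident rather than opening another."""
    by_key = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_key[(src, port)].append((ts, dst))
    incidents = []
    for (src, port), hits in by_key.items():
        start = 0
        for i, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window start forward
                start += 1
            if i - start + 1 >= threshold:
                incidents.append({"src": src, "port": port,
                                  "first": hits[start][0], "last": hits[-1][0],
                                  "denies": len(hits) - start,
                                  "targets": sorted({d for _, d in hits[start:]})})
                break
    return incidents
```

Running `correlate(parse_denies(SAMPLE_SYSLOG))` yields one incident for 10.1.1.50 on tcp/135; the single deny from 10.1.1.77 and the three denies from 10.1.1.88 spaced 30 minutes apart stay below the threshold.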

It is good to hear that MARS is working for you.

My objection to MARS is based on already having much of the functionality offered by MARS being provided by existing systems. I have no desire to replace the existing solutions as they are working well for us. I also do not wish to duplicate functionality by adding MARS to the infrastructure.

SECMON (and VPN/Security Management Solution) is functional and meeting our requirements. I am frustrated by being forced into a significantly more complex solution to fix something that is not broken.

Take firewall, router, HIPS, etc. management out of the picture. I am purely interested in a tool to handle IPS/IDS sensor configuration, software updates, and near realtime event analysis. I prefer to do this through one application vs. managing each sensor individually through CLI/IDM. My impression is that MARS/CSM is deploying a framework-style enterprise solution to address what is in my case a very limited-scope requirement.

I am more inclined to find a new IPS solution that can fit in with our existing security procedures and infrastructure than I am to replace all the other infrastructure and procedures to manage the IPS solution. While this will not likely happen in the near term, it will certainly be a consideration when it comes time to expand and/or replace network IPS sensors.

What is Cisco's strategy for selling IPS sensors to customers with an existing security management/monitoring infrastructure? Are you (Cisco) proposing that people adopt MARS+CSM to someone looking to implement 10 IPS sensors? Is IDM the only alternative that will be available?

That's a fact. CSM won't report IPS probes running 6.0 at all. I just had to back out my IPS 6.0 installs. Yes, I jumped the gun and upgraded from 5.1(4) without checking first :P

Thank you for this clear response. It would be helpful to include this as a note in either the 6.0(1) Release Notes or somewhere in the VMS documentation. I already looked in both for this information.

I would like to also join the petition of requesting that an improved SecMon for IPS events be added to CSM. I already have an event management solution and will not be implementing MARS. SecMon functionality is a heavily utilized tool for realtime monitoring of IPS events in our environment.

To be clear, I am OK with being forced to replace VMS with CSM. I am *not* OK with being forced to replace VMS with CSM + MARS to get the same functionality we have now with VMS.

Quote:

"To be clear, I am OK with being forced to replace VMS with CSM. I am *not* OK with being forced to replace VMS with CSM + MARS to get the same functionality we have now with VMS."

I feel the same way and said the same thing before I was essentially forced into buying MARS. VMS has been barely functional in our environment for the past 12-18 months and the only definitive answers we got from our Cisco rep, vendor, VMS engineers, and TAC engineers (honestly, who else am I supposed to turn to?) was that VMS sucks and that's why they made CSM and we should move to CSM to resolve our issues. Awesome, so a product we bought is not functioning as it is supposed to and the solution is "use the new version". CSM was free for us because in order to continue monitoring our sensors (minor detail...) we would have to buy MARS. Now I'm reading here that CSM, the thing that according to everyone at Cisco has replaced VMS, can't manage (configure) the new version of their sensors?! What a joke their whole IPS solution is.

I couldn't be more disgusted with a company.