CS-MARS and ISS Proventia G

l_p_f2006
Level 1

I have some difficulty getting CS-MARS to recognise SNMP traps sent by ISS Proventia G400 to MARS.

The MARS 4.2.x user guide mentioned RealSecure 7.0, but I tried to configure a G400 device as a reporting device with "device type" set to RealSecure 7.0, and generated a few SNMP traps from the G400 IPS to MARS. But when I tried to use the query page to retrieve the events, no events were returned.

Anybody know if I can set G400 as a "RealSecure 7.0" device?

Or do I need to use the User Defined Log Parser Templates for ISS G400?

Anyone have an example to define a template for an SNMP trap? The user guide only gives us the example for a syslog msg, not an SNMP trap.

1 Reply

mhellman
Level 7

I don't know about the RealSecure 7.0 vs. G400. Aren't they different devices (IDS vs. IPS)? I wouldn't expect that the latter is supported (and I wouldn't hold my breath waiting for Cisco to add support).

In any case, I would recommend the following as a way to troubleshoot the reporting device:

Log in to the CLI on the CSMARS and use tcpdump to verify that the SNMP traps are being received by the CSMARS.

If they are, go into CSMARS and run an "Event Raw Messages" query for that device only. This should show all raw events, regardless of whether they were correctly parsed by CSMARS. If they aren't being correctly parsed, you will see that in the results.
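
Once tcpdump shows the traps arriving, decoding one payload shows the community, enterprise OID and varbinds that a parser would have to match. The sketch below is an added example, not part of the reply above and not Cisco or ISS code; it assumes the sensor sends SNMPv1 traps (RFC 1157 layout), and the function names, sample bytes, enterprise arc and address are all constructed placeholders.

```python
# Added example: minimal BER walk of an SNMPv1 Trap-PDU (RFC 1157 layout).
# SAMPLE_TRAP is constructed test data, not a capture from a real Proventia G400;
# enterprise arc 99999 and agent address 192.0.2.10 are placeholders.
SAMPLE_TRAP = bytes.fromhex(
    "3044 020100 04067075626c6963 a437"
    "06092b06010401868d1f01 4004c000020a 020106 020101 43023039"
    "301a 3018 060a2b06010401868d1f0101 040a746573742d6576656e74")

def tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def oid(value):
    """Decode OID content octets (first arc 0 or 1 assumed) to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_v1_trap(pkt):
    """Return the header fields and varbinds of one SNMPv1 trap datagram."""
    tag, msg, _ = tlv(pkt, 0)
    _, ver, p = tlv(msg, 0)
    _, community, p = tlv(msg, p)
    pdu_tag, pdu, _ = tlv(msg, p)
    if tag != 0x30 or ver != b"\x00" or pdu_tag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, p = [], 0
    for _ in range(6):  # enterprise, agent-addr, generic, specific, time-stamp, varbinds
        _, val, p = tlv(pdu, p)
        fields.append(val)
    ent, addr, generic, specific, _ticks, vblist = fields
    varbinds, p = [], 0
    while p < len(vblist):
        _, vb, p = tlv(vblist, p)
        _, name, q = tlv(vb, 0)
        vtag, val, _ = tlv(vb, q)
        varbinds.append((oid(name), vtag, val))
    return {"community": community.decode("ascii", "replace"), "enterprise": oid(ent),
            "agent": ".".join(map(str, addr)), "generic": int.from_bytes(generic, "big"),
            "specific": int.from_bytes(specific, "big"), "varbinds": varbinds}

if __name__ == "__main__":
    print(parse_v1_trap(SAMPLE_TRAP))
```

A payload that raises "not an SNMPv1 Trap-PDU" here is worth checking for a different SNMP version or PDU type before looking at the parsing side.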