
MARS and Tippingpoint

nora.taleb
Level 1

I would like to know if we can customize CS MARS to receive and understand logs from Tippingpoint IPS.

I would like to create a drop rule or customized rule that says that anything followed by the event "dropped package by IPS" is a system-determined false positive, or just drop it to reduce false positives. Is this possible, and please correct me if the idea is correct, because according to the link below, when Cisco IPS and CS MARS integrate, it identifies all dropped packages by IPS as false positive incidents, and I think that will decrease the number of incidents considering the number of blocked traffic by Tippingpoint IPS?!

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap11.html

Thank you

1 Accepted Solution


Scott Fringer
Cisco Employee

Nora;

Through the use of the Device Support Framework, CS-MARS can be configured to parse events received from devices that are not natively supported but can send their events via syslog or SNMP trap. You can read more about creating custom devices here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html

System-defined false positives cannot be defined by you; CS-MARS makes this decision based on data it has accumulated in regard to a firing incident. You can create a drop rule, which would allow you to configure CS-MARS to not create an incident when certain criteria are met (source IP, destination IP, event, etc.) or to completely ignore the event and not log it to the CS-MARS database. You can read more about CS-MARS rules here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html

Scott
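The two outcomes Scott distinguishes (log the event but raise no incident, versus discard the event entirely) are easy to get backwards when tuning a SIEM, so here is an added illustration of that pipeline in Python. It is not CS-MARS configuration or code, and the log format, the regex and the `DropRule` fields are assumptions made for this example; CS-MARS drop rules are built in its web GUI and TippingPoint's real syslog layout is not reproduced here. The sample syslog lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed syslog lines in a made-up IPS format (assumption: not TippingPoint's real layout).
SAMPLE_SYSLOG = """\
<134>Mar 10 12:00:01 ips01 IPS: action=Block sig="HTTP: Directory Traversal" src=10.1.1.5 dst=192.0.2.10 dport=80
<134>Mar 10 12:00:02 ips01 IPS: action=Permit sig="HTTP: Directory Traversal" src=10.1.1.6 dst=192.0.2.10 dport=80
<134>Mar 10 12:00:03 ips01 IPS: action=Block sig="SSH: Brute Force" src=198.51.100.7 dst=192.0.2.22 dport=22
<134>Mar 10 12:00:04 ips01 IPS: action=Permit sig="DNS: Malformed Query" src=10.1.1.9 dst=192.0.2.53 dport=53
"""

# Stand-in for a custom device parser definition: one regex that names the fields we keep.
EVENT_RE = re.compile(
    r'^<\d+>\S+ +\d+ [\d:]+ (?P<reporter>\S+) IPS: '
    r'action=(?P<action>\w+) sig="(?P<sig>[^"]+)" '
    r'src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$'
)


@dataclass
class Event:
    reporter: str
    action: str       # what the IPS did: "Block" or "Permit"
    signature: str
    src: str
    dst: str
    dport: int


def parse_event(line: str) -> Optional[Event]:
    """Normalize one raw syslog line into an Event; None if it does not match the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(m["reporter"], m["action"], m["sig"], m["src"], m["dst"], int(m["dport"]))


@dataclass
class DropRule:
    """Hypothetical drop rule: first matching rule wins.

    outcome = "suppress_incident": event is logged, but no incident is created.
    outcome = "discard_event":     event is not logged at all.
    Any criterion left as None is a wildcard.
    """
    name: str
    outcome: str
    ips_action: Optional[str] = None
    src_net: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        if self.ips_action is not None and ev.action != self.ips_action:
            return False
        if self.src_net is not None and ipaddress.ip_address(ev.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst is not None and ev.dst != self.dst:
            return False
        return True


# Rule 1 models the question: traffic the IPS already blocked is kept for forensics but raises no incident.
# Rule 2 models the other outcome: a known-noisy source against the internal DNS server is not even logged.
DROP_RULES = [
    DropRule("ips-already-blocked", "suppress_incident", ips_action="Block"),
    DropRule("noisy-internal-dns-probe", "discard_event", src_net="10.1.1.0/24", dst="192.0.2.53"),
]


def process(lines, rules):
    """Run raw lines through parse -> drop rules, returning which events ended up where."""
    result = {"incidents": [], "logged": [], "discarded": [], "unparsed": []}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            result["unparsed"].append(line)   # a parser gap: worth alerting on, never silently dropped
            continue
        rule = next((r for r in rules if r.matches(ev)), None)
        if rule is not None and rule.outcome == "discard_event":
            result["discarded"].append(ev)
            continue
        result["logged"].append(ev)           # both incident-raising and suppressed events are stored
        if rule is None:
            result["incidents"].append(ev)    # no rule matched: normal incident creation
    return result


if __name__ == "__main__":
    r = process(SAMPLE_SYSLOG.splitlines(), DROP_RULES)
    for bucket, events in r.items():
        print(f"{bucket}: {len(events)}")
```

On the constructed input this yields one incident (the permitted traversal attempt from 10.1.1.6), three logged events, one discarded event and nothing unparsed. The `unparsed` bucket is the part worth copying into a real deployment: a custom parser that quietly fails on a new message variant is how events from a non-native device disappear without anyone noticing.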

