10-11-2010 09:16 AM
I would like to know if we can customize CS MARS to receive and understand logs from Tippingpoint IPS.
I would like to create a drop rule or customized rule that says that anything followed by the event "dropped package by IPS" is a system determined false positive or just drop it to reduce false positives. Is this possible, and please correct me if the idea is correct, because according to the link below, when Cisco IPS and CS MARS integrate, it identifies all dropped packages by IPS as a false positive incident, and I think that will decrease the number of incidents considering the number of blocked traffic by Tippingpoint IPS?!
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap11.html
Thank you
10-13-2010 04:59 AM
Nora;
Through the use of the Device Support Framework, CS-MARS can be configured to parse events received from devices not natively supported and can send their events via syslog or SNMP trap. You can read more about creating custom devices here:
System defined false positives cannot be defined by you; the CS-MARS makes this decision based on data it has accumulated in regard to a firing incident. You can create a drop rule, which would allow you to configure CS-MARS to not create an incident when certain criteria are met (source IP, destination IP, event, etc.) or completely ignore the event and not log it to the CS-MARS database. You can read more about CS-MARS rules here:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html
Scott
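To make the two mechanisms in the answer concrete, here is a small added model (example code, not from this thread, not CS-MARS code, and not TippingPoint's real syslog format): a parser for an unsupported device's syslog lines, in the spirit of a custom device definition, followed by drop rules that either keep the event but suppress incident creation or discard it before storage. The log lines, the `ips01` host, the key=value field names and the rule criteria are all constructed for the example.

```python
"""Added example: parse syslog from a device with no native parser, then apply
drop rules of the two kinds the answer describes. Everything here (log format,
field names, rules) is constructed and is not CS-MARS or TippingPoint code."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample syslog lines: a syslog header followed by a key=value body.
SAMPLE_LOGS = [
    '<134>Oct 13 04:59:01 ips01 IPS: sig="HTTP Directory Traversal" src=10.1.2.3 dst=192.168.5.10 dport=80 action=block',
    '<134>Oct 13 04:59:02 ips01 IPS: sig="SMB Probe" src=10.1.2.9 dst=192.168.5.20 dport=445 action=permit',
    '<134>Oct 13 04:59:03 ips01 IPS: sig="Scanner Ping Sweep" src=10.9.9.9 dst=192.168.5.30 dport=0 action=block',
    '<134>Oct 13 04:59:04 ips01 IPS: sig="SQL Injection Attempt" src=172.16.0.7 dst=192.168.5.40 dport=443 action=permit',
]

HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) IPS: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value optionally quoted


def parse_event(line):
    """Turn one constructed syslog line into a dict; None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = {"host": m.group("host"), "timestamp": m.group("ts")}
    for key, raw, quoted in KV_RE.findall(m.group("body")):
        ev[key] = quoted if raw.startswith('"') else raw
    return ev


@dataclass
class DropRule:
    """Match criteria modelled on the answer: source/destination network, event
    name and device action. log_only=True keeps the event in the store but
    opens no incident; log_only=False discards the event entirely."""
    name: str
    src_net: str = None        # e.g. "10.0.0.0/8"
    dst_net: str = None
    event_pattern: str = None  # regex applied to the signature name
    action: str = None         # device action to match, e.g. "block"
    log_only: bool = True

    def matches(self, ev):
        if self.action and ev.get("action") != self.action:
            return False
        if self.event_pattern and not re.search(self.event_pattern, ev.get("sig", "")):
            return False
        for net, key in ((self.src_net, "src"), (self.dst_net, "dst")):
            if net:
                try:
                    if ipaddress.ip_address(ev[key]) not in ipaddress.ip_network(net):
                        return False
                except (KeyError, ValueError):  # missing or malformed address: no match
                    return False
        return True


@dataclass
class TriageResult:
    stored: list = field(default_factory=list)     # events written to the database
    incidents: list = field(default_factory=list)  # events that would open an incident
    discarded: list = field(default_factory=list)  # events dropped before storage
    unparsed: list = field(default_factory=list)   # lines the custom parser rejected


def triage(lines, rules):
    """Parse each line and apply the first matching drop rule (first match wins)."""
    result = TriageResult()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            result.unparsed.append(line)
            continue
        rule = next((r for r in rules if r.matches(ev)), None)
        if rule is None:                 # no drop rule: store it and raise an incident
            result.stored.append(ev)
            result.incidents.append(ev)
        elif rule.log_only:              # keep for searching, but no incident
            result.stored.append(ev)
        else:                            # ignore completely, never logged
            result.discarded.append(ev)
    return result


# Constructed rules. Order matters: the discard rule is listed first so the
# scanner's blocked events are not caught by the broader "already blocked" rule.
RULES = [
    DropRule("authorised scanner noise", src_net="10.9.9.0/24", log_only=False),
    DropRule("already blocked by IPS", action="block", log_only=True),
]


def demo():
    """Run the constructed logs through the constructed rules."""
    return triage(SAMPLE_LOGS, RULES)


if __name__ == "__main__":
    r = demo()
    print(f"stored={len(r.stored)} incidents={len(r.incidents)} "
          f"discarded={len(r.discarded)} unparsed={len(r.unparsed)}")
    for ev in r.incidents:
        print("INCIDENT:", ev["sig"], ev["src"], "->", ev["dst"])
```

The two drop-rule kinds map onto the answer's distinction: `log_only=True` is the "do not create an incident" rule, and `log_only=False` is the "ignore the event and do not log it" rule. Rule order is the practical point to check when building such rules, since a broad suppression rule placed first can hide events a narrower rule was meant to handle differently.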