Been a while since I've looked at this stuff, so hopefully I don't butcher the terminology too bad. Back in the old days, we defined event action filter variables and policies directly on an IPS sensor. These two items provided overlapping functiona...
We use Cisco appliances primarily in monitoring mode. We'd like to use the IPS reputation filtering / global correlation to alert us when we have connections to "bad" IP addresses (e.g. botnet, etc). Is it even possible to use either of these featu...
We use WCS and AAA in our wireless environment. Reading through the WCS user guide (http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2manag.html#wp1089936), authorization seems awfully coarse-grained. Is there a way to provide ...
1) It appears you can only add 4.x WLC's in version 5.x of MARS. We're running WLC 5.x and some of the events are not being parsed. Can anyone confirm that this is fixed in MARS 6.x? Can you actually add the device as a 5.x device? 2) Does 6.x receive a...
I have a simple batch query for the last 24 hours that shows total sessions by reporting device type. When I select "Total View" and "Last Run Time" and "display report" I get totally different results than when I select "CSV" and "Last Run Time" and "di...
Unless you are concerned about your internal users attacking external websites, you should create an event action filter for these when sourced from your own network. If you don't, you will see a ton of them in normal traffic (Yahoo is a big one that ha...
BUMP. Anyone? Is there a way in CSM to push down these variables independent from the event action filters so that the locality reflects some meaningful network description?
Just listened to the techtalk on global correlation. About 16 minutes in...."we do not send events just to keep the load quiet". Can someone from Cisco please confirm that this completely naive and poorly engineered facet of the solution still work...
I applaud you for doing this, you're a whole lot braver than I. We use real Snort where we want Snort rules. We have pretty much default configurations and the sensors crash-and-burn during normal signature updates from CSM. Heck, ALL of the sensor...