I am running 6.0.3 MARS, Data Package Version: 32, Signature Version: 396. We have recently stood up an Enterasys Dragon 7.2.3. I followed the instructions for adding the device type for a Dragon 6.x device and with some differences on the Enterasys ...
Is there any way to export raw logs from CS-MARS or is the Query option (or the syslog relay) the only way to interrogate against any log data that is collected by CS-MARS? So for instance, I wanted to dump either all (or part based on date/time range...
Is there any way to perform a NOT on a regular expression match. For instance, in PCRE it would be !"/[A-Z]+/i". I cannot determine if there is a valid way to do this on a Cisco IDS regex string. Any help or info would be greatly appreciated.
What is the best way to identify that a specific signature has fired on IDS/IPS 6.x that is feeding into a CS-MARS appliance? Would the easiest way be to match "ANY" for Event Type and then do a keyword match? If so, what is it matching on, the signatur...
I have done a previous search and realize that there is no good way to convert Snort signatures to Cisco IDS/IPS custom signatures. I was wondering if anyone has ever converted the Snort "state-based" TCP string matched signature into something that...
I am able to pull out the raw messages for the Cisco IDSM events that are stored on CS-MARS; however, the text has a lot of junk characters and does not seem to use standard delimiters. Although a lot of the text is readable, it is littered with random ...
So after looking at this section regarding CS-MARS 4.3.x appliances: http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.3/user/guide/local_controller/cfgidsn.html#wp1222674 The guide says I should go to Admin->System Setup->IPS Custo...
But how about against an entire expression? Such as, I want to say match on expression "BLAH\:[A-Z]+\n" then do a NOT on it. So match if not equal to the entire expression. Thanks.
I believe I have figured out that this is possible using a Meta Engine match on multiple signatures - at least looking at one of the pre-defined signatures such as 5748.