Wednesday, January 16, 2008

Gen1 and 2 - Cisco IPS Part 2

Following on from yesterdays article, i`m going to move onto adding Cisco IPS Custom Signatures into MARS.

As you will probably already know, if you create a Custom IPS Sig, and this Signature is fired, with an alert to MARS, this will appear as an "Unknown Device Event Type"

Why is this? Well simply put, MARS does not understand this Event, as its not defined in the MARS database, unlike all the other Cisco IPS signatures.

So how can we tell MARS about our Custom IPS Signatures? We can create an XML file, with the details of the Custom Sigs, and upload it to MARS, see below....

Ok I`ve created a Custom Signature below to fire when a JPG is detected (nothing too exciting i know! ;-p )

Using the Service HTTP Engine, with some simple Regex...

I`ve tested the Custom Signature Works..

And now i`m ready to create an XML file, with its details. I wont go into too much detail, as there is a write up in the User Guide, but the contents on my XML file (for a 5.32 OS) are below, with the important customizable fields in bold.

Its important to Note, this XML file should be saved with the format...—Where X is an integer . Start with 1 and increment for each additional signature (for example, This number indicates the version number of the custom signature package. Subsequent updates must increment this version number. (Its not documented but i`ve found that this number should match the Version number in the XML)

MARS uses this number to ensure that the Local Controllers are synchronized with the Global Controller.

The Event Type attribute value identifies either an existing MARS event type or a new MARS event type.

If it is a new MARS event type, it should be in the range of 90000000-9049000. This value range is reserved for custom signature IDs.

Note If the ID maps to a previously used custom ID, information for that custom event is updated with the data in this XML file. If ID maps to a system event type, the information is not updated.

The event priority value should match the severity of the firing signature as configured on the Cisco IPS device.

The DEVICE_ET attribute of this element identifies the IPS custom signatureId/subId. For example, if the IPS signature has sigID=60001 and subID=0 then DEVICE_ET=NR-60001/0. The prefix "NR-" is required for all values in this attribute.

The Event Type Group element must be an existing MARS event type group. You can map MARS event types to more than one event type group. ie..

EventTypeGroup ET_GROUP_NAME="Penetrate/BufferOverflow/Web"/
EventTypeGroup ET_GROUP_NAME="Penetrate/All"/

Ok we can now upload this XML file, and MARS will create the new Events..

As you will notice from the above pic, you have to give the MARS box a few seconds after the upload, to apply the changes. (It says version 0 above)

When done, the Custom Signature Update version will display the correct value. This can be confirmed by going to Help/About..

If all goes well, you can see via Management, Event Management, that the new Event is defined..

And we can see the details..

And now MARS will correctly categorize the event when fired by the IPS.

Just one more thing to add that i have found, but its not mentioned in the documentation, so i`m unsure if supported. You can add strings in the XML file for Recommended Actions and False Positve Conditions, and these will be picked up...

I`ll carry the Custom IPS theme on, in the next article, with how to add more than one Custom Sig at a time, and some troubleshooting.

1 comment:

Anonymous said...

Hello, I wanna know if I can see all the logs of each device registered in MARS, I mean for example, to see all the logs that a checkpoint device reports to the MARS. or.. How do I know that MARS is receiving Logs from the Checkpoint device?
Thanks a Lot