Tuesday, January 15, 2008

Gen2: Cisco IPS Features - Part 1

One of the things I'm always asked is: what are the differences between the Gen1 and Gen2 appliances, as well as the hardware changes?

Well, one difference is the way that the MARS box can integrate with Cisco IPS.

If you are a Cisco IPS user, you will know that you can log the IP packets associated with a signature that has fired.

You can view the trigger packets and IP log data associated with incidents reported by Cisco IDS 4.x and Cisco IPS 5.x and 6.x devices, whether they are sensor appliances or modules.

And to quote from the manual: "MARS includes two event types that focus on these two data types:

•Trigger packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. The trigger packet provides a single data packet—the data packet that caused the alarm to fire.

•Packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. Although the amount of data contained in an IP log varies based on sensor configuration, by default an IP log contains 30 seconds of packet data. To view this data, you must enable the Pull IP Logs option on the Cisco IPS device under Admin > System Setup > Security and Monitor Devices."

MARS is also able to pull the IP log data from Cisco IDS and IPS devices, and this is where the Gen1 and Gen2 appliances differ...

Consider the following: on a MARS Gen2 box, I've created a rule in MARS to fire when the ICMP Echo Request signature is hit in Cisco IPS. Not a very exciting example, I know, but it will demonstrate the point.

So an Incident is created in MARS..


And this is the Event, on the Cisco IPS Box..

Now this is where the differences between Gen1 and Gen2 appliances lie: in the representation of that data in MARS.

A Gen1 box will give the following, with a couple of lines of packet data if you're lucky..


And the Gen2 box will give the following..


Notice how the RAW Message from the Cisco IPS sensor has all the IDS alert info, and how there are now two extra RAW Message links available.

View Decode will give you a raw view of the capture, and Download Decode will let you download the IP log in PCAP format to open and view with Ethereal or Wireshark etc.

View Decode


Download Decode



I believe this is possible due to some design changes on the Gen2 boxes, where the 500 byte limit has been increased to 1.5 MB.

Cisco gives words of caution with IP logs: "Configuring IP logging and verbose alerts on the sensor is system intensive and does affect the performance of your sensor. In addition, it affects the performance of your MARS Appliance. Because of these effects, you should be cautious in configuring signatures to generate IP logs."
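Once you have used Download Decode to save the IP log, you will usually want a quick sanity check before opening it in Wireshark: how many packets the sensor actually logged, what time window they cover (the manual's default is 30 seconds), and whether the packets match the signature that fired (ICMP Echo Request in the example above). The script below is an added example written for this post, not code from MARS or Cisco; it assumes the downloaded file is a classic libpcap capture with Ethernet framing (this is an assumption, not something verified against a MARS export), and it builds a small constructed capture of three ICMP packets inline so it runs without a real IP log.

```python
import struct
import sys

# Classic libpcap constants. Assumption: the "Download Decode" file is classic pcap
# with Ethernet (link type 1) framing; adjust if your export differs.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_frame(src_ip: str, dst_ip: str, icmp_type: int, seq: int) -> bytes:
    """Build one Ethernet/IPv4/ICMP frame. Constructed test data, not a real capture."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + b"abcdefghijklmnop"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, IPPROTO_ICMP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def build_sample_pcap() -> bytes:
    """Constructed stand-in for an IP log: two echo requests and one reply, 1 second apart."""
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [
        (1200405600, 0, build_icmp_frame("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, 1)),
        (1200405600, 1500, build_icmp_frame("10.0.0.1", "10.0.0.5", ICMP_ECHO_REPLY, 1)),
        (1200405601, 0, build_icmp_frame("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, 2)),
    ]
    out = bytearray(global_hdr)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_pcap_records(data: bytes):
    """Yield (timestamp, frame_bytes) for each record; detects byte order from the magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            break  # truncated final record; stop rather than mis-parse
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def summarize_ip_log(data: bytes) -> dict:
    """Count packets, classify ICMP echo traffic, and measure the logged time window."""
    summary = {"packets": 0, "echo_requests": 0, "echo_replies": 0,
               "other": 0, "requests": [], "span_seconds": 0.0}
    first = last = None
    for ts, frame in iter_pcap_records(data):
        summary["packets"] += 1
        first = ts if first is None else first
        last = ts
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            summary["other"] += 1
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        if ip[9] != IPPROTO_ICMP or len(ip) <= ihl:
            summary["other"] += 1
            continue
        icmp_type = ip[ihl]
        if icmp_type == ICMP_ECHO_REQUEST:
            summary["echo_requests"] += 1
            summary["requests"].append((src, dst))
        elif icmp_type == ICMP_ECHO_REPLY:
            summary["echo_replies"] += 1
        else:
            summary["other"] += 1
    if first is not None:
        summary["span_seconds"] = round(last - first, 6)
    return summary


if __name__ == "__main__":
    # Pass the path of a downloaded IP log, or run with no argument for the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for key, value in summarize_ip_log(data).items():
        print("%-14s %s" % (key, value))
```

The span_seconds value is the quickest way to tell a trigger packet export (a single packet, span 0) from a full IP log (by default about 30 seconds of traffic); a log with far more packets than you expected is also the first sign that the performance warning above applies to your sensor.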

In the next part of this series I'll show you how to update your MARS box (Gen1 or 2) with your custom IPS signatures.


2 comments:

mathias said...

Thanks for all the useful information regarding MARS and IPS posted so far!

Hoffa said...

Will the difference between Gen1 MARS and Gen2 be equalized through software updates or are we early customers stuck with an obsolete appliance?