Custom IPS Signature Events

In Part 3 of the Cisco IPS Custom Signatures Article, after discussion with someone i cant remember,I made the following statement....

"An important note to remember is that once you define a Custom IPS sig, this cannot be deleted, but can be overwritten."

Now this is not strictly true, as i have found, whilst doing some custom parser work. When defining event parsers i noticed that an event was in the list (Confidential File.....), from a Cisco IPS custom signature i imported a while back...

Now events here can be deleted, so i thought i`d try it...

Sure enough, the Custom IPS Signature Event was listed, with the Cisco IPS Custom Sig ID of 60000/0, and the Groups and Inspection Rules it belongs too. So i went ahead and deleted.

Now i did a quick check on the Custom IPS Signature upload page, to see if anything untoward had happened here...

And i also did a check, whether or not the Event had actually gone. So a quick search of Events for device Cisco IPS 6.x, showed it had indeed been deleted.

Great stuff, so to be sure, so i uploaded a second custom parser event....

And sure enough, the event appeared under the Custom Parser Event Types, and thus can be slightly edited like any custom parser event.. (the description edited below)

And these changes do stick, as a quick event query for Cisco IPS6.x events shows.


NB: This is my own findings, and to my knowledge not in the MARS Userguide. So before you go deleting events as above, i`d check with TAC, that you are not going to explode your MARS box or anything :-)

Custom Parsing Gotcha

I`m in the process of finishing a custom parser, to share with the user group. Have a look at the image above, everything looks fine, the message has been successfully parsed.

But on closer inspection the Matched Strings and Parsed Strings for the Source and Destination Addresses are different.

Why is this? Well in this particular case, the device sending the syslog to MARS was "zero-padding" the syslog messages, so in the case of an ip address 10.10.10.10 this would appear as 010.010.010.010. Cisco MARS then treated that incoming syslog as an Octal number.

"Octal numerals can be made from binary numerals by grouping consecutive digits into groups of three (starting from the right). For example, the binary representation for decimal 74 is 1001010, which groups into 001 001 010 — so the octal representation is 112." - http://en.wikipedia.org/wiki/Octal

All is not lost though, as it is possible to include regex to elimate the leading zero. In my case the solution was a little simpler. Luckily the appliance i was creating the parser for, had the option to disable the option for zero padded IP Addresses in the Syslog. :-)

Firewall Issues

Sometimes i get asked, about the Rule "System Rule: Operational Issue: Firewall", and what kinds of events would trigger this.

"This rule detects operational errors (e.g. bad network connectivity, failover errors, internal software/hardware errors) reported by a firewall - this may indicate that the firewall is not functioning properly."

Well one such event, is "URL Server not responding".

In this example the customer was running Websense for their URL filtering, and basically the server died. Hence the following rule fired. This includes the IP of the Filtering Device, in this case an ASA, and the Filtering Server IP.

Now in that particular case, Internet Access would cease to function for everyone, configured to be be assesed via the Filtering Service (the default action). So you would probably be aware, something was a miss on the network.

But with the Cisco PIX/ASA, there are some other options, that can be configured in the event of the URL Filtering Solution failing.

We can configure "Allow outbound HTTP traffic when URL Server is down", great to keep Internet Access going, but not so great that users can then access any malware ridden side they please.

So another event to look out for is "URL Server not responding, ENTERING ALLOW mode"

MARS 25, 25R and 55 on the Horizon

I noticed on CDW that pricing for the new Cisco MARS 25, 25R and 55 models was available.

•CS-MARS-25R-K9

•CS-MARS-25-K9

•CS-MARS-55-K9

To my knowledge these new 1U, Gen2 based models are not yet released, but looking on Cisco.com, information on the models is starting to slip out...

The information above, taken from the 5.3 install guide. Interesting to note that the 55 model, has a field replaceable hot swappable drives.

More info on these models, soon.

So what else is new? Well... the Cisco MARS User Group, now has over 700 members, this is great.

I also noticed a new voicemail feature that google were pushing for blogger, but it was only available to US members. So i`ve created my own via skype. Any comments, requests for articles etc, leave me a voicemail!

Custom IPS Signatures with Cisco MARS Demo

Ok as promised the link to a new Demo i`ve created for Demolabs.co.uk now with sound! :-)

This demo created for a seminar, shows creating a custom signature in Cisco IPS, and the process for MARS to understand the event, with a little scenario around remote users downloading confidential files.

Note: The demo does not imply that custom signatures should be used wisely on the network for this purpose!, as there are more relevant products such as websense data security suite that could meet this objective.

SSL VPN Event Reporting

A customer asked me the other day "I`ve no access to the firewall, and Person X claims they are working at home today. Can i check with MARS if they`ve actually used the VPN."

Not exactly, a major security event i know, but that data is in MARS. A quick look at the known WEBVPN events for the Cisco ASA, shows over 66, that MARS understands.

So i basically set up a RAW event query on the ASA device, with a keyword of Webvpn, to see what events i could build a query from.


The event i chose to build the query on, was "Webvpn User Authentication Successful".


The query was set to display event data for the last 7 days, i selected to display the data, as "Reported User Ranking", results format. Once happy with the results being shown, i saved the query as a report.

We can schedule how often we require reports to be run, in which i selected every hour.

And, one cool thing, is that we can customise which reports we want to display under Summary/My Reports..


Now i didnt, just leave it there, with this particular customer. Seeing who has been using the VPN is good, but its also important to see who has been failing to authenticate with the VPN...


And maybe some resource usage...


That completes this article, but look out tomorrow for a new demo, i`ve created for www.demolabs.co.uk, on using Custom IPS Signatures with MARS. This is from a Cisco Security Seminar that Satisnet, have been giving in London over the last week.