Friday, January 18, 2008

Gen1 and 2 - Cisco IPS Part 3

Okay Dokey, how do you add more than one Custom Signature at a time?

This again is not documented, so I've experimented with a test box I have, and basically copied the format that the dynamic IPS updates use.

Consider the example below: 2 Custom Sigs are in the XML file, one in RED and one in BLUE, with the remaining XML headers in bold.

And this works fine..


Troubleshooting

Now an important note to remember is that once you define a Custom IPS sig, it cannot be deleted, but it can be overwritten.

Now you can tell when you have been successful with an update, since the uploaded version and updated Version numbers will be the same (plus you will be able to see the events under Event Management).

But what can you do when you get this error?

Well, for a start I'd check that the format of the XML file is correct, but there may also be some tell-tale signs in the Backend Log. This can be viewed with pnlog show backend from the CLI, or Admin/System Maintenance/View Log Files from the GUI.


You will also receive an incident from MARS, notifying that you have not been successful.

Incidentally, if you are successful the backend log will look something like this..


I hope this helps.

Wednesday, January 16, 2008

Gen1 and 2 - Cisco IPS Part 2

Following on from yesterday's article, I'm going to move on to adding Cisco IPS Custom Signatures into MARS.

As you will probably already know, if you create a Custom IPS Sig and this Signature is fired with an alert to MARS, it will appear as an "Unknown Device Event Type".

Why is this? Well, simply put, MARS does not understand this Event, as it's not defined in the MARS database, unlike all the other Cisco IPS signatures.

So how can we tell MARS about our Custom IPS Signatures? We can create an XML file with the details of the Custom Sigs and upload it to MARS; see below....

Ok, I've created a Custom Signature below to fire when a JPG is detected (nothing too exciting I know! ;-p )

Using the Service HTTP Engine, with some simple Regex...

I've tested that the Custom Signature works..

And now I'm ready to create an XML file with its details. I won't go into too much detail, as there is a write-up in the User Guide, but the contents of my XML file (for a 5.32 OS) are below, with the important customizable fields in bold.

It's important to note that this XML file should be saved with the following file name format...

x.custom.inc.xml, where x is an integer. Start with 1 and increment for each additional signature (for example, 1.custom.inc.xml). This number indicates the version number of the custom signature package. Subsequent updates must increment this version number. (It's not documented, but I've found that this number should match the Version number in the XML.)

MARS uses this number to ensure that the Local Controllers are synchronized with the Global Controller.

The Event Type attribute value identifies either an existing MARS event type or a new MARS event type.

If it is a new MARS event type, it should be in the range of 90000000-9049000. This value range is reserved for custom signature IDs.

Note: If the ID maps to a previously used custom ID, information for that custom event is updated with the data in this XML file. If the ID maps to a system event type, the information is not updated.

The event priority value should match the severity of the firing signature as configured on the Cisco IPS device.

The DEVICE_ET attribute of this element identifies the IPS custom signatureId/subId. For example, if the IPS signature has sigID=60001 and subID=0 then DEVICE_ET=NR-60001/0. The prefix "NR-" is required for all values in this attribute.

The Event Type Group element must be an existing MARS event type group. You can map MARS event types to more than one event type group, for example:

<EventTypeGroup ET_GROUP_NAME="Penetrate/BufferOverflow/Web"/>
<EventTypeGroup ET_GROUP_NAME="Penetrate/All"/>
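Since the XML itself is only shown in the screenshots, here is an added pre-upload check that enforces the rules listed above before you push the file to MARS: the x.custom.inc.xml file name, the version number in the file name matching the Version in the XML, custom IDs starting at 90000000, the NR-sigID/subID form of DEVICE_ET, and each event mapping to at least one known event type group. It also handles a file carrying more than one Custom Sig, as in the Part 3 post above. This is example code, not code from this blog or from Cisco. The root element name UpdatePackage, the element name EventType, the attribute names VERSION, ID and PRIORITY, and the upper bound used for the custom ID range are assumptions; only DEVICE_ET, ET_GROUP_NAME and the two group names come from the post.

```python
"""Pre-upload sanity check for a MARS custom IPS signature package.

Added example, not from the original post or from Cisco. The element names
UpdatePackage / EventType and the VERSION, ID and PRIORITY attribute names are
assumptions about the file layout; DEVICE_ET and ET_GROUP_NAME are from the post.
"""
import re
import xml.etree.ElementTree as ET

FILENAME_RE = re.compile(r"^(\d+)\.custom\.inc\.xml$")   # x.custom.inc.xml
DEVICE_ET_RE = re.compile(r"^NR-\d+/\d+$")               # NR-<sigId>/<subId>
CUSTOM_ID_MIN = 90000000                                  # from the post
CUSTOM_ID_MAX = 90490000                                  # assumption: adjust to your User Guide
# Groups known to exist on the box; the two below are the ones named in the post.
KNOWN_GROUPS = {"Penetrate/BufferOverflow/Web", "Penetrate/All"}

# Constructed sample package with two custom signatures in one file.
SAMPLE_XML = """<?xml version="1.0"?>
<UpdatePackage VERSION="2">
  <EventType ID="90000001" DEVICE_ET="NR-60001/0" PRIORITY="low">
    <EventTypeGroup ET_GROUP_NAME="Penetrate/All"/>
  </EventType>
  <EventType ID="90000002" DEVICE_ET="NR-60002/0" PRIORITY="medium">
    <EventTypeGroup ET_GROUP_NAME="Penetrate/BufferOverflow/Web"/>
    <EventTypeGroup ET_GROUP_NAME="Penetrate/All"/>
  </EventType>
</UpdatePackage>
"""


def check_package(filename, xml_text, known_groups=KNOWN_GROUPS):
    """Return a list of problems; an empty list means the file passes every rule."""
    problems = []

    # Rule 1: file name must be <integer>.custom.inc.xml
    m = FILENAME_RE.match(filename)
    file_version = int(m.group(1)) if m else None
    if m is None:
        problems.append(f"file name {filename!r} is not of the form x.custom.inc.xml")

    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return problems + [f"XML does not parse: {exc}"]

    # Rule 2: version in the XML should match the number in the file name
    version = root.get("VERSION")
    if version is None or not version.isdigit():
        problems.append("root element has no numeric VERSION attribute")
    elif file_version is not None and int(version) != file_version:
        problems.append(f"VERSION={version} in XML but file name says {file_version}")

    # Rules 3-5: every event-type element (recognised by its DEVICE_ET attribute)
    seen_ids = set()
    for event in root.iter():
        device_et = event.get("DEVICE_ET")
        if device_et is None:
            continue  # not an event-type element
        event_id = event.get("ID", "")
        if not event_id.isdigit() or not CUSTOM_ID_MIN <= int(event_id) <= CUSTOM_ID_MAX:
            problems.append(f"ID {event_id!r} is outside the custom range")
        if event_id in seen_ids:
            problems.append(f"ID {event_id} used twice in this file")
        seen_ids.add(event_id)
        if not DEVICE_ET_RE.match(device_et):
            problems.append(f"DEVICE_ET {device_et!r} must look like NR-<sigId>/<subId>")
        groups = [g.get("ET_GROUP_NAME") for g in event.iter() if g.get("ET_GROUP_NAME")]
        if not groups:
            problems.append(f"event {event_id} is not mapped to any event type group")
        for group in groups:
            if group not in known_groups:
                problems.append(f"event {event_id}: unknown event type group {group!r}")

    if not seen_ids:
        problems.append("no element with a DEVICE_ET attribute found")
    return problems


if __name__ == "__main__":
    for problem in check_package("2.custom.inc.xml", SAMPLE_XML) or ["package looks uploadable"]:
        print(problem)
```

Run it against a real package as check_package("3.custom.inc.xml", open("3.custom.inc.xml").read()) and add your own box's group names to KNOWN_GROUPS; a mismatch between the file name number and the VERSION attribute is the first thing to look for when an upload is rejected.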

Ok we can now upload this XML file, and MARS will create the new Events..

As you will notice from the above pic, you have to give the MARS box a few seconds after the upload to apply the changes. (It says version 0 above.)

When done, the Custom Signature Update version will display the correct value. This can be confirmed by going to Help/About..


If all goes well, you can see via Management, Event Management, that the new Event is defined..

And we can see the details..

And now MARS will correctly categorize the event when fired by the IPS.

Just one more thing to add that I have found, but it's not mentioned in the documentation, so I'm unsure if it's supported. You can add strings in the XML file for Recommended Actions and False Positive Conditions, and these will be picked up...


I'll carry the Custom IPS theme on in the next article, with how to add more than one Custom Sig at a time, and some troubleshooting.

Tuesday, January 15, 2008

Gen2: Cisco IPS Features - Part 1

One of the things I'm always asked is: what are the differences between the Gen1 and Gen2 appliances, as well as the hardware changes?

Well, one difference is the way that the MARS Box can integrate with Cisco IPS.

If you are a Cisco IPS user, you will know that you can Log IP packets associated with a Signature that's fired.

You can view the trigger packets and IP log data associated with incidents reported by Cisco IDS 4.x and Cisco IPS 5.x and 6.x devices, whether they are sensor appliances or modules.

And to quote from the Manual: "MARS includes two event types that focus on these two data types:

•Trigger packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. The trigger packet provides a single data packet—the data packet that caused the alarm to fire.

•Packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. Although the amount of data contained in an IP log varies based on sensor configuration, by default an IP log contains 30 seconds of packet data. To view this data, you must enable the Pull IP Logs option on the Cisco IPS device under Admin > System Setup > Security and Monitor Devices."

MARS is also able to pull the IP log data from Cisco IDS and IPS devices, and this is where the Gen1 and Gen2 appliances differ.....

Consider the following: on a MARS Gen2 Box, I've created a RULE in MARS to fire when the ICMP Echo Request signature is hit in Cisco IPS. Not a very exciting example I know!, but it will demonstrate the point.

So an Incident is created in MARS..


And this is the Event, on the Cisco IPS Box..

Now this is where the differences between the Gen1 and Gen2 appliances lie: in the representation of that data in MARS.

A Gen1 box will give the following, with a couple of lines of packet data if you're lucky..


And the Gen2 box will give the following..


Notice how the RAW Message from the Cisco IPS Sensor has all the IDS Alert info, and how there are now 2 extra RAW Message links available.

The View Decode will give you a RAW view of the capture, and the Download Decode will let you download the IP Log in PCAP format to open and view with Ethereal or Wireshark etc..

View Decode


Download Decode



I believe this is possible due to some design changes on the Gen2 boxes, where the 500 byte limit has been increased to 1.5MB.

Cisco give a word of caution with IP Logs: "Configuring IP logging and verbose alerts on the sensor is system intensive and does affect the performance of your sensor. In addition, it affects the performance of your MARS Appliance. Because of these effects, you should be cautious in configuring signatures to generate IP logs."

In the next part of this series I'll show you how to update your MARS box (Gen1 or 2) with your Custom IPS Signatures.


Thursday, January 10, 2008

SANS Reading Room Paper


I came across the paper below the other day in the SANS Reading Room; it's worth a read for MARS newbies.

Entitled "Configuring and Tuning Cisco CS-MARS", this paper was produced by John Jarocki, for his GCIA Qualification.

The paper is based on an older version of MARS, so note there have been some improvements like Dynamic IPS Updates since its creation.

On another note, if you have something to share with the MARS community, or would like to create a guest article for the Blog, please get in touch, or join the Cisco MARS User Group, where we have over 620 users now.


Sunday, January 06, 2008

End-of-Sale and End-of-Life

Happy new year to you all.

Some news that appeared mid-Dec 07, if you have not seen this already..

Cisco have announced the end-of-sale and end-of-life dates for the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) models 100, 100e, 200, GCm, and GC.

Full info available here.

Ok, following the trend of other blogs, here is my prediction for 2008! I predict Cisco MARS will get some new and very long awaited (overdue!) features :-)

I am going to start my CCIE Security studies this month. If you have had any success with building a lab with QEMU/PEMU and Dynamips, let me know!