View Detailed Event Data For Cisco Ips Devices - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Chapter 6
Configuring Network-based IDS and IPS Devices
Cisco IDS 4.0 and IPS 5.x Sensors

c. Click Add to move the specified network into the Monitored Networks field.
d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from the Select a Network list.
b. Click Add to move the selected network into the Monitored Networks field.
c. Repeat as needed.

Step 4 To save your changes, click Submit.

Step 5 To enable MARS to start sessionizing events from this module, click Activate.

View Detailed Event Data for Cisco IPS Devices

You can view the trigger packets and IP log data associated with incidents reported by Cisco IDS 4.x and Cisco IPS 5.x devices, whether they are sensor appliances or modules. This information is useful when an in-depth understanding of the attack method is desired. MARS includes two event types that focus on these two data types:

Trigger packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. The trigger packet provides a single data packet—the data packet that caused the alarm to fire.

Packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. Although the amount of data contained in an IP log varies based on sensor configuration, by default an IP log contains 30 seconds of packet data. To view this data, you must enable the Pull IP Logs option on the Cisco IPS device under Admin > System Setup > Security and Monitor Devices.

Note MARS does not collect this data for Cisco IDS 3.x devices.

For the correct signature settings required to generate this data, see Enable the Correct Signatures and Actions, page 6-6.

If the IP log feature is enabled for the reporting Cisco IPS device, these event types are combined as part of the incident data. You can view this data by drilling down in an incident, expanding the desired event type (either Packet Data or Trigger Packet Data), selecting an event, and clicking the RAW Events for this Session icon under the Reporting Device column of that event. The source, destination, and other data displayed for these events matches that of the original alert. In addition, this data appears in hexadecimal and binary format.

Note The trigger packet and IP log data is stored using a base64-encoded format in the MARS database. Therefore, keyword search does not work on it if you just provide the search string.

User Guide for Cisco Security MARS Local Controller
78-17020-01
6-9
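The note above explains that a plain keyword search misses trigger packet and IP log data because MARS stores it base64-encoded; the following Python is an added example (not code from the Cisco manual or from MARS) showing why the literal search fails and two ways an analyst can still find a string: decode the stored blob first, or translate the keyword into the three base64 fragments that can represent it at any byte alignment, plus a hex view like the hexadecimal display mentioned above. The packet bytes and the stored blob are constructed for the example.

```python
import base64

# Constructed sample: a trigger packet as MARS would store it (base64). The bytes
# are made up for this example (minimal IPv4 header + HTTP request), not sensor output.
RAW_PACKET = (
    b"\x45\x00\x00\x3c\x1c\x46\x40\x00\x40\x06\xb1\xe6\xc0\xa8\x00\x01"
    b"\xc0\xa8\x00\xc7" + b"GET /cgi-bin/status?cmd=ls HTTP/1.0\r\n"
)
STORED_TRIGGER_PACKET = base64.b64encode(RAW_PACKET).decode("ascii")

def find_in_stored(stored_b64: str, keyword: str) -> int:
    """Decode the stored packet and return the byte offset of keyword, or -1.
    Searching the decoded bytes is the reliable way to keyword-search this data."""
    return base64.b64decode(stored_b64).find(keyword.encode())

def base64_variants(keyword: bytes) -> list[str]:
    """Base64 fragments that match keyword at each of the 3 byte alignments.
    Base64 maps 3 bytes to 4 chars, so a substring's encoding depends on its
    offset mod 3; prefix 0/1/2 dummy bytes, then trim the chars that also depend
    on unknown neighbouring bytes. The result can be searched in the raw blob."""
    if len(keyword) < 3:
        raise ValueError("keyword must be at least 3 bytes to yield stable fragments")
    variants = []
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + keyword).decode("ascii").rstrip("=")
        start = (0, 2, 3)[lead]                      # chars tainted by the dummy prefix
        drop = (0, 1, 1)[(lead + len(keyword)) % 3]  # chars tainted by the unknown next byte
        variants.append(enc[start:len(enc) - drop])
    return variants

def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / printable columns, similar to a hexadecimal event view."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)

if __name__ == "__main__":
    print("literal search hits:", "cgi-bin" in STORED_TRIGGER_PACKET)      # False
    print("decoded offset:", find_in_stored(STORED_TRIGGER_PACKET, "cgi-bin"))  # 25
    print(hexdump(base64.b64decode(STORED_TRIGGER_PACKET)))
```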