Cisco IDS 4.0 and IPS 5.x Sensors
Enable the Access Protocol on the Sensor
The configuration of the sensor depends on the version of the software that is running on the sensor. The
following topics identify the requirements of each version:
• Cisco IDS 4.x Software, page 6-6
• Cisco IPS 5.x Software, page 6-6
Cisco IDS 4.x Software
For Cisco IDS 4.x devices, MARS pulls the logs using RDEP over SSL. Therefore, MARS must have
HTTPS access to the sensor. To prepare the sensor, you must enable the HTTP server on the sensor,
enable TLS to allow HTTPS access, and make sure that the IP address of MARS is defined as an allowed
host, one that can access the sensor and pull events. If the sensors have been configured to allow access
from limited hosts or subnets on the network, you can use the accessList ipAddress ip_address netmask
command to enable this access.
Cisco IPS 5.x Software
For Cisco IPS 5.x devices, MARS pulls the logs using SDEE over SSL. Therefore, MARS must have
HTTPS access to the sensor. To prepare the sensor, you must enable the HTTP server on the sensor,
enable TLS to allow HTTPS access, and make sure that the IP address of MARS is defined as an allowed
host, one that can access the sensor and pull events. If the sensors have been configured to allow access
from limited hosts or subnets on the network, you can use the access-list ip_address/netmask
command to enable this access.
Enable the Correct Signatures and Actions
If the signature actions are correctly configured, MARS can display the trigger packet information for
the first event that fires a signature on a Cisco IDS or IPS device. MARS is also able to pull the IP log
data from Cisco IDS and IPS devices; however, this operation is system intensive. Therefore, you should
select the set of signatures that generate IP log data carefully.
When configuring the active signatures on a Cisco IDS or IPS device, you must specify the alert action
and the action that generates the desired data:
• To view trigger packets, you must enable the "produce-verbose-alert" action.
• To view IP logs, you must enable the alert or "produce-verbose-alert" action and the
"log-pair-packets" action.
Caution: Configuring IP logging and verbose alerts on the sensor is system intensive and does affect the
performance of your sensor. In addition, it affects the performance of your MARS Appliance. Because
of these effects, be cautious in configuring signatures to generate IP logs.
Add and Configure a Cisco IDS or IPS Device in MARS
To add and configure a Cisco IDS or IPS device in MARS, follow these steps:
Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.
Step 2 Do one of the following:
Chapter 6
Configuring Network-based IDS and IPS Devices
User Guide for Cisco Security MARS Local Controller
6-6
78-17020-01
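
An added example, not part of the Cisco guide: a Python check that reads allowed-host lines in the accessList (4.x) and access-list (5.x) command forms named in the sensor sections above and reports whether the MARS address is permitted and which entries are wider than needed. The sample lines, the MARS addresses, the 4.x form with a mask value after netmask, and the max_hosts threshold are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample lines (not from a real sensor). The 4.x form with a mask
# value after "netmask" is an assumption; the 5.x form is ip_address/netmask.
SAMPLE_4X = ["accessList ipAddress 10.1.1.0 netmask 255.255.255.0"]
SAMPLE_5X = ["access-list 192.168.5.20/32", "access-list 10.0.0.0/8"]

RE_4X = re.compile(r"^\s*accessList\s+ipAddress\s+(\S+)\s+netmask\s+(\S+)\s*$")
RE_5X = re.compile(r"^\s*access-list\s+([^\s/]+)/(\S+)\s*$")


def parse_allowed(lines):
    """Return (networks, rejected_lines) for allowed-host lines in either form."""
    networks, rejected = [], []
    for line in lines:
        m = RE_4X.match(line) or RE_5X.match(line)
        if not m:
            continue  # some other configuration line
        try:
            # strict=False tolerates host bits set in the address part
            networks.append(ipaddress.ip_network("/".join(m.groups()), strict=False))
        except ValueError:
            rejected.append(line)  # looks like an allowed-host line, bad address
    return networks, rejected


def audit(lines, mars_ip, max_hosts=256):
    """Check that mars_ip is allowed and list entries wider than max_hosts."""
    mars = ipaddress.ip_address(mars_ip)
    networks, rejected = parse_allowed(lines)
    return {
        "mars_allowed": any(mars in n for n in networks),
        "matched_by": [str(n) for n in networks if mars in n],
        "too_broad": [str(n) for n in networks if n.num_addresses > max_hosts],
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_4X, "10.1.1.50"))      # MARS inside the allowed /24
    print(audit(SAMPLE_5X, "192.168.5.21"))   # MARS missing; 10.0.0.0/8 is wide
```

An entry that merely contains the MARS address is not the goal: a sensor whose allowed hosts cover far more than the MARS Appliance exposes its HTTPS event interface to every host in that range.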