Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Integrating CS-MARS and Security Manager
Viewing CS-MARS Events for an IPS Signature
When an IPS or IOS IPS device detects and reports a network intrusion by comparing incoming traffic
to a configured signature, a syslog message is generated on the device. If the device is monitored by
CS-MARS, an incident is generated in CS-MARS after the log associated with the signature is obtained
from the device. Looking up the events associated with a specific signature lets you quickly identify
attacks and tune your device configuration to minimize or prevent intrusions.
To view reported network intrusion events in CS-MARS, you can select one or more entries in the
Signatures policy for a device in Security Manager and navigate to the CS-MARS Query page to view
real-time and historical events.
When you look up real-time events for a signature, the query is run automatically and the results are
displayed in CS-MARS. However, when you look up historical events for a signature, the values sent by
Security Manager to CS-MARS are used to populate the query fields. You can modify the query fields
as desired, and then run the query or save it for later use.
Security Manager provides the following signature information to CS-MARS as query criteria:
• Device details—General information about the device, such as host name, domain name,
  management IP address, and display name.
• Keyword—Signature ID, subsignature ID, and virtual sensor name, if applicable.
  For virtual sensors, the name of the sensor is included as a keyword criterion along with other device
  information and signature parameters.
Related Topics
Looking Up CS-MARS Events for a Security Manager Policy, page 69-27
Viewing CS-MARS Events for an Access Rule, page 69-28
Step 1 (Device view) With an IPS or IOS IPS device selected, select IPS > Signatures > Signatures to display
the Signatures Page, page 38-4.
Step 2 Right-click the desired entry in the signatures table, or select multiple entries before right-clicking one
of them, and choose one of the following commands from the Show Events menu:
• Realtime—To view real-time query results in CS-MARS for events matching this signature; results
  begin scrolling within five seconds. Use this option to view raw events as they stream to CS-MARS.
  You can change the query criteria in the CS-MARS Query Results window at any time, applying
  new parameters to alter the real-time results.
• Historical—Opens the historical query criteria page in CS-MARS with fields populated based on
  the signature parameters. Edit the parameters and query criteria as desired, and click Apply to
  continue. Next, in the Query window, you can submit the query or save it for later submission and
  re-use. You can edit the query and save it as a report if you want to run it again later.
Tips:
• If a signature is disabled, you are warned and asked if you want to proceed to event lookup.
• If the device is monitored by multiple CS-MARS controllers, you are prompted to select the
  CS-MARS instance to be used.