Creating Custom MARS IPS Signatures

NetCraftsmen®

MARS and Cisco IPS are synchronized for the official IPS signatures created by Cisco.  This is done through the automatic updates that occur on the IPS side and on the MARS side.  On the IPS side, this is done by configuring “Configuration > Sensor Management > Auto/Cisco.com Update” within IPS Manager Express (IME).  This is shown below.

Within MARS, this is done through “Admin > System Setup > IPS Signature Dynamic Update Settings”.

When these two options are set correctly, signature updates are downloaded from Cisco on a regular basis.  This allows MARS to correctly recognize and take action on Cisco IPS signatures that are pulled from the IPS Appliance via SDEE.

When custom signatures are added to the IPS Appliance, MARS pulls them via SDEE, but it does not know how to interpret them.  There are two ways to configure MARS to understand the custom IPS signatures.  One way is to create a custom IPS signature XML file.  Details on how to accomplish this can be found in the Cisco Device Configuration Guide for Cisco Security MARS, Release 6.x.  This is a great way to add custom IPS signatures if there are a large number of them to add or if custom IPS signatures are added on a regular basis.  The second method is a manual method for adding individual custom IPS signatures.  This is a quick way to add a signature on the MARS appliance when signatures are not regularly added.  The second method is described in this document.

The first step is to gather the information about the IPS signature.  For this example, let’s assume we’re creating a signature to look for a TCP string with the value “confidential”.  We’ll create a custom “String TCP” signature with Signature ID “60000” that triggers on the regular expression “confidential”.

With that information defined, the MARS custom IPS signature can be completed.

1. Access “Management > Device Type Management”

2. Navigate to the screen with “Cisco IPS 7.x”, select the check to the left of the row, and click “Edit”

3. In the next screen, click “Next”

4. On the right side of the next screen, click “Add”

5. In the next screen, fill in the “Device Event ID” and “Description” as shown in the diagram and then click “Add” to create a new event type.

6. In the next screen, complete the Event Type Definition.  Fill in the “Event ID” and “Description”.  Also, assign this Event Type to an Event Type Group.  This is required for queries and reports, because queries and reports search on the Event Type Group, not on individual Event Types.  To assign it, use “Cisco” as the Provider and find the “Info/Misc/IPS” group.  Check the box to the left of the Event Type Group and click the “Add” button.

7. On the bottom right-hand corner of the screen, click “Submit”

8. After clicking “Submit”, you are brought back to the “Device Event Type for: Cisco IPS 7.x” screen.  Now the “A string with a confidential keyword found” Event Type is present.  Click the radio button to the left of the phrase and click the left double arrow to add it as the “Selected Event Type”

9. On the bottom right of the screen, click “Apply”

10. On the bottom right of the screen, click “Done”

11. None of the changes that have just been made are actually activated for use yet.  In order to do that, the “Activate” button must be pressed to commit the changes to the database.  On the top right corner, click the “Activate” button

After the “Activate” button is pressed, MARS can interpret the custom IPS signature.  To test it out, a rule can be created that triggers on the new signature.  The steps below describe that.

1.  Access “Rules > Inspection Rules”

2.  Click on “Add” to add a new Rule

3.  Provide a name and description for the Rule and click “Next”

4.  Select “Any” for the following screens to allow any matches for the source IP, destination IP, and service.

5.  For the Event Types, choose “Group: Info/Misc/IPS” from the drop-down, click the check box for the “A string with a confidential keyword found” Event, and click the left double arrow to add it.  Then click “Next”

6.  Select “Any” for the following screens to allow any matches for the device, reported user, IPS ratings, keyword, and severity.

7.  Click “Yes” to say you are done defining the rule conditions

8.  For the Action, either click “Next”, use a previously defined alert, or create a new alert, and then click “Next”.  In the screenshot below, I am adding a previously defined email alert that is sent to the “Admin” group.

9.  In the next screen, leave the time range blank to use all times and click “Next”

10.  At this point, the rule is created.  Click “Submit” to complete

11.  Click “Activate” to commit the change to the database

To test the newly created rule, trigger it from a web browser by accessing a website with “confidential” appended to the URL path.  For example, access http://www.google.com/confidential.  Then, in IME, right-click the 60000/0 signature that was created earlier and click “Show related events > Last 10 minutes…”.

This should show events triggered by the website access.

Now access MARS and click on the “Incidents” tab.

In the drop-down menu above the table, select the “Confidential Strings Found” rule we created.  An incident, created from the rule we made, should appear.

If you created an email alert based on the rule, that should also appear in your inbox.
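The three stages described above (the sensor's String TCP match, the MARS mapping of device event ID 60000/0 to an event type inside the “Info/Misc/IPS” group, and the inspection rule that fires on the group) can be modelled end to end.  The following is an added illustration written for this post, not MARS or Cisco IPS code: the signature ID, regex, group name and rule name come from the steps above, while the data structures and the sample HTTP requests are constructed for the example.  It also shows the failure mode the post starts from: when the custom signature has no event-type mapping, the alert is pulled via SDEE but produces no incident, and it shows that the plain regex “confidential” is case-sensitive.

```python
"""Constructed model of the sensor -> MARS event pipeline described above.

Not MARS or Cisco IPS code.  Signature 60000/0, the regex "confidential",
the event type group "Info/Misc/IPS" and the rule name come from the post;
all structures and sample traffic below are assumptions for this example.
"""
import re
from dataclasses import dataclass, field


# --- Sensor side: a minimal String TCP engine ----------------------------
@dataclass
class StringTcpSignature:
    sig_id: int
    sub_sig: int
    regex: str      # regular expression the engine searches the stream for
    name: str

    def match(self, payload: bytes) -> bool:
        # Cisco's engine regex dialect is not reproduced here; a plain
        # Python search is enough to show case-sensitive matching.
        return re.search(self.regex.encode(), payload) is not None


SIG_60000 = StringTcpSignature(60000, 0, "confidential", "Confidential string")


def sensor_alerts(payloads, signatures):
    """Return SDEE-like alert dicts for every payload a signature matches."""
    alerts = []
    for payload in payloads:
        for sig in signatures:
            if sig.match(payload):
                alerts.append({"sigid": sig.sig_id, "subsig": sig.sub_sig,
                               "payload": payload})
    return alerts


# --- MARS side: device event IDs -> event types -> event type groups -----
@dataclass
class EventTypeTable:
    device_events: dict = field(default_factory=dict)  # "60000/0" -> description
    groups: dict = field(default_factory=dict)         # description -> {groups}

    def add_custom_signature(self, device_event_id, description, group):
        """Steps 5-8 above: define the event type and place it in a group."""
        self.device_events[device_event_id] = description
        self.groups.setdefault(description, set()).add(group)

    def interpret(self, alert):
        """Event type for an alert, or None when MARS cannot interpret it."""
        return self.device_events.get(f"{alert['sigid']}/{alert['subsig']}")


@dataclass
class InspectionRule:
    name: str
    event_group: str   # rules and reports match on the group, not the event type


def evaluate_rule(rule, table, alerts):
    """Return an incident dict for the rule, or None if nothing matched."""
    matched = []
    for alert in alerts:
        etype = table.interpret(alert)
        if etype is None:
            continue   # pulled via SDEE but unmapped: silently ignored
        if rule.event_group in table.groups.get(etype, ()):
            matched.append(etype)
    return {"rule": rule.name, "events": matched} if matched else None


# Constructed HTTP requests standing in for the browser test above.
SAMPLE_TRAFFIC = [
    b"GET /confidential HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /CONFIDENTIAL HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # case differs
]

RULE = InspectionRule("Confidential Strings Found", "Info/Misc/IPS")


def run(mapped=True):
    """Run the pipeline with or without the custom signature mapped in MARS."""
    alerts = sensor_alerts(SAMPLE_TRAFFIC, [SIG_60000])
    table = EventTypeTable()
    if mapped:
        table.add_custom_signature(
            "60000/0", "A string with a confidential keyword found", "Info/Misc/IPS")
    return alerts, evaluate_rule(RULE, table, alerts)


if __name__ == "__main__":
    alerts, incident = run(mapped=True)
    print(len(alerts), "sensor alert(s); incident:", incident)
    print("without mapping, incident:", run(mapped=False)[1])
```

Only the first request produces a sensor alert (the upper-case path does not match the case-sensitive regex), and that alert becomes an incident only when the 60000/0 mapping exists; running `run(mapped=False)` reproduces the “MARS pulls them but does not know how to interpret them” situation.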
