Creating Custom MARS IPS Signatures

NetCraftsmen®

MARS and Cisco IPS are kept synchronized for the official IPS signatures published by Cisco. This is done through automatic updates configured on both the IPS side and the MARS side. On the IPS side, this is done under “Configuration > Sensor Management > Auto/Cisco.com Update” within IPS Manager Express (IME), as shown below.

Within MARS, this is done under “Admin > System Setup > IPS Signature Dynamic Update Settings”.

When both options are configured, signature updates are downloaded from Cisco on a regular basis. This allows MARS to correctly recognize, and take action on, the Cisco IPS signature events it pulls from the IPS appliance via SDEE.

When custom signatures are added to the IPS appliance, MARS still pulls their events via SDEE, but it does not know how to interpret them: the signature ID is not in its event type table. There are two ways to teach MARS about custom IPS signatures. The first is to create a custom IPS signature XML file; details are in the Cisco Device Configuration Guide for Cisco Security MARS, Release 6.x. This is the better approach when there are many custom signatures to add or when custom signatures are added regularly. The second method is to add individual custom signatures manually through the MARS GUI. This is a quick way to add a signature when signatures are not added regularly, and it is the method described in this document.

The first step is to gather the information about the IPS signature. For this example, assume we are creating a signature that looks for the string “confidential” in TCP traffic. We will create a custom “String TCP” signature with Signature ID 60000 (subsignature 0) that triggers on the regular expression “confidential”.

With that information defined, the MARS custom IPS signature can be completed.

1. Access “Management > Device Type Management”.

2. Navigate to the screen listing “Cisco IPS 7.x”, select the check box to the left of the row, and click “Edit”.

3. In the next screen, click “Next”.

4. On the right side of the next screen, click “Add”.

5. In the next screen, fill in the “Device Event ID” and “Description” as shown in the diagram, then click “Add” to create a new event type.

6. In the next screen, complete the Event Type Definition: fill in the “Event ID” and “Description”, and assign this Event Type to an Event Type Group. The group assignment is required for queries and reports, which search on Event Type Groups rather than on individual Event Types. To assign the group, select “Cisco” as the Provider, find the “Info/Misc/IPS” group, check the box to its left, and click “Add”.

7. In the bottom right corner of the screen, click “Submit”.

8. After clicking “Submit”, you are returned to the “Device Event Type for: Cisco IPS 7.x” screen, where the “A string with a confidential keyword found” event type is now present. Click the radio button to the left of the entry and click the left double arrow to move it to “Selected Event Type”.

9. In the bottom right of the screen, click “Apply”.

10. In the bottom right of the screen, click “Done”.

11. None of the changes made so far are active yet. To commit them to the database, click the “Activate” button in the top right corner.

After “Activate” is pressed, MARS can interpret the custom IPS signature. To test it, create an inspection rule that triggers on the new event type. The steps below describe that.

1. Access “Rules > Inspection Rules”.

2. Click “Add” to add a new rule.

3. Provide a name and description for the rule (this example uses the name “Confidential Strings Found”) and click “Next”.

4. Select “Any” on the following screens to match any source IP, destination IP, and service.

5. For the Event Types, choose “Group: Info/Misc/IPS” from the drop-down, check the box for the “A string with a confidential keyword found” event, and click the left double arrow to add it. Then click “Next”.

6. Select “Any” on the following screens to match any device, reported user, IPS rating, keyword, and severity.

7. Click “Yes” to confirm that you are done defining the rule conditions.

8. For the Action, either click “Next” to skip it, select a previously defined alert, or create a new alert, then click “Next”. In the screenshot below, a previously defined email alert sent to the “Admin” group is added.

9. In the next screen, leave the time range blank to match all times and click “Next”.

10. At this point the rule is defined. Click “Submit” to complete it.

11. Click “Activate” to commit the change to the database.

To test the new rule, trigger the signature with a web browser by requesting a URL whose path contains “confidential”, for example http://www.google.com/confidential, from a host whose traffic passes through the sensor. Use plain HTTP: a String TCP signature matches against the TCP payload, so the request line “GET /confidential HTTP/1.1” is visible to the sensor, whereas an HTTPS request would be encrypted and would not match. In IME, right-click the 60000/0 signature created earlier and select “Show related events > Last 10 minutes…”.

This should show the events triggered by the website access.

Now log in to MARS and click the “Incidents” tab.

In the drop-down menu above the table, select the “Confidential Strings Found” rule created earlier. An incident generated by that rule should appear.

If an email alert was configured for the rule, it should also arrive in your mailbox.
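As an added illustration (this is not code from the article, from Cisco IPS or from MARS), the Python script below emulates the whole path that the two procedures above configure through the GUI: the String TCP signature matching on the sensor, the SDEE alert keyed by signature/subsignature ID, the MARS Device Event ID lookup that fails until the custom event type has been added and activated, and the inspection rule that matches on the Event Type Group plus the selected event type. The HTTP payloads, the IP addresses and the “Custom:60000/0” Event ID string are constructed for the example.

```python
import re

# Constructed sample data for this example; none of it is Cisco IPS or MARS code.

# IPS side: the custom "String TCP" signature 60000/0 with the regex "confidential".
CUSTOM_SIGNATURES = {(60000, 0): re.compile(rb"confidential")}

# Constructed TCP payload for the browser request used as the trigger
# (http://www.google.com/confidential). The keyword sits in the request line,
# which is why a cleartext HTTP request fires the signature (TLS would hide it).
TEST_PAYLOAD = b"GET /confidential HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: www.google.com\r\n\r\n"


def ips_inspect(payload, src, dst):
    """Emulate the sensor: one SDEE-style alert per custom signature that matches."""
    return [
        {"sig_id": sig, "subsig_id": sub, "src": src, "dst": dst}
        for (sig, sub), rx in CUSTOM_SIGNATURES.items()
        if rx.search(payload)
    ]


# MARS side: the Device Event ID -> Event Type table that the Device Type
# Management screens edit. Before the custom entry is added and activated, MARS
# has no row for 60000/0: the alert is pulled via SDEE but never interpreted.
EVENT_TYPES_BEFORE = {}

# After steps 1-11 and "Activate": the custom event type exists and is a member
# of the Info/Misc/IPS group. "Custom:60000/0" is a hypothetical Event ID string.
EVENT_TYPES_AFTER = {
    "60000/0": {
        "event_id": "Custom:60000/0",
        "description": "A string with a confidential keyword found",
        "group": "Info/Misc/IPS",
    }
}

# The inspection rule: every other condition (IPs, service, device, ...) is "Any".
RULE = {
    "name": "Confidential Strings Found",
    "group": "Info/Misc/IPS",
    "event_description": "A string with a confidential keyword found",
}


def mars_interpret(alert, event_types):
    """Look the alert up by Device Event ID (sigid/subsigid). None = unknown to MARS."""
    return event_types.get(f"{alert['sig_id']}/{alert['subsig_id']}")


def rule_matches(event, rule=RULE):
    """The event must belong to the rule's Event Type Group and be the selected event type."""
    return (
        event is not None
        and event["group"] == rule["group"]
        and event["description"] == rule["event_description"]
    )


def process(payload, event_types, src="10.0.0.5", dst="203.0.113.10"):
    """Run one TCP payload through sensor -> MARS lookup -> rule; return (alerts, incidents)."""
    alerts = ips_inspect(payload, src, dst)
    incidents = [
        {"rule": RULE["name"], "src": a["src"], "dst": a["dst"]}
        for a in alerts
        if rule_matches(mars_interpret(a, event_types))
    ]
    return alerts, incidents


if __name__ == "__main__":
    for label, table in (("before activation", EVENT_TYPES_BEFORE),
                         ("after activation", EVENT_TYPES_AFTER)):
        alerts, incidents = process(TEST_PAYLOAD, table)
        print(f"{label}: {len(alerts)} sensor alert(s), {len(incidents)} MARS incident(s)")
```

Running it shows the point of the procedure: before activation the sensor raises the 60000/0 alert but MARS produces no incident, because the Device Event ID lookup returns nothing; after activation the same alert resolves to the custom event type in the Info/Misc/IPS group and the rule fires.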


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in the IT industry, spanning academia, technical and customer support, pre-sales, post-sales, project management, training and enablement. He has worked in the Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as a Field Solutions Architect with a focus on Cisco Security and holds several Cisco certifications, including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he held several positions, including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase, where he led a team managing network architecture and services. Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals, including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs and align technology strategies with business strategies, building in agility and scalability to allow for future change. John is experienced in the architecture and design of highly available, secure network infrastructure and data centers, and has worked on projects worldwide. He has worked in both business and regulatory environments on the design and deployment of complex IT infrastructures.