IDSM-2 & MARS

Having problems getting IDSM-2 to report to MARS. Running IDSM 6.0.1 and MARS 4.3. What is the basic setup to make this work?

Check whether the clocks of both devices match. If possible, configure NTP, because MARS usually misses the logs if the time stamps do not match.

Similar Messages

  • IDSM-2 Version Change in MARS 4.3.1

    I just upgraded MARS to 4.3.1. I have had my IPS devices (4200s and IDSM-2) running on 6.x for some time. In my MARS configuration, I had listed the IPS devices as 5.x. Now that MARS 4.3.1 supports 6.0, I am trying to change the version of each of the IPS devices. I changed the 4200s with little trouble. I have not been able to find how to change the version of the IDSM-2. MARS does not give the option to 'change version' for the IDSM-2 directly from the admin/security and monitor page. I have tried to 'change version' of my 6500 in the hopes of being able to change the IDSM-2 (no success). I have tried to 'edit' the 6500 then 'edit' the IDSM-2 but have not found a 'change version' for the IDSM-2.
    At this point I suspect I will have to delete and add a new IDSM-2 module.
    Any other ideas?

    I don't know for IDSM, but for other cards in our 6500, I have a button called "discover". Maybe worth a check ?
    With version 4.3.1, I have a problem : MARS can't create the subscription on our IDS. But that's a known caveat.
    jF

  • IDSM-2 and MARS

    My MARS device will not detect my IDS modules, error reports to make sure 443 is open but as far as I can see it is..

    Check whether the clocks of both devices match. If possible, configure NTP, because MARS usually misses the logs if the time stamps do not match.

  • License For Mars 55 Question??

    Hi everyone. I have some questions about the MARS license:
    1- Do we have to get a license and install it on MARS to get it operational?
    2- If we don't have a license, can we download IPS signature updates with a CCO account and then install them on MARS?
    3- If we don't install signature updates, and an attack happens on the IDSM-2 and the IDSM-2 detects it and sends an alert to MARS, can MARS display any information about that attack, supposing MARS doesn't have that attack update?
    thanks.

    1) MARS won't let you get into the GUI unless you have a valid license AFAIR. You might be able to get an evaluation VMware image from your Cisco account team though... But you will always have this if you buy from Cisco.
    2) See 1...
    3) Software updates have signature updates coupled with them. So if by chance the signature that is fired is already present in MARS, it will generate an incident (or at least know how to parse it). If it's not, it will be considered an unknown event.
    Regards
    Farrukh

  • Trouble Installing license on IDSM-2

    Hi,
    I got my license for an IDSM-2 that I am installing (used serial number of IDSM to get it). When I go to install it, whether via the CLI or through the web interface, I am informed that the license is no good...
    Here's the message from the CLI:
    Error: setLicenseKey : The license key on the system is invalid.
    Here's the output from the "show version" command:
    pcsd-suth-ids# sho ver
    Application Partition:
    Cisco Intrusion Prevention System, Version 5.0(2)S152.0
    OS Version 2.4.26-IDS-smp-bigphys
    Platform: WS-SVC-IDSM2-BUN
    No license present
    Sensor up-time is 7 min.
    Using 236765184 out of 1983660032 bytes of available memory (11% usage)
    system is using 17.3M out of 29.0M bytes of available disk space (59% usage)
    application-data is using 28.7M out of 166.8M bytes of available disk space (18% usage)
    boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
    application-log is using 530.5M out of 2.8G bytes of available disk space (20% usage)
    MainApp 2005_Mar_04_14.23 (Release) 2005-03-04T14:35:11-0600 Running
    AnalysisEngine 2005_Mar_29_16.33 (Release) 2005-03-29T16:45:11-0600 Running
    CLI 2005_Mar_04_14.23 (Release) 2005-03-04T14:35:11-0600
    Upgrade History:
    IDS-K9-sp-5.0-1.2- 14:00:00 UTC Thu Mar 17 2005
    Maintenance Partition Version 2.1(2)
    Recovery Partition Version 1.1 - 5.0(2)
    Any ideas as to where to start? is there any chance that the license file could be no good? I double-checked that it was not modified after receiving it in e-mail...
    Thanks,
    Tim

    This URL should help you:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf52f.html

  • Detecting non-standard ftp usage (!= tcp 21) using IDSM2 5.0 & CN-MARS v3.4

    Hello,
    We recently installed our IDSMs and a MARS box to monitor our core traffic. I'm trying to set up a MARS "User Inspection Rule" to notify me when there is FTP traffic on a port other than port 21. Is there an easy way to do this?
    I don't see any IPS sigs that will trigger on normal FTP events(e.g. open data connection success, STOR and RETR request, etc.) I'm sure someone out there has already set up something like this before? Any help is appreciated.
    Ryan

    Take a look at sig 3171 to get a feel for how a custom signature might look, then create your own. To be honest, I've not done a lot of custom sigs...but looking on every port for ftp-like behavior seems like it might put quite a burden on your sensor.
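
The protocol-based check discussed in this thread, as an added example that is not part of the original posts and is not a Cisco IPS signature or MARS rule: it runs over constructed session records and flags FTP control dialogs on any destination port other than 21. The `Session` record layout, the function names and the sample data are assumptions; only the first few lines of each session are inspected, which bounds the per-session cost the reply is concerned about.

```python
import re
from dataclasses import dataclass

# Verbs that occur on an FTP control channel (RFC 959 / RFC 2428) but not in
# SMTP or NNTP. USER and PASS also occur in POP3 and IRC, so verbs alone are
# not enough: the server must also answer with FTP-style numeric replies.
FTP_VERBS = {"USER", "PASS", "ACCT", "CWD", "PASV", "EPSV", "PORT", "EPRT",
             "TYPE", "RETR", "STOR"}
REPLY_RE = re.compile(r"^[1-5]\d\d[ -]")  # e.g. "220 ready", "220-banner"


@dataclass
class Session:
    """One reassembled TCP session (hypothetical record layout)."""
    src: str
    dst: str
    dport: int
    client_lines: list  # text lines sent by the client, in order
    server_lines: list  # text lines sent by the server, in order


def is_ftp_control(s, max_lines=8):
    """True if the first few lines of the session look like an FTP dialog."""
    verbs = 0
    for line in s.client_lines[:max_lines]:
        parts = line.split(None, 1)
        if parts and parts[0].upper() in FTP_VERBS:
            verbs += 1
    replies = sum(1 for l in s.server_lines[:max_lines] if REPLY_RE.match(l))
    return verbs >= 1 and replies >= 1


def nonstandard_ftp(sessions, standard_port=21):
    """Sessions that speak FTP on a destination port other than standard_port."""
    return [s for s in sessions
            if s.dport != standard_port and is_ftp_control(s)]


# Constructed sample sessions (documentation addresses, made-up content).
SAMPLE = [
    Session("10.0.0.5", "192.0.2.10", 21,
            ["USER anonymous", "PASS guest@", "RETR readme.txt"],
            ["220 FTP ready", "331 Password required", "230 Logged in"]),
    Session("10.0.0.7", "192.0.2.44", 2121,
            ["USER backup", "PASS x", "PASV", "STOR dump.tgz"],
            ["220-Welcome", "220 ready", "331 Need password", "230 OK"]),
    Session("10.0.0.8", "192.0.2.25", 25,          # SMTP also greets with 220
            ["EHLO host.example", "MAIL FROM:<a@example.com>", "QUIT"],
            ["220 mail.example ESMTP", "250 OK", "221 Bye"]),
    Session("10.0.0.9", "192.0.2.110", 110,        # POP3 also uses USER/PASS
            ["USER bob", "PASS secret"],
            ["+OK POP3 ready", "+OK", "+OK logged in"]),
    Session("10.0.0.9", "192.0.2.80", 8080,
            ["GET / HTTP/1.1", "Host: example.com"],
            ["HTTP/1.1 200 OK"]),
    Session("10.0.0.11", "192.0.2.99", 443,        # lower-case verbs
            ["user admin", "pass x", "type I", "retr a.bin"],
            ["220 srv", "331 pw", "230 in", "200 Type set"]),
]

if __name__ == "__main__":
    for s in nonstandard_ftp(SAMPLE):
        print(f"FTP on non-standard port: {s.src} -> {s.dst}:{s.dport}")
```

Requiring both a client verb and a numeric server reply is what keeps the SMTP and POP3 sessions in the sample from being flagged.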

  • CS-MARS 4.2.1 support for NM-CIDS

    I'm currently trying to set up a CS-MARS 4.2.1 to monitor my network devices. I have seen in the configuration guide that it supports Cisco switches and ASA IPS modules; what about a router IPS module? (NM-CIDS)
    I have already added the IPS module to MARS as a standalone IPS 5.x device, tested connectivity, and MARS is receiving events from the IPS.
    The problem is that all those events are shown as "unknown device" in the reporting device column.
    Could this behaviour be related with NM-CIDS not being supported by MARS? Any other idea?

    It appears that the NM-CIDS is supported.
    This was in the documentation on CCO:
    http://www.cisco.com/en/US/partner/products/ps6241/products_configuration_example09186a008067a2b0.shtml#wp15514
    If the link doesn't work do a search on
    Configuring Distributed Threat Mitigation in Cisco Security MARS.
    Hardware and Software Requirements
    Static IPS Devices
    Cisco IPS 4200 Series appliances using Cisco IPS Sensor Software v5.1.1 or greater
    Cisco ASA 5500 Series appliances with the Advanced Inspection and Protection module using Cisco ASA Software v5.0 or greater
    Cisco IDSM-2 sensor blades for the Cisco Catalyst 6500 Series using Cisco IPS Sensor Software v5.1.1 or greater
    Cisco NM-CIDS Network Module (with Cisco IPS Sensor Software v5.1.1 or greater) for Cisco 2600XM, 2800, 3700, and 3800 series routers
    Hope this helps.

  • MARS and FWSM NAT translation

    Greetings
    I've been running CS-MARS along with an FWSM and IDSM for about a year now and have always wanted to know one thing.
    If the IDSM sends an alert originating from the FWSM global IP, I 'sometimes' get a translation into the internal NATed IP address. It's about a 10% success ratio.
    All systems are set with NTP to an internal server and I see no special pattern to it.
    Any ideas?
    Best regards
    Fredrik

    You need to check the NAT rules to find out which rule is working and changing the IP. After this scan the network traffic and determine at which particular traffic this happens.

  • MARS and IDSM2 logs

    Hi All,
    I have MARS version 6.0.3 (3188) 32. When I try to add the IDSM2 to it as a device, I can't find the version of the IDSM2 in MARS.
    The version of the IDSM2 is 7.0.4(E4).
    Can anyone help me with this issue, please?
    Thanks in advance,
    Ayman

    Ayman;
    CS-MARS will successfully parse signature events for your IDSM-2
    running 7.0 software. However, CS-MARS will have no understanding of
    the global correlation details which are new to the 7.0 release. If you
    wish to be able to query/report on global correlation details within
    CS-MARS, you will need to upgrade.
    Once you upgrade, you can simply select the IDSM-2 in the 'Security
    and Monitor Devices' list and click the "Change Version" button.
    Scott

  • How to update CS-MARS to accept new IPS certificate

    I recently updated one of our IDSM-2 modules with a new certificate. Now MARS is complaining "CS-MARS Detected Conflicting SSL Certificate Jul 24, 2007 3:44:24 PM PDT noc15 <153> %MARS-3-100031 CS-MARS module: csips detected a conflicting certificate for device with IP: <address removed>"
    How do I get mars to accept the new cert?

    This is actually quite simple.
    In the admin tab, click on the security and monitor devices.
    Search for the name of the device that the cert changed for.
    Edit the device.
    On the bottom, click test connectivity. It will then go out and try to connect to this device. A new screen will pop up asking you to accept the new cert. Click ok on the new cert. It will then bring you back to the edit screen. Click submit. Once that is completed, you must click the activate button. *Note: if you don't activate, the change will not take.

  • Happy with IDSM-2?

    We're about to acquire IDSM-2 and wondering what seasoned IDSM-2 admins have to share about it.
    So far, I've had comments ranging from complaints to quite satisfied admin experiences:
    -It's hard to do signature tuning
    -Even when signature tuning has been accomplished (to a certain level), the quantity of false alarms is outrageous
    -Dependency on cisco mars to obtain meaningful reports
    Some questions:
    What are your general opinion about IDSM-2
    Is Cisco IPS Manager Express enough for your reporting needs on a daily basis?
    Thanks
    DJY

    The IDSM-2 isn't really that different from any of the other Cisco IDS/IPS platforms.  They all run the same system software and management clients, and generally have a standard set of features.  As for the comments you've gotten (difficult to tune, false alarms, poor built-in reporting) - those issues are not specific to the IDSM-2.  If someone has those kinds of complaints, they would have them with any of the Cisco IDS/IPS products.
    Are you definitely getting the IDSM-2?  Or is your company still in the decision-making process?
    BTW - in my opinion, the design/deployment phase is critical in getting the most out of your IDSM-2 - even moreso than with a dedicated appliance or ASA module.  You have to be thorough when choosing how to configure it (inline/passive, placement, etc), and ensuring you're going to see the right traffic.  Be sure to take the time to do it right.

  • MARA-GEWEI is not overtaken during creation of material from cdesk

    Hi, we work in ENV SAP R3 4.71 and create material in background out from
    cdesk.
    Therefore we defined in the customizing of CAD Desktop that in case of
    creation of material MARA-GEWEI determination type = constant and
    determination parameter is "ST" for "piece"
    Every other parameter works fine during creation of material ==> as soon as
    we fill a weight into the corresponding fields SAP tells us a message
    "ENTER the unit of weight for the net weight" ==> if you press "continue action then" SAP ends creation of material and nothing happens....
    ANY ideas?
    (will enter this message for sure as well into the oss....)

    Hi  Gerhard,
    have u put
    EXP_MARA-BRGEW           Gross weight
    EXP_MARA-NTGEW            Net weight
    from Inv side in config...
    Also check in cdesk_cus under create material
    Base Unit of Measure               Constant     ST
    Net Weight               File Attribute     Physical_Properties_MassValue
    hope this helps

  • In PDF to Excel conversion dates like 03/12/15 convert to Dec 3rd 2015 not the correct date of Mar 12th 2015 whereas date 03/13/2015 converts correctly as March 13th 2015

    In PDF to Excel conversion dates like 03/12/15 convert to Dec 3rd 2015 not the correct date of Mar 12th 2015 whereas date 03/13/2015 converts correctly as March 13th 2015

    Hi DirTech,
    Are both of these dates in the same Excel file? If they're in different files, are you choosing the same language for OCR (optical character recognition)?
    If they are in the same PDF file, how was that PDF file created? Was it created from a third-party application (rather than an Adobe application)? If it was created by a third-party application, it could be that it wasn't written to spec, and that's why you're seeing some oddities in the PDF > Excel conversion.  (See Will Adobe ExportPDF convert both text and form... | Adobe Community.)
    Best,
    Sara

  • Virgo Tools for Eclipse Luna and Mars

    Hi all,
    I tried to install the Virgo Tools both in Eclipse Luna and in Mars (JEE packages), from this update site:
    "Virgo IDE Releases" - http://download.eclipse.org/virgo/release/tooling
    - Eclipse Virgo Tools 1.0.1.201302270038-RELEASE
    but I got errors (see below).
    Instead, all is working well with Kepler.
    Some suggestions?
    Thank you very much.
    Vincenzo
    ================================================
    Cannot complete the install because of a conflicting dependency.
    Software being installed: Eclipse Virgo Tools 1.0.1.201302270038-RELEASE (org.eclipse.virgo.ide.feature.feature.group 1.0.1.201302270038-RELEASE)
    Software currently installed: Eclipse IDE for Java EE Developers 4.5.0.20150621-1200 (epp.package.jee 4.5.0.20150621-1200)
    Only one of the following can be installed at once:
    OSGi System Bundle 3.8.1.v20120830-144521 (org.eclipse.osgi 3.8.1.v20120830-144521)
    OSGi System Bundle 3.10.100.v20150529-1857 (org.eclipse.osgi 3.10.100.v20150529-1857)
    Cannot satisfy dependency:
    From: Eclipse IDE for Java EE Developers 4.5.0.20150621-1200 (epp.package.jee 4.5.0.20150621-1200)
    To: org.eclipse.epp.package.jee.feature.feature.group
    Cannot satisfy dependency:
    From: EPP Java EE IDE Feature 4.5.0.20150621-1200 (org.eclipse.epp.package.jee.feature.feature.group 4.5.0.20150621-1200)
    To: org.eclipse.m2e.feature.feature.group 0.0.0
    Cannot satisfy dependency:
    From: Maven Integration for Eclipse 1.6.0.20150526-2032 (org.eclipse.m2e.core 1.6.0.20150526-2032)
    To: bundle org.eclipse.osgi 3.10.0
    Cannot satisfy dependency:
    From: m2e - Maven Integration for Eclipse (includes Incubating components) 1.6.0.20150526-2032 (org.eclipse.m2e.feature.feature.group 1.6.0.20150526-2032)
    To: org.eclipse.m2e.core
    Cannot satisfy dependency:
    From: Eclipse Virgo Tools 1.0.1.201302270038-RELEASE (org.eclipse.virgo.ide.feature.feature.group 1.0.1.201302270038-RELEASE)
    To: org.eclipse.virgo.ide.manifest.core [1.0.1.201302270038-RELEASE]
    Cannot satisfy dependency:
    From: Eclipse Virgo IDE (Manifest Core) 1.0.1.201302270038-RELEASE (org.eclipse.virgo.ide.manifest.core 1.0.1.201302270038-RELEASE)
    To: bundle org.eclipse.virgo.kernel.artifact 0.0.0
    Cannot satisfy dependency:
    From: Virgo Kernel Artifact Integration 3.6.0.RELEASE (org.eclipse.virgo.kernel.artifact 3.6.0.RELEASE)
    To: package org.eclipse.virgo.nano.serviceability [3.6.0,3.7.0)
    Cannot satisfy dependency:
    From: Virgo Nano Core 3.6.0.RELEASE (org.eclipse.virgo.nano.core 3.6.0.RELEASE)
    To: package org.eclipse.osgi.internal.baseadaptor 0.0.0

    Sorry, I have to correct myself: today I retried with a brand new Mars/JEE+Java8 and a brand new workspace:
    the error is related to missing org.json bundle.
    Cannot complete the install because one or more required items could not be found.
    Software being installed: Eclipse Virgo Tools 1.0.1.201506260038-SNAPSHOT (org.eclipse.virgo.ide.feature.feature.group 1.0.1.201506260038-SNAPSHOT)
    Missing requirement: Eclipse Virgo IDE (Server Core) 1.0.1.201506260038-SNAPSHOT (org.eclipse.virgo.ide.runtime.core 1.0.1.201506260038-SNAPSHOT) requires 'bundle org.json 0.0.0' but it could not be found
    Cannot satisfy dependency:
    From: Eclipse Virgo Tools 1.0.1.201506260038-SNAPSHOT (org.eclipse.virgo.ide.feature.feature.group 1.0.1.201506260038-SNAPSHOT)
    To: org.eclipse.virgo.ide.runtime.core [1.0.1.201506260038-SNAPSHOT]
    seems like Mars/JEE doesn't contain org.json ... which is quite strange ...
    With Mars/JEE+Java7 instead the detailed error is:
    Cannot complete the install because one or more required items could not be found.
    Software being installed: Eclipse Virgo Tools 1.0.1.201506260038-SNAPSHOT (org.eclipse.virgo.ide.feature.feature.group 1.0.1.201506260038-SNAPSHOT)
    Missing requirement: OSGi Framework Editor UI (Incubation) 0.2.0.201206060754 (org.eclipse.libra.framework.editor.ui 0.2.0.201206060754) requires 'bundle org.eclipse.zest.core [1.0.0,2.0.0)' but it could not be found
    Missing requirement: OSGi Framework Editor UI (Incubation) 0.3.0.201212132137 (org.eclipse.libra.framework.editor.ui 0.3.0.201212132137) requires 'bundle org.eclipse.zest.core [1.0.0,2.0.0)' but it could not be found
    Missing requirement: OSGi Framework Editor UI (Incubation) 0.3.0.201305070844 (org.eclipse.libra.framework.editor.ui 0.3.0.201305070844) requires 'bundle org.eclipse.zest.core [1.0.0,2.0.0)' but it could not be found
    Missing requirement: OSGi Framework Editor UI (Incubation) 0.3.0.201305151323 (org.eclipse.libra.framework.editor.ui 0.3.0.201305151323) requires 'bundle org.eclipse.zest.core [1.0.0,2.0.0)' but it could not be found
    Missing requirement: OSGi Framework Editor UI (Incubation) 0.3.0.201305311343 (org.eclipse.libra.framework.editor.ui 0.3.0.201305311343) requires 'bundle org.eclipse.zest.core [1.0.0,2.0.0)' but it could not be found
    Missing requirement: OSGi Framework Editor UI (Incubation) 0.3.1.201405141436 (org.eclipse.libra.framework.editor.ui 0.3.1.201405141436) requires 'bundle org.eclipse.zest.core [1.0.0,2.0.0)' but it could not be found
    Cannot satisfy dependency:
    From: Eclipse Virgo Tools 1.0.1.201506260038-SNAPSHOT (org.eclipse.virgo.ide.feature.feature.group 1.0.1.201506260038-SNAPSHOT)
    To: org.eclipse.virgo.ide.runtime.ui [1.0.1.201506260038-SNAPSHOT]
    Cannot satisfy dependency:
    From: Eclipse Virgo IDE (Server UI) 1.0.1.201506260038-SNAPSHOT (org.eclipse.virgo.ide.runtime.ui 1.0.1.201506260038-SNAPSHOT)
    To: bundle org.eclipse.libra.framework.editor.ui 0.0.0
    With Luna/JEE SR2 instead all is working well, both with Java7 and Java8
    Vincenzo

  • Can not store data to append structure in mara

    Hi
    After making the following steps, I have a problem. Please give me some tips. Thanks.
    1, Append structure Zcode in MARA.
    2, Created a ZMGD1 via SE80 copy from function group MGD1.
    3, modify screen 0001, put this Zcode in this screen and FC MARA-Zcode.
    4, change SPRO, specify new program SAPLZMGD1 for this screen 0001.
    after these steps, I can find out this new field (Zcode) appear in MM02.
    but, the data of Zcode can not be store in MARA.

    Hi:
    The exact problem is that I don't know how to read this screen field value, and how to transfer it to wmara-Zcode.
    anybody can help me?
    thanks
    Henry
