A powerful feature embedded in the Cisco Security Monitoring, Analysis and Response System (MARS) appliances is Distributed Threat Mitigation (DTM). It is one of three device-related actions a MARS appliance can take when a system-defined or user-defined rule fires, the other two being a syslog message and an SNMP trap. This post briefly explores the background behind this promising but underutilized capability.
Cisco Intrusion Prevention System (IPS) appliances, sensor modules, and the IPS function embedded in IOS routers all use signature matching as their primary detection scheme. Briefly defined, a signature is a pattern of packet-header or payload data which, when matched, triggers an alarm and/or another configured action. Since the release of IPS software 5.0 in 2005, Cisco has been migrating all of its IPS platforms to an XML-based reporting and configuration format. Support for this XML signature format in IOS IPS was introduced with Cisco IOS 12.4(11)T.
As the documents referenced at the end of this post illustrate, an auto-update mechanism was introduced along with support for the XML file format. Although I was unable to find any documentation on how to use this capability to enable DTM with MARS, it would seem to be a critical functional component.
Shown below is a screenshot of the MARS GUI screen on which DTM is configured:
As that screen shows, the network administrator chooses which actions the IOS IPS should take after MARS dynamically "pushes" the incremental XML signature to it via DTM. Because the screen is configured on a per-rule basis, the actions can be matched to the severity of the incident that the rule detects.
Again, with the CCO documentation all but absent on this topic, it is reasonable to assume that the "sessionization" feature of MARS would provide the IOS IPS with the necessary attacker, victim, protocol, source-port, and destination-port information in the XML update. I can only speculate as to whether the DTM function operates on both syslog-triggered and NetFlow-triggered events.
An interesting possibility with MARS rules matched against syslog events is that they can be configured to match character strings within the data portion of the packet. That string could then be pushed via DTM to the router as a specific string-based signature. It remains to be seen whether the DTM possibilities outlined here will be fully documented, or expanded to cover the appliance-based and module-based IPS sensors as well.
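To make the preceding three paragraphs concrete, here is an added illustration (my own example, not code from the original post and not Cisco's DTM implementation) of what a MARS-style string-match rule, sessionization, and a per-rule severity-to-action choice would have to produce before anything could be pushed to an IOS IPS. The syslog lines, the hypothetical device "webfw1" and its key=value message layout are constructed for the example; the update-record fields are an assumption, since the real MARS-to-IOS-IPS XML format is not documented on the page. The action names are IPS 5.x event-action names, but which of them DTM can set is likewise assumed.

```python
"""
Added example: sessionize constructed syslog lines, match a rule's string
against the data portion, and build a signature-update record carrying
attacker, victim, protocol, ports, the matched string and severity-based
actions. Record layout and action mapping are assumptions, not the MARS/DTM
wire format.
"""
import re
from dataclasses import dataclass

# Constructed sample syslog lines from a hypothetical device ("webfw1").
# The key=value layout is an assumption chosen for this example.
SAMPLE_SYSLOG = [
    'Mar 10 12:00:01 webfw1 %WEBFW-4-REQUEST: src=10.1.1.5 sport=3456 dst=192.168.2.10 '
    'dport=80 proto=tcp data="GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir"',
    'Mar 10 12:00:01 webfw1 %WEBFW-4-REQUEST: src=10.1.1.5 sport=3456 dst=192.168.2.10 '
    'dport=80 proto=tcp data="GET /scripts/..%255c../winnt/system32/cmd.exe?/c+set"',
    'Mar 10 12:00:02 webfw1 %WEBFW-4-REQUEST: src=10.1.1.7 sport=40112 dst=192.168.2.10 '
    'dport=80 proto=tcp data="GET /index.html"',
]

EVENT_RE = re.compile(
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r'proto=(?P<proto>\w+) data="(?P<data>[^"]*)"'
)


@dataclass(frozen=True)
class Rule:
    """A user-defined rule: a regex applied to the data portion, plus a severity."""
    name: str
    pattern: str
    severity: str  # key into ACTIONS_BY_SEVERITY


# Assumed per-rule action choice, keyed by severity. The names are IPS 5.x
# event actions; the mapping itself is this example's, not MARS's.
ACTIONS_BY_SEVERITY = {
    "low": ["produce-alert"],
    "medium": ["produce-alert", "reset-tcp-connection"],
    "high": ["produce-alert", "deny-packet-inline", "deny-attacker-inline"],
}


def parse_event(line):
    """Extract the 5-tuple and data portion from one syslog line, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def sessionize(lines):
    """Group events by (attacker, src port, victim, dst port, protocol)."""
    sessions = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not an event we understand; skip rather than guess
        key = (ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["proto"])
        sessions.setdefault(key, []).append(ev["data"])
    return sessions


def build_updates(lines, rules):
    """For each session whose data portion matches a rule, emit one
    signature-update record with the tuple, the string and the actions."""
    updates = []
    for (src, sport, dst, dport, proto), payloads in sessionize(lines).items():
        for rule in rules:
            rx = re.compile(rule.pattern)
            hits = [p for p in payloads if rx.search(p)]
            if not hits:
                continue
            updates.append({
                "rule": rule.name,
                "attacker": src, "src_port": sport,
                "victim": dst, "dst_port": dport,
                "protocol": proto,
                "string": rule.pattern,
                "event_count": len(hits),
                "actions": ACTIONS_BY_SEVERITY[rule.severity],
            })
    return updates


RULES = [
    Rule("IIS cmd.exe access", r"cmd\.exe", "high"),
    Rule("passwd file probe", r"/etc/passwd", "medium"),
]

if __name__ == "__main__":
    for update in build_updates(SAMPLE_SYSLOG, RULES):
        print(update)
```

Run as a script, the example yields a single update for the 10.1.1.5 session (two matching requests, "high" actions) and nothing for the benign 10.1.1.7 session; a real push would then have to serialize that record into the router's XML signature format, which is exactly the undocumented piece the post is asking about.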
Author: Doug McKillip
References:

- Cisco IPS 6.x Devices and Virtual Sensors
- IPS 5.x Signature Format Support