Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Security MARS Local Controller

User Guide for Cisco Security MARS
Local Controller
Release 4.2.x
December 2006
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number:
Text Part Number: 78-17020-01


Summary of Contents for Cisco CS-MARS-20-K9 - Security MARS 20

  • Page 2 You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: •...
  • Page 3 1-20 CHAPTER Reporting and Mitigation Devices Overview: Levels of Operation; Selecting the Devices to Monitor; Understanding Access IP, Reporting IP, and Interface Settings; Access IP. User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 4: Table Of Contents

    Understanding NetFlow Anomaly Detection 2-30 How MARS Uses NetFlow Data 2-31 Guidelines for Configuring NetFlow on Your Network 2-32 Enable Cisco IOS Routers and Switches to Send NetFlow to MARS 2-32 Configuring Cisco CatIOS Switch 2-34 Enable NetFlow Processing in MARS 2-34...
  • Page 5 Enable SNMP Administrative Access Enable Telnet Administrative Access Enable SSH Administrative Access Enable FTP-based Administrative Access Configure the Device Running Cisco IOS 12.2 to Generate Required Data Enable Syslog Messages Enable SNMP RO Strings Enable NAC-specific Messages Enable SDEE for IOS IPS Software...
  • Page 6 Bootstrap the Cisco Firewall Device Enable Telnet Access on a Cisco Firewall Device Enable SSH Access on a Cisco Firewall Device Send Syslog Files From Cisco Firewall Device to MARS Device-Side Tuning for Cisco Firewall Device Syslogs Logging Message Command...
  • Page 7 Enable the Correct Signatures and Actions Add and Configure a Cisco IDS or IPS Device in MARS Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File View Detailed Event Data for Cisco IPS Devices...
  • Page 8 Configure the DPM or EFP 6-33 Host-side Configuration 6-34 Configure the syslog on the UNIX host 6-34 MARS-side Configuration 6-34 Add Configuration Information for the Enterasys Dragon 6-34 Add a Dragon NIDS Device 6-35 User Guide for Cisco Security MARS Local Controller viii 78-17020-01...
  • Page 9 Configure ePolicy Orchestrator to Generate Required Data Add and Configure ePolicy Orchestrator Server in MARS 8-12 Cisco Incident Control Server 8-13 Configure Cisco ICS to Send Syslogs to MARS 8-14 Add the Cisco ICS Device to MARS 8-15 Define Rules and Reports for Cisco ICS Events...
  • Page 10 Configure the MARS to Pull or Receive Windows Host Logs 10-9 Windows Event Log Pulling Time Interval 10-11 Define Vulnerability Assessment Information 10-12 Identify Network Services Running on the Host 10-14 User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 11 14-3 Configure Cisco Secure ACS to Generate Logs 14-3 Define AAA Clients 14-5 Configure TACACS+ Command Authorization for Cisco Routers and Switches 14-7 Install and Configure the PN Log Agent 14-7 Upgrade PN Log Agent to a Newer Version 14-10...
  • Page 12 Bootstrapping Cisco Security Manager Server to Communicate with MARS 16-12 Add a Cisco Security Manager Server to MARS 16-13 Procedure for Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS 16-14 Network Summary 17-1 C H A P T E R...
  • Page 13 Procedures for Layer 2 Path and Mitigation 19-19 Add the Cisco Catalyst 5000 with SNMP as the Access Type. 19-19 Add the Cisco Catalyst 6500 with SNMP as Access Type (Layer 2 only). 19-20 Add the Cisco 7500 Router with TELNET as the Access Type 19-21...
  • Page 14 View a Query Result in the Report Tab 20-19 Perform a Batch Query 20-20 Reports 20-23 Report Type Views: Total vs. Peak vs. Recent 20-24 Creating a Report 20-25 Working With Existing Reports 20-25 User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 15 21-27 Add, Modify, and Delete a Report Group 21-30 Display Incidents Related to a Rule Group 21-32 Create Query Criteria with Report Groups 21-33 Using Rule Groups in Query Criteria 21-34 User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 16 User Management 23-8 Add a New User 23-9 Add a Service Provider (Cell phone/Pager) 23-11 Search for a User 23-11 Edit or Remove a User 23-12 Create a User Group 23-12 User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 17 Correlating Hard Drive Slots to RAIDSTATUS Command Physical Port Numbers 24-16 Hotswap Procedure To Remove and Add a Hard Drive 24-18 Hotswap CLI Example 24-19 Procedures for the MARS RAID Utility 24-20 24-25 User Guide for Cisco Security MARS Local Controller xvii 78-17020-01...
  • Page 18 B-14 Back References B-15 Assertions B-16 Lookahead Assertions B-17 Lookbehind Assertions B-17 Using Multiple Assertions B-18 Conditional Subpatterns B-19 Comments B-20 Recursive Patterns B-20 Subpatterns as Subroutines B-21 Callouts B-22 User Guide for Cisco Security MARS Local Controller xviii 78-17020-01...
  • Page 19 APPENDIX System Rules and Reports: List of System Rules; List of System Reports D-13. GLOSSARY. INDEX. User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 20 Contents User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 21 Preface Introduction Thank you for purchasing the Cisco Security Monitoring, Analysis, and Response System (MARS) Local Controller appliance. This guide will help you get the most value from your MARS Appliance. Note: The information in this document referring to a “MARS appliance” also applies to MARS used as a Local Controller in a Global Controller architecture.
  • Page 22: About This Manual

    • Chapter 16, “Policy Table Lookup on Cisco Security Manager” explains how to integrate with Cisco Security Manager and use the policy lookup features in MARS. • Chapter 17, “Network Summary” covers the Summary pages, which include the Dashboard, the...
  • Page 23 The Product Documentation DVD is a library of technical product documentation on a portable medium. The DVD enables you to access installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the HTML documentation and some of the PDF files found on the Cisco website at this URL: http://www.cisco.com/univercd/home/home.htm...
  • Page 24: Documentation Feedback

    Preface Documentation Feedback Ordering Documentation You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco documentation at the Product Documentation Store at this URL: http://www.cisco.com/go/marketplace/docstore If you do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do...
  • Page 25 URL: http://www.cisco.com/en/US/support/index.html Access to all tools on the Cisco Support website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do...
  • Page 26 Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 27 Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • The Cisco Online Subscription Center is the website where you can sign up for a variety of Cisco e-mail newsletters and other communications. Create a profile and then select the subscriptions that you would like to receive.
  • Page 28 Cisco experts and other networking professionals. Join a discussion at this URL: http://www.cisco.com/discuss/networking • “What’s New in Cisco Documentation” is an online publication that provides information about the latest documentation releases for Cisco products. Updated monthly, this online publication is organized by product category to direct you quickly to the documentation for your products.
  • Page 29 • Identify how you want to block detected attacks: block them temporarily or permanently, block them using MARS-generated rules, using custom rules defined by the security operations team, etc. Your remediation policy should: User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 30 1-1). Figure 1-1 Cisco Security Wheel The spokes of the Cisco Security Wheel represent network security as a continual process consisting of four steps: Secure your system. Monitor the network for violations and attacks against your security policy and respond to them.
  • Page 31 • Selecting the Devices to Monitor, page 2-2 • Levels of Operation, page 2-1 • Deployment Planning Guidelines, page 2-1 in Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System • Device Inventory Worksheet, page 1-18 User Guide for Cisco Security MARS Local Controller...
  • Page 32 2-1, in Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System • Supporting Devices, page 2-1, in Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System • Required Traffic Flows, page 2-2, in Install and Setup Guide for Cisco Security Monitoring, Analysis, and...
  • Page 33 • Supported Reporting and Mitigation Devices, page 3 • Bootstrap Summary Table, page 2-12 • The log settings sections of the user guides for your reporting devices and mitigation devices User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 34 For example, if you want to add an IPS module to a Cisco ASA device, you must first define the Cisco ASA device and then define the IPS module as a component of that device.
  • Page 35 Based on this information, MARS generates the list of top signatures that are firing on the network so that Cisco IOS Routers running the DTM feature set can query MARS for the list of signatures they should be running.
  • Page 36 Result: MARS understands more about the hosts on your network and the services that they run. For more information, see: • Host and Device Identification and Detail Strategies, page 2-36 • Device Inventory Worksheet, page 1-18 • IP Management, page 23-3 • Service Management, page 23-7 User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 37 • Appliance-side Tuning Guidelines, page 1-17 • Configuring Logging Policies on Firewall Devices in User Guide for Cisco Security Manager 3.0 Checklist for Monitoring Phase After you complete the provisioning phase, you must configure MARS to help you realize your broader security goals and requirements.
  • Page 38 • Strategies for Monitoring, Notification, Mitigation, Remediation, and Audit, page 1-16 • Case Management, page 18-1 • User Management, page 23-8 • , page 23-13 • User Role Worksheet, page 1-20 User Guide for Cisco Security MARS Local Controller 1-10 78-17020-01...
  • Page 39 • MARS MIB Format, page 2-54 • Inspection Rules, page 21-4 • Working with System and User Inspection Rules, page 21-17 • Setting Alerts, page 21-23 • Sending Alerts and Incident Notifications, page 22-1 User Guide for Cisco Security MARS Local Controller 1-11 78-17020-01...
  • Page 40 • Adding User Defined Log Parser Templates, page 15-1 • Inspection Rules, page 21-4 • Working with System and User Inspection Rules, page 21-17 • Setting Alerts, page 21-23 • Sending Alerts and Incident Notifications, page 22-1 User Guide for Cisco Security MARS Local Controller 1-12 78-17020-01...
  • Page 41 For more information, see: • Queries and Reports, page 20-1 • Queries, page 20-1 • Perform a Batch Query, page 20-20 • Reports, page 20-23 • Creating a Report, page 20-25 User Guide for Cisco Security MARS Local Controller 1-13 78-17020-01...
  • Page 42 • Rule and Report Groups, page 21-24 • Event Groups, page 23-2 • Case Management, page 18-1 • The False Positive Page, page 19-8 • Retrieving Raw Messages, page 24-3 User Guide for Cisco Security MARS Local Controller 1-14 78-17020-01...
  • Page 43 A-30 • Setting Runtime Logging Levels, page 24-1 • Viewing the MARS Backend Log Files, page 24-2 • Viewing the Audit Trail, page 24-3 • Retrieving Raw Messages, page 24-3 User Guide for Cisco Security MARS Local Controller 1-15 78-17020-01...
  • Page 44 • Mitigation involves responding to suspicious activity to prevent the spread of anomalies across your network. • Remediation involves responding to successful exploits to clean infected hosts on your network. User Guide for Cisco Security MARS Local Controller 1-16 78-17020-01...
  • Page 45 Note: For releases 4.2.3 and earlier of MARS, you cannot define drop rules for a NetFlow-based event. For these releases, tuning of NetFlow events must be performed on the reporting device. User Guide for Cisco Security MARS Local Controller 1-17 78-17020-01...
  • Page 46 • Tunable. Identifies whether you can perform device-side tuning of the log generation. • Notify. Identifies whether this device can receive notifications from MARS. • Notification format. Identifies the format for any notifications that are sent to this device. User Guide for Cisco Security MARS Local Controller 1-18 78-17020-01...
  • Page 47 Table 1-1 Device Inventory Worksheet. Columns: Device Name | Management IP Address | Reporting IP Address | Username/Account | Password | Role in System/Segment | Required Log Settings/Protocols | SNMP RO Community | Tunable (y/n) | Notify (y/n) | Notification Format...
  • Page 48 Reports/Queries. Identifies any reports and queries required to meet the needs of this user role. You must ensure that the user can access these reports and queries. Optionally, you may want to notify the user when scheduled reports are generated. User Guide for Cisco Security MARS Local Controller 1-20 78-17020-01...
  • Page 49 Chapter 1 STM Task Flow Overview User Role Worksheet Table 1-2 User Role Worksheet. Columns: User Name | User Role | MARS Account/Role | Notification Settings | Device Ownership | Inspection Rules | Reports/Queries User Guide for Cisco Security MARS Local Controller 1-21 78-17020-01...
  • Page 50 Chapter 1 STM Task Flow Overview User Role Worksheet User Guide for Cisco Security MARS Local Controller 1-22 78-17020-01...
  • Page 51 After you complete the initial configuration of Local Controller as described in Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, you must determine a monitoring strategy to use for your network. You must also determine a mitigation strategy, if you chose to take advantage of the MARS mitigation features.
  • Page 52 To enable basic operation, you must complete the initial configuration of the MARS Appliance as described in Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System. In addition, you must specify the device name and...
  • Page 53 Table 2-2 identifies the device types, describes what information they can provide, and recommends how to configure these devices within your network. User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 54 • Forwarding tables, used to map IP address to MAC address. • Administrative access for mitigation push • Device status and resource utilization, such as memory, CPU, and interface/port statistics. • NetFlow data • 802.1x logs generated during NAC sessions User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 55 • Device status information. Identifies whether the device is operational, which allows prediction of possible spread of potential attacks and worms. • SNMP RO Community strings User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 56 IDS and it is reported to MARS, MARS can either launch a targeted scan using Nessus, or query a vulnerability assessment system supported by MARS that helps determine whether the target was vulnerable. User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 57 URLs and also filtering...regulatory compliance. Database Login/logout to determine the actual user (query report tab on the data). Privilege escalation, brute force crack type stuff, or maybe we want to do regulatory compliance. User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 58 (e.g., NetCache appliances). In addition, not all devices require the definition of interfaces. This section discusses the following three addresses and their relationship to other settings: • Access IP, page 2-9 • Reporting IP, page 2-9 • Interface Settings, page 2-10 User Guide for Cisco Security MARS Local Controller 78-17020-01...
  • Page 59: Reporting IP

    NetFlow and syslog, you must ensure that both message formats are bound to the same source IP address (the reporting IP). In Cisco IOS devices, this common association is not the default so you must change either the syslog or the NetFlow reporting IP address to match the other. If the message types do not originate from a common IP address, one of them is seen as originating from an unreported device and MARS does not parse those events correctly.
  • Page 60: Interface Settings

    NAT and ARP tables. In addition, if you select the FTP access type for device types such as Cisco ASA and FWSM, you can only discover settings for the admin context. This access method is the least preferred and most limited access method. To enable configuration discovery using FTP access, you must place a copy of the device’s configuration file on an FTP server...
  • Page 61: Configure SNMP Access for Devices in MARS

    Step 2 In the Password field, enter the password associated with the username specified in the Login field. Step 3 If this device supports an enable mode, enter that password in the Enable Password field. User Guide for Cisco Security MARS Local Controller 2-11 78-17020-01...
  • Page 62: Configure SSH Access for Devices in MARS

    Bootstrap Summary Table Table 2-3 summarizes the settings that you must configure for reporting devices and mitigation devices. It also provides links to any required agent downloads and to detailed configuration information. User Guide for Cisco Security MARS Local Controller 2-12 78-17020-01...
  • Page 63 Define the log settings to push the correct events to the defined host. Install the policies. VPN Devices Cisco VPN Cisco VPN 3000 Concentrator, page 5-1 Concentrator User Guide for Cisco Security MARS Local Controller 2-13 78-17020-01...
  • Page 64 Cisco Network IDS Enable RDEP for IDS modules. Cisco IDS 3.1 Sensors, page 6-1 Cisco IDSM Configure the following signature actions: Cisco IDS 4.0 and IPS 5.x Sensors, page 6-5 • Alert • (Optional) To view trigger packets, enable the...
  • Page 65 Information Server Install and Configure the Snare Agent for IIS, page 12-1 Sun iPlanet — HTTP (from MARS Agent) Install and Configure the Web Agent on UNIX or Linux, page 12-7 User Guide for Cisco Security MARS Local Controller 2-15 78-17020-01...
  • Page 66: Adding Reporting And Mitigation Devices

    Generic SNMP Server Enable SNMP access by MARS Appliance. Adding Generic Devices, page 10-1 Other Cisco Security Manager Enable HTTPS access by MARS Appliance Checklist for Security Manager-to-MARS Integration, page 16-6 Bootstrapping Cisco Security Manager Server to Communicate with MARS, page...
  • Page 67: Add Reporting And Mitigation Devices Individually

    Cisco Security MARS Local Controller 4.2.x and 5.2.x document. Devices are added to this list on an ongoing basis via software upgrade packages. See Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System for details on how to upgrade your MARS Appliance.
  • Page 68: Edit A Device

    NetScreen ScreenOS • For example, you could change the settings for the device type Cisco PIX 6.1 to Cisco PIX 7.0 without having to delete the device and add it again. The benefit of matching the version setting to the deployed device is that it allows MARS to correlate any event types introduced in the more recent version.
  • Page 69: Delete A Device

    Step 1 Select one of the following pages: • Admin > Security and Monitoring Devices • Management > IP Management Step 2 Check the box next to each device you want to delete. User Guide for Cisco Security MARS Local Controller 2-19 78-17020-01...
  • Page 70: Delete All Displayed Reporting Devices

    Admin > System Setup > Security and Monitoring Devices page to fine-tune the device manually. In addition, you must Activate the devices that you add using a seed file (see Activate the Reporting and Mitigation Devices, page 2-27). User Guide for Cisco Security MARS Local Controller 2-20 78-17020-01...
  • Page 71: Devices That Require Custom Seed Files

    IntruShield Manager, page 6-22. • Cisco Security Agent. While MARS can learn of the CSA agents dynamically, you can also import the initial list of agents using a custom seed file. For more information, see Export CSA Agent Information to File, page 7-6.
  • Page 72 MARS does not support the following characters in the SNMP RO community string: ' (single quote), " (double quote), < (less than symbol), and > (greater than symbol). Column C EMPTY Empty placeholder column. Column D EMPTY Empty placeholder column. User Guide for Cisco Security MARS Local Controller 2-22 78-17020-01...
  • Page 73 : for Cisco FWSM 2.3 • FWSM 3: for Cisco FWSM 3.1 • FWSM : for Cisco PIX 6.0, 6.1, 6.2, and 6.3 devices • • : for Cisco PIX 7.0 devices PIX7X • : for Cisco IOS 12.2 (default) •...
  • Page 74: Load Devices From The Seed File

    Step 4 Once you add a device, you must click Activate for MARS to correctly process events received from that device. For more information, see Activate the Reporting and Mitigation Devices, page 2-27. User Guide for Cisco Security MARS Local Controller 2-24 78-17020-01...
  • Page 75: Adding Reporting And Mitigation Devices Using Automatic Topology Discovery

    Once a device is listed under Monitoring and Reporting Devices, it may be rediscovered, but it will not be added again unless it has been properly deleted (see Delete a Device, page 2-19). User Guide for Cisco Security MARS Local Controller 2-25 78-17020-01...
  • Page 76: Verify Connectivity With The Reporting And Mitigation Devices

    • Cisco Switch IOS • Cisco IDS • Cisco IDSM • Cisco FWSM • Cisco Security Manager server • Cisco VPN Concentrator 4.x • Check Point • Extreme ExtremeWare 6.x • NetScreen User Guide for Cisco Security MARS Local Controller 2-26 78-17020-01...
  • Page 77: Run A Reporting Device Query

    The Submit action stores the device details in the database. Once you click Submit, your work is saved, even if you drop the administrative connection before clicking Activate. Step 2 Once you have all of the devices desired for this administrative session, click Activate. User Guide for Cisco Security MARS Local Controller 2-27 78-17020-01...
  • Page 78: Data Enabling Features

    MARS can collect additional data from a select set of reporting devices, which is used to provide reports about CPU utilization, memory utilization, and device saturation. This data can be helpful in detecting anomalies as well in network capacity planning. User Guide for Cisco Security MARS Local Controller 2-28 78-17020-01...
  • Page 79: Layer 2 Discovery And Mitigation

    With dynamic vulnerability scanning, the MARS probes the networks that you have specified for weaknesses. These automatic scans commence after a rule has fired that indicates an attack is in progress. Once an attack is underway, these scans accomplish the following: User Guide for Cisco Security MARS Local Controller 2-29 78-17020-01...
  • Page 80: Select A Network For Scanning

    Step 3 Understanding NetFlow Anomaly Detection NetFlow is a Cisco technology that supports monitoring network traffic and is supported on all basic IOS images. NetFlow uses a UDP-based protocol to periodically report on flows seen by the Cisco IOS device. A flow is a Layer 7 concept that consists of a session set up, data transfer, and session teardown.
  • Page 81: How MARS Uses NetFlow Data

    The data provided by NetFlow packets is similar to that provided by SYSLOG, SNMP, or Checkpoint LEA as reported by enterprise-level firewalls, such as Cisco PIX, NetScreen ScreenOS, and Checkpoint Firewall-1. The difference is that NetFlow is much more efficient. To receive comparable syslog data from a firewall device, the syslog logging level on the firewall must be set to DEBUG, which degrades firewall throughput at moderate to high traffic loads.
  • Page 82: Guidelines for Configuring NetFlow on Your Network

    88ed.html Before you configure NetFlow from MARS, you must first configure it on the router or switch. To enable NetFlow on a Cisco IOS router or switch and to push those events to the MARS Appliance, follow these steps: User Guide for Cisco Security MARS Local Controller...
  • Page 83 Chapter 2 Reporting and Mitigation Devices Overview Data Enabling Features Step 1 Log in to the Cisco IOS router or switch with administrator’s privileges. Step 2 Enter the following commands: Command | Purpose: enable | Turn on enable mode. Enter global configuration mode.
  • Page 84: Configuring Cisco CatIOS Switch

    Configuring Cisco CatIOS Switch Some Cisco Catalyst switches support a different implementation of NetFlow that is performed on the supervisor. With the cache-based forwarding model, which is implemented in the Catalyst 55xx running the Route Switch Module (RSM) and NetFlow Feature Card (NFFC), the RSM processes the first flow and the remaining packets in the flow are forwarded by the Supervisor.
  • Page 85 (see Enable Cisco IOS Routers and Switches to Send NetFlow to MARS, page 2-32). Also, verify that you have enabled this traffic to flow between the router or switch and the MARS Appliance on any intermediate gateways, such as routers and firewalls.
  • Page 86: Host and Device Identification and Detail Strategies

    MARS. This option allows you to provide vulnerability assessment information to assist in the reduction of false positives. For more information on adding hosts manually, see Add a Host, page 23-5. User Guide for Cisco Security MARS Local Controller 2-36 78-17020-01...
  • Page 87: Configuring Layer 3 Topology Discovery

    To add a community string for an IP range, follow these steps: Step 1 To open the Community Strings and Networks page, click Admin > Community Strings and Networks. Step 2 Click the IP Range radio button. User Guide for Cisco Security MARS Local Controller 2-37 78-17020-01...
  • Page 88: Add Valid Networks To Discovery List

    2-39. However, you can also initiate an on-demand discovery. To perform an on-demand discovery, follow these steps: Step 1 Click Admin > Valid Networks to open the Valid Networks page. User Guide for Cisco Security MARS Local Controller 2-38 78-17020-01...
  • Page 89: Scheduling Topology Updates

    This feature also allows you to pull data from those devices that require interval-based polling. The devices that require such polling are: • Qualys QualysGuard • eEye REM • FoundStone FoundScan • Check Point log servers Figure 2-1 Example Scheduled Update for eEye REM User Guide for Cisco Security MARS Local Controller 2-39 78-17020-01...
  • Page 90: Schedule A Network Discovery

    • Daily and the Time of Day • Weekly, the Time of Day, and the Days • Monthly, the Time of the Day, and the Dates Step 5 Click Submit. User Guide for Cisco Security MARS Local Controller 2-40 78-17020-01...
  • Page 91: To Delete A Scheduled Topology Discovery

    In addition, you must select Yes in the Monitor Resource Usage box of the General tab for each supported reporting device. Once configured, MARS uses SNMP to poll the device every 5 minutes for the following SNMP OIDs: • Bytes in/out of every interface on the device (Cisco IOS, Cisco PIX) •...
  • Page 92: Enabling the Required SNMP OIDs for Resource Monitoring

    • System Rule: Resource Issue: Network Device Enabling the Required SNMP OIDs for Resource Monitoring Table 2-5 lists the OIDs to enable, on a per device basis, for the supported model and versions. User Guide for Cisco Security MARS Local Controller 2-42 78-17020-01...
  • Page 93
    DEVICE_RES_OID_INTERFACE_NUMBER .1.3.6.1.2.1.2.1.0
    DEVICE_RES_OID_INTERFACE_IN_BYTES .1.3.6.1.2.1.2.2.1.10.i
    DEVICE_RES_OID_INTERFACE_OUT_BYTES .1.3.6.1.2.1.2.2.1.16.i
    DEVICE_RES_OID_INTERFACE_IN_BANDWIDTH .1.3.6.1.2.1.2.2.1.5.i
    DEVICE_RES_OID_INTERFACE_OUT_BANDWIDTH .1.3.6.1.2.1.2.2.1.5.i
    DEVICE_RES_OID_INTERFACE_IN_ERROR .1.3.6.1.2.1.2.2.1.14.i
    DEVICE_RES_OID_INTERFACE_OUT_ERROR .1.3.6.1.2.1.2.2.1.20.i
    DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET .1.3.6.1.2.1.2.2.1.11.i
    DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET .1.3.6.1.2.1.2.2.1.12.i
    DEVICE_RES_OID_INTERFACE_OUT_UCAST_PACKET .1.3.6.1.2.1.2.2.1.17.i
    DEVICE_RES_OID_INTERFACE_OUT_NUCAST_PACKET .1.3.6.1.2.1.2.2.1.18.i
    DEVICE_RES_OID_INTERFACE_DESCRIPTOR .1.3.6.1.2.1.2.2.1.2.i
    DEVICE_RES_OID_INTERFACE_IN_DISCARDS .1.3.6.1.2.1.2.2.1.13.i
    DEVICE_RES_OID_INTERFACE_IN_UNKNOWN_PROTOS .1.3.6.1.2.1.2.2.1.15.i
    DEVICE_RES_OID_INTERFACE_OUT_DISCARDS .1.3.6.1.2.1.2.2.1.19.i
    User Guide for Cisco Security MARS Local Controller 2-43 78-17020-01...
  • Page 94 DEVICE_RES_OID_INTERFACE_NUMBER .1.3.6.1.2.1.2.1.0 DEVICE_RES_OID_INTERFACE_IN_BYTES .1.3.6.1.2.1.2.2.1.10.i DEVICE_RES_OID_INTERFACE_OUT_BYTES .1.3.6.1.2.1.2.2.1.16.i DEVICE_RES_OID_INTERFACE_IN_BANDWIDTH .1.3.6.1.2.1.2.2.1.5.i DEVICE_RES_OID_INTERFACE_OUT_BANDWIDTH .1.3.6.1.2.1.2.2.1.5.i DEVICE_RES_OID_INTERFACE_IN_ERROR .1.3.6.1.2.1.2.2.1.14.i DEVICE_RES_OID_INTERFACE_OUT_ERROR .1.3.6.1.2.1.2.2.1.20.i DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET .1.3.6.1.2.1.2.2.1.11.i DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET .1.3.6.1.2.1.2.2.1.12.i DEVICE_RES_OID_INTERFACE_OUT_UCAST_PACKET .1.3.6.1.2.1.2.2.1.17.i DEVICE_RES_OID_INTERFACE_OUT_NUCAST_PACKET .1.3.6.1.2.1.2.2.1.18.i DEVICE_RES_OID_INTERFACE_DESCRIPTOR .1.3.6.1.2.1.2.2.1.2.i DEVICE_RES_OID_INTERFACE_IN_DISCARDS .1.3.6.1.2.1.2.2.1.13.i DEVICE_RES_OID_INTERFACE_IN_UNKNOWN_PROTOS .1.3.6.1.2.1.2.2.1.15.i DEVICE_RES_OID_INTERFACE_OUT_DISCARDS .1.3.6.1.2.1.2.2.1.19.i User Guide for Cisco Security MARS Local Controller 2-44 78-17020-01...
  • Pages 95-101 (manual pages 2-45 through 2-51): the same DEVICE_RES_OID_INTERFACE table as Page 94.
  • Page 102: Configuring Network Admission Control Features

    MARS supports the NAC initiative by storing and reporting on the NAC-based events generated by the various reporting devices on your network. The devices include: Cisco Trust Agent (CTA). While CTA does not report to MARS, it does report discovered settings to the ...
  • Page 103
    • System Rule: Security Posture: Infected - Network Wide
    • System Rule: Security Posture: Infected - Single Host
    • System Rule: Security Posture: Quarantine - Network Wide
    • System Rule: Security Posture: Quarantine - Single Host
  • Page 104: Integrating MARS With 3rd-Party Applications

    (System Rule: Sudden Traffic Increase To Port) fired and caused red Incident 204368256, starting from Wed Mar 14 12:28:14 2007 to Wed Mar 14 12:28:14 2007" SNMPv2-SMI::enterprises.16686.3.0 "sudden traffic increase to ports: 445 "
  • Page 105 Note: Notifications are sent only from the Local Controller.
  • Page 106: Relaying Syslog Messages From 3rd-Party Syslog Servers

    MARS. Currently, MARS parses the syslog messages generated by the following devices: Cisco PIX, Cisco IOS, Cisco CatOS, Cisco ICS, Cisco ASA, Cisco FWSM, Cisco VPN 3000, Cisco Secure ACS, Snort IDS, Juniper/NetScreen firewalls, Solaris, Linux, Microsoft Internet Information Server (IIS), and Microsoft Windows running the SNARE agent.
  • Page 107: Configure Kiwi Syslog Server To Forward Events To MARS

    Select Admin > System Setup > Security and Monitor Devices > Add.
    Step 2 Do one of the following:
    • Select Add SW Security apps on a new host from the Device Type list, and continue with Step 3
  • Page 108: Add Devices Monitored By Syslog Relay Server

    MARS Appliance. In the MARS web interface, you should still configure the reporting devices so that MARS can discover their settings and perform any mitigation operations.
  • Page 109: Cisco Router Devices

    Cisco IOS Software release 12.2 or later. The type of access that you must enable depends on whether modules are installed in your Cisco router or switch and the role of the device in your network. MARS uses this administrative access to discover the device’s configuration and, at times, to make changes to the device’s running configuration.
  • Page 110: Enable SNMP Administrative Access

    Before you add a Cisco router to MARS, make sure that you have enabled SNMP, Telnet, SSH, or FTP access to the router. The following sections provide guidance on configuring each supported access...
  • Page 111: Configure The Device Running Cisco IOS 12.2 To Generate Required Data

    Router(config)#logging <IP address of MARS Appliance>
    Enable SNMP RO Strings
    To enable SNMP RO strings for topology discovery on the Cisco IOS device, you must enable the SNMP server and define the RO community. To configure the SNMP RO string settings, follow these steps:...
  • Page 112: Enable NAC-Specific Messages

    RADIUS requests to the ACS. To configure the NAC Phase I data on a Cisco router to work with MARS, you must allow EAP over UDP and allow an IP address in the AAA station-id field of the packets. (Cisco Secure ACS includes this detail in its logs.
  • Page 113 Cisco Switches NAC Phase II enables Cisco switches to act as network access devices. To support this new feature, you must configure the Cisco switch to initiate 802.1x authentication when the link state changes from down to up and periodically if the port remains up but unauthenticated. NAC requires that hosts use 802.1x supplicants, or clients, to authenticate to the Cisco Secure ACS server before gaining access to network services.
  • Page 114: Enable SDEE For IOS IPS Software

    After you configure the switch to act as proxy and it is defined as a AAA client in Cisco Secure ACS, you must ensure that the authentication messages are sent to the MARS Appliance. For 802.1x accounting records, you must ensure that the audit records are written to the RADIUS log on the Cisco Secure ACS server.
  • Page 115 Selecting the Access Type, page 2-10.
    Step 7 (Optional) To enable MARS to retrieve MIB objects for this reporting device, enter the device’s read-only community string in the SNMP RO Community field.
  • Page 116 IOS IPS does not refer to an IPS module. It refers to a software feature in the IOS software. The IOS IPS feature is required to enable the DTM functionality in MARS. See Technology Preview: Configuring Distributed Threat Mitigation with Intrusion Prevention System in Cisco Security MARS, page 1, for more information. Result: The IOS IPS Information page appears.
  • Page 117: Cisco Switch Devices

    • Configure the Device Running CatOS to Generate Required Data, page 3-11
    Adding a Cisco switch running to MARS has two distinct steps. First, you add the base module of the switch, providing administrative access to that device. Second, you add any modules that are running in the switch.
  • Page 118: Enable SNMP Administrative Access

    URL: IP Access http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_4/confg_gd/ip_perm.htm#wp1019819
    Enable SSH Administrative Access
    To enable configuration discovery using SSH access to the Cisco router or switch, refer to your device documentation or the following URL: IP Access http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_4/confg_gd/ip_perm.htm#wp1019819
    Enable FTP-based Administrative Access
    To enable configuration discovery using FTP access, you must place a copy of the Cisco router’s or...
  • Page 119: Configure The Device Running CatOS To Generate Required Data

    Step 5 switch> (enable) exit
    Enable Syslog Messages on CatOS
    To configure a Cisco switch running CatOS to send syslog information to MARS, follow these steps:
    Step 1 To enable the syslog server on the switch, enter: set logging server enable...
  • Page 120: Enable L2 Discovery Messages

    Enable L2 Discovery Messages To enable L2 discovery on your Cisco switches, you must enable the spanning tree protocol (STP) and provide the SNMP RO community string. All L2 devices must support the SNMP STP MIB (IETF RFC 1493).
  • Page 121: Add And Configure A Cisco Switch In MARS

    • If the switch is running any version of CatOS, select Cisco Switch-CatOS ANY from the Device Type list.
    • If the switch is running Cisco IOS 12.2 or later, select Cisco Switch-IOS 12.2 from the Device Type list.
    Step 3 Enter the name of the device in the Device Name field.
  • Page 122: Adding Modules To A Cisco Switch

    Cisco IOS 12.2 To add a module, you must first add the base module, which is the Cisco switch. After the base module is defined in the web interface, you can discover the modules that are installed in the switch (click Add Available Module) or add them manually (click Add Module).
  • Page 123: Add Cisco IOS 12.2 Modules Manually

    Basic guidance for editing these settings can be found in the topics that discuss manually adding these modules. See the following topics for more information:
    • Add Cisco IOS 12.2 Modules Manually, page 3-15
    • Cisco Firewall Devices (PIX, ASA, and FWSM), page 4-1
    • Cisco IPS Modules, page 6-10.
  • Page 124 Step 8 (Optional) To enable MARS to monitor this device for anomalous resource usage, select Yes from the Monitor Resource Usage list.
  • Page 125: Extreme ExtremeWare 6.x

    <encrypted community string>
    configure snmp add community readwrite encrypted <encrypted community string>
  • Page 126: Add And Configure An ExtremeWare Switch In MARS

    You can add any L2 or L3 device to MARS as long as SNMP is enabled on the device. A generic router refers to any L2 or L3 device that is not listed in the Supported Devices and Software Versions for CS-MARS Local Controller 4.1.
  • Page 127: Add And Configure A Generic Router In MARS

    Any events published by the device to MARS before activation can be queried using the reporting IP address of the device as a match criterion.
  • Page 128 Chapter 3 Configuring Router and Switch Devices Generic Router Device
  • Page 129: Chapter 4 Configuring Firewall Devices

    Configure the Cisco firewall device to accept administrative sessions from MARS (to discover settings). For Cisco ASA, PIX 7.0, and FWSM device types, you configure the admin context to accept these sessions.
  • Page 130: Bootstrap The Cisco Firewall Device

    Note: To be monitored by MARS, the Cisco ASA, PIX 7.0, and FWSM device types have the following two requirements: each context requires a unique routable IP address for sending syslog messages to MARS, and each context must have a unique name (hostname + domain name).
  • Page 131 In addition to configuring specific event types and administrative access, syslog messages should be sent to the MARS Appliance. To prepare the Cisco firewall device to send these messages to the MARS Appliance, you must configure the logging settings associated with each firewall device on your network.
  • Page 132: Enable Telnet Access On A Cisco Firewall Device

    When monitoring a failover pair of Cisco firewall devices, you should designate the primary Cisco firewall device as the device to be monitored. If failover occurs, the secondary device assumes the IP address of the primary, which ensures that session correlation is maintained after the failover.
  • Page 133 Refer to PIX debug messages for interesting keywords. Cisco recommends enabling debug for optimal use of your STM solution. If a Cisco firewall device is unable to sustain debug-level messages due to performance reasons, the informational level should be used.
  • Page 134: Device-Side Tuning For Cisco Firewall Device Syslogs

    Cisco Security Appliance System Log Messages, Version 7.2 http://www.cisco.com/en/US/products/ps6120/products_system_message_guide_book09186a0080610b8b.html
    Cisco FWSM
    • “Changing the Severity Level of a System Log Message” in Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 3.1 http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c3e.html#wp1099894
    “Disabling a System Log Message”...
  • Page 135: List Of Cisco Firewall Message Events Processed By MARS

    09186a00804d7356.html
    List of Cisco Firewall Message Events Processed by MARS
    The following list of events is processed by MARS. By changing the severity level of these events so that they fall within the logging level you have selected, you can typically reduce the load on your firewall logging by 5-15%.
  • Page 136: Add And Configure A Cisco Firewall Device In MARS

    To add and configure a Cisco firewall device, follow these steps:
    Step 1 Do one of the following:
    • If you are adding an FWSM, you must be on the main page of the Cisco switch to which you are adding it. On that page, click Add Module.
  • Page 137
    • If you are adding a PIX security appliance or a Cisco ASA, select Admin > System Setup > Security and Monitor Devices > Add. Select one of the following options from the Device Type list.
  • Page 138
    • Configure FTP Access for Devices in MARS, page 2-12
    Note: If you select the FTP access type and you are defining a Cisco ASA, PIX 7.0, or FWSM, you cannot discover the non-admin context settings. Therefore, this access type is not recommended.
  • Page 139: Add Security Contexts Manually

    Activate the Reporting and Mitigation Devices, page 2-27.
    Add Security Contexts Manually
    You can manually define security contexts in PIX 7.0, Cisco ASA, or FWSM.
    Step 1 Do one of the following: (PIX 7.0 and FWSM) Click Add Context.
  • Page 140: Add Discovered Contexts

    Step 8
    Add Discovered Contexts
    When you select Discover on a Cisco ASA, PIX 7.0 or FWSM, MARS discovers the contexts that are defined for that firewall device. However, you must still manually add the discovered contexts.
  • Page 141: Edit Discovered Security Contexts

    Note: You cannot discover a module installed in a Cisco ASA; you must manually define IPS modules. However, the discovered contexts do appear under the Module area on the main page.
  • Page 142: NetScreen ScreenOS Devices

    Add the NetScreen Device to the MARS web interface. To accomplish these requirements, you must perform two procedures:
    • Bootstrap the NetScreen Device, page 4-15
    • Add the NetScreen Device to MARS, page 4-20
  • Page 143: Bootstrap The NetScreen Device

    In the main screen, on the left hand column click Network > Interfaces.
    Step 3 Click Edit next to the appropriate interface to configure for MARS to have access to SNMP and Telnet/SSH.
  • Page 144 Access Type value of Add the NetScreen Device to MARS, page 4-20.
    Step 5 Click Apply then click OK.
    Step 6 Configure the SNMP information by selecting Configure > Report Settings > SNMP.
  • Page 145 MARS web interface when adding this device.
    Step 9 (Optional) If the community string does not match, click New Community to define one that matches the one defined in MARS.
  • Page 146
    Step 14 Select the AUTH/SEC for Security Facility and LOCAL0 for Facility.
    Step 15 For NetScreen 5.0, select the Event Log in addition to Traffic Log.
    Step 16 Click Apply.
  • Page 147 Policies on the left hand area.
    Step 18 Click Edit then Advance and verify that the Logging box is checked. Repeat for all policies whose events need to be sent to MARS.
  • Page 148: Add The NetScreen Device To MARS

    Step 4 (Optional) To enable MARS to discover settings from this device, enter the administrative IP address in the Access IP field. To learn more about the access IP address, its role, and dependencies, see Understanding Access IP, Reporting IP, and Interface Settings, page 2-8.
  • Page 149 IP address of the device as a match criterion. For more information on the activate action, see Activate the Reporting and Mitigation Devices, page 2-27.
  • Page 150: Check Point Devices

    NGX: also NG AI R60.
    OPSEC (Open Platform for Security): An alliance, certification, and integration methodology for products and solutions that integrate into a Check Point infrastructure.
    Check Point Provider-1 —
  • Page 151 MDS communicates securely with the CMAs that it houses. The SiteManager-1 system operates much the same as Provider-1; however, it is targeted toward large enterprise customers. The Check Point components are the same as those found in Provider-1.
  • Page 152: Determine Devices To Monitor And Restrictions

    MARS web interface. The Check Point product line and release, as well as the number of devices managed, determine which tasks you must perform to configure MARS to monitor your Check Point devices.
  • Page 153: Bootstrap The Check Point Devices

    SIC DN. This SIC DN is the one used by OPSEC applications, including the management server, to validate the MARS Appliance. You specify this client SIC DN in the MARS
  • Page 154: Add The MARS Appliance As A Host In Check Point

    Representing the MARS Appliance in Check Point enables the following supporting tasks:
    • Generate a client SIC DN for the MARS Appliance.
    • Define policies to allow SIC and syslog traffic between the Check Point components and the MARS Appliance.
  • Page 155
    Step 4 Any Check Point policies defined to enable access or send logs to this appliance will reference the appliance by this name. Cisco best practice recommends using the actual hostname of the MARS Appliance.
    Step 5 Enter the IP address of the monitoring interface in the MARS Appliance in the IP Address field. Typically, the monitoring interface is eth0.
  • Page 156
    Step 5 Add the MARS Appliance as a Host in Check Point, page 4-26.
    Step 6 Result: This OPSEC application definition is associated with the host that represents the MARS Appliance.
  • Page 157
    Step 13 Record the contents of the DN field that appears under Secure Internal Communication. This value is used to populate the Client Entity SIC Name field of MARS in Add a Check Point Primary Management Station to MARS, page 4-40.
  • Page 158
    • Each management server to which logs are forwarded by remote components.
    • Each remote log server that does not forward logs to a central management server, either the MDS or a SmartCenter.
    Management servers are the following devices:
  • Page 159
    • The MLM of a Provider-1 or SiteManager-1 NGX (R60) installation.
    Step 5 Click Edit. The Check Point Host - Management dialog box appears, with the General Properties page selected.
  • Page 160 MARS supports only three of the available Check Point authentication modes:
    • CLEAR. Indicates that the traffic is neither authenticated nor encrypted.
    • SSLCA. Indicates that the communications need to be authenticated and encrypted using a symmetric key cipher
  • Page 161 Such requests will be serviced and the sessions will be neither authenticated nor encrypted.
    LEA_SERVER port 18187
    Check Point uses the following default settings:
    • For LEA, SSLCA is the authentication method and communications occur over TCP 18184.
  • Page 162: Create And Install Policies

    Step 2 If Check Point firewall components reside between the Check Point components (central management and log server) and the MARS Appliance monitoring those components, define the security policies that allow management and log traffic between those devices.
  • Page 163 Result: The security policies on the target firewall devices are updated, enabling CPMI and LEA traffic flows between the Check Point components and the MARS Appliance. Using the Check Point log viewer, you can verify that the policies were installed successfully.
  • Page 164: Verify Communication Path Between MARS Appliance And Check Point Devices

    A-56 in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System.
    Reset the OPSEC Application Certificate of the MARS Appliance
    If you encounter an error when pulling the certificate as part of defining the Check Point devices in the MARS web interface, you must reset the certificate before you can attempt to pull it again.
  • Page 165 Click the Communication button under Secure Internal Communication. Result: The Communication dialog box appears.
    Step 6 Click Reset to reset the certificate.
    Step 7 Click Close to close the Communication dialog box.
  • Page 166 Result: The OPSEC Application that represents MARS is defined and associated to the correct host. You also have obtained the activation key and client SIC DN for later use in Add a Check Point Primary Management Station to MARS, page 4-40.
  • Page 167: Add And Configure Check Point Devices In MARS

    Click Activate in MARS. To add a Check Point device in MARS, you must perform the following procedures: • Add a Check Point Primary Management Station to MARS, page 4-40
  • Page 168: Add A Check Point Primary Management Station To MARS

    • Select Add SW security apps on existing host from the Device Type list. Select the device to which you want to add the software application and click Add. Continue with Step
    Step 3 Specify values for the following fields:
  • Page 169
    • CheckPoint Opsec NG FP3. Select this option for Check Point NG FP3 devices.
    • CheckPoint Opsec NG AI. Select this option for Check Point NG AI (R55) and Check Point NGX (R60) devices.
  • Page 170 SSLCA and data is passed on port 18190. For more information on this setting, see Select the Access Type for LEA and CPMI Traffic, page 4-32.
  • Page 171 Otherwise, an error message appears. After the initial pull, the MARS Appliance pulls based on the schedule that you define. For more information, see Scheduling Topology Updates, page 2-39.
  • Page 172: Station

    To manually define a child enforcement module that is managed by the primary management station or a log server to which either the primary management station or a child enforcement module publishes its audit and security logs, follow these steps:
  • Page 173
    Step 4 The Access Information page appears.
    Step 5 Click Add under Firewall & Log Server Settings. Result: The list of available hosts appears.
    Step 6 Do one of the following:
  • Page 174 Monitoring Device list.
    Step 8 (Optional) To enable MARS to retrieve MIB objects for this reporting device, enter the child enforcement module’s read-only community string in the SNMP RO Community field.
  • Page 175: Add A Check Point Certificate Server

    Note: This procedure assumes you have been referred to it, and that you are in the middle of defining a primary management station or child enforcement module. To define a certificate server, follow these steps:
  • Page 176: Edit Discovered Log Servers On A Check Point Primary Management Station

    SIC communication settings. To edit a discovered log server, follow these steps:
  • Page 177 SIC DN of the MDS that manages the CMA.
    Step 5 Click Submit to save your changes to this log server.
    Step 6 Repeat Step 1 through Step 5 for each discovered log server.
  • Page 178: Edit Discovered Firewall On A Check Point Primary Management Station

    To provide this information, you must define the routes manually in the MARS web interface. You will need a list of the routes for all interfaces in the firewall before you attempt to enter this information.
  • Page 179
    Step 3 Click Submit to add the route to the list of routes.
    Step 4 Repeat • through Step 3 for each route defined on the firewall.
    Step 5 Click Close to return to the Access Information page.
  • Page 180: Specify Log Info Settings For A Child Enforcement Module Or Log Server

    • To specify that the child enforcement module is acting as its own log server, select Self and continue with Step 3, omitting the Device Name field.
  • Page 181 This name is used in topology maps, queries, and as the primary management station in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and
  • Page 182 MARS before activation can be queried using the reporting IP address of the device as a match criterion. For more information on the activate action, see Activate the Reporting and Mitigation Devices, page 2-27.
  • Page 183: Verify Connectivity Between Mars And Check Point Devices

    Under Firewall & Log Server Settings, check the box next to the child enforcement module that you want Step 5 to remove. Step 6 Click Remove. Result: The Confirmation screen appears. User Guide for Cisco Security MARS Local Controller 4-55 78-17020-01...
  • Page 184: Troubleshooting Mars And Check Point

    You can view the debug messages using the pnlog showlog cpdebug command at the CLI. For more information on pnlog, see pnlog, page A-30 in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System. User Guide for Cisco Security MARS Local Controller 4-56 78-17020-01...
  • Page 187: Chapter 5 Configuring Vpn Devices

    To configure a Cisco VPN 3000 Concentrator to generate and publish events to the MARS Appliance, you must verify that the correct events are generated in the correct format, and you must direct the Cisco VPN 3000 Concentrator to publish syslog events to the MARS Appliance.
  • Page 188: Add The Vpn 3000 Concentrator To Mars

    To add the VPN 3000 Concentrator to MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 Select either Cisco VPN Concentrator 4.0.1 or Cisco VPN Concentrator 4.7 from the Device Type list.
  • Page 189 SNMP RO Community field. MARS uses the SNMP RO string to read MIBs related to the reporting device’s CPU usage and other device anomaly data. Step 8 Click Discover. Step 9 Click Submit.
  • Page 191: Cisco Ids 3.1 Sensors

    • Cisco IDS 3.1 Sensors Before you add the Cisco IDS 3.1 device, make sure that you have configured the Cisco IDS device so that MARS can retrieve the device configuration. The device configuration is used to map the logs received by MARS.
  • Page 192: C H A P T E R 6 Configuring Network-Based Ids And Ips Devices

    (has to be unique). Figure 6-1 Add MARS Information to Cisco IDS 3.1 Organizations File. In the hosts file, add a line indicating your MARS appliance’s name associated with the organization that was previously added in the organizations file;...
  • Page 193 (these numbers are not used by MARS). Figure 6-3 Add MARS Information to Cisco IDS 3.1 Routes File. In the destinations file, add a line indicating your MARS appliance’s name (as defined in the routes file)
  • Page 194: Add And Configure A Cisco Ids 3.1 Device In Mars

    Enter “netrangr” as the Login and its Password. When adding a Cisco IDS 3.1 device, use the netrangr username or some other username that is not the root login for the sensor. Using the root login causes MARS to fail to parse the login prompt correctly, which in turn causes the Test Connectivity to fail.
  • Page 195: Cisco Ids 4.0 And Ips 5.X Sensors

    Click Submit. Cisco IDS 4.0 and IPS 5.x Sensors Adding a Cisco IDS or IPS network sensor to MARS involves two parts: • Bootstrap the Sensor, page 6-5 • Add and Configure a Cisco IDS or IPS Device in MARS, page 6-6...
  • Page 196: Enable The Access Protocol On The Sensor

    If the signature actions are correctly configured, MARS can display the trigger packet information for the first event that fires a signature on a Cisco IDS or IPS device. MARS is also able to pull the IP log data from Cisco IDS and IPS devices; however, this operation is system intensive. Therefore, you should select the set of signatures that generate IP log data carefully.
  • Page 197 • Select Cisco IDS 4.0 from the Device Type list. Figure 6-6 Configure Cisco IDS 4.0. • Select Cisco IPS 5.x from the Device Type list.
  • Page 198: Specify The Monitored Networks For Cisco Ips Or Ids Device Imported From A Seed File

    To define the networks monitored by a sensor, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices. Step 2 Select the check box next to the Cisco IPS or IDS device that was imported using a seed file, and click Edit.
  • Page 199: View Detailed Event Data For Cisco Ips Devices

    IP log varies based on sensor configuration; by default, an IP log contains 30 seconds of packet data. To view this data, you must enable the Pull IP Logs option on the Cisco IPS device under Admin > System Setup > Security and Monitor Devices.
  • Page 200: Verify That Mars Pulls Events From A Cisco Ips Device

    On the Cisco IPS device, enable and alert on the signatures 2000 and 2004. These signatures monitor ICMP messages (pings). Ping a device on the subnet on which the Cisco IPS device is listening. The events are generated and pulled by MARS.
  • Page 201: Enable Sdee On The Cisco Ios Device With An Ips Module

    To add an IPS module to a Cisco switch or Cisco ASA, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices. Step 2 From the list of devices, select the Cisco switch or Cisco ASA to which you want to add the IPS module and click Edit.
  • Page 202 For Cisco switches, you can also add a Cisco IPS 4.0 module or an IDS 3.1 module. You configure these modules just as you would a standalone sensor. For instructions on configuring these modules, refer to Cisco IDS 3.1 Sensors, page 6-1...
  • Page 203: Iss Site Protector

    To perform the major configuration steps required to use Site Protector to forward the SNMP alerts generated by sensors to the MARS Appliance, follow these steps: Step 1 Using the Add Sensor Wizard, register the sensor to the Site Protector Console.
  • Page 204 Chapter 9, Registering Software Managed by SiteProtector, on page 105 at the following URL: http://documents.iss.net/literature/SiteProtector/SPUserGuideforSecurityManagers20SP52.pdf Step 2 Right-click the sensor to edit, and click Edit Settings on the shortcut menu. The Edit Settings dialog appears.
  • Page 205 Select the SNMP tab. Click Add to create a new SNMP response object using the IP address of the MARS Appliance. Step 4 Select the Security Events to configure the new SNMP destination.
  • Page 206 Note You can also select policies and edit them at the group level. Click Edit to configure the SNMP response of all the selected policies. Step 5 Select the MARS Appliance on the SNMP tab.
  • Page 207: Iss Realsecure 6.5 And 7.0

    SNMP notification is a default response in current.policy when triggered. • Edit the response.policy files to specify the IP of the SNMP manager (MARS Appliance) and the community string.
  • Page 208: Configure Iss Realsecure To Send Snmp Traps To Mars

    Edit each signature to have SNMP as one of its responses, and set the choice for SNMP trap as default. For example, in this original signature: [\template\features\AOLIM_File_Xfer\Response\]; [\template\features\AOLIM_File_Xfer\Response\DISPLAY\]; Choice =S Default; [\template\features\AOLIM_File_Xfer\Response\LOGDB\]; Choice =S LogWithoutRaw; Insert the following bolded lines to make it look similar to the following:
  • Page 209: Add An Iss Realsecure Device As A Nids

    Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name. Step 4 Click Apply. Step 5 Click on the Reporting Applications tab.
  • Page 210: Add An Iss Realsecure Device As A Hids

    Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name.
  • Page 211 Step 9 Step 10 For multiple interfaces, click on the General tab, and add the new interfaces’ name, IP address, and network mask. Figure 6-11 Adding Multiple Interfaces. Step 11 Click Apply.
  • Page 212: Intruvert Intrushield

    | ip_address |
    +------------+------------+
    | intruvert  | 0A010134   |
    | intruvert1 | 0A010135   |
    +------------+------------+
    2 row in set (0.00 sec)
    You would then edit the above file to appear as:
    intruvert,0A010134
    intruvert1,0A010135
  • Page 213: Configure Intrushield Version 1.5 To Send Snmp Traps To Mars

    Check the Forward Alerts box. Select the For this and child admin domains radio button. Select the severity from the list. Cisco recommends selecting High and Medium severity. Check the Forward Faults box. Select the severity from the list. Cisco recommends selecting Error and above severity.
  • Page 214 Figure 6-12 IntruShield SNMP Forwarder Configuration. Step 6 Click the Add button.
  • Page 215: Add And Configure An Intrushield Manager And Its Sensors In Mars

    Target Server Port Number: Enter MARS’s port number 162. SNMP Version: 1. Forward Alerts: Select the severity from the list. Cisco recommends selecting Informational and above severity. Customize Community: Enter the community string that you want to use. Click Apply and exit the program.
  • Page 216: Add The Intrushield Manager Host To Mars

    Step 4 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. Enter the network address in the Network IP field.
  • Page 217: Add Intrushield Sensors Using A Seed File

    Step 7 To save the changes made to this management console and the sensors it manages, click Submit. Step 8 To enable MARS to start sessionizing events from this module, click Activate.
  • Page 218: Snort 2.0

    Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.
  • Page 219: Symantec Manhunt

    Step 1 Log in to the Symantec ManHunt with the appropriate username and password. Step 2 In the main screen, click Setup > Policy > Response Rules; the Response Rules window appears.
  • Page 220 Step 5 In the left menu, click SNMP Notification and enter the following information: SNMP Manager IP address: Reporting IP address of MARS. Maximum number of SNMP notification: (Example: 100000).
  • Page 221: Mars Side Configuration

    Step 10 To enable MARS to start sessionizing events from this module, click Activate. NetScreen IDP 2.1 IDP-side Configuration Step 1 Click NetScreen-Global Pro > IDP Manager > IDP. Step 2 Log in to the IDP Manager.
  • Page 222: Mars-Side Configuration

    Step 2 Select existing device or Add New device. Step 3 Enter the Device Name, Sensor Name, and its Reporting IP address. • Device Name – the DNS entry for this device
  • Page 223: Enterasys Dragon 6.X

    Step 3 In the left menu, click Notification Rules. Step 4 In the right window, select syslog if it exists. If not, you need to create it: Click New Notification Rules and select syslog.
  • Page 224: Host-Side Configuration

    Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.
  • Page 225: Add A Dragon Nids Device

    Step 6 To save your changes, click Submit. Step 7 Click Done when you are done adding the sensor. Step 8 To enable MARS to start sessionizing events from this module, click Activate.
  • Page 227: Chapter 7 Configuring Host-Based Ids And Ips Devices

    Specify the Events to Generate SNMP Traps for MARS, page 7-2 • Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5) Note Entercept agent information is saved in a database file on the Entercept console.
  • Page 228: Create A Csv File For Entercept Agents In Version 2.5

    Entercept console, instead of typing the mapping for each agent. Create a CSV file for Entercept Agents in Version 2.5 Step 1 Go to the directory Program Files\Cisco IDS\Console\Database and copy the file CoreShield.mdb to another directory, e.g., C:\temp.
  • Page 229: Add And Configure An Entercept Console And Its Agents In Mars

    Step 9 Check the “Is Sensor” check box, which indicates whether this entry is a sensor. Step 10 Enter the sensor’s Agent Name, which is the agent name for the console if it is an agent.
  • Page 230: Add Entercept Agents Manually

    Step 2 If you need to generate the Entercept Agent CSV file, see Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5), page 7-1. Step 3 Click Submit.
  • Page 231: Cisco Security Agent 4.X Device

    Export CSA Agent Information to File, page 7-6. Note Prior to the 4.1.1 release, CSA was identified by the device type name Cisco CSA 4.0. As part of an upgrade, any Cisco CSA 4.0 devices were renamed as Cisco CSA 4.x. This new name includes support for Cisco CSA 4.0 and 4.5.
  • Page 232: Configure Csa Mc To Forward Snmp Notifications To Mars

    Export CSA Agent Information to File With the release of MARS 4.1.1, you are no longer required to define each Cisco CSA agent, as they are discovered when a device sends an SNMP notification to the CSA Management Console (CSA MC).
  • Page 233: Add And Configure A Csa Mc Device In Mars

    Enter the Device Name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 Click the Reporting Applications tab. Step 6 From the Select Application list, select Cisco CSA 4.x. Step 7 Click Add. The Management Console page appears.
  • Page 234: Add A Csa Agent Manually

    Step 1 Click Admin > Security and Monitoring Devices. Step 2 From the list of devices, select the host running Cisco CSA Management Center, and click Edit. Step 3 Click the Reporting Applications tab, select Cisco CSA Management Center in the Device Type list, and click Edit.
  • Page 235: Add Csa Agents From File

    Step 1 Click Admin > Security and Monitoring Devices. Step 2 From the list of devices, select the host running Cisco CSA Management Center, and click Edit. Step 3 Click the Reporting Applications tab, select Cisco CSA Management Center in the Device Type list, and click Edit.
  • Page 236: Troubleshooting Csa Agent Installs

    Status: NoRouteToHostException. Indicates that the identified FTP server is not reachable from the MARS Appliance. You may need to define additional routes or enable traffic flows to ensure the connection is allowed.
  • Page 237: Chapter 8 Configuring Antivirus Devices

    Step 5 Step 6 Under System Hierarchy, right-click the appropriate server group name and unlock the server group by supplying the configured password. Unlocking the server enables you to configure it.
  • Page 238 All Tasks > AMS > Configure. Figure 8-2 Symantec AV AMS. Step 8 Select Send SNMP Trap under each Alert Action, then click Configure.
  • Page 239 Select the Local Controller to send the SNMP trap to as defined in Step 3, and then click Next to view the Action Message window. Step 11 Add alert parameters to the Alert message list according to the following information:
  • Page 240 • Virus Name: <Virus Name> • File Path: <File Path> • Severity: <Severity> • Source: <Source> The following list identifies the trap type and the full list of possible fields: Alert: Virus Found
  • Page 241 Alert: Scan Start/Stop • Alert: <Alert Name> • Computer: <Computer Name> • Date: <Date> • Time: <Time> • Severity: <Severity> • Source: <Source> • Source: <Source> • Logger: <Logger> • User: <User>
  • Page 242 • Computer: <Computer Name> • Date: <Date> • Time: <Time> • Description: <Description> • Severity: <Severity> • Source: <Source> Step 12 Repeat Step 8 through Step 11 for each alert event.
  • Page 243: Export The Antivirus Agent List

    Add Agents from a CSV File, page 8-8.) This topic explains how to manually add a single agent. The value of defining an agent is that it accelerates the discovery process; however, it is not required.
  • Page 244: Add Agents From A Csv File

    Configure ePolicy Orchestrator to Generate Required Data To prepare the ePolicy Orchestrator server to forward SNMP events to MARS, follow these steps: Step 1 Select Start > Program Files > Network Associates > ePolicy Orchestrator 3.x Console.
  • Page 245 Step 7 In the Server address field, enter the IP address of the eth0 interface, the monitoring interface for the MARS Appliance, and click OK. The SNMP server is added to represent the MARS Appliance.
  • Page 246 Appliance. To edit a rule, follow these steps: Click the rule. The Describe Rule wizard page appears. Click Next to proceed to the Set Filters page. Under Add or Edit Notification Rule, click the 3. Set Thresholds link.
  • Page 247 Set Threshold Values. Verify the Aggregation and Throttling values are set as shown in Figure 8-6 on page 8-11. Click Next to proceed to the Create Notifications page. Click Add SNMP Trap.
  • Page 248: Add And Configure Epolicy Orchestrator Server In Mars

    To add an ePolicy Orchestrator server to MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host.
  • Page 249: Cisco Incident Control Server

    Outbreak Prevention ACL (OPACL). • Second, as soon as a signature is available, Cisco ICS updates all Cisco IPS and IDS devices running on your network with the signature required to detect and prevent the specific threat. This signature is referred to as an Outbreak Prevention Signature (OPSig).
  • Page 250: Configure Cisco Ics To Send Syslogs To Mars

    Cisco ICS now publishes syslog messages to MARS. For MARS to be aware of this device, you must add the Cisco ICS device as a software application running on a host and you must click Activate in the web interface.
  • Page 251: Add The Cisco Ics Device To Mars

    Microsoft Internet Information Services. Step 3 In the Device Name field, enter the hostname of the server. Step 4 In the Reporting IP field, enter the IP address of the interface on the Cisco ICS server from which the syslog messages will originate.
  • Page 252 Using that information, they could push equivalent ACLs to devices not managed by Cisco ICS. When defining inspection rules or reports, you can access the list of Cisco ICS-specific events by entering Cisco ICS in the Description / CVE: field and clicking Search on the Management > Event Management page of the web interface.
  • Page 253: Chapter 9 Configuring Vulnerability Assessment Devices

    Schedule the interval at which the Foundstone FoundScan server data is pulled by MARS. This section contains the following topics: • Configure FoundScan to Generate Required Data, page 9-2 • Add and Configure a FoundScan Device in MARS, page 9-2
  • Page 254: Configure Foundscan To Generate Required Data

    Step 3 Add and Configure a FoundScan Device in MARS To add a FoundScan device in MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add.
  • Page 255: Eeye Rem 1.0

    • Schedule the interval at which the eEye REM server data is pulled by MARS. This section contains the following topics: • Configure eEye REM to Generate Required Data, page 9-4 • Add and Configure the eEye REM Device in MARS, page 9-4
  • Page 256: Configure Eeye Rem To Generate Required Data

    Add and Configure the eEye REM Device in MARS To add the eEye REM device in MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add.
  • Page 257: Qualys Qualysguard Devices

    • Configure QualysGuard to collect the required data, ensuring that the data is current. • Add the QualysGuard device that represents a report query to MARS using the web interface.
  • Page 258: Configure Qualysguard To Scan The Network

    Proxy Settings for the Global Controller or Local Controller, page 6-18 of the “Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.” This section contains the following topics: • Configure QualysGuard to Scan the Network, page 9-6...
  • Page 259 Enter the username of the account that MARS will use to access the Qualys device in the Login field. Step 6 Enter the password that corresponds to the account identified in Step 5 in the Password field.
  • Page 260: Schedule The Interval At Which Data Is Pulled

    The update rule appears in the list on the Topology/Monitored Device Update Scheduler page. Step 8 Click Activate. To perform this discovery on demand, select the check box next to the rule you just defined and click Run Now.
  • Page 261: Troubleshooting Qualysguard Integration

    correctly, if there is no direct connection from CS-MARS to the Qualys server. • The hostname specified in the URL string is correct. • Login name and password are valid.
  • Page 263: Chapter 10 Configuring Generic, Solaris, Linux, And Windows Application Hosts

    MARS. You can enter any syslog or SNMP device into the network topology, configure it to report data to MARS, and query it using a free-form query. For more information on free-form queries, see To Run a Free-form Query, page 20-2.
  • Page 264: Sun Solaris And Linux Hosts

    *.debug @MARS_hostname where MARS_hostname is the hostname or IP address of the MARS Appliance. Step 2 Run the following commands to restart syslogd so that the changes are processed: /etc/init.d/syslog stop
  • Page 265: Configure Mars To Receive The Solaris Or Linux Host Logs

    Step 1 Click Admin > Security and Monitor Devices > Add. Figure 10-1 Adding a Solaris or Linux Device. Step 2 From the Device Type list, select Add SW Security apps on a new host.
  • Page 266: Microsoft Windows Hosts

    MARS Appliance, and how close to real time you want MARS to process the event data.
  • Page 267: Push Method: Configure Generic Microsoft Windows Hosts

    Select Normal Installation in the Components list and click Next. Step 7 Select the target Start menu location and click Next. Step 8 Verify the selection options and click Install.
  • Page 268: Enable Snare On The Microsoft Windows Host

    Ensure that the Windows host and MARS Appliance clocks are synchronized. It is recommended that you configure an NTP server for this purpose. For more information, see Specify the Time Settings, page 5-10.
  • Page 269: Enable Windows Pulling Using A Domain User

    2000 server, you must set this property to Disabled on each host from which you want the MARS Appliance to pull syslogs. To enable MARS to pull event log data from a Windows 2000 host, follow these steps:
  • Page 270 We recommend you either set a default domain policy, or set the retention method for security event logs on your Windows system to Overwrite as needed. Otherwise, when the log is full, no new event log entries can be generated on the Windows system.
  • Page 271: Configure The Mars To Pull Or Receive Windows Host Logs

    Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft Corporation or Cisco Systems, Inc. cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  • Page 272 • Domain name—Identifies the domain name to which the host belongs. • Host login—Identifies the username with security audit and log permissions. • Host password—Identifies the password that authenticates the username provided in the Host login field.
  • Page 273: Windows Event Log Pulling Time Interval

    If you are using SNARE to push the log data to MARS, then you do not need to enable this setting. To configure the Windows event log pulling time interval, follow these steps: Step 1 Click Admin > System Parameters > Windows Event Log Pulling Time Interval.
  • Page 274: Define Vulnerability Assessment Information

    • Edit. • Select Admin > Security and Monitor Devices, select the check box next to the desired host, and click Edit. Step 2 Click the Vulnerability Assessment Info tab.
  • Page 275 Step 5 Identify Network Services Running on the Host, page 10-14. Step 6 Click Apply to save the changes made to this host. Step 7 Click Done to close the Host page.
  • Page 276: Identify Network Services Running On The Host

    Step 5 You can enter more services here by clicking Add New Service, or you can click Submit to continue. Step 6 Click Submit to complete the addition of the host.
  • Page 277: Chapter 11 Configuring Database Applications

    UNIX/Linux application host. To configure an Oracle database server to write audit logs, follow these steps: Step 1 As sysdba execute cataudit.sql to create audit trail views: [oracle@server]$ sqlplus /nolog User Guide for Cisco Security MARS Local Controller 11-1 78-17020-01...
  • Page 278: Add The Oracle Database Server To Mars

    Add the Oracle Database Server to MARS To represent the Oracle database server in the web interface, follow these steps: Click Admin > Security and Monitor Devices > Add. Step 1 User Guide for Cisco Security MARS Local Controller 11-2 78-17020-01...
  • Page 279: Configure Interval For Pulling Oracle Event Logs

    To specify the interval at which MARS should pull the event logs from all Oracle database servers on your network, follow these steps: Click Admin > System Parameters > Oracle Event Log Pulling Time Interval. Step 1 User Guide for Cisco Security MARS Local Controller 11-3 78-17020-01...
  • Page 280 Chapter 11 Configuring Database Applications Oracle Database Server Generic Step 2 Enter the new time interval in seconds. The default value is 300 (five minutes). Click Submit. Step 3 User Guide for Cisco Security MARS Local Controller 11-4 78-17020-01...
  • Page 281: Chapter 12 Configuring Web Server Devices

    MARS. To configure SNARE for web logging, follow these steps: Step 1 Click Start > Programs > InterSect Alliance > Audit Configuration.
  • Page 282: To Configure IIS For Web Logging

    Step 4 In Destination, click the Syslog radio button. Step 5 Click OK. To configure IIS for web logging: Step 1 Click Start > Programs > Administrative Tools > Internet Services Manager.
  • Page 283 Configure IIS for Web Logging. Step 2 In the Tree tab on the left, right-click Default Web Site. Step 3 On the shortcut menu, select Properties. Figure 12-3 Enable Logging
  • Page 284 In the General Properties tab, set the New Log Time Period to Daily. Note: The Log file directory must match the one previously set using the Audit Configuration program. In the Extended Properties tab, make sure all available properties are selected.
  • Page 285: MARS-Side Configuration

    Step 3 Enter the Device Name and IP Addresses if adding a new host. Step 4 Select Windows from the Operating System list. Step 5 Click Logging Info. Step 6 For this configuration, you must check the Receive host log box.
  • Page 286 Step 14 Select W3C_EXTENDED_LOG format. Step 15 Click Submit. Note: Once you have configured and activated both sides, it takes two pulling intervals (default time of 10 minutes) before new events appear.
  • Page 287: Apache Web Server On Solaris Or Red Hat Linux

    MARS. Solaris or Linux-side Configuration: Cisco provides an open-source logging agent and an associated configuration file for you to use. This agent can be downloaded from the software download center at the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc...
  • Page 288: Web Server Configuration

    Step 4 Make sure the Format radio button Use Common Logfile Format is checked. Step 5 If you have made any changes, click OK. Step 6 If necessary, shut down and restart the iPlanet web server.
  • Page 289: MARS-Side Configuration

    Step 11 Click the Reporting Applications tab. Step 12 From the Select Application list, select Generic Web Server Generic. Step 13 Click Add. Figure 12-9 Linux Operating System Web Log Format
  • Page 290 Step 14 From the Web Log Format list, select the appropriate format. Step 15 Click Submit. Note: Once you have edited a device, you must click Activate for the changes to take effect.
  • Page 291: Chapter 13 Configuring Web Proxy Devices

    Step 4 In the right side of the window, under Web Access Log Enable, select the Enable the Web Access Log checkbox. Step 5 Under Log Format, select one of the first four formats: • Web Access Log Default Format • Common Log Format
  • Page 292: Add And Configure NetCache In MARS

    To add the NetCache device in MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Network Appliance NetCache Generic.
  • Page 293 (see Configure NetCache to Send Syslog to MARS, page 13-1). Step 5 From the Streaming media log format list, select a streaming media log format. Step 6 Click Submit.
  • Page 295: Chapter 14 Configuring AAA Devices

    MARS supports the Cisco Secure ACS software and the Cisco Secure ACS Solution Engine, version 3.3 and later. In the case of Cisco Secure ACS software, support is provided by an agent that resides on the Cisco Secure ACS server. For the Cisco Secure ACS Solution Engine, this agent must reside on a remote logging host.
  • Page 296: Supporting Cisco Secure ACS Server

    Configure the Cisco Secure ACS server to generate the correct log files and details, and define the AAA clients. Install the PN Log Agent on the Cisco Secure ACS server and configure it to forward the correct log files. Add the Cisco Secure ACS server to the MARS web interface. You can also configure Cisco Secure ACS to provide command authorization for the MARS Appliance.
  • Page 297: Bootstrap Cisco Secure ACS

    Add the remote logging host to MARS as a Cisco ACS 3.x reporting device. To perform this task, see Add and Configure the Cisco ACS Device in MARS, page 14-12, and substitute the ACS server references with the remote logging host.
  • Page 298 • NAS-IP-Address • System-Posture-Token • EAP Type Name. Step 7 Click Submit. Step 8 Click CVS RADIUS Accounting, and verify that the following attributes appear in the Logged Attributes list:
  • Page 299: Define AAA Clients

    802335ea.html Define AAA Clients: To support the 802.1x features of NAC, you must also define the Cisco switches as AAA clients within Cisco Secure ACS. When defining a AAA client, verify the following settings:
  • Page 300 Note: The attack path cannot be calculated for a NAC 802.1x security incident when the events triggering the incident are reported to the MARS Appliance by Cisco Secure ACS. However, the MARS Appliance knows the switch port to block, so you can mitigate without the attack path.
  • Page 301: Configure TACACS+ Command Authorization For Cisco Routers And Switches

    You can use the TACACS+ feature of Cisco Secure ACS to authorize the command sets that MARS is allowed to execute on a reporting device. The use of this feature is not required by MARS. However, if you are using this feature on your routers and switches, you must ensure that MARS is allowed to execute specific commands.
  • Page 302 Step 7 From the Application Name list, select Cisco ACS-Failed Attempts. Step 8 Click the … button to select the appropriate log where all Cisco Secure ACS logs are stored. In this example, after selecting the Failed Attempts application, be sure to select the matching log file, Failed Attempts active log.
  • Page 303 • Failed Attempts active • Passed Authentications active • RADIUS Accounting active. Result: The configured files appear in the List of Log Files to Monitor list. Step 10 Select File > Activate.
  • Page 304: Upgrade PN Log Agent To A Newer Version

    To upgrade to the new PN Log Agent from an existing installation, you must perform the following steps: Step 1 On the Cisco Secure ACS or syslog server where PN Log Agent is running, uninstall the old agent. To uninstall the old agent, click Start > Control Panel > Add/Remove Programs.
  • Page 305 Warning: In case some attribute data in the file exceeds the CS-MARS limit for an individual attribute value and shall be split. MARS raw message length... Informational: MARS will store the data after splitting it into multiple events.
  • Page 306: Add And Configure The Cisco ACS Device In MARS

    Step 3 In the Device Name field, enter the hostname of the server or the remote logging host. Step 4 In the Reporting IP field, enter the IP address of the interface in the Cisco Secure ACS server or the remote logging host from which the syslog messages will originate. Step 5...
  • Page 307 Install and Configure the PN Log Agent, page 14-7. Note: The Cisco ACS 3.x option supports both Cisco Secure ACS 3.x and Cisco Secure ACS 4.0. No explicit 4.0 option exists for Cisco Secure ACS.
  • Page 309: Chapter 15 Configuring Custom Devices

    Application as Reporting Device, page 15-13. Until each of these tasks is completed, MARS is unable to parse the logs from the reporting device, even if it is receiving those events.
  • Page 310: Define A Custom Device/Application Type

    Step 2 Click the User Defined Log Parser Templates. Figure 15-1 User Defined Log Parser Template. Step 3 On the next screen, click the Add button, which is located next to the Device/Application type list.
  • Page 311: Add Parser Log Templates For The Custom Device/Application

    • Software - An application running on a host; the host can be configured to send logs to the MARS Appliance. Step 5 Enter the Vendor, Model and Version for the Device or Application (for example, Cisco PIX 7.0). Click Submit.
  • Page 312 (for example) from the list above the Event Type select window and click Get). Step 8 New Event Types can be added by clicking Add below the Event Type list.
  • Page 313 Step 9 Add the new Event Type and its information and click Submit (optional). Step 10 Click Apply; the Patterns link will become enabled. Step 11 Click the Patterns link.
  • Page 314 (See Appendix B, “Regular Expression Reference,” for details on syntax.) Note that a KEY can be an empty string. A log format consists of several KEY-VALUE sub-pattern pairs.
  • Page 315 Pattern Name list, a user can add new value names to identify value patterns that may be commonly used in their logs. In the above figure, the value pattern captures all word-character strings that may also include the characters ‘-’, ‘/’ and ‘+’.
  • Page 316 The above is for a source port. PORT_NUMBER is the Pattern Name, provided for the above Value Pattern with the Description above. Step 23 Repeat for every position of the Pattern definition.
  • Page 317 Figure 15-10 The above example consists of 12 KEY-VALUE sub-pattern pieces. Figure 15-11 Log template for the device type ‘Vendor1 Model1 1.2’.
  • Page 318 The parsing patterns for ‘HTTP Status OK’ are specified to match the following example raw message reported in an event: 155.98.65.40 - - [21/Nov/2004:21:08:47 -0800] "GET /~shash/ HTTP/1.0" 200 1633 "-" "Lynx/2.8.2rel.1 libwww-FM/2.14"
  • Page 319 Details on how to specify the value format are given in Appendix F. Several pattern names with a few of the commonly used date/time formats have been predefined.
  • Page 320 Figure 15-16 Position 3 Key Pattern for HTTP Status OK. Figure 15-17 Pattern log for HTTP Status OK.
  • Page 321: Add Custom Device Or Application As Reporting Device

    Step 5 Fill in the name and other host details and click Apply. Step 6 Click Reporting Applications. Step 7 Select the Application (e.g., Apache Webserver.1.1) from the list and click Add.
  • Page 322 Step 8 Select either SNMP TRAP or SYSLOG as the Reporting Method in the resulting window, and click Submit. This option determines what type of traffic will be processed by the custom log parser. Step 9 Click Done.
  • Page 323: Chapter 16 Policy Table Lookup On Cisco Security Manager

    When MARS receives a syslog from a Cisco PIX firewall, Cisco Adaptive Security Appliance (Cisco ASA), Cisco Firewall Services Module (Cisco FWSM), or Cisco IOS, and can derive the five-tuple information required to establish an event (source IP, destination IP, source port, destination port, and...
  • Page 324 Overview of Cisco Security Manager Policy Table Lookup. Figure 16-1 Cisco Security MARS Policy Table Query Process: Click the Policy Table Lookup icon. MARS authenticates to Security Manager with the Security Manager Username and Password.
  • Page 325: More About Cisco Security Manager Device Lookup

    If the deployed and committed views are not identical, the access rule generating the MARS event may not be visible in the policy table displayed by MARS. For further information on Cisco Security Manager operation, please access the documentation at the following URL: http://www.cisco.com/en/US/products/ps6498/tsd_products_support_series_home.html...
  • Page 326: More About Cisco Security Manager Policy Table Lookup

    • MARS Local Controller running software version 4.2.1 or a more recent version. • Cisco Security Manager version 3.0.1 or more recent. • MARS configured for operation with Cisco Security Manager as explained in the section Checklist for Security Manager-to-MARS Integration, page 16-6...
  • Page 327: Restrictions For Policy Table Lookup

    • views. The access rule causing the MARS event may not be visible in the policy table. To examine the deployed policies view of a device, you must log in to the device or Cisco Security Manager directly. • MARS examines only Layer 3 ACLs for traffic events on the supported reporting devices. The policy...
  • Page 328: Checklist For Security Manager-To-MARS Integration

    An error occurred while querying policies from Cisco Security Manager. Reason: Failed to retrieve policy information from CSM. Reason: Cisco Security Manager Internal error: Failed to get interfaces in the device! The device LC2DTM was discovered by CSM without any errors.
  • Page 329 Note: FWSM support is available only in Cisco Security Manager Enterprise Edition (Professional-50) and higher. The Professional version includes support for the management of Cisco Catalyst® 6500 Series switches and associated services modules; the Standard versions do not include this support.
  • Page 330 • 2-1, in Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System • Supporting Devices, page 2-1, in Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System • Required Traffic Flows, page 2-2, in Install and Setup Guide for Cisco Security Monitoring, Analysis, and...
  • Page 331 • Enable discovery of the device settings. Note: While many Cisco devices support the EMBLEM syslog format, this format is not compatible with MARS. As part of this task, you must verify that the devices are not reporting to the MARS Appliance using the EMBLEM format.
  • Page 332 • Supported Reporting and Mitigation Devices (CSV Keyword column) in the document “Supported Devices and Software Versions for Cisco Security MARS Local Controller 4.2.x and 5.2.x” • Verify Connectivity with the Reporting and Mitigation Devices, page 2-26 • Activate the Reporting and Mitigation Devices, page 2-27...
  • Page 333 (CSV Keyword column) in the document “Supported Devices and Software Versions for Cisco Security MARS Local Controller 4.2.x and 5.2.x” • Procedure for Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS, page 16-14. Perform policy lookups as required.
  • Page 334: Bootstrapping Cisco Security Manager Server To Communicate With MARS

    Using Security Manager for mitigation response. While MARS suggests ACL changes to mitigate attacks, and in the case of Layer 2 devices such as Cisco switches it can push changes to the Layer 2 device via the “Big Red” button (which shuts down a port on a switch), you must ensure accuracy between the policy defined in Security Manager and the configuration running on the managed devices.
  • Page 335: Add A Cisco Security Manager Server To MARS

    Device Name — Enter the name of the device. This name must exactly match the hostname shown in the Cisco Security Manager user interface. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and as the primary management station in the Security and Monitoring Device list.
  • Page 336: Procedure For Invoking Cisco Security Manager Policy Table Lookup From Cisco Security MARS

    Do the following steps to view a Cisco Security Manager policy table from Cisco Security MARS: Step 1 Log on to MARS as an Administrator or Security Analyst. Identify the incident or event to investigate.
  • Page 337 Figure 16-2 Recent Incidents on MARS Summary Page. Step 3 Click the Incident ID of the incident to examine. The Incident Page appears as shown in Figure 16-3.
  • Page 338 Figure 16-4 MARS Multiple Events Pop-up Window. Click the Security Manager icon in the Policy field of the appropriate event. One of the following two...
  • Page 339 MARS event or incident. If the committed and deployed views are identical, locating the policy is simplified. A MARS event can be generated from a deployed access rule not visible in the committed view. Step 7 Log in to Cisco Security Manager or the specific device to alter the security rule creating the MARS event.
  • Page 341: Chapter 17 Network Summary

    Logging In: Step 1 To log in to the Local Controller, enter its IP or DNS address into the browser address field. The login box appears. Figure 17-1 Local Controller Login Box
  • Page 342: Basic Navigation

    Click any of the seven tabs to navigate to the pages relevant to the tab’s sub-tabs, as shown in Figure 17-3 through Figure 17-8. Note: Do not use the browser navigation buttons with the MARS Appliance GUI (for example, Back, Forward, Refresh, or Stop).
  • Page 343 Navigation within the MARS Appliance: Figure 17-3 Summary Tab; Figure 17-4 Incidents Tab; Figure 17-5 Query/Reports Tab; Figure 17-6 Rules Tab; Figure 17-7 Management Tab; Figure 17-8 Administration Tab
  • Page 344: Help Page

    Figure 17-10 Help Page. Click About to display the software version number running on the MARS. Click Documentation to display URLs to MARS documentation on the Cisco Systems, Inc. website (http://www.cisco.com). Your Suggestions Welcomed: The Feedback button appears at the bottom of most pages, as shown in Figure 17-10.
  • Page 345 To send your comments to the MARS development engineering team, type in your email address and comments, then click Submit. When you click Include log file, a MARS log file is sent with your message.
  • Page 346: Summary Page

    Figure 17-12. Figure 17-12 Summary Tab Dashboard. Note: When you first view the Summary page after upgrading the Local Controller, expect a small delay while the Java Server pages recompile.
  • Page 347 Figure 17-13 The Working Areas on the Dashboard: Tabs; Subtabs; Case Bar (Local Controller only); Recent incidents information; Links to Cases assigned to you; HotSpot and Attack diagrams; Charts
  • Page 348: Recent Incidents

    Networks start to show immediate action in the events and sessions categories. Note that the 24 Hour Events table and the Events and Sessions chart are different ways of presenting the same information.
  • Page 349: Data Reduction

    17-10. You can start drilling down attack paths in the Attack Diagram by clicking the Path icon. Drilling down into these diagrams is one of the fastest ways to uncover real-time information about your network.
  • Page 350 If you click No on the SVG auto-installer, the Local Controller does not prompt you to install it again. If you want to run the auto-installer, open the browser and click Tools > Internet Options > General > Delete Cookies.
  • Page 351: Manipulating The Diagrams

    • Alt+click to use the hand to move the image. • Ctrl+click to use the magnifying glass to zoom in. • Ctrl+click and drag to select an area. • Ctrl+shift+click to use the magnifying glass to zoom out.
  • Page 352: Display Devices In Topology

    • Attacks: All - Top Rules Fired: rated by the highest number of incidents fired. • Activity: All - Top Event Types: rated by the highest numbers of events of that type.
  • Page 353: Reading Charts

    Figure callouts: Sets the chart to represent the sum of all zones or each individual zone (Global Controller only). ... quarter (the last 3 months), or year. Displays a larger version of the chart. Displays the chart legend. The chart legend...
  • Page 354 In the following Incidents chart, you can see the top incidents for the week, starting eight days in the past. Figure 17-22 Eight Days of Incidents. Figure callouts: Incident spikes are built upon each other; a more drastic spike in red is not offset by the green incident.
  • Page 355: My Reports

    The reports that you can select from are pre-defined. When you create your own reports, you can select those to display. See Reports, page 20-23 for more information.
  • Page 357: Case Management Overview

    Note: When a case is closed, you can still email it, annotate it, add device information, and include a reference to another case. Case information collected on incidents, sessions, queries, reports and mitigation logs is forensic evidence pertinent to the following:
  • Page 358 To generate an HTML document of the View Case page content that can be emailed, click View Case Document at the bottom of the View Case page. Graphs and charts plotted from reports are also captured in the Case Document.
  • Page 359: Chapter 18 Case Management

    The Case Bar displays by default. When displayed, the Case Bar appears at the top of each page. The Case Bar must be displayed to create or modify a case. Hiding the Case Bar: To hide the Case Bar, perform the following steps:
  • Page 360: Create A New Case

    Step 1 Display the Case Bar as described in the section Hide and Display the Case Bar. Step 2 Click New Case. The Add a New Case dialog box appears, as shown in Figure 18-5.
  • Page 361: Edit And Change The Current Case

    Editing the Current Case: To edit the Current Case, complete the following procedure:
  • Page 362: Add Data To A Case

    Step 2 Navigate to the page to be captured in the case. In the example, the Query page is selected. Step 3 Click Add this... on the Case Bar. Figure 18-8 Case Bar Add Button
  • Page 363: Generate And Email A Case Report

    Case Document. By default, all items are selected. Click Show Include to show only those items selected for the Case Document. Show Include does not function for cases created in Cisco Security MARS version 4.1.1. Step 4 Click View Case Document at the bottom of the View Case page.
  • Page 364 Step 7 Click Submit to send the Case Document to the recipients. The email is sent and the case history is updated to show the email event as the latest item of the case history.
  • Page 365: Chapter 19 Incident Investigation And Mitigation

    For example, if your network is probed for a DoS attack and then attacked, a rule fires when it sees the follow up attack. The incident displays the instances of this attack. User Guide for Cisco Security MARS Local Controller 19-1...
  • Page 366: The Incidents Page

    Incidents are collections of events and sessions that meet the criteria for a rule, each having helped to cause the rule to fire. An incident’s duration only includes the events that contributed to the incident firing. User Guide for Cisco Security MARS Local Controller 19-2 78-17020-01...
  • Page 367 Incident Path • The icon that takes you to the incident’s path diagram. Incident Vector • The icon that takes you to the source, event type, and destination diagram. User Guide for Cisco Security MARS Local Controller 19-3 78-17020-01...
  • Page 368: Time Ranges For Incidents

    Enter the ID into the appropriate field. Step 1 Click the Show button. Step 2 To view a partially hidden rule Click the Show button next to the Rule Description. User Guide for Cisco Security MARS Local Controller 19-4 78-17020-01...
  • Page 369: Incident Details Table

    Path and Incident Vector diagrams (L2 or L3 attack path information) Links to Session and Incident Detail pages of Links to the Event Type Details pages all incidents within the session User Guide for Cisco Security MARS Local Controller 19-5 78-17020-01...
  • Page 370: False Positive Confirmation

    False Positive invalid scenario False Positive False Negative Attack/Alarm (noise) True False Negative Intrusion/True Alarm Based on the valid cases in Table 19-1, we can clearly distinguish the false positive terminology: User Guide for Cisco Security MARS Local Controller 19-6 78-17020-01...
  • Page 371 Therefore, the attack never reaches the target. Cisco Security Agent detects an attack and blocks it. • An unconfirmed false positive is where, after further analysis, the firing event is believed to be invalid primarily due to the attack being against an invalid target.
  • Page 372: The False Positive Page

    Query field False Positive type and severity icon Launches the Security Device Information popup window Launches Port Information popup window Launches False Positive Sessions Details popup window User Guide for Cisco Security MARS Local Controller 19-8 78-17020-01...
  • Page 373: To Tune A False Positive

    After you determine that a false positive is true, and you have clicked the No button, click Next. Step 1 Step 2 Make a final confirmation that this is a true positive, and click the Confirm button. User Guide for Cisco Security MARS Local Controller 19-9 78-17020-01...
  • Page 374: To Activate False Positive Drop Rules

    For some 802.1X switch configurations, it is not possible for CS-MARS to determine the correct Note physical interface to which to push a mitigation command. This occurs for switches, such as the Cisco Catalyst 3550 Multilayer switch, where a FastEthernet and a Gigabit Ethernet port can have the same module/port designation (for example, 0/1).
  • Page 375: 802.1X Mitigation Example

    Prerequisites for Mitigation with 802.1X Network Mapping To perform mitigation with 802.1X network mapping with CS-MARS, the following prerequisites are required: Cisco switch running Cisco CatOS or IOS and configured with IEEE 802.1X Port Based Network • Access Control protocol The switch Reporting IP address must be configured on the CS-MARS Security and Monitoring •...
  • Page 376 19-9, CS-MARS does not have sufficient static information to identify a Layer 2 enforcement device, but can suggest mitigation commands for discovered Layer 3 devices (Cisco PIX firewall, and a Cisco router). Layer 3 mitigation commands must be configured manually on the Layer 3 devices.
  • Page 377 Click Dynamic Info to view Layer 2 mitigation recommendations derived from 802.1X configurations. Step 4 The Dynamic Mitigation window appears with host name, IP address, MAC address, and connection status as shown in Figure 19-10. User Guide for Cisco Security MARS Local Controller 19-13 78-17020-01...
  • Page 378 The Push button is red and functional when the 802.1X target host is present on the network, Note and CS-MARS has command access to the enforcement device otherwise, it appears gray and is not functional. User Guide for Cisco Security MARS Local Controller 19-14 78-17020-01...
  • Page 379: Display Dynamic Device Information

    Click Dynamic Info to display current connection information, as shown in Figure 19-11. Dynamic information can be derived from 802.1X configurations, Cisco Security Agents, or from other security software suites. The current connection information is the most recent network information available for the selected IP address.
  • Page 380 To mitigate a device of Access Type SNMP you must have the SNMP Read/Write Community String. Note Click the Yes button to confirm the mitigation command and have it take effect. User Guide for Cisco Security MARS Local Controller 19-16 78-17020-01...
  • Page 381: Virtual Private Network Considerations

    IP address on a virtual private network (VPN). MARS can identify the attacking host if the VPN IP address of the host was supplied by a Cisco 3000 Series VPN Concentrator configured as a MARS reporting device.
  • Page 382: Network Diagram

    SNMP. The SNMP RO community string is always required on Layer 2 devices for L2 mitigation. If the switches are interconnected, make sure STP (Spanning Tree Protocol) is enabled and • configured on them. User Guide for Cisco Security MARS Local Controller 19-18 78-17020-01...
  • Page 383: Procedures For Layer 2 Path And Mitigation

    SNMP: For the Login ID, enter the user name and Password needed to access the switch. – – For Enable Password, enter the password to get into Cisco enable mode. User Guide for Cisco Security MARS Local Controller 19-19 78-17020-01...
  • Page 384: Add The Cisco Catalyst 6500 With Snmp As Access Type (Layer 2 Only)

    Click the Test Connectivity button to have the MARS discover the device. Step 7 Click the Submit button. Add the Cisco Catalyst 6500 with SNMP as Access Type (Layer 2 only). Click Admin > Security and Monitor Devices > Add. Step 1...
  • Page 385: Add The Cisco 7500 Router With Telnet As The Access Type

    Chapter 19 Incident Investigation and Mitigation Layer 2 Path and Mitigation Configuration Example For Enable Password, enter the password to get into Cisco enable mode. – Enter its SNMP RO Community. – TELNET: For the Login ID, enter the user name and Password needed to access the switch.
  • Page 386: Verify The Connectivity Paths For Layer 3 And Layer 2

    Enter its SNMP RO Community. – SNMP: – For the Login ID, enter the user name and Password needed to access the switch. For Enable Password, enter the password to get into Cisco enable mode. – Enter its SNMP RO Community. – SSH: For the Login ID, enter the user name and Password needed to access the switch.
  • Page 387 In the following Query Event Data screen use the result format All Matching Sessions and query events from Source IP 10.1.252.250 and Destination IP 65.54.153.118 over the last 10 minutes. User Guide for Cisco Security MARS Local Controller 19-23 78-17020-01...
  • Page 388 Step 3 use Windows RPC DCOM Overflow), click the icon under the Graph column to view the topology paths. The first topology path to appear is the Layer 3 topology graph: User Guide for Cisco Security MARS Local Controller 19-24 78-17020-01...
  • Page 389 Layer 2 Path and Mitigation Configuration Example Figure 19-21 Layer 3 topology graph Under Topology Path Graph, click the Layer 2 Path button to view the Layer 2 topology graph: User Guide for Cisco Security MARS Local Controller 19-25 78-17020-01...
  • Page 390: Perform Mitigation

    Incident Details screen, click the Mitigate link that corresponds with the Session or Event Type you want to mitigate (in this case, Windows RPC DCOM Overflow). The Mitigation Information screen appears.
  • Page 391 Note If the device to which the mitigation command is to be downloaded is a Layer 3 device, the Push button shown in red on the Mitigation Information screen is greyed out, and you must use the suggested commands directly on the device to mitigate the compromised host.
  • Page 392 Note The SNMP RW community string must be enabled for MARS to download a mitigation command to a device using the Access Type SNMP. Step 3 Click Yes to confirm the mitigation of the device.
  • Page 393: Chapter 20 Queries And Reports

    Click on a field value to open the dialog box for that field. Save the query as a report or as a rule. Click Submit Inline to run the query without opening the dialog box for the field.
  • Page 394: Chapter 20 Queries And Reports

    Step 3 Under Search String, enter strings to query; under Operation, select the operation (AND, OR, NOT). For the final item in the list, select None. Step 4 Click the Apply button. Step 5 Click the Submit button to run the query.
  • Page 395: To Run A Batch Query

    Submit Batch. Your query is submitted, and you are automatically taken to the Batch Query tab. If your query is very large, you may only be given the options of Save as Rule, Save as Report, or Submit Batch. Figure 20-6 Change Query Criteria
  • Page 396: To Stop A Batch Query

    Step 1 Click QUERY/REPORTS, then click the Batch Query tab. Step 2 Click Resubmit. The Status of the query changes to In Progress.
  • Page 397: To Delete A Batch Query

    Returns the most reported event types. Ranked either by the number of sessions containing at least one of the event types or by bytes transmitted in sessions that contain events that meet the query criteria.
  • Page 398 • Protocol Ranking Returns the most used protocols. Ranked either by the number of sessions with that protocol or by bytes transmitted in sessions that contain events that meet the query criteria.
  • Page 399: Order/Rank By

    Result Format that you use when you run the query. • Session Count The number of sessions that contain events that meet the criteria that contributed to the incident.
  • Page 400: Filter By Time

    Use Only Firing Events Select this if you want only events that fired incidents to return information. Maximum Number of Rows Returned Select the number of rows that you want displayed.
  • Page 401: Selecting Query Criteria

    Sources Selected field, clicking Select All will de-select them.) Use the Equal and Not Equal buttons to bring highlighted items from the Sources Available field into the Sources Selected field. Filter sources from this drop-down list.
  • Page 402: Query Criteria

    IP addresses present on devices in the system or user-entered dotted quads. • IP ranges: The range of addresses between two dotted quads. • Networks: Topologically valid networks. • Devices: The hosts and reporting devices present in the system.
  • Page 403: Destination Ip

    Event Types: • No constraint on the event type. • Event types: Events that have been merged into types. • Event type groups: Groups of event types. Device: • Devices
  • Page 404: Severity/Zone

    Restricts the query to the sub-set of events that contributed to the incidents of rules that have the specified notifications as part of their actions. (See Table 21-1, Rule Fields and Arguments, page 21-6, for more information.)
  • Page 405: Saving The Query

    Window, or right-click {link on MARS interface} > Open in New Window). Multiple real-time queries can operate in multiple browser instances at the same time, but you must log in to MARS with each browser instance.
  • Page 406: Procedure For Invoking The Real-Time Event Viewer

    From the Result Format dropdown list, select a format that can be ranked by time. The formerly grayed-out Real Time radio button becomes clickable. Click the Real Time radio button, and select Raw events or Sessionized Events from the dropdown list.
  • Page 407 Real-time results begin to scroll up from the bottom of the page within 5 seconds, as shown in Figure 20-16. Real-time raw events are shown in this example.
  • Page 408 Step 5 Click the active links within a real-time event record to view the related pop-up windows. For example, the Reporting Device Information pop-up window is shown in Figure 20-17.
  • Page 409: Perform A Long-Duration Query Using A Report

    This section explains how to create and view a long-duration query on the MARS. There are two ways to perform a long-duration query on the MARS: Modifying an existing report.
  • Page 410 To query using a report, follow these steps: Step 1 In the QUERY / REPORTS tab, click the Reports tab to obtain the Main Report window.
  • Page 411: View A Query Result In The Report Tab

    Step 4 Click the Submit button to run the report and return to the Main Report window. View a Query Result in the Report Tab: To view a query in the Report tab, follow these steps:
  • Page 412: Perform A Batch Query

    This type of long-duration query can take a long time to perform and is more suitable for a shorter duration of time. Note Only Admin users can perform a batch query.
  • Page 413 Figure 20-22 Query window. Step 2 In the Query window, click the Edit button to change the query criteria. The Query Event Data window appears. Figure 20-23 Query Event Data window
  • Page 414 Step 5 To watch the status of the query in real-time, you can use the Batch Query tab drop-down list to change the Page Refresh Rate from Never (the default) to 1 minute, 3 minutes, 5 minutes, 10 minutes, 15 minutes, or 30 minutes.
  • Page 415: Reports

    5,000 event/session reports. CS-MARS-200-K9: 1,000 ranking reports, 5,000 event/session reports, 6 months. CS-MARS-GC-K9: 1,000 ranking reports, 5,000 event/session reports, 12 months. CS-MARS-GCM-K9: 1,000 ranking reports, 5,000 event/session reports, 12 months.
  • Page 416: Report Type Views: Total Vs. Peak Vs. Recent

    100, maximum number of event/session reports is 1,000. 2. As of Cisco Security MARS Release 4.1.5. In Releases 4.1.3 and 4.1.4, report results are retained for one year in the MARS database before they are automatically purged. In Releases prior to Release 4.1.3, report results are retained indefinitely. The purge interval cannot be changed.
  • Page 417: Creating A Report

    Step 2 From the drop-down list at the bottom of the page, select either: – View HTML: to view the report as an HTML file. – View CSV: to view the report as a CSV file.
  • Page 418 Navigating to the Recipients column by clicking its criteria. Step 4 Edit the report, and click the Apply button to apply changes to the report. Step 5 Click the Submit button to finalize the report.
  • Page 419 In some situations, such as filtering out a specific IP source, the user should create a new report. Note Email notification of a globally generated report will be sent from the Global Controller and not the Local Controller.
  • Page 421: Chapter 21 Rules

    Appendix D, “System Rules and Reports.” Note A rule cannot be deleted; it can be made active or inactive. Figure 21-1 shows a portion of the Inspection Rules page of the Rules tab.
  • Page 422: Prioritizing And Identifying

    Planning an Attack Start to detail your plan. You want to penetrate a network. You’d like to avoid detection and identification if possible. You want root access on a host.
  • Page 423: Back To Being The Admin

    For device types supported by CS-MARS, this should not be necessary. To define a new parser template, see Adding User Defined Log Parser Templates, page 15-1, and Add Parser Log Templates for the Custom Device/Application, page 15-3.
  • Page 424: Types Of Rules

    Events that match active drop rules are not used to construct incidents. Because the Global Controller does not receive events from reporting devices but rather from Local Controllers, you cannot define drop rules for the Global Controller.
  • Page 425: Constructing A Rule

    2.) It correlates the same value of a cell across rule lines, e.g., a probe from a source address AND an attack from that same source address.
  • Page 426 The row number. Open ( Identifies the open of a clause. Displays the open braces you create. Clauses are used to compare one or more compound conditions in a rule.
  • Page 427 The hosts and reporting devices present in the system. IP addresses: IP addresses present on devices in the system or user-entered dotted quads. IP ranges: The range of addresses between two dotted quads.
  • Page 428 IP ranges—The range of addresses between two dotted quads. Service Name: A TCP/IP-based network service, identified by protocol and port, defined within the packet.
  • Page 429 • $ANY_BOTH_PORT5 • $ANY_DEST_PORT1 to $ANY_DEST_PORT5 • $ANY_SRC_PORT1 • $TCP_BOTH_PORT1, $TCP_BOTH_PORT2 • $TCP_DEST_PORT1 to $TCP_DEST_PORT5 • $TCP_SRC_PORT1, $TCP_SRC_PORT2 • $UDP_BOTH_PORT1, $UDP_BOTH_PORT2 • $UDP_DEST_PORT1 to $UDP_DEST_PORT5 • $UDP_SRC_PORT1, $UDP_SRC_PORT2
  • Page 430 • All events • Event type groups—Groups of event types. • SAME • DISTINCT • Red Severity Event Types—Displays all severe event types • Yellow Severity Event Types—Displays all yellow event types
  • Page 431 • Variables—Signify any single user; only useful for lines in tandem with the same variable. • Invalid User Name—Specifies that this condition is met when the user name reported is invalid.
  • Page 432 Close Identifies the close of a clause.
  • Page 433 (e.g., Y must happen after X). The condition of this line must be met, and then the condition of the next line must be met before the compound condition is met.
  • Page 434 Count (for example, login attempts have occurred over a 10-minute period). When the value is reached or the time period expires, that counter can be reset.
  • Page 435 TCP session.) See the document Technology Preview: Configuring Distributed Threat Mitigation with Intrusion Prevention System in Cisco Security MARS, page 1, for DTM configuration information.
  • Page 436: Working Examples

    Rule for Same Host, Destination, Same Port Denied: In this example, the rule fires when 20 of the specified events occur that have the same source and destination addresses, and identical destination port numbers.
  • Page 437: Working With System And User Inspection Rules

    Note Upgrade the MARS software regularly to obtain new and updated System Inspection rules. For more information, see the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System. To view a list of System Inspection rules, see Appendix D, “System Rules and Reports.”...
  • Page 438: Edit A Rule

    The Rule Wizard can only be invoked from the Inspection Rules page. To edit a rule with the Rule Wizard, follow these steps: Step 1 Select the check box of the rule to edit.
  • Page 439: Add An Inspection Rule

    Step 1 Navigate to the Inspection Rules page. Step 2 Click Add. Step 3 Enter a name and description for the rule, then click Next. Step 4 Select Source IP address.
  • Page 440 Step 6 When you are asked, “Are you done defining the rule conditions?” you can: – Click the Yes button for a single-line rule. – Continue to add repetition requirements (counts), alert information, and valid time ranges for each line.
  • Page 441: Working With Drop Rules

    When you change the status to inactive, the rule displays only on the inactive rules page. Step 3 To display inactive Drop Rules, select Inactive from the View dropdown list. Duplicate a Drop Rule: Step 1 Check the box next to the rule.
  • Page 442: Edit A Drop Rule

    Add a Drop Rule: Step 1 Click Add. Step 2 Enter a name and description for the rule, and click Next. Step 3 Select your sources. Figure 21-8 Drop Rule Creation Form
  • Page 443: Setting Alerts

    You have two options for learning about rules that have fired: you can log in and view the appropriate pages in the HTML interface, or you can have MARS send alerts to external devices and users. Actions provide instructions to MARS on the second method.
  • Page 444: Configure An Alert For An Existing Rule

    Rule and Report Groups: This section contains the following subsections: • Rule and Report Group Overview, page 21-25 • Global Controller and Local Controller Restrictions for Rule and Report Groups, page 21-26
  • Page 445: Rule And Report Group Overview

    • System: COBIT DS5.19: Malicious software • System: COBIT DS5.20: Firewall control • System: COBIT DS5.2: Authentication and Access • System: COBIT DS5.4: User Account Changes • System: COBIT DS5.7: Security Surveillance
  • Page 446: Global Controller And Local Controller Restrictions For Rule And Report Groups

    Note The procedures described in this section are valid for both the Local and Global Controllers, except that the Case Bar does not appear on the Global Controller HTML interface.
  • Page 447: Add, Modify, And Delete A Rule Group

    Click Add. The selected rules appear in the left-hand pane of the dialog box. To remove a rule from the group, highlight the item in the left-hand pane and click Remove.
  • Page 448 Select the rule group to delete in the Group pulldown filter. Step 3 Click Delete Group. The Delete Group dialog box appears, listing the rules in the group to be deleted. You are prompted to confirm deletion.
  • Page 449 Step 4 Click Yes. The rule group no longer appears in the Group dropdown filters on the Incident and Inspection Rules pages.
  • Page 450: Add, Modify, And Delete A Report Group

    Step 5 The selected reports appear in the left-hand pane of the dialog box. To remove a report from the group, highlight the item in the left-hand pane and click Remove.
  • Page 451 Step 5 Deleting a Report Group: Step 1 Navigate to the Reports page, as shown in Figure 21-13. Step 2 Select the report group to delete in the Group pulldown filter.
  • Page 452: Display Incidents Related To A Rule Group

    Select the rule group in the dropdown filter above the Matched Rules column, as shown in Figure 21-16. The Incidents page will display only those incidents that occurred from rules firing in the selected rule group. Figure 21-16 Rule Group on Incidents Page
  • Page 453: Create Query Criteria With Report Groups

    Selecting a Report Within the Report Group to Make a Query: Step 3 Select the report in the secondary dropdown list. The Query criteria are automatically populated per the selected report.
  • Page 454: Using Rule Groups In Query Criteria

    To remove rules, highlight the items to remove in the left-hand pane, then click Remove. Step 6 Click Apply. The selected rules appear in the Rules field of the Query Event Data bar.
  • Page 455: Chapter 22 Sending Alerts And Incident Notifications

    A Cisco Systems MARS alert action is a signal transmitted to people or devices as notification that a MARS rule has fired and that an incident has been logged. Alert actions can only be configured through the Action parameter of a rule.
  • Page 456 • Distributed Threat Mitigation configured within the MARS device administration pages. See the section Reporting and Mitigation Devices Overview, page 2-1, for information on configuring individual devices to work with MARS.
  • Page 457 Mon May 15 08:47:26 2006 Fired Rule Id: 134473 Fired Rule: System Rule: CS-MARS Database Partition Usage Incident Id: 597842933 For more details about this incident, please go to: https://MyLatest/Incidents/IncidentDetails.jsp?Incident_Id=597842933
  • Page 458: Configure The E-Mail Server Settings

    To send alert actions, MARS must be configured to communicate with an e-mail server. To configure the e-mail server settings, follow these steps: Step 1 Click Admin > Configuration Information. The Device Configuration window appears, as shown in Figure 22-1.
  • Page 459: Configure A Rule To Send An Alert Action

    Action dialog box. An alert action determines which alert notifications are sent to which users or user groups when the rule fires. You can edit or delete existing alert actions or create a new one.
  • Page 460 – Proceed to Step to complete the procedure. • Create a new alert action. – Click Add. The Alert Recipients page appears in a new window, as shown in Figure 22-3.
  • Page 461 • Page—Users or user groups can receive an alpha-numeric electronic page on their pagers or pager-enabled mobile telephones. • SMS—Users or groups can receive a text message on their SMS-enabled mobile telephones.
  • Page 462 • Distributed Threat Mitigation—For more information on this feature, see Technology Preview: Configuring Distributed Threat Mitigation with Intrusion Prevention System in Cisco Security MARS, page. Note For SNMP and Syslog, you must configure the receiving systems to receive notifications. Click the Change Recipient button to add or remove a recipient for a notification type.
  • Page 463 You are returned to the Alert Recipients window. Step 10 Repeat Step through Step until you have assigned recipients to all the notification types you have selected. Step 11 Click Submit.
  • Page 464: Create A New User-Role, Identity, Password, And Notification Information

    • Click Add on the Select (user) dialog box when creating an alert notification. See the “Configure a Rule to Send an Alert Action” section on page 22-5. The User Configuration page appears, as shown in Figure 22-6.
  • Page 465 Step 5 If you are not creating a notification by pager, go to Step. Step 6 For notification by pager, you must specify a service provider (cell phone or pager company). From the Service Provider field, select New Provider.
  • Page 466: Create A Custom User Group

    The selected names appear in the right-hand side of the dialog box. Step 5 Click Submit. You are returned to the User Management tab. This ends the Create a Custom User Group procedure.
  • Page 467: Add A User To A Custom User Group

    Step 5 Click Submit. You are returned to the User Management tab. This ends the Add a User to a Custom User Group procedure.
  • Page 469: Chapter 23 Management Tab Overview

    To open the Event Management sub-tab, click the Management > Event Management tabs. On the Event Management page, you can search and filter events and event groups, and work with groups of events.
  • Page 470: Search For An Event Description Or Cve Names

    Click each group in the Chosen and Available fields to highlight it. Click it again to de-highlight it. Step 4 Click Add or Remove to move highlighted items as needed. Step 5 Click Submit.
  • Page 471: Add A Group

    Step 1 Enter the text that you want to search for in the Search field. Step 2 Click Search. Filter by Groups: From the Select Group list, select the group.
  • Page 472: Edit A Group

    Add a Network, IP Range, or Variable: Step 1 Select Management > IP Management. The IP Management page appears. Figure 23-2 Add a Network, IP Range, or Variable. Step 2 Click Add.
  • Page 473: Add A Host

    • A host managed by a reporting device defined under the Admin > Security and Monitoring Devices tab, such as a host running Cisco Security Agent and discovered by MARS when processing the logs provided by the CSA Management Console.
  • Page 474: Edit Host Information

    Step 2 Check the box next to the host that you want to edit. Step 3 If you are editing interface or IP mask information, make your changes here and click Submit.
  • Page 475: Service Management

    Step 5 Click Submit. Edit a Group of Services: Note You cannot edit system-defined groups. Step 1 Select the group in the Select Group list. Step 2 Click Edit Group.
  • Page 476: Add A Service

    To access the User Management page, click either Management > User Management or Admin > User Management.
  • Page 477: Add A New User

    To add a new user, follow these steps: Step 1 From the Management > User Management tab, click Add. The User Configuration page appears, as shown in Figure 23-4.
  • Page 478 • Short Message Service (SMS) number—for example, 8885551212@servprov.com • Work telephone number • Home telephone number • FAX number • Pager number—may also be a mobile telephone number, for example, 5552345678
  • Page 479: Add A Service Provider (Cell Phone/Pager)

    Step 5 Click Submit to close the User Configuration page and return to the User Management tab. Search for a User: Step 1 Enter the text that you want to search for in the Search field. Step 2 Click Search.
  • Page 480: Edit Or Remove A User

    To remove users from the group, select the users from the left-hand side with Ctrl+click. Step 4 Click Remove. The selected names move to the right-hand side of the dialog box. Step 5 Click Submit. You are returned to the User Management tab.
  • Page 481: Filter By Groups

    Filter by Groups: From the Select Group list, select the group. Only the members of the group are displayed.
  • Page 483: Setting Runtime Logging Levels

    • Hardware Maintenance Tasks—MARS 100, 100E, 200, GCM, and GC, page 24-11. For information about upgrading, backing up, and restoring data on the MARS Appliance, see the following sections of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System: • Performing Command Line Administration Tasks, page 6-1...
  • Page 484: Chapter 24 System Maintenance

    • Last: The present time minus the number of days, hours, and minutes entered. • Start/End: Absolute literal time ranges defined by the date to the minute. Step 2 Select user, group, etc. Step 3 Select the source. Step 4 Click Submit.
  • Page 485: Viewing The Audit Trail

    This section contains the following topics: • Retrieve Raw Messages From Archive Server, page 24-4 • Retrieve Raw Messages From a Local Controller, page 24-5
  • Page 486: Retrieve Raw Messages From Archive Server

    Step 6 Use WinZip or another archive expansion program to extract the contents of the Gzip archive file. Step 7 Once the text file is extracted from the GNU Zip archive format, its contents resemble the following:
  • Page 487: Retrieve Raw Messages From A Local Controller

    Step 5 Review the Cached Files time range information, and then do one of the following: • If you want data from within this time range, you do not need to use Force Generate Files.
  • Page 488 33750»Wed Jul 27 16:16:06 PDT 2005»BR-FW-1»10.4.1.1 Mon Jan 6 11:05:34 2003 <134>Jan 06 2003 11:03:53: %PIX-6-302001: Built inbound TCP connection 21000 for faddr 10.1.2.4/9000 gaddr 10.1.5.20/80 laddr 10.1.5.20/80 where it reads: device ID>>date>>device name>>raw message.
  • Page 489: Change The Default Password Of The Administrator Account

    If the two match, the presented certificate is considered valid. This approach allows MARS to validate certificates without knowledge of revocation lists and to operate in a network without an Internet connection.
  • Page 490 Admin > System Maintenance > Upgrade page. • Discovery operation (SSH) • Test Connectivity operation (SSL) • Cisco IDS, IPS, and IOS IPS router Event Processing (RDEP or SDEE over SSH) • CSM Policy Query Integration (SSL) • Qualys Report Discovery (SSL)...
  • Page 491: Setting The Global Certificate And Fingerprint Response

    The following procedures explain how to upgrade under specific circumstances: • Upgrade a Certificate or Fingerprint Interactively, page 24-10 • Upgrade a Certificate Manually, page 24-10 • Upgrade a Fingerprint Manually, page 24-10
  • Page 492: Upgrade A Certificate Or Fingerprint Interactively

    Step 4 If the value is correct, click Yes. Step 5 Monitoring Certificate Status and Changes: To support the certificate management features in MARS, the following system inspection rule exists:
  • Page 493: Hardware Maintenance Tasks-Mars 100, 100E, 200, Gcm, And Gc

    Warning There is the danger of explosion if the battery is replaced incorrectly. Replace the battery only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer’s instructions. Statement 1015
  • Page 494: Hard Drive Troubleshooting And Replacement

    The following MARS Appliances are equipped with a Parallel IDE/ATA Redundant Array of Inexpensive Disks (RAID) controller card: • CS-MARS-100E-K9 • CS-MARS-100-K9 • CS-MARS-200-K9 • CS-MARS-GCM-K9 • CS-MARS-GC-K9. All other MARS appliances running software version 4.X or prior have software RAID controllers.
  • Page 495: Raid Procedures For Mars Appliances 100, 100E, 200, Gcm, And Gc

    Note To match original performance, hotswapped hard drives should be the same make, model and size as the original hard drives.
    RAID Procedures for MARS Appliances 100, 100E, 200, GCM, and GC
    This section pertains only to the MARS 100, 100E, 200, GCM, and GC appliances.
  • Page 496
    SUBUNIT 0: RAID 1: OK
    SUBUNIT 0: CBOD: OK PHYSICAL PORT: 7 LOGICAL PORT: 0
    SUBUNIT 1: CBOD: OK PHYSICAL PORT: 4 LOGICAL PORT: 1
    SUBUNIT 1: RAID 1: REBUILDING (1%)
  • Page 497
    • Rebuilding—A subunit is being rebuilt. Array efficiency is not yet optimal.
    • Degraded—At least one physical disk in the array cannot be accessed. Troubleshooting is advised to prevent possible data loss.
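A monitoring check built on the raidstatus and hotswap CLI output shown in this section, as an added example (not Cisco code). It parses the subunit, member-disk and drive-inventory line formats reproduced above, ranks the worst state and lists what an operator should act on, including the note that hot-swapped drives should match the originals. The sample output is constructed from the fragments on these pages, not captured from a real appliance, and the OK < REBUILDING < DEGRADED ranking is an assumption used only to pick the worst state.

```python
"""Parse MARS raidstatus / hotswap CLI output and flag arrays that need attention.

Added example, not Cisco code. The line formats are those of the raidstatus
and hotswap fragments reproduced in this chapter; SAMPLE below is constructed
from them and is not from a real appliance. Ranking OK < REBUILDING <
DEGRADED (anything else counts as DEGRADED) is an assumption used only to
pick the worst state.
"""
import re
from typing import Dict, List, Tuple

UNIT_RE = re.compile(
    r"^SUBUNIT\s+(?P<sub>\d+):\s+RAID\s+(?P<level>\d+):\s+(?P<state>[A-Z]+)"
    r"(?:\s+\((?P<pct>\d+)%\))?", re.IGNORECASE)
DISK_RE = re.compile(
    r"^SUBUNIT\s+(?P<sub>\d+):\s+CBOD:\s+(?P<state>[A-Z]+)\s+"
    r"PHYSICAL PORT:\s+(?P<pport>\d+)\s+LOGICAL PORT:\s+(?P<lport>\d+)", re.IGNORECASE)
DRIVE_RE = re.compile(
    r"^Port\s+(?P<port>\d+):\s+(?P<desc>.+?)\s+(?P<size>[\d.]+)\s+GB\s+"
    r"\((?P<blocks>\d+) blocks\)\s*:\s*(?P<state>\w+)(?:\((?P<unit>unit \d+)\))?$")
SEVERITY = {"OK": 0, "REBUILDING": 1, "DEGRADED": 2}

SAMPLE = """\
SUBUNIT 0: RAID 1: OK
SUBUNIT 0: CBOD: OK PHYSICAL PORT: 7 LOGICAL PORT: 0
SUBUNIT 1: CBOD: OK PHYSICAL PORT: 4 LOGICAL PORT: 1
SUBUNIT 1: RAID 1: REBUILDING (1%)
Port 1: WDC WD2500JB-19GVA0 WD-WCAL73291174 232.88 GB (488397168 blocks) : OK(unit 0)
Port 2: WDC WD2500JB-19GVA0 WD-WCAL73157538 232.88 GB (488397168 blocks) : OK(unit 0)
Port 3: WDC WD2500JB-98GVA0 WD-WMAL72243570 232.88 GB (488397168 blocks) : OK(unit 0)
"""


def parse_raidstatus(text: str) -> Dict[str, list]:
    """Return RAID subunit states, member disk states and the drive inventory."""
    units, disks, drives = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = UNIT_RE.match(line)
        if m:
            units.append({"sub": int(m["sub"]), "level": int(m["level"]),
                          "state": m["state"].upper(),
                          "pct": int(m["pct"]) if m["pct"] else None})
            continue
        m = DISK_RE.match(line)
        if m:
            disks.append({"sub": int(m["sub"]), "state": m["state"].upper(),
                          "pport": int(m["pport"]), "lport": int(m["lport"])})
            continue
        m = DRIVE_RE.match(line)
        if m:
            # desc is "<vendor> <model> <serial>": the serial is the last token.
            model, serial = m["desc"].rsplit(" ", 1)
            drives.append({"port": int(m["port"]), "model": model, "serial": serial,
                           "blocks": int(m["blocks"]), "state": m["state"].upper()})
    return {"units": units, "disks": disks, "drives": drives}


def assess(parsed: Dict[str, list]) -> Tuple[str, List[str]]:
    """Worst array state plus one finding per condition an operator should act on."""
    worst, findings = "OK", []
    for u in parsed["units"]:
        state = u["state"] if u["state"] in SEVERITY else "DEGRADED"
        if SEVERITY[state] > SEVERITY[worst]:
            worst = state
        if state == "REBUILDING":
            findings.append(f"subunit {u['sub']} rebuilding ({u['pct']}%): performance reduced")
        elif state != "OK":
            findings.append(f"subunit {u['sub']} {u['state']}: check drive, cable and controller")
    for d in parsed["disks"]:
        if d["state"] != "OK":
            findings.append(f"physical port {d['pport']} (subunit {d['sub']}) {d['state']}")
    # Hot-swapped drives should match the originals' make, model and size.
    models = {dr["model"] for dr in parsed["drives"]}
    if len(models) > 1:
        findings.append("drive model strings differ: " + ", ".join(sorted(models)))
    return worst, findings


if __name__ == "__main__":
    state, notes = assess(parse_raidstatus(SAMPLE))
    print(state)            # REBUILDING
    for n in notes:
        print(" -", n)
```

Run it against the output of raidstatus after a hot swap: a rebuild that is still reported hours later, or a member disk that is not OK, is the "defective drive, cable or controller" case this section describes, and a model-string mismatch is the hint that the replacement drive is not the one the note above asks for.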
  • Page 498: Correlating Hard Drive Slots To Raidstatus Command Physical Port Numbers

    Table 24-2 shows how the hard drive slots in the chassis correspond to the port and physical port numbers as reported in the CLI.
  • Page 499 1. The stated storage capacity is the sum of the rated capacity of all the hard drives and does not reflect bytes reserved for the RAID overhead on each drive. Figure 24-4 Hard Drive Slot Numbering for MARS Local Controller 200 and Global Controllers
  • Page 500: Hotswap Procedure To Remove And Add A Hard Drive

    Step 5 Insert the new Cisco field-replaceable hard drive unit.
    Step 6 Lock the hard drive into place.
    Step 7 At the CLI prompt, enter hotswap add disk. Be sure to use the same slot number (disk) that you used when you removed the drive.
    Step 8 A message informs you that the hard drive (disk) is added successfully (to the logical array).
    Step 9 Close and lock the drive bay door.
  • Page 501: Hotswap Cli Example

    Port 1: WDC WD2500JB-19GVA0 WD-WCAL73291174 232.88 GB (488397168 blocks) : OK(unit 0)
    Port 2: WDC WD2500JB-19GVA0 WD-WCAL73157538 232.88 GB (488397168 blocks) : OK(unit 0)
    Port 3: WDC WD2500JB-98GVA0 WD-WMAL72243570 232.88 GB (488397168 blocks)
  • Page 502: Procedures For The Mars Raid Utility

    Subunit 1: CBOD: OK Physical Port: 0 Logical Port: 1
    Procedures for the MARS RAID Utility
    This section pertains only to the MARS 100, 100E, 200, GCM, and GC appliances.
  • Page 503 Step 4 Select Array Unit 0. The status of the array is Degraded if one of the drives in an array is degraded. A selected item is marked with an asterisk in the leftmost column. Step 5 Select Rebuild Array, then press F8 to complete.
  • Page 504 A screen appears listing the ports and the hard drives of the array that will be deleted. Within the RAID utility, you can use the following keystrokes to highlight the corresponding GUI button:
    Alt-C—Create Array
    Alt-D—Delete Array
    Alt-M—Maintain Array
    Alt-R—Rebuild Array
  • Page 505 Step 2 Shut down the MARS Appliance with the shutdown CLI command. Step 3 Power up the MARS Appliance. Press Alt-3 to access the RAID utility when the following message appears:
  • Page 506 A degraded physical port at this stage can indicate a defective hard drive, an improperly inserted hard drive, a loose hard drive cable connection, or a defective RAID controller card.
  • Page 507 An array that has not completed rebuilding in two hours could indicate a defective RAID controller card. This ends the Delete and Create the RAID 10 Array procedure.
  • Page 509: Appendix

    A P P E N D I X Cisco Security MARS XML API Reference This appendix provides resources for creating XML applications that integrate Cisco Security MARS XML data into third-party applications. XML Schema Overview The XML schemas are written in conformance with the standard World Wide Web Consortium (W3C) XML Schema language.
  • Page 510: Appendix A Cisco Security MARS XML API Reference

    <TimeStamp>May 23, 2007 8:13:09 AM PDT</TimeStamp>
    <ReportingDevice id="128783" />
    <RawMessage>Wed May 23 08:13:09 2007 &lt;134&gt;%PIX-2-106001: Inbound TCP connection denied from 10.3.50.200/15330 to 248.64.35.88/3890 flags FIN on interface inside</RawMessage>
    <FalsePositiveType>NOT_AVAILABLE</FalsePositiveType>
    <EventEndPoints>
    <Source ipaddress="10.3.50.200" />
  • Page 511
    <ReportingDevice id="128783" />
    <RawMessage>Wed May 23 08:13:10 2007 &lt;134&gt;%PIX-2-106016: Deny IP spoof from (10.3.50.200) to 105.74.127.53 on interface inside</RawMessage>
    <FalsePositiveType>NOT_AVAILABLE</FalsePositiveType>
    <EventEndPoints>
    <Source ipaddress="10.3.50.200" />
    <Destination ipaddress="105.74.127.53" />
    <SourcePort>0</SourcePort>
    <DestinationPort>0</DestinationPort>
    <Protocol>0</Protocol>
    </EventEndPoints>
    <NATtedEndPoints>
  • Page 512
    <HostName />
    <MACAddress />
    <AAAUser />
    <EnforcementDeviceAndPort />
    <ReportingDevice />
    <StartTime>Dec 31, 1969 4:00:00 PM PST</StartTime>
    <EndTime>Dec 31, 1969 4:00:00 PM PST</EndTime>
    <UpdateTime>Dec 31, 1969 4:00:00 PM PST</UpdateTime>
    </DynamicInfo>
    </NetworkAddressObj>
    <NetworkAddressObj id="2235813216">
  • Page 513
    <Description>Denied spoofed packet - different ingress interface</Description>
    <Severity>HIGH</Severity>
    <CVE />
    </EventTypeObj>
    <EventTypeObj id="1135">
    <Name>1106001</Name>
    <Description>Deny packet due to security policy</Description>
    <Severity>LOW</Severity>
    <CVE />
    </EventTypeObj>
    <EventTypeObj id="1137">
    <Name>1106016</Name>
    <Description>Denied IP spoof</Description>
    <Severity>MEDIUM</Severity>
    <CVE />
    </EventTypeObj>
    <DeviceObj id="128783">
    <Name>pixie</Name>
  • Page 514: Xml Incident Notification Schema

    – hh:mm:ss is hours, minutes, seconds
      hh are 1–9, 10–12
      mm are 00–59
      ss are 00–60
      AM or PM
    – TZD is time zone designator (PDT, PST, MDT, MST, etc.)
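A consumer for the event export and the timestamp format described above, as an added example (not Cisco code and not the published schema). It joins each event to its ReportingDevice and EventTypeObj by id, splits the syslog PRI and the %FACILITY-SEVERITY-MNEMONIC header out of RawMessage, and parses the MMM d, yyyy h:mm:ss AM|PM TZD timestamp into UTC. The element names inside the sample are the ones shown in this appendix; the <Export> and <Event> wrappers, the eventType attribute and the TZ_OFFSETS table are assumptions made so the sample is a complete document, and the sample as a whole is constructed. For exports received from a source you do not control, parse with defusedxml rather than xml.etree.

```python
"""Consume a MARS XML event export: join each event to its DeviceObj and
EventTypeObj, decode the syslog PRI inside RawMessage and parse TimeStamp.

Added example, not Cisco code. The element names inside SAMPLE_XML are the
ones shown in this appendix; the <Export> and <Event> wrappers, the eventType
attribute and the TZ_OFFSETS table are assumptions made so the sample is a
complete document, and the whole sample is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SAMPLE_XML = """<?xml version="1.0"?>
<Export>
  <Event id="1" eventType="1135">
    <TimeStamp>May 23, 2007 8:13:09 AM PDT</TimeStamp>
    <ReportingDevice id="128783" />
    <RawMessage>Wed May 23 08:13:09 2007 &lt;134&gt;%PIX-2-106001: Inbound TCP connection denied from 10.3.50.200/15330 to 248.64.35.88/3890 flags FIN on interface inside</RawMessage>
    <FalsePositiveType>NOT_AVAILABLE</FalsePositiveType>
    <EventEndPoints>
      <Source ipaddress="10.3.50.200" /><Destination ipaddress="248.64.35.88" />
      <SourcePort>15330</SourcePort><DestinationPort>3890</DestinationPort><Protocol>6</Protocol>
    </EventEndPoints>
  </Event>
  <Event id="2" eventType="1137">
    <TimeStamp>May 23, 2007 8:13:10 AM PDT</TimeStamp>
    <ReportingDevice id="128783" />
    <RawMessage>Wed May 23 08:13:10 2007 &lt;134&gt;%PIX-2-106016: Deny IP spoof from (10.3.50.200) to 105.74.127.53 on interface inside</RawMessage>
    <FalsePositiveType>NOT_AVAILABLE</FalsePositiveType>
    <EventEndPoints>
      <Source ipaddress="10.3.50.200" /><Destination ipaddress="105.74.127.53" />
      <SourcePort>0</SourcePort><DestinationPort>0</DestinationPort><Protocol>0</Protocol>
    </EventEndPoints>
  </Event>
  <EventTypeObj id="1135"><Name>1106001</Name><Description>Deny packet due to security policy</Description><Severity>LOW</Severity><CVE /></EventTypeObj>
  <EventTypeObj id="1137"><Name>1106016</Name><Description>Denied IP spoof</Description><Severity>MEDIUM</Severity><CVE /></EventTypeObj>
  <DeviceObj id="128783"><Name>pixie</Name></DeviceObj>
</Export>
"""

# Syslog PRI plus the Cisco %FACILITY-SEVERITY-MNEMONIC header inside RawMessage.
PRI_RE = re.compile(r"<(?P<pri>\d{1,3})>\s*%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<msg>\d+):")

# Assumed fixed UTC offsets for the zone designators the schema lists.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "CST": -6, "CDT": -5,
              "MST": -7, "MDT": -6, "PST": -8, "PDT": -7}


def parse_timestamp(text: str) -> datetime:
    """Parse 'MMM d, yyyy h:mm:ss AM|PM TZD' into an aware UTC datetime."""
    stamp, tzd = text.rsplit(" ", 1)
    naive = datetime.strptime(stamp, "%b %d, %Y %I:%M:%S %p")  # %I accepts 1-12 unpadded
    local = timezone(timedelta(hours=TZ_OFFSETS[tzd]))
    return naive.replace(tzinfo=local).astimezone(timezone.utc)


def decode_raw_message(raw: str) -> Dict[str, object]:
    """Return syslog facility/severity and the (FAC, sev, msg-id) mnemonic, or Nones."""
    m = PRI_RE.search(raw)
    if not m:
        return {"syslog_facility": None, "syslog_severity": None, "mnemonic": None}
    pri = int(m["pri"])
    return {"syslog_facility": pri >> 3,          # 134 >> 3 == 16, local0
            "syslog_severity": pri & 7,           # 134 & 7  == 6, informational
            "mnemonic": (m["fac"], int(m["sev"]), m["msg"])}


def load_export(xml_text: str) -> List[Dict[str, object]]:
    """Flatten every <Event> into one record with device and event-type fields resolved."""
    root = ET.fromstring(xml_text)
    devices = {d.get("id"): d.findtext("Name") for d in root.iter("DeviceObj")}
    types = {t.get("id"): t for t in root.iter("EventTypeObj")}
    events = []
    for ev in root.iter("Event"):
        et = types.get(ev.get("eventType"))
        ep = ev.find("EventEndPoints")
        raw = ev.findtext("RawMessage", "")
        rec = {
            "id": ev.get("id"),
            "time_utc": parse_timestamp(ev.findtext("TimeStamp")),
            "device": devices.get(ev.find("ReportingDevice").get("id"), "unknown"),
            "event_type": et.findtext("Description") if et is not None else None,
            "severity": et.findtext("Severity") if et is not None else None,
            "src": ep.find("Source").get("ipaddress"),
            "dst": ep.find("Destination").get("ipaddress"),
            "sport": int(ep.findtext("SourcePort")),
            "dport": int(ep.findtext("DestinationPort")),
            "protocol": int(ep.findtext("Protocol")),
            "false_positive": ev.findtext("FalsePositiveType"),
        }
        rec.update(decode_raw_message(raw))
        events.append(rec)
    return events


if __name__ == "__main__":
    for e in load_export(SAMPLE_XML):
        print(e["time_utc"].isoformat(), e["device"], e["mnemonic"], e["severity"],
              e["src"], "->", e["dst"], e["event_type"])
```

Two details worth knowing when you consume these exports: the Dec 31, 1969 4:00:00 PM PST values in the DynamicInfo fragment above are exactly 1970-01-01 00:00:00 UTC, that is, a zero (unset) time rather than a real observation; and the MARS event-type Name (1106001) is not the same number as the message id in the raw text (106001), so correlate on the EventTypeObj id or the parsed mnemonic rather than by eye.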
  • Page 515: Appendix

    Perl documentation and in a number of books, some of which have copious examples. Jeffrey Friedl's "Mastering Regular Expressions", published by O'Reilly, covers regular expressions in great detail. This description of PCRE's regular expressions is intended as reference material.
  • Page 516: Appendix B Regular Expression Reference

    In particular, if you want to match a backslash, you write \\.
  • Page 517: Non-Printing Characters

    Thus the sequence \0\x\07 specifies two binary zeros followed by a BEL character (code value 7). Make sure you supply two digits after the initial zero if the pattern character that follows is itself an octal digit.
  • Page 518: Generic Character Types

    For compatibility with Perl, \s does not match the VT character (code 11). This makes it different from the POSIX "space" class. The \s characters are HT (9), LF (10), FF (12), CR (13), and space (32).
  • Page 519: Unicode Character Properties

    Letter: Lower case letter, Modifier letter, Other letter, Title case letter, Upper case letter
    Mark: Spacing mark, Enclosing mark, Non-spacing mark
    Number: Decimal number, Letter number, Other number
    Punctuation: Connector punctuation
  • Page 520: Simple Assertions

    Thus, they are independent of multiline mode. These three assertions are not affected by the
  • Page 521: Circumflex And Dollar

    Note that the sequences \A, \Z, and \z can be used to match the start and end of the subject in both modes, and if all branches of a pattern start with \A it is always anchored, whether PCRE_MULTILINE is set or not.
  • Page 522: Full Stop (Period, Dot

    The newline character is never treated in any special way in character classes, whatever the setting of the PCRE_DOTALL or PCRE_MULTILINE options is. A class such as [^a] will always match a newline.
  • Page 523: Posix Character Classes

    (not quite the same as \s)
    upper   upper case letters
    word    "word" characters (same as \w)
    xdigit  hexadecimal digits
  • Page 524: Vertical Bar

    (and it will therefore show up in data extracted by the pcre_fullinfo() function). An option change within a subpattern affects only that part of the current pattern that follows it, so (a(?i)b)c
  • Page 525: Subpatterns

    As a convenient shorthand, if any option settings are required at the start of a non-capturing subpattern, the option letters may appear between the "?" and the ":". Thus the two patterns
    (?i:saturday|sunday)
    (?:(?i)saturday|sunday)
  • Page 526: Named Subpatterns

    For example, {,6} is not a quantifier, but a literal string of four characters.
  • Page 527 If the PCRE_UNGREEDY option is set (an option which is not available in Perl), the quantifiers are not greedy by default, but individual ones can be made greedy by following them with a question mark. In other words, it inverts the default behaviour.
  • Page 528: Atomic Grouping And Possessive Quantifiers

    If we use atomic grouping for the previous example, the matcher would give up immediately on failing to match "foo" the first time. The notation is a kind of special parenthesis, starting with (?> as in this example:
  • Page 529: Back References

    Outside a character class, a backslash followed by a digit greater than 0 (and possibly further digits) is a back reference to a capturing subpattern earlier (that is, to its left) in the pattern, provided there have been that many previous capturing left parentheses.
  • Page 530: Assertions

    An assertion is a test on the characters following or preceding the current matching point that does not actually consume any characters. The simple assertions coded as \b, \B, \A, \G, \Z, \z, ^ and $ are described above.
  • Page 531: Lookahead Assertions

    This is an extension compared with Perl (at least for 5.8), which requires all branches to match the same length of string. An assertion such as
  • Page 532: Using Multiple Assertions

    "foo" preceded by six characters, the first of which are digits and the last three of which are not "999". For example, it doesn't match "123abcfoo". A pattern to do that is
  • Page 533: Conditional Subpatterns

    If the condition is not a sequence of digits or (R), it must be an assertion. This may be a positive or negative lookahead or lookbehind assertion. Consider this pattern, again containing non-significant white space, and with the two alternatives on the second line:
    (?(?=[^a-z]*[a-z])
    \d{2}-[a-z]{3}-\d{2} | \d{2}-\d{2}-\d{2} )
  • Page 534: Comments

    If this were part of a larger pattern, you would not want to recurse the entire pattern, so instead you could use this: ( \( ( (?>[^()]+) | (?1) )* \) )
  • Page 535: Subpatterns As Subroutines

    If the syntax for a recursive subpattern reference (either by number or by name) is used outside the parentheses to which it refers, it operates like a subroutine in a programming language. An earlier example pointed out that the pattern (sens|respons)e and \1ibility
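The constructs from the back-reference, assertion, lookahead, multiple-assertion and named-subpattern sections above, exercised on constructed subjects as an added example (not from the Cisco manual). Python's re module accepts PCRE syntax for everything used here, so the back-reference pattern (sens|respons)e and \1ibility and the two lookbehind forms (three preceding digits versus six preceding characters) behave as the text describes; Python has no recursion, subroutine calls, callouts or assertion-based conditions, so those sections have no counterpart here. The deny-message pattern and all subject strings are constructed for the example.

```python
"""PCRE constructs from this appendix exercised with Python's re module.

Added example, not from the Cisco manual. Python's re accepts the same syntax
as PCRE for the constructs used here (named subpatterns, back references,
lookahead and lookbehind assertions, scoped inline options); it has no
recursion, subroutine calls, callouts or assertion-based conditions, so those
sections have no counterpart below. All subject strings are constructed.
"""
import re
from typing import Dict, List, Optional

# Back reference: the alternative captured by group 1 must be repeated verbatim,
# so "sense and responsibility" does not match.
AGREEMENT = re.compile(r"\b(sens|respons)e and \1ibility\b")

# Two assertions applied independently at the same point: the preceding three
# characters are all digits, and those same three characters are not "999".
THREE_DIGITS = re.compile(r"(?<=\d{3})(?<!999)foo")

# Six preceding characters: the first three digits, the last three not "999".
# Both lookbehinds are fixed-width, which Python (like PCRE) requires.
SIX_CHARS = re.compile(r"(?<=\d{3}...)(?<!999)foo")

# Named subpatterns with a scoped option change: (?i:...) makes only the flag
# list case-insensitive; "TCP"/"UDP" and the rest of the line stay case-sensitive.
DENY_LINE = re.compile(
    r"^(?P<proto>TCP|UDP) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>(?i:[a-z ]+?))"
    r" on interface (?P<iface>\w+)$")

# Greedy versus lazy quantifier on the same subject (the B-13 discussion).
GREEDY = re.compile(r"/\*.*\*/", re.DOTALL)
LAZY = re.compile(r"/\*.*?\*/", re.DOTALL)


def agreement_matches(subjects: List[str]) -> List[bool]:
    """True for each subject in which the back reference agrees with group 1."""
    return [AGREEMENT.search(s) is not None for s in subjects]


def foo_after(pattern: "re.Pattern[str]", subject: str) -> bool:
    """Whether 'foo' occurs at a point where the pattern's lookbehinds hold."""
    return pattern.search(subject) is not None


def parse_deny(line: str) -> Optional[Dict[str, str]]:
    """Fields of a PIX-style 'connection denied' message, or None if it does not match."""
    m = DENY_LINE.match(line)
    return m.groupdict() if m else None


def first_comment(text: str, lazy: bool) -> Optional[str]:
    """First C-style comment: lazy stops at the first '*/', greedy runs to the last."""
    m = (LAZY if lazy else GREEDY).search(text)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(agreement_matches(["sense and sensibility", "sense and responsibility"]))
    print(foo_after(THREE_DIGITS, "123abcfoo"), foo_after(SIX_CHARS, "123abcfoo"))
    print(parse_deny("TCP connection denied from 10.3.50.200/15330 to 248.64.35.88/3890 "
                     "flags FIN on interface inside"))
    print(first_comment("/* a */ code /* b */", lazy=True))
```

When these patterns are used in a custom log parser, the two lookbehind forms illustrate why independent assertions are easy to get wrong: both pass on "123foo", but only the six-character form accepts "123abcfoo", and the greedy comment pattern shows how a quantifier that runs to the last delimiter can swallow a whole message.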
  • Page 536: Callouts

    A complete description of the interface to the callout function is given in the pcrecallout documentation. Last updated: 09 September 2004 Copyright © 1997-2004 University of Cambridge.
  • Page 537: Appendix

    The day of month (1-31).
    Equivalent to %m/%d/%y. (This is the American style date, very confusing to non-Americans, especially since %d/%m/%y is widely used in Europe. The ISO 8601 standard format is %Y-%m-%d.)
  • Page 538 The year within century (0-99). When a century is not otherwise specified, values in the range 69-99 refer to years in the twentieth century (1969-1999); values in the range 00-68 refer to years in the twenty-first century (2000-2068).
  • Page 539 The week number of the year (Sunday as the first day of the week) using the locale's alternative numeric symbols. The number of the weekday (Sunday=0) using the locale's alternative numeric symbols.
  • Page 540 %I, and %P is accepted as a synonym for %p.
    The number of seconds since the epoch, i.e., since 1970-01-01 00:00:00 UTC. Leap seconds are not counted unless leap second support is available.
  • Page 541: Appendix

    Spyware is malicious software that can be installed on a computer without the knowledge of the user, e.g. when one visits a web site or clicks on an advertising link or installs file
  • Page 542 • This rule detects connectivity issues between CS-MARS and IOS - CS-MARS may not be able to dynamically turn on ACTIVE signatures on IOS. • System Rule: CS-MARS Database Partition Usage.
  • Page 543 - such activities include excessive denies and scans, connection to backdoors, attempts to propagate worms etc. The presence of such activities may indicate that the host is compromised. System Rule: Misc. Attacks: Access Web Customer Data. •
  • Page 544 This rule detects attempts to modify Windows registry entries on a host. System Rule: Modify Host: Security. • This rule detects attempts to modify the security settings on a host. System Rule: Modify Host: Service. •
  • Page 545 SMTP, HTTP, POP3 running on non-standard ports, (d) uncommon protocols such as FSP. System Rule: Network Activity: Windows Popup Spam. • This correlation detects excessive traffic (likely pop up spam) from the same source to the Windows Messenger service.
  • Page 546 System Rule: New Malware Prevention Deployment Failed. • This rule detects that Cisco Incident Control Server (ICS) has failed to deploy ACLs or signatures to routers and IPS devices for preventing a new virus/worm/malware outbreak. System Rule: New Malware Traffic Match.
  • Page 547 (e.g. Windows L2TP, PPTP based RAS, IPSec etc.), followed by a successful logon. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password. System Rule: Password Attack: SNMP - Attempt. •
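The correlation the Password Attack rules describe, written out as an added example (this is not the MARS rule engine). It counts login failures per source inside a sliding window, raises an "attempt" incident when the count crosses a threshold, and upgrades it to "success likely" when a successful logon from the same source follows inside the window; a user who mistypes a password twice and then logs in stays below the threshold, which is the forgotten-password case the text mentions. The event records, the five-failure threshold and the 300-second window are constructed for the example; the page does not state the thresholds MARS itself uses.

```python
"""Correlate repeated login failures with a later success, as the Password
Attack system rules describe.

Added example, not the MARS rule engine. The event tuples, the threshold
(5 failures) and the window (300 seconds) are constructed for the example;
the page does not state the thresholds MARS itself uses.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

FAIL_THRESHOLD = 5      # failures from one source before a rule fires
WINDOW_SECONDS = 300    # failures older than this no longer count

Event = Tuple[int, str, str, str]   # (epoch seconds, source ip, user, "fail"|"success")

# Constructed sample: a guessing attack that eventually succeeds, a user who
# mistyped a password twice, and a scanner that never gets in.
SAMPLE_EVENTS: List[Event] = (
    [(1000 + 3 * i, "203.0.113.7", "admin", "fail") for i in range(6)]
    + [(1018, "203.0.113.7", "admin", "success")]
    + [(1100, "10.1.1.5", "alice", "fail"), (1110, "10.1.1.5", "alice", "fail"),
       (1120, "10.1.1.5", "alice", "success")]
    + [(1200 + 10 * i, "198.51.100.9", "guest", "fail") for i in range(5)]
)


def correlate(events: List[Event]) -> List[Dict[str, object]]:
    """Return one incident per source that crosses FAIL_THRESHOLD inside WINDOW_SECONDS.

    kind is "attempt" while only failures are seen and becomes "success_likely"
    when a successful logon follows the failures within the window. Events must
    be in time order, as a correlation engine would deliver them.
    """
    recent: Dict[str, Deque[int]] = defaultdict(deque)   # source -> failure times
    incidents: Dict[str, Dict[str, object]] = {}
    for ts, src, user, outcome in events:
        q = recent[src]
        while q and ts - q[0] > WINDOW_SECONDS:   # slide the window
            q.popleft()
        if outcome == "fail":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD:
                inc = incidents.setdefault(src, {"source": src, "kind": "attempt", "first": q[0]})
                inc.update({"failures": len(q), "last": ts})
        elif outcome == "success" and len(q) >= FAIL_THRESHOLD:
            # Success right after a burst of failures: a guess likely worked.
            inc = incidents[src]
            inc.update({"kind": "success_likely", "user": user, "last": ts})
            q.clear()   # the burst has been attributed; start counting afresh
    return list(incidents.values())


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc)
```

Keying on the source alone is deliberate: a guessing attack commonly rotates user names, so counting per (source, user) would let it stay under the threshold. The price is that a NAT gateway or a terminal server in front of many real users will look like one noisy source, which is the kind of tuning the false-positive workflow elsewhere in this guide exists for.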
  • Page 548 System Rule: Resource Issue: IOS IPS DTM. • This rule detects that a Cisco IOS router has too little memory for running the required set of ACTIVE IPS signatures. CS-MARS was not successful in downloading the complete ACTIVE signature set.
  • Page 549 TRANSITION state. A host enters the TRANSITION state when it is not running the Cisco Trust Agent (CTA) software and requires an out-of-band audit by an audit server to move it out of TRANSITION state to any one of HEALTHY, INFECTED, QUARANTINE, CHECKUP or UNKNOWN states.
  • Page 550 This rule detects excessive NAC status query failures from distinct hosts to the same Network Access Device (NAD). A Status query failure indicates a change in posture detected by the Cisco Trust Agent (CTA) after the initial authorization. Excessive status query failures may indicate a sign of end point instability caused by the user enabling or disabling agents.
  • Page 551 The attacks include buffer overflows, remote command execution attempts, privilege escalation attempts to become root, denial of service attempts etc. System Rule: Server Attack: RPC - Success Likely. •
  • Page 552 This correlation rule detects significant network status state change events such as system failing, failover occurring, interface cards coming up and down etc. • System Rule: State Change: SCADA Modbus.
  • Page 553 • This report details AAA based access (e.g. to the network or to specific devices). • Activity: AAA Based Access - All Events. Activity: AAA Based Access - All Events
  • Page 554 Activity: AAA Based Access Failure - All Events. • This report details all failed AAA (e.g. RADIUS, TACACS) based access attempts. Typically mechanisms such as 802.1x, network device access, Cisco NAC use AAA servers for access control. Activity: AAA Based Access Failure - All Events. •...
  • Page 555 This report ranks the session sources of all events seen by MARS over the past hour. This report is used by pages in the Summary tab. Activity: All - Top Sources. • Activity: All - Top Sources Activity: All - Top Users. •
  • Page 556 A backdoor event can be either an attempt to connect to a backdoor or a response from a server running a backdoor. Activity: Backdoor - Top Event Types. •
  • Page 557 Activity: Database Login Successes - Top Servers. • Activity: Database Login Successes - Top Servers Activity: Database Login Successes - Top Users. • This report ranks the database users by the number of successful logins.
  • Page 558 Activity: Database Regular Command Failures - All Events. • This report lists the event details for all failed non-privileged database command execution attempts. Activity: Database Regular Command Failures - All Events. •
  • Page 559 This report ranks the destination hosts to which attacks have been targeted but denied. Activity: Denies - Top Destinations. • Activity: Denies - Top Destinations Activity: Denies - Top Sources. •
  • Page 560 This report provides details for events that represent an user attempting to increase access rights on a particular host. Such attempts can happen remotely or from the local console and can be reported by Network or Host IDS devices or the hosts themselves User Guide for Cisco Security MARS Local Controller D-20 78-17020-01...
  • Page 561 This report records the Microsoft Windows system events, e.g. startup, shutdown, LSA registration, audit event discards, etc. Activity: Host System Events - All Events. • Activity: Host System Events - All Events Activity: Host User/Group Management - All Events. • User Guide for Cisco Security MARS Local Controller D-21 78-17020-01...
  • Page 562 This report provides a general usage pattern of the network. Activity: Network Usage - Top Destination Ports. • User Guide for Cisco Security MARS Local Controller D-22 78-17020-01...
  • Page 563 Activity: New Malware Prevention Deployment Failure - All Events. • This report lists all devices to which ACL and signature deployment attempts by a Cisco Incident Control Server, in response to a new virus/worm/malware outbreak, failed. Activity: New Malware Prevention Deployment Failure - All Events.
  • Page 564 Scans involve activities such as searching for alive hosts, open services on such hosts and detecting host configuration and application settings. Activity: Scans - Top Destination Ports. • Activity: Scans - Top Destination Ports • Activity: Scans - Top Destinations. User Guide for Cisco Security MARS Local Controller D-24 78-17020-01...
  • Page 565 Activity: Security Posture: NAC Agentless - Top Hosts. • This report captures the distribution of NAC tokens for end hosts that do not have Cisco Trust Agent (CTA) software. In this case, the posture validation is done either locally by the Network Access Device or via the Audit Server.
  • Page 566 System Rules and Reports List of System Reports This report captures the distribution of NAC tokens for end hosts that do not have Cisco Trust Agent (CTA) software. In this case, the posture validation is done either locally by the Network Access Device or via the Audit Server.
  • Page 567 For these end hosts, the NAD directly permits network access without consulting the posture validation server. • Activity: Security Posture: NAC Static Auth - Top NADs. User Guide for Cisco Security MARS Local Controller D-27 78-17020-01...
  • Page 568 This report details the top hosts that failed the status queries from the Network Access Devices (NAD). Such failures occur after initial authorization whenever there is a change in posture detected by the Cisco Trust Agent (CTA) on the end host. Such failures may be caused by user frequently enabling or disabling CTA agents.
  • Page 569 Activity: Vulnerable Host Found via VA Scanner. This report lists vulnerable hosts and associated vulnerabilities found by importing information from Vulnerability Analysis (VA) scanners. • Activity: Vulnerable Host Found via VA Scanner. User Guide for Cisco Security MARS Local Controller D-29 78-17020-01...
  • Page 570 Attacks: All - Top Rules Fired. • Attacks: All - Top Rules Fired Attacks: All - Top Sources. • This report ranks the sources of attack events seen by MARS over the past hour. User Guide for Cisco Security MARS Local Controller D-30 78-17020-01...
  • Page 571 Attacks: Password - All Events. • This report details all password attack events. Attacks: Password - All Events. • This report details all password attack events. Attacks: Password - Top Destinations. • User Guide for Cisco Security MARS Local Controller D-31 78-17020-01...
  • Page 572 Attacks: Uncommon or Anomalous Traffic - Top Event Types. • Attacks: Uncommon or Anomalous Traffic - Top Event Types • Attacks: Virus/Worms - Top Sources. This report ranks addresses that are the source of virus/worm propagation attempts. User Guide for Cisco Security MARS Local Controller D-32 78-17020-01...
  • Page 573 Configuration Issues: Network - Top Reporting Devices. • Configuration Issues: Network - Top Reporting Devices • Configuration Issues: Server - All Events. User Guide for Cisco Security MARS Local Controller D-33 78-17020-01...
  • Page 574 • This report lists event details for all events related to resource issues with the CS-MARS device, e.g. dropped events or netflow, etc. Resource Issues: CS-MARS - All Events. • User Guide for Cisco Security MARS Local Controller D-34 78-17020-01...
  • Page 575 This report summarizes the events that represent resource issues with servers. These are likely to be Host IDS events. Resource Issues: Server - Top Reporting Devices. • Resource Issues: Server - Top Reporting Devices Resource Utilization: Bandwidth: Inbound - Top Interfaces. • User Guide for Cisco Security MARS Local Controller D-35 78-17020-01...
  • Page 576 Resource Utilization: Memory - Top Devices. • This report ranks the memory utilization of the devices managed by PN-MARS. • Resource Utilization: Memory - Top Devices. Resource Utilization: Memory - Top Devices User Guide for Cisco Security MARS Local Controller D-36 78-17020-01...
  • Page 577 Groups of similar security events. An event type is the normalized signature from a reporting device. Event Types An event that resembles a valid security threat, but is not. False Positive An event that contributed to a rule firing. Firing Events User Guide for Cisco Security MARS Local Controller GL-1 78-17020-01...
  • Page 578 A user-defined request to the database on an automatic or on-demand basis. Report A discovered device that reports information – usually in the form of logs – to a MARS STM appliance. Reporting Device User Guide for Cisco Security MARS Local Controller GL-2 78-17020-01...
  • Page 579 NetFlow events, but the device is not defined in the appliance. Without a definition, MARS is unable to correlate events correctly as it needs to know which message format to use in parsing. A valid security threat. True Positive User Guide for Cisco Security MARS Local Controller GL-3 78-17020-01...
  • Page 580 Glossary User Guide for Cisco Security MARS Local Controller GL-4 78-17020-01...
  • Page 581 22-10, 23-9 user group 23-12 adding IP groups 23-4 adding service provider 22-11, 23-11 admin roles, see user management 23-9 Adobe SVG 17-10 alert action 21-15 Distributed Threat Management 21-15 User Guide for Cisco Security MARS Local Controller IN-1 78-17020-01...
  • Page 582 Cisco Secure ACS, 802.1x feature support 14-5 destination network ranking 20-6 Cisco Secure ACS, 802.1x support 14-1 destination ranking 20-6 Cisco Secure ACS, audit logs required by MARS 14-3 device,re-add 2-19 Cisco Secure ACS, bootstrap 14-3 devices Cisco Secure ACS, event logs studied by MARS...
  • Page 583 20-6 19-3 event type ranking 20-5 instances 19-6 Expand All matched rule 19-5 19-3 expired certificate severity 24-9 19-3 time 19-3 time ranges 19-4 incidents table User Guide for Cisco Security MARS Local Controller IN-3 78-17020-01...
  • Page 584 24-2 20-6 network ranking 20-6 Network Status tab Incidents 17-12 Top Destinations 17-13 MAC address report 20-7 Top Event Types 17-12 management Top Sources 17-13 events 23-1 23-3 User Guide for Cisco Security MARS Local Controller IN-4 78-17020-01...
  • Page 585 20-6 protocol ranking 20-6 unknown event report 20-7 public networks 2-38 use only firing events 20-8 event type grouping 20-11 event types 20-11 20-11 operation 20-12, 21-13 FOLLOWED-BY 20-12, 21-13 User Guide for Cisco Security MARS Local Controller IN-5 78-17020-01...
  • Page 586 20-24 variables 20-10 report views, recent 20-25 time range report views, total 20-24 last 20-8 rules start and end times 20-8 destination IP zone 20-12 21-8 query devices 21-8 User Guide for Cisco Security MARS Local Controller IN-6 78-17020-01...
  • Page 587 21-7 Simple Network Management Protocol Network Groups 21-7 See SNMP. 21-15 networks 21-7 SNMP RO, unsupported characters 2-9, 2-22, 2-29 variables 21-7 Snort runtime logging 24-1 syslog format expectation 6-28 User Guide for Cisco Security MARS Local Controller IN-7 78-17020-01...
  • Page 588 Topology variables 20-10, 20-11, 21-7, 21-8 toggle device display 17-12 traffic flows identify and enable 1-4, 16-8 troubleshoot,cannot add device 2-19 troubleshoot,cannot re-add device 2-19 tuning false positives 19-5, 19-9 User Guide for Cisco Security MARS Local Controller IN-8 78-17020-01...

This manual is also suitable for:

Mars 20Mars 50Mars 100Mars 200

Table of Contents