User Guide for Cisco Security MARS Local Controller
78-17020-01
Chapter 8 Configuring Antivirus Devices
Cisco Incident Control Server
Add the Cisco ICS Device to MARS
Before MARS can begin processing the syslog messages as Cisco ICS messages, you must define the Cisco ICS management server as a software application running on a host. After Cisco ICS is defined as a reporting device, MARS can process any inspection rules that you have defined using Cisco ICS event types.
To add a Cisco ICS server to MARS, follow these steps:
Step 1 Click Admin > Security and Monitor Devices > Add.
Step 2 From the Device Type list, select Add SW Security apps on a new host.
You can also select Add SW Security apps on an existing host if you have already defined the host within MARS, perhaps as part of the Management > IP Management settings or because you are running another application on the host, such as Microsoft Internet Information Services.
Step 3 In the Device Name field, enter the hostname of the server.
Step 4 In the Reporting IP field, enter the IP address of the interface on the Cisco ICS server from which the syslog messages will originate.
Step 5 Under Enter interface information, enter the interface name, IP address, and netmask value of the interface on the Cisco ICS server from which the syslog messages will originate.
This address is the same value as the Reporting IP address.
Step 6 Click Apply.
Step 7 Click Next to move to the Reporting Applications tab.
Step 8 In the Select Application field, select Cisco ICS 1.x, then click Add.
Step 9 Click Select to add the Cisco ICS application to this host.
Step 10 Click Done to save the changes.
Step 11 To activate the device, click Activate.
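As an added illustration (not Cisco's code and not how MARS is implemented internally), the following Python models what the procedure above sets up: a reporting host keyed by its reporting IP, a check that the reporting IP matches the syslog-source interface address and that the Cisco ICS 1.x application is attached, and attribution of inbound syslog lines to that host by source IP, with lines from undefined sources flagged. The hostname, addresses, relay line format, and message text are constructed placeholders, not Cisco ICS output.

```python
import ipaddress
import re
from dataclasses import dataclass, field

ICS_APP = "Cisco ICS 1.x"  # application name selected in Step 8

# Constructed relay format: "<pri>Mon dd hh:mm:ss src_ip message" (assumption,
# not the Cisco ICS message format).
SYSLOG_RE = re.compile(
    r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<src>\d+\.\d+\.\d+\.\d+) (?P<msg>.*)$"
)


@dataclass
class ReportingHost:
    """One 'SW Security apps on a new host' entry as Steps 3-9 create it."""
    device_name: str
    reporting_ip: str
    interface_name: str
    interface_ip: str
    netmask: str
    applications: list = field(default_factory=list)


def validate_host(host: ReportingHost) -> list:
    """Return the problems with a host definition (empty list = consistent).

    Checks the two things the procedure depends on: the reporting IP equals
    the address of the interface the syslog leaves from (Step 5), and the
    Cisco ICS application is attached so messages are parsed as ICS events.
    """
    problems = []
    try:
        reporting = ipaddress.ip_address(host.reporting_ip)
        interface = ipaddress.ip_address(host.interface_ip)
        # the netmask must form a valid network with the interface address
        ipaddress.ip_network(f"{host.interface_ip}/{host.netmask}", strict=False)
    except ValueError as exc:
        return [f"invalid address or netmask: {exc}"]
    if reporting != interface:
        problems.append("reporting IP must equal the syslog-source interface IP")
    if ICS_APP not in host.applications:
        problems.append(f"{ICS_APP!r} is not attached to the host")
    return problems


class DeviceRegistry:
    """Maps syslog source IP to a defined reporting host."""

    def __init__(self):
        self._by_ip = {}

    def add(self, host: ReportingHost) -> None:
        problems = validate_host(host)
        if problems:
            raise ValueError("; ".join(problems))
        self._by_ip[host.reporting_ip] = host

    def classify(self, line: str):
        """Attribute a raw syslog line to a device.

        Returns (device_name, message); device_name is None when the source
        IP is not a defined reporting device, the case worth alerting on
        because such messages are never parsed with the ICS event types.
        """
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable syslog line: {line!r}")
        host = self._by_ip.get(m.group("src"))
        return (host.device_name if host else None), m.group("msg")


def demo():
    """Register one constructed host and classify two constructed lines."""
    registry = DeviceRegistry()
    registry.add(ReportingHost(
        device_name="ics-mgmt-01",       # constructed hostname
        reporting_ip="192.0.2.10",       # constructed (documentation range)
        interface_name="eth0",
        interface_ip="192.0.2.10",       # same value as the reporting IP
        netmask="255.255.255.0",
        applications=[ICS_APP],
    ))
    lines = [  # constructed syslog lines, not real Cisco ICS output
        "<134>Mar  1 10:00:01 192.0.2.10 ICS outbreak policy deployed to IPS",
        "<134>Mar  1 10:00:05 198.51.100.7 message from an undefined host",
    ]
    return [registry.classify(line) for line in lines]


if __name__ == "__main__":
    for device, msg in demo():
        print(device or "UNKNOWN SOURCE", "->", msg)
```

The mismatch check matters because MARS identifies the device by the address the syslog actually arrives from; a reporting IP that differs from the sending interface leaves the events unattributed.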
Define Rules and Reports for Cisco ICS Events
From Cisco ICS, MARS receives syslog messages that allow it to identify outbreaks, successful OPACL and OPSig deployments, and failed attempts to deploy. MARS also tracks when the OPACLs and OPSigs fire on Cisco IPS devices, and monitors the Cisco ICS server for system issues, such as database failures.
These events assist MARS in providing an accurate, holistic assessment of your network. OPACL and OPSig matching events provide five-tuple correlation, which MARS uses to perform attack path analysis and verify the containment of threats. You can use the events to define inspection rules that help you perform manual mitigation on devices that cannot use OPACLs and OPSigs.