manualshive.com logo in svg

Cisco CS-MARS-20-K9 - Security MARS 20, User Manual

The Cisco CS-MARS-20-K9 - Security MARS 20 is a highly efficient security management appliance. Unlock the full potential of this product by easily accessing its comprehensive User Manual. Enjoy hassle-free downloading and get your free copy from our website, empowering you to explore the device's features to the fullest.

Share
Download
background image

 

19-7

User Guide for Cisco Security MARS Local Controller

78-17020-01

Chapter 19      Incident Investigation and Mitigation

False Positive Confirmation

legitimate attack

 is an actual attempt by an attacker to gain access to or information about a 

specific host using a known exploit.

valid target

 is a host that is susceptible to the launched attack. A host can become an 

invalid target

 

if it is properly patched or has some other preventative measure in place, such as a local firewall, 
virus scanner, or intrusion prevention software that guards against the attack.

Attack detected

 refers to whether the monitoring device detected the attack and generated an alarm. 

false positive

 is when the monitoring system generates an alarm for a condition that is benign. In 

this case, there is no legitimate attack, despite the alarm generation.

An 

unconfirmed false positive

 is one where the monitoring system, based on data not available to 

the reporting device, has determined that an alarm is a false positive. Unconfirmed refers to the fact 
that the administrator must review and accept or reject the assessment of the false positive.

false negative

 is when the monitoring system fails to detect a legitimate attack. 

Noise

 refers to those alarms that are triggered due to attacks against invalid targets. While they can 

represent real attacks, the target cannot be compromised due to preventative measures. Attacks that 
fall within the noise category are of secondary importance in terms of investigation and mitigation.

Intrusion

 identifies a successful attack against the host, where the host is compromised by the 

attacker.

true false negative

 identifies an intrusion that remains undetected by the monitoring system.

true alarm

 identifies an intrusion that is detected by the monitoring system.

When a Local Controller receives an event, it is evaluated against the conditions of the defined rules. If 
the event satisfies the conditions of a rule, then the incident triggers. When an event triggers an incident, 
we refer to that event as a 

firing event

. False positive analysis is performed for such firing events to 

reduce the number of false alarms. 

Using built-in event vulnerability data, learned topology paths, sessionized event data, ACL analysis of 
layer 2 and 3 reporting devices, supporting data from 3

rd

-party vulnerability analysis (VA) software 

(such as Foundstone and eEye), and information that you provide about hosts, MARS analyzes the firing 
events reported to it determine whether the they hold up to a higher-level review. 

In the case of MARS, a 

system-confirmed false positive

 is where, after further analysis, a firing event is 

determined to be invalid. Example system-confirmed false positives include:

When an IDS device monitoring the network outside of a firewall reports an attack; however, the 
firewall drops that session as part of its standard access restrictions. Therefore, the attack never 
reaches the target.

Cisco Security Agent detects an attack and blocks it.

An 

unconfirmed false positive

 is where, after further analysis, the firing event is believed to be invalid 

primarily due to the attack being against an invalid target. Example unconfirmed false positives include

A reporting device reports a valid attack against a host; however, the host is not susceptible to that 
attack because it targets a different operating system. You can reduce these types of false positives 
by employing OS fingerprinting technologies on the reporting devices.

A reporting device reports a valid attack against a host’s application; however, the host is not 
susceptible to that attack because it targets a different application.

A reporting device reports a valid web attack against TCP port 80, however, dynamic probing 
determines that no services on the target host listen to TCP port 80.

For unconfirmed false positives, you must manually investigate the alarm and specify in 
Local Controller whether it is an actual false positive. For actual false positives, you should define a drop 
rule for the event. Defining a drop rule does not mean that the event is not stored in the database, you 

Summary of Contents for CS-MARS-20-K9 - Security MARS 20

Page 1: ...West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 User Guide for Cisco Security MARS Local Controller Release 4 2 x December 2006 Customer Order Number Text Part Number 78 17020 01 ...

Page 2: ...try to correct the interference by using one or more of the following measures Turn the television or radio antenna until the interference stops Move the equipment to one side or the other of the television or radio Move the equipment farther away from the television or radio Plug the equipment into an outlet that is on a different circuit from the television or radio That is make certain the equi...

Page 3: ...sistance xxiii Cisco Support Website xxiii Submitting a Service Request xxiv Definitions of Service Request Severity xxv Obtaining Additional Publications and Information xxv C H A P T E R 1 STM Task Flow Overview 1 1 Checklist for Provisioning Phase 1 2 Checklist for Monitoring Phase 1 9 Strategies for Monitoring Notification Mitigation Remediation and Audit 1 16 Appliance side Tuning Guidelines ...

Page 4: ... Columns 2 21 Load Devices From the Seed File 2 24 Adding Reporting and Mitigation Devices Using Automatic Topology Discovery 2 25 Verify Connectivity with the Reporting and Mitigation Devices 2 26 Discover and Testing Connectivity Options 2 26 Run a Reporting Device Query 2 27 Activate the Reporting and Mitigation Devices 2 27 Data Enabling Features 2 28 Layer 2 Discovery and Mitigation 2 29 Netw...

Page 5: ...rvers 2 56 Configure Syslog ng Server to Forward Events to MARS 2 56 Configure Kiwi Syslog Server to Forward Events to MARS 2 57 Add Syslog Relay Server to MARS 2 57 Add Devices Monitored by Syslog Relay Server 2 58 C H A P T E R 3 Configuring Router and Switch Devices 3 1 Cisco Router Devices 3 1 Enable Administrative Access to Devices Running Cisco IOS 12 2 3 1 Enable SNMP Administrative Access ...

Page 6: ... Bootstrap the Cisco Firewall Device 4 2 Enable Telnet Access on a Cisco Firewall Device 4 4 Enable SSH Access on a Cisco Firewall Device 4 4 Send Syslog Files From Cisco Firewall Device to MARS 4 4 Device Side Tuning for Cisco Firewall Device Syslogs 4 6 Logging Message Command 4 6 List of Cisco Firewall Message Events Processed by MARS 4 7 Add and Configure a Cisco Firewall Device in MARS 4 8 Ad...

Page 7: ...Management Station 4 55 Troubleshooting MARS and Check Point 4 56 C H A P T E R 5 Configuring VPN Devices 5 1 Cisco VPN 3000 Concentrator 5 1 Bootstrap the VPN 3000 Concentrator 5 1 Add the VPN 3000 Concentrator to MARS 5 2 C H A P T E R 6 Configuring Network based IDS and IPS Devices 6 1 Cisco IDS 3 1 Sensors 6 1 Configure Sensors Running IDS 3 1 6 1 Add and Configure a Cisco IDS 3 1 Device in MA...

Page 8: ...Sensors Using a Seed File 6 27 Snort 2 0 6 28 MARS Expectations of the Snort Syslog Format 6 28 Configure Snort to Send Syslogs to MARS 6 28 Add the Snort Device to MARS 6 28 Symantec ManHunt 6 29 Symantec ManHunt Side Configuration 6 29 MARS Side Configuration 6 31 Add Configuration Information for Symantec ManHunt 3 x 6 31 NetScreen IDP 2 1 6 31 IDP side Configuration 6 31 MARS side Configuratio...

Page 9: ...ter to Generate Required Data 7 5 Configure CSA MC to Forward SNMP Notifications to MARS 7 6 Export CSA Agent Information to File 7 6 Add and Configure a CSA MC Device in MARS 7 7 Add a CSA Agent Manually 7 8 Add CSA Agents From File 7 9 Troubleshooting CSA Agent Installs 7 10 C H A P T E R 8 Configuring Antivirus Devices 8 1 Symantec AntiVirus Configuration 8 1 Configure the AV Server to Publish ...

Page 10: ...eneric Devices 10 1 Sun Solaris and Linux Hosts 10 2 Configure the Solaris or Linux Host to Generate Events 10 2 Configure Syslogd to Publish to the MARS Appliance 10 2 Configure MARS to Receive the Solaris or Linux Host Logs 10 3 Microsoft Windows Hosts 10 4 Push Method Configure Generic Microsoft Windows Hosts 10 5 Install the SNARE Agent on the Microsoft Windows Host 10 5 Enable SNARE on the Mi...

Page 11: ... side Configuration 12 7 Install and Configure the Web Agent on UNIX or Linux 12 7 Web Server Configuration 12 8 To configure the Apache web server for the agent 12 8 To configure the iPlanet web server for the agent 12 8 MARS side Configuration 12 9 To add configuration information for the host 12 9 C H A P T E R 13 Configuring Web Proxy Devices 13 1 Network Appliance NetCache Generic 13 1 Config...

Page 12: ...up 16 4 Prerequisites for Policy Table Lookup 16 4 Restrictions for Policy Table Lookup 16 5 Checklist for Security Manager to MARS Integration 16 6 Bootstrapping Cisco Security Manager Server to Communicate with MARS 16 12 Add a Cisco Security Manager Server to MARS 16 13 Procedure for Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS 16 14 C H A P T E R 17 Network Summ...

Page 13: ... Tune an Unconfirmed False Positive to False Positive 19 9 To Tune an Unconfirmed False Positive to True Positive 19 9 To Activate False Positive Drop Rules 19 10 Mitigation 19 10 802 1X Mitigation Example 19 11 Prerequisites for Mitigation with 802 1X Network Mapping 19 11 Procedure for Mitigation with 802 1X Network Mapping 19 11 Display Dynamic Device Information 19 15 Virtual Private Network C...

Page 14: ...s Returned 20 8 Selecting Query Criteria 20 9 To Select a Criterion 20 9 Query Criteria 20 10 Source IP 20 10 Destination IP 20 11 Service 20 11 Event Types 20 11 Device 20 11 Severity Zone 20 12 Operation 20 12 Rule 20 12 Action 20 12 Saving the Query 20 13 Viewing Events in Real time 20 13 Restrictions for Real time Event Viewer 20 13 Procedure for Invoking the Real Time Event Viewer 20 14 Perfo...

Page 15: ... Denied 21 16 Working with System and User Inspection Rules 21 17 Change Rule Status Active and Inactive 21 17 Duplicate a Rule 21 17 Edit a Rule 21 18 Add an Inspection Rule 21 19 Working with Drop Rules 21 21 Change Drop Rule Status Active and Inactive 21 21 Duplicate a Drop Rule 21 21 Edit a Drop Rule 21 22 Add a Drop Rule 21 22 Setting Alerts 21 23 Configure an Alert for an Existing Rule 21 24...

Page 16: ...ent Description or CVE Names 23 2 To view a list of all currently supported CVEs 23 2 Event Groups 23 2 To filter by event groups or severity 23 2 Edit a Group of Events 23 2 Add a Group 23 3 IP Management 23 3 Search for an Address Network Variable or Host 23 3 Filter by Groups 23 3 Edit a Group 23 4 Add a Group 23 4 Add a Network IP Range or Variable 23 4 Add a Host 23 5 Edit Host Information 23...

Page 17: ...Certificate and Fingerprint Response 24 9 Upgrading from an Expired Certificate or Fingerprint 24 9 Upgrade a Certificate or Fingerprint Interactively 24 10 Upgrade a Certificate Manually 24 10 Upgrade a Fingerprint Manually 24 10 Monitoring Certificate Status and Changes 24 10 Hardware Maintenance Tasks MARS 100 100E 200 GCM and GC 24 11 Replacing the Lithium Cell CMOS Battery 24 11 Hard Drive Tr...

Page 18: ...1 Backslash B 2 Non printing Characters B 3 Generic Character Types B 4 Unicode Character Properties B 5 Simple Assertions B 6 Circumflex and Dollar B 7 Full Stop Period Dot B 8 Matching a Single Byte B 8 Square Brackets and Character Classes B 8 Posix Character Classes B 9 Vertical Bar B 10 Internal Option Setting B 10 Subpatterns B 11 Named Subpatterns B 12 Repetition B 12 Atomic Grouping and Po...

Page 19: ...r Cisco Security MARS Local Controller 78 17020 01 A P P E N D I X C Date Time Format Specfication C 1 A P P E N D I X D System Rules and Reports D 1 List of System Rules D 1 List of System Reports D 13 G L O S S A R Y I N D E X ...

Page 20: ...Contents xx User Guide for Cisco Security MARS Local Controller 78 17020 01 ...

Page 21: ...etworks It takes in all of the raw events from your reporting devices sessionizes them across different devices fires default rules for incidents determines false positives and delivers consolidated information through diagrams charts queries reports and rules The MARS operates at distinct and separate levels based on how much information is provided about your networks devices At its most basic l...

Page 22: ...PN Devices Chapter 6 Configuring Network based IDS and IPS Devices Chapter 7 Configuring Host Based IDS and IPS Devices Chapter 8 Configuring Antivirus Devices Chapter 9 Configuring Vulnerability Assessment Devices Chapter 10 Configuring Generic Solaris Linux and Windows Application Hosts Chapter 11 Configuring Database Applications Chapter 12 Configuring Web Server Devices Chapter 13 Configuring ...

Page 23: ...mentation and additional literature are available on Cisco com This section explains the product documentation resources that Cisco offers Cisco com You can access the most current Cisco documentation at this URL http www cisco com techsupport You can access the Cisco website at this URL http www cisco com You can access international Cisco websites at this URL http www cisco com public countries_...

Page 24: ... products Register to receive security information from Cisco A current list of security advisories security notices and security responses for Cisco products is available at this URL http www cisco com go psirt To see security advisories security notices and security responses as they are updated in real time you can subscribe to the Product Security Incident Response Team Really Simple Syndicati...

Page 25: ... tool enables you to create a profile and choose those products for which you want to receive information To access the Product Alert Tool you must be a registered Cisco com user Registered users can access the tool at this URL http tools cisco com Support PAT do ViewMyProfiles do local en To register as a Cisco com user go to this URL http tools cisco com RPF register register do Obtaining Techni...

Page 26: ...ink next to the Search box on the resulting page and then click the Technical Support Documentation radio button To provide feedback about the Cisco com website or a particular technical document click Contacts Feedback at the top of any Cisco com web page Submitting a Service Request Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests S3 and S4 service ...

Page 27: ...you can sign up for a variety of Cisco e mail newsletters and other communications Create a profile and then select the subscriptions that you would like to receive To visit the Cisco Online Subscription Center go to this URL http www cisco com offer subscribe The Cisco Product Quick Reference Guide is a handy compact reference tool that includes brief product overviews key features sample part nu...

Page 28: ...tp www cisco com discuss networking What s New in Cisco Documentation is an online publication that provides information about the latest documentation releases for Cisco products Updated monthly this online publication is organized by product category to direct you quickly to the documentation for your products You can view the latest release of What s New in Cisco Documentation at this URL http ...

Page 29: ...er source destination services and hours of operation Identify the network infrastructure able to provide audit data in network proximity to the critical resources Identify the various event logging levels available from the devices and hosts in the network infrastructure Identify the devices and techniques used to investigate Your mitigation policy should Identify the choke points on your network...

Page 30: ...ontinually and you should consider each of them when you create and update your corporate security policy The remainder of this section details recommended task flows according to the following project phases Provisioning see Checklist for Provisioning Phase page 1 2 Monitoring see Checklist for Monitoring Phase page 1 9 Check out http www cisco com web about security intelligence articles html fo...

Page 31: ...d take care in identifying which devices to monitor The following are only a couple examples of considerations you should make when identifying devices Consider of the types of logs and data available from reporting devices on specific network segments and select those logs that provide the most complete picture of the activity on your network Identify mitigation devices at natural chokepoints acr...

Page 32: ...ertificates which require the time date and time zone to be set properly Otherwise sessions and incidents are stamped incorrectly and you may experience time out errors when accessing the web interface To limit troubleshooting you should test each traffic flow from the source network segment to the destination segment If possible you should test all device to device flows for each protocol to ensu...

Page 33: ...expected role in your STM system will correlate directly with the configuration of the tasks listed above In addition you identify any restrictions imposed by MARS For example MARS may restrict the supported protocols for discovery of a specific device type Result The correct logging levels are enabled on the reporting devices and mitigation devices The MARS Appliance can receive or pull any neces...

Page 34: ...face To display all devices that are either added incorrectly or not activated in MARS you can define one of two queries Select Unknown Reporting Device in the Devices field This query returns the events only for those devices that are reporting events that do not matching the one of the reporting IPs defined in MARS When MARS receives events it first determines if the IP from which the events are...

Page 35: ...devices you can define the intervals at which the event logs are retrieved and processed These update features are as follows Distributed Threat Mitigation DTM device updates The DTM services poll Cisco IPS and Cisco IDS devices to determine the top firing signatures across the reporting devices Based on this information MARS generates the list of top signatures that are firing on the network so t...

Page 36: ...resenting a reporting device a mitigation device or an important asset on your network This information identifies the operating system patch levels and the network services that run on the host After you define the hosts you must activate them by clicking Activate on any page in the web interface Result MARS understands more about the hosts on your network and the services that they run For more ...

Page 37: ...work and administrative practices You can further qualify the rules using a combination of seven conditions source destination service type event type time range reporting device and event severity You must choose whether to drop the event entirely or to drop it and log it to the database where it can be used by queries and reports Note Drop rules do not prevent MARS from storing the event data th...

Page 38: ...ccount the short and long term requirements of monitoring and forensic analysis as well as how to stop ongoing attacks and clean infected hosts These strategies encompass not only your expected interaction with MARS but the expectations of your reporting devices as well Essentially they identify the roles tasks and data requirements that you anticipate so that you can map events rules queries and ...

Page 39: ... any person or device that is expected to receive a notification must be identified in the system Therefore the first step is to define user accounts that map to the users or groups who must be notified based on specific event settings see User Role Worksheet page 1 20 You must also identify the devices that need to be notified or that need to take some action see Device Inventory Worksheet page 1...

Page 40: ...ta such as number of sessions where a custom log parser can enable detailed inspection of aspects of the traffic such as resource utilization or failed logging attempts To define a custom parser you must know the message format used by that appliance and it must be published to MARS in clear text Organizing the rules that you create into meaningful groups can help clarify your purpose and improves...

Page 41: ...events important to fulfilling your policies This feature can be especially useful for adhering to compliance reporting requirements as you can define a report schedule it to be generated and store the results as part of your audit records As with overall access you can restrict the ability to run or view reports and queries based on user role Such safeguards can reduce accidental tampering with s...

Page 42: ...ority views of your network activity displaying hot spot diagrams recent events charts of incidents and a topology diagram identifying recent activities When you identify an incident that requires further investigation or mitigation you can investigate the incident to determine whether it is a false positive or block attack using MARS If you have choke points operating at layer 2 primarily switche...

Page 43: ...user roles Because reports can be scheduled you can notify the appropriate users each time the report is updated Tip If you cannot view the resource usage of a reporting device verify that you have enabled the Monitor Resource Usage option as part of that device definition in Admin System Configuration Security and Monitored Devices For the list of devices that can be configured to provide this da...

Page 44: ...ts by MARS Note For releases 4 2 3 and earlier of MARS you cannot define drop rules for a NetFlow based event For these releases tuning of NetFlow events must be performed on the reporting device Turn on or off event generation at the device Identify selected incidents as false positives Tune inspection rules to include or exclude specific networks hosts services reporting devices or traffic flows...

Page 45: ...at you should perform system monitoring versus security monitoring System monitoring involves monitoring not only the status of the MARS Appliance but also the health and status of the reporting devices and mitigation devices that MARS manages Security monitoring focuses on network and security activity For both types of monitoring you must decide what predefined and custom queries and reports are...

Page 46: ...ect authorization to connect to the management IP address and read or write information based on the role in the network For reporting devices this account must have privileges sufficient for MARS to read the existing configuration For mitigation devices specifically layer 2 switches this account can enable MARS to publish actual CLI changes to the device to block detected attacks Role in system s...

Page 47: ...TM Task Flow Overview Device Inventory Worksheet Table 1 1 Device Inventory Worksheet Device Name Reporting IP Address Management IP Address Account Username Password Role in System Segment Required Protocols Log Settings SNMP RO Community Tunable y n Notify y n Notification Format ...

Page 48: ...es the information required to contact this user when incident rules are fired For users notification settings include e mail pager messages or SMS messages For response teams you may use group aliases Users should be notified when inspection rules fire and scheduled reports are generated Device Ownership Identifies the reporting devices and mitigation devices on your network for which the user is...

Page 49: ...rity MARS Local Controller 78 17020 01 Chapter 1 STM Task Flow Overview User Role Worksheet Table 1 2 User Role Worksheet User Name User Role MARS Account Role Notification Settings Device Ownership Inspection Rules Reports Queries ...

Page 50: ...1 22 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 1 STM Task Flow Overview User Role Worksheet ...

Page 51: ...itigation devices Discussion of the levels of operation that MARS supports Guidance on selecting a method for adding devices to Local Controller Discussion of those features that enable rich data collection It contains the following sections Levels of Operation page 2 1 Selecting the Devices to Monitor page 2 2 Understanding Access IP Reporting IP and Interface Settings page 2 8 Selecting the Acce...

Page 52: ...on requirements and the features enabled at that level Selecting the Devices to Monitor All monitoring strategies involve selecting the types of devices to monitor and how much data to provide the MARS Appliance All devices on your network be they hosts gateways security devices or servers provide some level of data that MARS can use to improve the accuracy of security incident identification Howe...

Page 53: ...od for your monitoring strategy How you tune your MARS affects your overall operational costs proportionally to the number of device of a give type that are monitored Essentially if you have the bandwidth available we recommend that you tune the events at the MARS Appliance which reduces your operational costs by tuning at a single point in the network However if bandwidth is a precious commodity ...

Page 54: ...a device status and resource utilization such as memory CPU and interface port statistics ARP cache table Used to map IP address to MAC address Enable the following SNMP RO community strings Syslog traffic Device discovery via SSH or Telnet access Switch During investigation and mitigation the ARP cache tables are reviewed to resolve the MAC addresses involved in the incident This data is cached f...

Page 55: ...cked before reaching their targets Audit logs Associates users with authentication sessions and assists in identifying exploited accounts and administrative sessions ARP cache tables Used to map IP address to MAC address Device status and resource utilization information Used to identify anomalous network activities based on memory CPU and interface and port statistics Enable the following SNMP RO...

Page 56: ...identification which in turn improves the ability of the administrator to accurately prioritize the work required to contain attacks Anti Virus Central anti virus management servers provide information on which hosts are infected which hosts have reported attempted infections etc The servers also provide the dat or signature file information for managed hosts which improves the ability to determin...

Page 57: ...fully traversed the network MARS correlates this data with the network level data to discover the whole incident and analyze the exploit method so the administrator can build a better defense In some cases MARS recommends actions for mitigating the attack We recommend that you maintain these recommended blocks as long as similar attacks are expected Typical blocking techniques such as IPS shunning...

Page 58: ...nerate event messages for MARS to process e g NetCache appliances In addition not all devices require the definition of interfaces This section discusses the following three addresses and their relationship to other settings Access IP page 2 9 Reporting IP page 2 9 Interface Settings page 2 10 AAA Server Login logout and NAC functionality deny a person due to privileges it triggers NAC message pas...

Page 59: ...nd SNMP RO are unrelated to SNMP notifications or SNMP traps SNMPwalk and SNMP RO both require that MARS initiate the information request where as SNMP notifications are event notifications published by the reporting device much the same as syslog messages are As with syslog messages SNMP notifications are published over the reporting IP address Reporting IP The reporting IP is the source IP addre...

Page 60: ... a secured connection It allows for the discovery of the settings using SNMPwalk such as routes connected networks ARP tables and address translations If granted read write access SNMP also allows for mitigation on any L2 devices that support MIB2 Telnet Telnet provides full administrative access to the device using an unsecured connection It allows for the discovery of the settings such as routes...

Page 61: ...SNMP in the Access Type list To select SNMP as the access type you must provide MARS with SNMP read write access Note The SNMP access type is not required to enable the SMPO RO strings In fact no access type is required to support SNMP RO SNMP RO uses a shared read only community string it does not require a read write community string as does the SNMP access type If you selected SNMP as the acces...

Page 62: ...e FTP Access for Devices in MARS This procedure assumes you are defining a reporting device or mitigation device and that you were referred to this procedure after selecting FTP in the Access Type list If you selected FTP as the access type follow these steps Step 1 In the Login field enter the username of the FTP server account to use when accessing the configuration file of the reporting device ...

Page 63: ...8 Firewall Devices Cisco PIX 1 Access to access and reporting IP address interface by MARS 2 FTP Telnet or SSH access by MARS 3 Define SNMP RO community string Note SNMP settings should be defined for the admin context on ASA and FWSM You do not need to define these settings for each security context 4 Turn on syslog define log level and define MARS as target of syslog messages Bootstrap the Cisco...

Page 64: ... and IPS 5 x Sensors page 6 5 Cisco IPS ASA module 1 Enable SDEE for IPS modules 2 Configure the following signature actions Alert Optional To view trigger packets enable the produce verbose alert Optional To view IP logs enable the alert or produce verbose alert and log pair packets Cisco IPS Modules page 6 10 Cisco IOS IPS module 1 Enable SDEE for IPS modules 2 Configure the following signature ...

Page 65: ...rd Qualys QualysGuard Devices page 9 5 Foundstone Foundscan Foundstone FoundScan 3 0 page 9 1 Host Operating Systems Windows Do one of the following Install and configure the SNARE agent Create or edit an administrative account to ensure that it has permissions to pull the event data Syslog pushed by SNARE agent or event data pull using MS RPC Push Method Configure Generic Microsoft Windows Hosts ...

Page 66: ...RS Agent Install and Configure the PN Log Agent page 14 7 Cisco Secure ACS Cisco Secure ACS Appliance Install and configure remote log agent Syslog from MARS Agent on secondary host Supporting Cisco Secure ACS Solution Engine page 14 2 Install and Configure the PN Log Agent page 14 7 Cisco Secure ACS SNMP and Syslog Servers Generic Syslog Server Publish syslog messages to MARS Appliance Enable SNM...

Page 67: ...s is presented in the Supported Devices and Software Versions for Cisco Security MARS Local Controller 4 2 x and 5 2 x document Devices are added to this list on an ongoing basis via software upgrade packages See Install and Setup Guide for Cisco Security Monitoring Analysis and Response System for details on how to upgrade your MARS Appliance MARS can also support any syslog or SNMP devices even ...

Page 68: ... Type to a Newer Version You can change the Device Type version setting of a hardware based security device You cannot upgrade the version for software applications running on a host To upgrade the software appliance version you must remove the application from the host and add the newer one This version change feature applies only to device types with the same vendor and model but different versi...

Page 69: ...t functions that each of these pages serves The Security and Monitoring Devices page configures the contact and device type information whereas the IP Management page is used by the parser module to correlate known devices versus unknown devices Typically when you delete a device from the Security and Monitoring Device page you still want to retain the knowledge of that device in MARS so that hist...

Page 70: ... export files as CSV files The following is a sample seed file as exported from a popular spreadsheet program 10 1 1 1 PIX TELNET cisco 192 168 229 241 IOS TELNET csRv 12 EcsRv 12 10 1 1 83 PIX SSH pix Vpnspn12 vPfw1ne 192 168 151 169 PIX SSH pix lpt 12 pot 1 d1 10 4 2 4 NETSCREEN SSH netscreen nt scn25 10 4 2 3 NETSCREEN SSH netscreen nt scn10 10 1 1 241 IOS TELNET cisco cisco 10 4 2 1 IOS TELNET...

Page 71: ... of the Symantec AntiVirus agents dynamically you can also import the initial list of agents using a custom seed file For more information see Export the AntiVirus Agent List page 8 7 Devices that Require Updates After the Seed File Import When you add specific reporting devices using a seed file you must edit them to complete the definition of the device before you can monitor them Typically thes...

Page 72: ...R IP The device s name or IP address Mandatory If the device name is provided and Column U is empty MARS performs a DNS lookup to identify the address which will be used to populate the Access and Reporting IP fields Note If an IP address appears in Column U that address overrides any address or derived address specified in Column A However the name value specified in Column A is used Column B SNM...

Page 73: ...ve Mode EXTREME for Extreme ExtremeWare 6 x NETSCREEN for ScreenOS 4 0 and 5 0 WINDOWS for Window host Windows2000 for Windows 2000 host Windows2003 for Windows 2003 host WindowsNT for Windows NT 4 x host SOLARIS for Solaris host LINUX for Linux host Note In the case of host files Linux Solaris and Windows MARS is configured by default to receive events from the hosts specified in a seed file Howe...

Page 74: ...PC user name This column is only valid if you have used TELNET SSH or FTP in Column F Column H SSH FTP RPC PASSWORD The SSH or FTP Password for the device This column is only valid if you have used SSH or FTP in Column F Column I TELNET PASSWORD The Telnet password for the device Column J ENABLE PASSWORD The enable password applicable only with FWSM PIX or IOS devices Columns K EMPTY Emplty placeh...

Page 75: ...t schedule rule is once a month for all valid networks However if no valid networks are defined the process wakes up sees no valid networks are defined and quits Each schedule rule allows you to select which networks as defined within the list of valid networks and ranges that should be discovered according to frequency also specified in the rule As connected networks often exist you can refine wh...

Page 76: ...y checking the box next to the name of the device and clicking Edit On the device s page click Discover or Test Connectivity The UI displays a holding pattern screen while it connects to the device When complete it shows you the device s discovery screen Note Some devices cannot be checked for connectivity nor can be discovered The next section Discover and Testing Connectivity Options page 2 26 c...

Page 77: ...ata is limited to queries and reports Typically MARS runs inspection rules and generates notifications only against the data retrieved from activated devices Once a device is known to the MARS Appliance all data provided by that particular device can be normalized and sessionized which enables that device s data to be used to fire an incident Note Default installations of MARS do not fire incident...

Page 78: ... uses nmap for OS fingerprinting and port scanning during a vulnerability assessment scan These scans are conducted in response to suspicious activity to determine whether the attempted attack is successful or likely to succeed based on information such as target operating system type patch level and open ports on the host Understanding NetFlow Anomaly Detection page 2 30 By enabling NetFlow MARS ...

Page 79: ...ot discover L2 devices automatically as it does with L3 devices Note L2 devices must be added manually there is no automatic discovery for these devices Make sure all the L2 devices switches have the SNMP RO community strings specified in the web interface even if the access type is not SNMP The SNMP RO community string is always required on L2 devices for L2 mitigation You can specify which L3 de...

Page 80: ... scan settings follow these steps Step 1 Click the Network IP radio button Step 2 Enter the Network IP address and Mask Step 3 Click Add Create a Network IP Range for Scanning To create a range of network addresses that you can use to define the scan settings follow these steps Step 1 Click the IP Range radio button Step 2 Enter the range of IP addresses Step 3 Click Add Understanding NetFlow Anom...

Page 81: ...s for Configuring NetFlow on Your Network page 2 32 Enable Cisco IOS Routers and Switches to Send NetFlow to MARS page 2 32 Configuring Cisco CatIOS Switch page 2 34 Enable NetFlow Processing in MARS page 2 34 How MARS Uses NetFlow Data When MARS is configured to work with NetFlow you can take advantage of NetFlow s anomaly detection using statistical profiling which can pinpoint day zero attacks ...

Page 82: ...e MARS Appliance MARS uses NetFlow versions 5 and 7 Ensure that the version of Cisco IOS software or Cisco CatOS running on your reporting devices supports at least one of these NetFlow versions Note For releases 4 2 3 and earlier of MARS you cannot define drop rules for a NetFlow based event For these releases tuning of NetFlow events must be performed on the reporting device The taskflow for con...

Page 83: ... for the interface to send the NetFlow The syslog_interface_name value should be the interface attached to the network through which the MARS Appliance is reachable and it must equal the syslog source interface name ip flow export version version_number Identifies which version of NetFlow 5 or 7 to use when generating events Cisco recommends using version 5 if supported version_number is either 5 ...

Page 84: ...pervisor engines as distinct streams The router side running IOS is configured as specified in Enable Cisco IOS Routers and Switches to Send NetFlow to MARS page 2 32 However to configure the he CatIOS NetFlow Data Export use the following commands set mls flow full set mls nde version 5 set mls nde MARS_IP_address 2055 set mls nde enable From a user s perspective the switch is only running IOS wh...

Page 85: ...rewalls Step 3 Choose whether to Enable NetFlow Processing Yes tells MARS to process the NetFlow logs No disables the processing of NetFlow data into the MARS Step 4 Choose whether to Always Store NetFlow Records Yes tells MARS to store all of the NetFlow events in the database Selecting this option can slow down the system by greatly decreasing the number of events per second that MARS is able to...

Page 86: ...spected incidents at a layer above the endpoint hosts that are the source or destination of network sessions If operating exclusively at this network layer MARS can generate a number of false positive incidents that must be manually investigated However several features exist that allow you to provide host level details to MARS Enable event reporting from the hosts on your network MARS can receive...

Page 87: ...ologies Note Remember to activate additions and changes to your community strings and valid networks by clicking Activate Add a Community String for a Network To add a community string for a network IP follow these steps Step 1 To open the Community Strings and Networks page click Admin Community Strings and Networks Step 2 Click the Network IP radio button Step 3 Enter the Community String Networ...

Page 88: ...alid networks follow these steps Step 1 Click Admin Valid Networks to open the Valid Networks page Step 2 Enter the SNMP Target s IP address The SNMP target is the entry point where the MARS starts discovering devices on a network It typically identifies an address on a default gateway of the network Step 3 Click either Network IP or Network Range to define the scope of the scan Step 4 Enter the a...

Page 89: ...ce type proper authorization an access type such as Telnet or SSH and an access IP address When device discovery is performed MARS contacts the device and conducts a topology and configuration discovery This discovery collects all of the route NAT and ACL related information for the device or admin context In addition the name of the device may change to hostname domain format if it was not alread...

Page 90: ...ges Step 5 Click Add to move the network into the selected field To remove an item in the selected field click it to highlight it and click Remove Step 6 In the schedule table select the appropriate radio button and its time criteria Run On Demand Only Daily and the Time of Day Weekly the Time of Day and the Days Monthly the Time of the Day and the Dates Step 7 Click Submit To edit a scheduled top...

Page 91: ...n For FWSM MARS monitors system context level resources CPU memory connections via the CLI and per context resources CPU memory connections interface utilization and errors via SNMP Therefore you can monitor three views of the FWSM module base platform IOS switch hosting the module module level system context and security context level To enable the collection of resource usage data you must ensur...

Page 92: ...ization Errors Outbound Top Interfaces Resource Utilization Memory Top Devices You can define custom rules reports and queries about resource usage based on the following events CPU Utilization Higher Than 50 CPU Utilization Higher Than 75 CPU Utilization Higher Than 90 CPU Utilization Abnormally High Memory Utilization Higher Than 50 Memory Utilization Higher Than 75 Memory Utilization Higher Tha...

Page 93: ... 1 2 1 2 2 1 16 i DEVICE_RES_OID_INTERFACE_IN_BANDWIDTH 1 3 6 1 2 1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_OUT_BANDWIDTH 1 3 6 1 2 1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_IN_ERROR 1 3 6 1 2 1 2 2 1 14 i DEVICE_RES_OID_INTERFACE_OUT_ERROR 1 3 6 1 2 1 2 2 1 20 i DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET 1 3 6 1 2 1 2 2 1 11 i DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET 1 3 6 1 2 1 2 2 1 12 i DEVICE_RES_OID_IN...

Page 94: ..._INTERFACE_IN_UNKNOWN_PROTOS 1 3 6 1 2 1 2 2 1 15 i DEVICE_RES_OID_INTERFACE_OUT_DISCARDS 1 3 6 1 2 1 2 2 1 19 i Cisco PIX 6 0 DEVICE_RES_OID_MEMORY_FREE 1 3 6 1 4 1 9 9 48 1 1 1 6 1 DEVICE_RES_OID_MEMORY_USED 1 3 6 1 4 1 9 9 48 1 1 1 5 1 DEVICE_RES_OID_CONNECTION 1 3 6 1 4 1 9 9 147 1 2 2 2 1 5 40 6 DEVICE_RES_OID_INTERFACE_NUMBER 1 3 6 1 2 1 2 1 0 DEVICE_RES_OID_INTERFACE_IN_BYTES 1 3 6 1 2 1 2 ...

Page 95: ..._INTERFACE_OUT_BANDWIDTH 1 3 6 1 2 1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_IN_ERROR 1 3 6 1 2 1 2 2 1 14 i DEVICE_RES_OID_INTERFACE_OUT_ERROR 1 3 6 1 2 1 2 2 1 20 i DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET 1 3 6 1 2 1 2 2 1 11 i DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET 1 3 6 1 2 1 2 2 1 12 i DEVICE_RES_OID_INTERFACE_OUT_UCAST_PACKET 1 3 6 1 2 1 2 2 1 17 i DEVICE_RES_OID_INTERFACE_OUT_NUCAST_PACKET 1...

Page 96: ...1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_OUT_BANDWIDTH 1 3 6 1 2 1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_IN_ERROR 1 3 6 1 2 1 2 2 1 14 i DEVICE_RES_OID_INTERFACE_OUT_ERROR 1 3 6 1 2 1 2 2 1 20 i DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET 1 3 6 1 2 1 2 2 1 11 i DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET 1 3 6 1 2 1 2 2 1 12 i DEVICE_RES_OID_INTERFACE_OUT_UCAST_PACKET 1 3 6 1 2 1 2 2 1 17 i DEVICE_RES_OID_INT...

Page 97: ...1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_OUT_BANDWIDTH 1 3 6 1 2 1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_IN_ERROR 1 3 6 1 2 1 2 2 1 14 i DEVICE_RES_OID_INTERFACE_OUT_ERROR 1 3 6 1 2 1 2 2 1 20 i DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET 1 3 6 1 2 1 2 2 1 11 i DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET 1 3 6 1 2 1 2 2 1 12 i DEVICE_RES_OID_INTERFACE_OUT_UCAST_PACKET 1 3 6 1 2 1 2 2 1 17 i DEVICE_RES_OID_INT...

Page 98: ...1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_OUT_BANDWIDTH 1 3 6 1 2 1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_IN_ERROR 1 3 6 1 2 1 2 2 1 14 i DEVICE_RES_OID_INTERFACE_OUT_ERROR 1 3 6 1 2 1 2 2 1 20 i DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET 1 3 6 1 2 1 2 2 1 11 i DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET 1 3 6 1 2 1 2 2 1 12 i DEVICE_RES_OID_INTERFACE_OUT_UCAST_PACKET 1 3 6 1 2 1 2 2 1 17 i DEVICE_RES_OID_INT...

Page 99: ...1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_OUT_BANDWIDTH 1 3 6 1 2 1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_IN_ERROR 1 3 6 1 2 1 2 2 1 14 i DEVICE_RES_OID_INTERFACE_OUT_ERROR 1 3 6 1 2 1 2 2 1 20 i DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET 1 3 6 1 2 1 2 2 1 11 i DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET 1 3 6 1 2 1 2 2 1 12 i DEVICE_RES_OID_INTERFACE_OUT_UCAST_PACKET 1 3 6 1 2 1 2 2 1 17 i DEVICE_RES_OID_INT...

Page 100: ...1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_OUT_BANDWIDTH 1 3 6 1 2 1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_IN_ERROR 1 3 6 1 2 1 2 2 1 14 i DEVICE_RES_OID_INTERFACE_OUT_ERROR 1 3 6 1 2 1 2 2 1 20 i DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET 1 3 6 1 2 1 2 2 1 11 i DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET 1 3 6 1 2 1 2 2 1 12 i DEVICE_RES_OID_INTERFACE_OUT_UCAST_PACKET 1 3 6 1 2 1 2 2 1 17 i DEVICE_RES_OID_INT...

Page 101: ...1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_OUT_BANDWIDTH 1 3 6 1 2 1 2 2 1 5 i DEVICE_RES_OID_INTERFACE_IN_ERROR 1 3 6 1 2 1 2 2 1 14 i DEVICE_RES_OID_INTERFACE_OUT_ERROR 1 3 6 1 2 1 2 2 1 20 i DEVICE_RES_OID_INTERFACE_IN_UCAST_PACKET 1 3 6 1 2 1 2 2 1 11 i DEVICE_RES_OID_INTERFACE_IN_NUCAST_PACKET 1 3 6 1 2 1 2 2 1 12 i DEVICE_RES_OID_INTERFACE_OUT_UCAST_PACKET 1 3 6 1 2 1 2 2 1 17 i DEVICE_RES_OID_INT...

Page 102: ...PN 3000 Concentrators Cisco ASA 7 0 DEVICE_RES_OID_CPU 1 3 6 1 4 1 9 9 109 1 1 1 1 3 1 DEVICE_RES_OID_MEMORY_FREE 1 3 6 1 4 1 9 9 48 1 1 1 6 1 DEVICE_RES_OID_MEMORY_USED 1 3 6 1 4 1 9 9 48 1 1 1 5 1 DEVICE_RES_OID_CONNECTION 1 3 6 1 4 1 9 9 147 1 2 2 2 1 5 40 6 DEVICE_RES_OID_INTERFACE_NUMBER 1 3 6 1 2 1 2 1 0 DEVICE_RES_OID_INTERFACE_IN_BYTES 1 3 6 1 2 1 2 2 1 10 i DEVICE_RES_OID_INTERFACE_OUT_BY...

Page 103: ...iew Activity Security Posture NAC End Host Details All Events Total View Activity Security Posture NAC Infected Quarantine All Events Total View Activity Security Posture NAC Infected Quarantine Top Hosts Total View Activity Security Posture NAC L2 802 1x Top Tokens Total View Activity Security Posture NAC L2IP Top Tokens Total View Activity Security Posture NAC Static Auth Top Hosts Total View Ac...

Page 104: ...s page 21 23 To learn more about the SNMP MIB format sent by MARS see MARS MIB Format page 2 54 MARS MIB Format The MARS management information base MIB is defined for all MARS releases The SNMP notification contains the same content as the syslog generated by MARS The MARS MIB definition is as follows enterprises 16686 1 0 string MARS 1 101 enterprises 16686 2 0 string alert_content enterprises 1...

Page 105: ...uide for Cisco Security MARS Local Controller 78 17020 01 Chapter 2 Reporting and Mitigation Devices Overview Integrating MARS with 3rd Party Applications Note Notifications are sent only from the Local Controller ...

Page 106: ...g the events while you define the reporting devices using the MARS user interface You are still required to define the reporting device by IP address and device type in MARS to ensure proper event correlation however you are not required to configure device to publish syslog messages directly to MARS To configure MARS to work with a syslog relay server perform the following tasks 1 Configure the s...

Page 107: ...llowing MARS to correctly identify the original sending device However this option cannot be used on a Kiwi relay of relay To support a Kiwi relay of relay in MARS the first relay must have this option selected and must receive syslog messages only from the source devices and all other relays must have this option cleared and must only receive syslog messages from other Kiwi relays not directly fr...

Page 108: ... IP Reporting IP and Interface Settings page 2 8 Step 5 Click Apply to save these settings Step 6 Click Next to access the Reporting Applications tab Step 7 Select Generic Syslog Relay ANY from the Select Application list and click Add Step 8 Click Submit to add this application to the host Result Generic Syslog Relay ANY appears in the Device Type list Step 9 Click the Vulnerability Assessment In...

Page 109: ... and IPS Devices page 6 1 This chapter explains how to bootstrap and add the following router and switch devices to MARS Cisco Router Devices page 3 1 Cisco Switch Devices page 3 9 Extreme ExtremeWare 6 x page 3 17 Generic Router Device page 3 18 Cisco Router Devices To configure Cisco routers running Cisco IOS Software Release 12 2 to communicate with a MARS Appliance you must perform three tasks...

Page 110: ... using Telnet access to the Cisco router or switch refer to your device documentation or the following URL http cisco com en US products sw iosswrel ps1818 products_configuration_example09186a0080 204528 shtml Enable SSH Administrative Access To enable configuration discovery using SSH access to the Cisco router or switch refer to your device documentation or the following URL http cisco com en US...

Page 111: ...ovides MARS with access to the L2 MIB which is required to identify L2 re routes of traffic and to perform L2 mitigation MARS also uses the MIB to identify trunks to other switches which are used to populate VLAN information used in L2 path calculations STP which is enabled by default on Cisco Switches should remain enabled as it is required for L2 mitigation The following topics describe how to c...

Page 112: ...ware RADIUS server logs These logs relate the authorization communications between clients and the posture validation servers Network access device logs These logs relate connection attempts by clients and final authorizations provided by the AAA server enforcing the NAC policies For more information on the events that are logged as part of NAC see the Monitoring and Reporting Tool Integration int...

Page 113: ...efining a AAA client see Define AAA Clients page 14 5 Second the switch must be configured to use a a RADIUS server Then you must enable the following features on each interface installed in the switch 802 1X port based authentication The device requests the identity of the client and begins relaying authentication messages between the client and the authentication server Each client attempting to...

Page 114: ...rotocol on the Cisco IOS device that supports IOS IPS follow these steps Step 1 Log in to the Cisco IOS device using the enable password Step 2 Enter the following commands to enable MARS to retrieve events from the IOS IPS software Router config ip http secure server Router config ip ips notify sdee Router config ip sdee subscriptions 3 Router config ip sdee events 1000 Router config no ip ips no...

Page 115: ...ss its role and dependencies see Understanding Access IP Reporting IP and Interface Settings page 2 8 Step 5 Enter the IP address of the interface that publishes syslog messages SNMP notifications NetFlow MIBs or any combination of the three in the Reporting IP field To learn more about the reporting IP address its role and dependencies see Understanding Access IP Reporting IP and Interface Settin...

Page 116: ...The IOS IPS feature is required to enable the DTM functionality in MARS See Technology Preview Configuring Distributed Threat Mitigation with Intrusion Prevention System in Cisco Security MARS page 1 for more information Result The IOS IPS Information page appears a Enter the username that has HTTPS access to this device in the User Name field b Enter the corresponding password in the Password fie...

Page 117: ...o IOS Software Release 12 2 or later refer to the following procedures Enable Administrative Access to Devices Running Cisco IOS 12 2 page 3 1 Configure the Device Running Cisco IOS 12 2 to Generate Required Data page 3 3 To prepare a Cisco switch running CatOS refer to the following procedures Enable Communications Between Devices Running CatOS and MARS page 3 9 Configure the Device Running CatOS...

Page 118: ...vice documentation or the following URL IP Access http www cisco com univercd cc td doc product lan cat6000 sw_8_4 confg_gd ip_perm htm wp 1019819 Enable SSH Administrative Access To enable configuration discovery using SSH access to the Cisco router or switch refer to your device documentation or the following URL IP Access http www cisco com univercd cc td doc product lan cat6000 sw_8_4 confg_gd...

Page 119: ...bled SNMP traps on the Catalyst switch follow these steps Step 1 Enter configuration mode switch enable Enter password password switch enable Step 2 Set the SNMP read community string as follows switch enable set snmp community read only read community Step 3 Set the SNMP write community string as follows switch enable set snmp community read write write community switch enable set snmp community ...

Page 120: ...et logging level vmps 7 default set logging level kernel 7 default set logging level filesys 7 default set logging level drip 7 default set logging level pagp 7 default set logging level mgmt 7 default set logging level mls 7 default set logging level protfilt 7 default set logging level security 7 default set logging server facility SYSLOG set logging server severity 7 set logging buffer 250 set ...

Page 121: ...Reporting IP and Interface Settings page 2 8 Step 5 Enter the IP address of the interface that publishes syslog messages SNMP notifications NetFlow MIBs or any combination of the three in the Reporting IP field To learn more about the reporting IP address its role and dependencies see Understanding Access IP Reporting IP and Interface Settings page 2 8 Step 6 If you entered an address in the Acces...

Page 122: ... as a match criterion For more information on the activate action see Activate the Reporting and Mitigation Devices page 2 27 After submitting you can add modules See Adding Modules to a Cisco Switch page 3 14 Adding Modules to a Cisco Switch In MARS you can represent discover and monitor modules that are installed in Cisco switches These modules perform special purpose security functions for the ...

Page 123: ...lly page 3 15 Cisco Firewall Devices PIX ASA and FWSM page 4 1 Cisco IPS Modules page 6 10 Step 6 To add these modules to the base module defined in the MARS database click Submit Result The submit operation records the changes in the database tables However it does not load the changes into working memory of the MARS Appliance The activate operation loads submitted changes into working memory Ste...

Page 124: ... combination of the three in the Reporting IP field To learn more about the reporting IP address its role and dependencies see Understanding Access IP Reporting IP and Interface Settings page 2 8 Step 6 If you entered an address in the Access IP field select TELNET SSH or FTP from the Access Type list and continue with the procedure that matches your selection Configure Telnet Access for Devices i...

Page 125: ...S Appliance The activate operation loads submitted changes into working memory Extreme ExtremeWare 6 x MARS can use Extreme ExtremeWare switches to enforce L2 mitigation To configure MARS to communicate with an ExtremeWare switch you must configure the switch to publish SNMP notifications to the MARS Appliance In addition you must add and configure the switch in the web interface This section cont...

Page 126: ...the reporting IP address its role and dependencies see Understanding Access IP Reporting IP and Interface Settings page 2 8 Step 6 If you entered an address in the Access IP field select SNMP from the Access Type list For more information on understanding the access type see Selecting the Access Type page 2 10 Step 7 Optional To enable MARS to retrieve MIB objects for this reporting device enter t...

Page 127: ...ddress of the interface that publishes syslog messages SNMP notifications or both in the Reporting IP field To learn more about the reporting IP address its role and dependencies see Understanding Access IP Reporting IP and Interface Settings page 2 8 Step 6 If you entered an address in the Access IP field select SNMP from the Access Type list For more information on understanding the access type ...

Page 128: ...3 20 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 3 Configuring Router and Switch Devices Generic Router Device ...

Page 129: ...rewall devices to MARS Cisco Firewall Devices PIX ASA and FWSM page 4 1 NetScreen ScreenOS Devices page 4 14 Check Point Devices page 4 22 Cisco Firewall Devices PIX ASA and FWSM MARS support for Cisco firewall devices includes the following PIX Security Appliance Cisco Adaptive Security Appliance ASA Cisco Firewall Services Modules FWSM For the complete list of supported software releases by plat...

Page 130: ...Advanced Inspection and Prevention AIP modules running IPS 5 0 To configure MARS to accept syslog event data and to pull device configurations settings from a Cisco firewall device you must perform the following tasks Bootstrap the Cisco Firewall Device page 4 2 Add and Configure a Cisco Firewall Device in MARS page 4 8 Bootstrap the Cisco Firewall Device You should configure your Cisco firewall d...

Page 131: ...rate meaningful reports about the network activity of a firewall device and to monitor the security events associated with that device you must select the appropriate logging level The logging level generates the syslog details required to track session specific data After you select a logging level you can define a syslog rule that directs traffic to the MARS Appliance 3 Do one of the following S...

Page 132: ...Firewall Device Step 1 Log in to the Cisco firewall device with administrator s privileges Step 2 Enter the command telnet MARS IP address netmask of MARS IP address interface name where interface name can be inside outside DMZ Enable SSH Access on a Cisco Firewall Device Step 1 Log in to the Cisco firewall device with administrator s privileges Step 2 Enter the command ssh MARS IP address netmask...

Page 133: ...bled on the reporting device If web filtering is not enabled then the HTTP session log does not include the hostname although the destination host s IP and the Request URI are included such as 192 168 1 1 foo htm and FTP command data is not logged at all Caveats exist with HTTP session logging such as if the HTTP session request is broken across packets then the hostname data might not be included...

Page 134: ...ne Configuration Guide Version 7 2 http www cisco com en US products ps6120 products_configuration_guide_chapter09186a0080 63b3ff html wp1065706 Logging Message Command in Cisco Security Appliance System Log Messages Version 7 2 http www cisco com en US products ps6120 products_command_reference_chapter09186a0080 63f0f5 html wp1683322 Cisco Security Appliance System Log Messages Version 7 2 http w...

Page 135: ...n the ASA or PIX to move a syslog message to a new level The following syslog message IDs are those required for proper sessionization If you change the logging level of the firewall ensure that the following messages IDs are generated at the new level so the MARS Appliance receives them Note The syslog message IDs listed below are required for sessionization However other logs at the debug or inf...

Page 136: ...dding a Cisco ASA PIX 7 0 and FWSM to MARS has two distinct steps First you must define the settings for the admin context Then if multiple context mode is enabled you define or discover the settings for its security contexts These Cisco firewall device have two type of contexts one admin context which is used for configuration of the device itself and one or more security contexts For Cisco ASA y...

Page 137: ...maps queries and in the Security and Monitoring Device list For devices that support the discovery operation such as routers and firewalls MARS renames this field s value to match the name discovered in the device configuration which typically uses the hostname domain format For devices that cannot be discovered such as Windows and Linux hosts and host applications MARS uses the provided value Ste...

Page 138: ...unity string in the SNMP RO Community field Before you can specify the SNMP RO string you must define an access IP address MARS uses the SNMP RO string to read MIBs related to a reporting device s CPU usage network usage and device anomaly data and to discover device and network settings Step 8 Optional To enable MARS to monitor this device for anomalous resource usage select Yes from the Monitor ...

Page 139: ...pology Updates page 2 39 Step 11 To add this device to the MARS database click Submit Result The submit operation records the changes in the database tables However it does not load the changes into working memory of the MARS Appliance The activate operation loads submitted changes into working memory Step 12 Click Activate Result MARS begins to sessionize events generated by this device and evalu...

Page 140: ...xt name defined on the device Step 5 Enter the IP address of the security context from which syslog messages or SNMP notifications or both are published in the Reporting IP field To learn more about the reporting IP address its role and dependencies see Understanding Access IP Reporting IP and Interface Settings page 2 8 Step 6 Optional To enable MARS to retrieve MIB objects for this security cont...

Page 141: ...ick Add Available Module Step 2 Select a security context from the Select list Step 3 Click Add Step 4 Repeat for other contexts Step 5 To save your changes click Submit After you add discovered contexts you must edit them to provide the contact information required by MARS Continue with Edit Discovered Security Contexts page 4 13 Edit Discovered Security Contexts Note You must edit all discovered...

Page 142: ...us resource usage select Yes from the Monitor Resource Usage list Result MARS monitors the device for anomalous consumption of resources such as memory and CPU If anomalies are detected MARS generates an incident Resource utilization statistics are also used to generate reports For more information see Configuring Resource Usage Data page 2 41 Step 5 To save your changes click Submit Step 6 Repeat...

Page 143: ...e NetScreen Device To prepare the NetScreen device to be monitored by MARS follow these steps Step 1 Login to the NetScreen with appropriate username and password Step 2 In the main screen on the left hand column click Network Interfaces Step 3 Click Edit next to the appropriate interface to configure for MARS to have access to SNMP and Telnet SSH ...

Page 144: ...t one of the following values SNMP Telnet SCS 4 0 only SSH 5 0 and later MARS can only use one of the access methods to perform configuration discovery This value will also be selected in the Access Type value of Add the NetScreen Device to MARS page 4 20 Step 5 Click Apply then click OK Step 6 Configure the SNMP information by selecting Configure Report Settings SNMP ...

Page 145: ...he MARS IP address in the Host List by clicking Edit Step 8 Enter the MARS IP address and verify that this Community Name in this window is the same community string entered in the MARS web interface when adding this device Step 9 Optional If the community string does not match click New Community to define one that matches the on defined in MARS ...

Page 146: ... Step 11 Verify that the Enable Syslog Messages and Include Traffic Log boxes are checked Step 12 Enter the IP address of the MARS Appliance that will listen for events from this device Step 13 Verify that the default syslog port number of 514 is selected Step 14 Select the AUTH SEC for Security Facility and LOCAL0 for Facility Step 15 For NetScreen 5 0 select the Event Log in addition to Traffic ...

Page 147: ...evices NetScreen ScreenOS Devices Step 17 Configure logging for each policy that user wants to send the events to the MARS Appliance Select Policies on the left hand area Step 18 Click Edit then Advance and verify that Logging box is checked Repeat for all policies which events need to be sent to MARS ...

Page 148: ...in the Device Name field MARS maps this name to the reporting IP address This name is used in topology maps queries and in the Security and Monitoring Device list For devices that support the discovery operation such as routers and firewalls MARS renames this field s value to match the name discovered in the device configuration which typically uses the hostname domain format For devices that cann...

Page 149: ... a reporting device s CPU usage network usage and device anomaly data and to discover device and network settings Step 8 Optional If you defined an access IP and selected and configured an access type click Discover to determine the device settings Result If the username and password are correct and the MARS Appliance is configured as an administrative host for the device the Discovery is done dia...

Page 150: ...r and only exists within the context of a Provide 1 SiteManager 1 infrastructure CPMI Check Point Management Interface Communications protocol used for configuration discovery LEA Log Export API Communications protocol used for retrieving audit and firewall logs MDG Multi Domain GUI GUI used for managing Provider 1 SiteManager 1 deployments The MDG is the parent GUI that can launch specific SmartD...

Page 151: ...red on the MDS Each per customer security policy is managed through a CMA which also reside on the MDS The Provider 1 system allows the service provider and the end customers to maintains separate log servers using the MLM and CLM respectively The user interface for Provider 1 is called the MDG This system also support a tiered fault tolerant configuration via redundancy at the gateway CMA or MDS ...

Page 152: ... the enforcement module or forwarded to a separate logging module CLM In addition to understanding the components it is important to understand how Check Point components use Secure Internal Communications SIC to securely communicate with each other and with third party OPSEC applications SIC is the process by which MARS Appliance authenticates to the SmartCenter Server and other Check Point compo...

Page 153: ...pliance and each Check Point log module For SmartCenter and SmartCenter Pro the server SIC DN is the one assigned to the primary management station However for Provider 1 and SiteManager 1 the server SIC DN varies based on release For Provider 1 and SiteManager 1 NG FP3 and NG AI R55 the server SIC DN is the one associated with the CMA For Provider 1 and SiteManager 1 NGX R60 you can use the SIC a...

Page 154: ...he policies Policy installation include an object database push that make the Check Point modules aware of the OPSEC Application representing the MARS Appliance Without this step the modules will not forward any log information via LEA To perform this task you need a Check Point user account with administrative privileges This account must be able to create a new host define OPSEC application defi...

Page 155: ...ual hostname of the MARS Appliance Step 5 Enter the IP address of the monitoring interface in the MARS Appliance in the IP Address field Typically the monitoring interface is eth0 However if one or more intermediate gateways are applying NAT rules to the physical IP address enter the IP address that is exposed to the Check Point central management server Step 6 Click OK to close the Host Node dial...

Page 156: ...are using Provider 1 or SiteManager 1 NGX use the MDG Step 2 Select Manage Servers and OPSEC Applications from the main menu Result The Servers and OPSEC Application dialog box appears Step 3 Click the New button and then click OPSEC Application on the menu list Result The OPSEC Application Properties dialog box appears Step 4 Specify the name for this object in the Name field This value must be d...

Page 157: ... activation key in the Activation Key and Confirm Activation Key fields of the Communication dialog box Note Remember this key for future use with MARS Step 11 Click Initialize to generate the client SIC DN Result The client SIC DN is generated and the Communication dialog box closes returning to the OPSEC Application Properties dialog box The new SIC appears in the DN field Step 12 Click Close to...

Page 158: ...redentials of the MARS Appliance as an OPSEC component and SIC client Tip Using the Check Point log viewer you can verify that the OPSEC object was pushed successfully Step 18 Continue with Obtain the Server Entity SIC Name page 4 30 Obtain the Server Entity SIC Name The server SIC DN is one of the shared secrets used to provide non repudiation during a secure communication between a Check Point c...

Page 159: ...P3 or NG AI R55 installation The MDS of a Provider 1 or SiteManager 1 NGX R60 installation Log servers are the following devices SmartCenter server for standalone SmartCenter and SmartCenter Pro installations Each CLM of a Provider 1 or SiteManager 1 NG FP3 or NG AI R55 installation The MLM of a Provider 1 or SiteManager 1 NGX R60 installation Step 5 Click Edit The Check Point Host Management dial...

Page 160: ...repeat Step 5 through Step 7 Step 9 Click Close to close the Network Objects dialog box Step 10 Continue with Select the Access Type for LEA and CPMI Traffic page 4 32 Select the Access Type for LEA and CPMI Traffic Check Point devices use special access types for configuration discovery and event log queries For configuration discovery the protocol is CPMI For event log queries the protocol is LE...

Page 161: ...ber must match the port number on which the desired network service listens A port_number of 0 zero indicates that log server is not listening in CLEAR mode If it is some other number then any service can come pull the logs without authenticating For LEA_SERVER you cannot use port 18184 as it is used for encrypted log communications For CPMI_SERVER you cannot use port 18190 When CLEAR is enabled a...

Page 162: ...h Create and Install Policies page 4 34 Create and Install Policies You must create firewall policies that permit the MARS Appliance to access the relevant ports of the Check Point central management server and any remote log servers The default ports are as follows TCP port 18190 Used by CPMI to discover configuration settings TCP port 18210 Used to retrieve the certificate from the Certificate A...

Page 163: ... the security policies that enable traffic flows between the Check Point and MARS components select Policy Install on the main menu Step 5 In the Install Policy dialog box verify the Advanced Security check box is selected for each selected installation target The target devices should be those firewalls that reside between the Check Point components and the MARS Appliance Step 6 Click OK to insta...

Page 164: ...ity Monitoring Analysis and Response System Reset the OPSEC Application Certificate of the MARS Appliance If you encounter an error when pulling the certificate as part of defining the Check Point devices in the MARS web interface you must reset the certificate before you can attempt to pull it again This procedure details how to reset the certificate or SIC associated with the OPSEC Application t...

Page 165: ...pter 4 Configuring Firewall Devices Check Point Devices Step 5 Click the Communication button under Secure Internal Communication Result The Communication dialog box appears Step 6 Click Reset to reset the certificate Step 7 Click Close to close the Communication dialog box ...

Page 166: ...ion Properties dialog box The new SIC appears in the DN field Step 8 Click OK to close the OPSEC Application Properties dialog box Step 9 Click Close to close the Servers and OPSEC Application dialog box Result The OPSEC Application that represents MARS is defined and associated to the correct host You also have obtained the activation key and client SIC DN for later use in Add a Check Point Prima...

Page 167: ...hentication type and port to use for each supported access type 5 Optional Define the settings for secure communications If the access communication are not conducted in CLEAR then you must specify the client and server SIC DNs and identify the certificate authority 6 Optional Define the routes used by the firewall running on the primary management station If a firewall is running on the primary m...

Page 168: ...ou are defining a CMA for Provider 1 or SiteManager 1 you must have the virtual IP address VIP for each CMA and CLM managed by the MDS Add a Check Point Primary Management Station to MARS The primary management station represents one of the following The SmartCenter server in a SmartCenter or SmartCenter Pro installation A CMA of a Provider 1 or SiteManager 1 installation Note Check Point 4 1 NG F...

Page 169: ...with a CMA or the physical IP address of the SmartCenter server To learn more about the reporting IP address its role and dependencies see Understanding Access IP Reporting IP and Interface Settings page 2 8 Step 4 Under Enter interface information enter the interface name IP address and netmask value of each interface in the Check Point server from which configuration information will be discover...

Page 170: ...iscovery operation identifies any child enforcement modules managed by this primary management station It also discovers the NAT and ACL information necessary for NAT based correlation attack path calculation and mitigation analysis For more information on the access type see Select the Access Type for LEA and CPMI Traffic page 4 32 Access Port Verify that the port number corresponds to the value ...

Page 171: ... obtained in Obtain the Server Entity SIC Name page 4 30 Typically this value is the SIC DN of the SmartCenter server or of the CMA In the case of Provider 1 and SiteManager 1 NGX R60 this value is the SIC DN of the MDS that manages the CMA Step 12 Optional To enable MARS to retrieve MIB objects for this reporting device enter the device s read only community string in the SNMP RO Community field ...

Page 172: ...f you have not enabled configuration discovery on the primary management station or if one or more of the managed firewalls uses a log server that is not managed by the primary management station you can manually define firewalls or log servers Your goal should be to represent all of the firewalls managed by this primary management station and all log servers used by those firewalls and the primar...

Page 173: ... represents the primary management station and click Edit Such devices have CheckPoint Management Console as an entry in the Device Type column Step 3 Click Next to access the Reporting Applications tab Step 4 Select the CheckPoint Management Console check box in the Device Type list and click Edit The Access Information page appears Step 5 Click Add under Firewall Log Server Settings Result The l...

Page 174: ...nue with Step 7 Result A page appears prompting you to specify device name and SNMP RO Community string Step 7 Enter the name of the child enforcement module or log server in the Device Name field MARS maps this name to the IP address specified in the interfaces This name is used in topology maps queries and appears in the Children column of the base Check Point module in the Security and Monitori...

Page 175: ...anaged by this primary management station and each log server that is used by the primary management station or child enforcement modules Step 14 To add this device to the MARS database click Submit Result The submit operation records the changes in the database tables However it does not load the changes into working memory of the MARS Appliance The activate operation loads submitted changes into...

Page 176: ...pplication that Represents MARS page 4 27 Activation Key This value was also provided in Define an OPSEC Application that Represents MARS page 4 27 Step 3 Click Pull Certificate Result A message box appears stating Discovery is done A certificate can be pulled only once for an OPSEC Application If for any reason the pull operation fails you must reset the certificate using the CheckPoint SmartDash...

Page 177: ...umber in the corresponds to the value specified in the LEA_SERVER auth_port line of the fwopsec conf file on this log server The default authentication method for configuration discovery is SSLCA and data is passed on port 18184 Step 4 If this log server uses SSLCA or ASYMSSLCA as an authentication method specify values for the following fields Otherwise the authentication method is CLEAR Skip to ...

Page 178: ...tep 2 Click Edit Step 3 Optional To enable MARS to retrieve MIB objects for this reporting device enter the child enforcement module s read only community string in the SNMP RO Community field Before you can specify the SNMP RO string you must define an access IP address on host that represents the primary management station MARS uses the SNMP RO string to read MIBs related to a reporting device s...

Page 179: ...efault gateway Metric Identifies the priority for using a specific route When routing network packets a gateway device uses the rule with the most specific network within the rule s definition Only in cases where two routing rules have the same network is the metric used to determine which rule is applied If they are the same the lowest metric value takes priority If no routing rule exists the net...

Page 180: ...ement station is the log server for a child enforcement module the log server information is populated when you perform the test connectivity operation Figure 4 1 Log Information Published to Primary Management Station Log Server Identifies that another log server such as a CLM is acting as the log server for this child enforcement module You must either select a pre defined log server or define t...

Page 181: ...ed option is selected Step 2 Do one of the following Select a predefined log server from the Select list click Submit and continue with Step 5 Click Add to define a new log server Step 3 Specify values for the following fields Device Name Enter the name of the log server MARS maps this name to the reporting IP address This name is used in topology maps queries and as the primary management station...

Page 182: ... Access Type and LEA Access Type and you should skip to Step 5 Certificate Either select the previously defined server from the list or click Add to define a new certificate authority and continue with Add a Check Point Certificate Server page 4 47 Client SIC Name Enter the SIC DN of the OPSEC application for the MARS Appliance This value was obtained in Define an OPSEC Application that Represents...

Page 183: ... your network changes so that a firewall or log server is no longer managed by the primary management station under which it is defined you must remove the child enforcement module To remove a child enforcement module from the primary management station follow these steps Step 1 Select Admin System Setup Security and Monitor Devices Step 2 From the Security and Monitor Devices list select the host...

Page 184: ...ported version of Check Point Discovery works only with NG FP3 and above Internally we have tested up to Version R60 Invalid authentication method used The default method is SSLCA Check the fwopsec conf file to determine which method is used CS MARS currently support only three authentication methods for CPMI communication SSLCA ASYM_SSLCA and CLEAR For more information on specifying these setting...

Page 185: ...4 57 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 4 Configuring Firewall Devices Check Point Devices ...

Page 186: ...4 58 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 4 Configuring Firewall Devices Check Point Devices ...

Page 187: ... 3000 Concentrator versions 4 0 1 and 4 7 To enable communications you must perform two tasks Bootstrap the VPN 3000 Concentrator page 5 1 Add the VPN 3000 Concentrator to MARS page 5 2 Bootstrap the VPN 3000 Concentrator To configure a Cisco VPN 3000 Concentrator to generate and publish events to the MARS Appliance you must verify that the correct events are generated in the correct format and yo...

Page 188: ...ervers Step 6 Click Add to define a target syslog server Step 7 In the Syslog Server field enter the IP address or hostname of the MARS Appliance Step 8 Click Add to save the syslog server settings Step 9 Click Save in the top right corner to save all changes Add the VPN 3000 Concentrator to MARS To add the VPN 3000 Concentrator to MARS follow these steps Step 1 Select Admin Security and Monitor D...

Page 189: ...e Access IP field Step 5 Enter the IP address from which the syslog messages are sent to MARS in the Reporting IP field Step 6 Select SNMP from the Access Type list Step 7 Optional To enable MARS to retrieve MIB objects for this Concentrator enter the device s read only community string in the SNMP RO Community field MARS uses the SNMP RO string to read MIBs related to the reporting device s CPU u...

Page 190: ...5 4 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 5 Configuring VPN Devices Cisco VPN 3000 Concentrator ...

Page 191: ...hield page 6 22 Snort 2 0 page 6 28 Symantec ManHunt page 6 29 NetScreen IDP 2 1 page 6 31 Enterasys Dragon 6 x page 6 33 Cisco IDS 3 1 Sensors Before you add the Cisco IDS 3 1 device make sure that you have configured the Cisco IDS device for the MARS to retrieve the device configuration The device configuration would be used for mapping of the logs received by MARS When configuring the IDS devic...

Page 192: ...rganization name protego If there is already item in this file simply increase the item number has to be unique Figure 6 1 Add MARS Information to Cisco IDS 3 1 Organizations File In the hosts file add a line indicating your MARS appliances name associated to the organization that was previously added in the organizations file e g 2001 1 pnmars protego where 2001 1 is a unique item number followed...

Page 193: ...logs to MARS Add a 1 follows by a 5 at the end of this line these numbers are not used by MARS Figure 6 3 Add MARS Information to Cisco IDS 3 1 Routes File In the destinations file add a line indicating your MARS appliances name as defined in the routes file the client process that the appliance is using to listen for events from the sensor in this case smid and the list of log types you want sent...

Page 194: ...dd Step 2 Select Cisco IDS 3 1 from the Device Type list Step 3 Enter the hostname of the sensor in the Device Name field The Device Name value must be identical to the configured sensor name Step 4 Enter the administrative IP address in the Access IP field Step 5 Enter the administrative IP address in the Reporting IP field The Reporting IP address is the same address as the administrative IP add...

Page 195: ...ce settings click Discover Step 10 Click Submit Cisco IDS 4 0 and IPS 5 x Sensors Adding a Cisco IDS or IPS network sensor to MARS involves two parts 1 Bootstrap the Sensor page 6 5 2 Add and Configure a Cisco IDS or IPS Device in MARS page 6 6 3 Verify that MARS Pulls Events from a Cisco IPS Device page 6 10 The following topic supports Cisco IDS and IPS devices View Detailed Event Data for Cisco...

Page 196: ...lowed host one that can access the sensor and pull events If the sensors have been configured to allow access from limited hosts or subnets on the network you can use the access list ip_address netmask command to enable this access Enable the Correct Signatures and Actions If the signature actions are correctly configured MARS can display the trigger packet information for the first event that fir...

Page 197: ...lect Cisco IDS 4 0 from the Device Type list Figure 6 6 Configure Cisco IDS 4 0 Select Cisco IPS 5 x from the Device Type list Figure 6 7 Configure Cisco IPS 5 x Step 3 Enter the hostname of the sensor in the Device Name field The Device Name value must be identical to the configured sensor name Step 4 Enter the administrative IP address in the Access IP field ...

Page 198: ...ddress in the Network IP field b Enter the corresponding network mask value in the Mask field c Click Add to move the specified network into the Monitored Networks field d Repeat as needed To select the networks that are attached to the device click the Select a Network radio button a Select a network from in the Select a Network list b Click Add to move the selected network into the Monitored Net...

Page 199: ... data packet the data packet that caused the alarm to fire Packet data Identifies the data that was being transmitted on the network the instant an alarm was detected You can use this information to help diagnose the nature of an attack Although the amount of data contained in an IP log varies based on sensor configuration by default an IP log contains 30 seconds of packet data To view this data y...

Page 200: ...IPS Modules MARS can monitor Cisco IPS modules installed in Cisco switches and Cisco ASA appliances To prepare these modules you must perform the following tasks Define the base module either the router switch or Cisco ASA as defined in Cisco Router Devices page 3 1 Cisco Switch Devices page 3 9 and Cisco Firewall Devices PIX ASA and FWSM page 4 1 Bootstrap the base module to enable SDEE traffic o...

Page 201: ...outer config ip sdee subscriptions 3 Router config ip sdee events 1000 Router config no ip ips notify log Note The no ips notify log causes the IPS modules to stop sending IPS events over syslog Add an IPS Module to a Cisco Switch or Cisco ASA You can enable in line IPS functionality and signature detection in multi purpose Cisco platforms You can identify an IDS M2 running in a Cisco Switch or an...

Page 202: ...d Step 6 Enter the administrative IP address in the Reporting IP field Step 7 The Reporting IP address is the same address as the administrative IP address Step 8 In the Login field enter the username associated with the administrative account that will be used to access the reporting device Step 9 In the Password field enter the password associated with the username specified in the Login field S...

Page 203: ... Adding User Defined Log Parser Templates page 15 1 MARS supports ISS NIDS and HIDS event retrieval via SNMP However when configuring ISS RealSecure sensors NIDS and hosts HIDS you must configure each active signature to send an alert to the MARS Appliance This task can be very tedious as it must be done for each sensor and after each signature upgrade as it resets the redirect configuration One a...

Page 204: ... in Site Protector For more information on using the Wizard as well as these other methods see Chapter 9 Registering Software Managed by SiteProtector on page 105 at the following URL http documents iss net literature SiteProtector SPUserGuideforSecurityManagers20SP52 pdf Step 2 Right click the sensor to edit and click Edit Settings on the shortcut menu The Edit Settings dialog appears ...

Page 205: ... Protector Step 3 Create a new SNMP response that sends messages to the IP address of the MARS Appliance a Select Response Objects from the settings tree b Select the SNMP tab c Click Add to create a new SNMP response object using the IP address of the MARS Appliance Step 4 Select the Security Events to configure new SNMP destination ...

Page 206: ...ty Events under the sensor folder b Select the required security events from the Security Events tab The Group By button allows you to group policies using any number of parameters Note You can also select policies and edit them at the group level c Click Edit to configure SNMP response of all the selected policies Step 5 Select the MARS Appliance on SNMP tab ...

Page 207: ...reated in Step 3 a Click OK The security events and updated response target are applied to the selected sensor during the next synchronization ISS RealSecure 6 5 and 7 0 To configure ISS RealSecure you must perform the following four tasks 1 Prepare each ISS sensor as follows Edit the common policy files to point to the MARS Appliance as an SNMP target Modify the current policy files to configure ...

Page 208: ...ep 3 Open the common policy files in a text editor Step 4 Change the line that reads Manager S to Manager S MARS s IP address If MARS Appliance s IP address is NATed you may need to use the NATed address If you use the MARS Appliance s IP address as the destination IP address make sure the SNMP trap can reach MARS Appliance Step 5 Save these edited files and exit the editor Step 6 Locate the curre...

Page 209: ...d the community string SMTP_HOST S addr_1 S Response SNMP Response SNMP Default Manager S Community S public to Manager S MARS s IP address Community S string public If MARS Appliance s IP address is NATed you may need to use the NATed address If you use the MARS Appliance s IP address as the destination IP address make sure the SNMP trap can reach MARS Appliance Step 11 Save these edited files an...

Page 210: ...k IP field b Enter the corresponding network mask value in the Mask field c Click Add to move the specified network into the Monitored Networks field d Repeat as needed To select the networks that are attached to the device click the Select a Network radio button a Select a network from in the Select a Network list b Click Add to move the selected network into the Monitored Networks field c Repeat...

Page 211: ...on Reporting Applications tab Step 6 From the Select Application list select RealSecure 6 5 or 7 0 Step 7 Click Add Step 8 Click the HIDS radio button Figure 6 10 Configure ISS Real Secure HIDS Step 9 Click Submit Step 10 For multiple interfaces click on General Tab and add the new interfaces name IP address and network mask Figure 6 11 Adding Multiple Interfaces Step 11 Click Apply ...

Page 212: ...to MARS page 6 23 Configure IntruShield Version 1 8 to Send SNMP Traps to MARS page 6 23 Add and Configure an IntruShield Manager and its Sensors in MARS page 6 25 Extracting Intruvert Sensor Information from the IntruShield Manager IntruVert sensor information is saved in a database on the IntruShield Manager host When you configure the MARS to add Intruvert sensors you can manually add the mappi...

Page 213: ... Server IP Address Enter MARS s IP address as it appears to IntruShield b Target Server Port Number Enter MARS s port number 162 c SNMP Version 1 d Check the Forward Alerts box e Select the For this and child admin domains radio button f Select the severity from the list Cisco recommends selecting High and Medium severity g Check the Forward Faults box h Select the severity from the list Cisco rec...

Page 214: ...de for Cisco Security MARS Local Controller 78 17020 01 Chapter 6 Configuring Network based IDS and IPS Devices IntruVert IntruShield Figure 6 12 IntruShield SNMP Forwarder Configuration Step 6 Click the Add button ...

Page 215: ...MP Version 1 e Forward Alerts f Select the severity from the list Cisco recommends selecting Informational and above severity g Customize Community Enter the community string that you want to use Step 8 Click Apply and exit the program Add and Configure an IntruShield Manager and its Sensors in MARS Adding an IntruVert device has two distinct steps First you add configuration information for the f...

Page 216: ...e definition of this console click Add Figure 6 14 Add IntruShield Sensors Step 8 Continue defining the sensors that the console manages using one of two methods Add IntruShield Sensors Manually page 6 26 Add IntruShield Sensors Using a Seed File page 6 27 Add IntruShield Sensors Manually To add sensors manually follow these steps Step 1 Click Add Sensor Step 2 Enter the Device Name Sensor Name an...

Page 217: ...ng Intruvert Sensor Information from the IntruShield Manager page 6 22 Step 3 Click Submit The list of sensors appears on the management console page Step 4 For each sensor that appears in the management console page select the check box next to the sensor and click Edit Sensor Step 5 For attack path calculation and mitigation specify the networks being monitored by the sensor Do one of the follow...

Page 218: ...ng ip ip to identify the five tuple values Configure Snort to Send Syslogs to MARS For Snort use the syslog as your output plugin Configure your syslogd to send copies to another host On most older style systems Solaris Linux you need to edit etc syslog conf Assuming that the system is based on syslogd and not any of the newer system logging facilities The newer logging facilities are not supporte...

Page 219: ...in the Network IP field b Enter the corresponding network mask value in the Mask field c Click Add to move the specified network into the Monitored Networks field d Repeat as needed To select the networks that are attached to the device click the Select a Network radio button a Select a network from in the Select a Network list b Click Add to move the selected network into the Monitored Networks f...

Page 220: ...t Configuration Step 3 In the Response Rules window click Action Add response Rules Step 4 Click in the field of Response Action Figure 6 16 ManHunt Response Rule Config Step 5 In the left menu click SNMP Notification and enter the following information a SNMP Manager IP address Reporting IP address of MARS b Maximum number of SNMP notification Example 100000 ...

Page 221: ...k Add Step 8 For attack path calculation and mitigation specify the networks being monitored by the sensor Do one of the following To manually define the networks select the Define a Network radio button a Enter the network address in the Network IP field b Enter the corresponding network mask value in the Mask field c Click Add to move the specified network into the Monitored Networks field d Rep...

Page 222: ...policies Step 8 From the main menu click Policy Install MARS side Configuration Add Configuration Information for the IDP Step 1 Click Admin System Setup Security and Monitor Devices Add Step 2 From the Device Type list select Add SW Security apps on a new host or Add SW security apps on existing host Step 3 Enter the Device Name and IP Addresses if adding a new host Step 4 Click Apply Step 5 Clic...

Page 223: ...nto the Monitored Networks field d Repeat as needed To select the networks that are attached to the device click the Select a Network radio button a Select a network from in the Select a Network list b Click Add to move the selected network into the Monitored Networks field c Repeat as needed Step 6 To save your changes click Submit Step 7 To enable MARS to start sessionizing events from this modu...

Page 224: ...slog and alarm syslog match Step 11 In the main screen click Deploy and Reset to confirm the configuration change Host side Configuration Configure the syslog on the UNIX host Step 1 Log into the host as the root user Step 2 On the same system running the DPM or EFP edit the file etc syslog conf Step 3 Make sure n in localn matches the syslog entry you used on the DPM or EFP Step 4 Add the line lo...

Page 225: ... attack path calculation For multiple interfaces click Add Interface and add the new interfaces s name IP address and mask Step 5 For attack path calculation and mitigation specify the networks being monitored by the sensor Do one of the following To manually define the networks select the Define a Network radio button a Enter the network address in the Network IP field b Enter the corresponding n...

Page 226: ...6 36 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 6 Configuring Network based IDS and IPS Devices Enterasys Dragon 6 x ...

Page 227: ...file that identifies each of the Entercept hosts by logging into the host running the Entercept console and copying the data out of the database table 2 Configure the Entercept console to send SNMP traps to the MARS Appliance 3 Identify the events that should be generated as SNMP traps 4 Define a host that represents the management console Entercept console in MARS web interface 5 From that host i...

Page 228: ...ady for the MARS box to load A sample agents txt file could be 1 3 entercept1 6 1 1 1 438 1 127 0 0 1 0 1051055867 2086 where the fields are AgentID AgentTypeID ComputerName ComputerType NewFlag StatusID OperatingModeID VersionID VersionModeID IP License Note NoConnection and UpTime Define the MARS Appliance as an SNMP Trap Target Step 1 Log in to the Entercept Console Step 2 Click Configuration S...

Page 229: ...d Configure an Entercept Console and its Agents in MARS Adding an Entercept device has two distinct steps First you add configuration information for the for the Entercept Console host Second you add the agents managed by that console Add and Configure an Entercept Console and its Agents in MARS page 7 3 Add Entercept Agents Manually page 7 4 Add Entercept Agents Using a Seed File page 7 4 Add the...

Page 230: ...e Agent Name and its Reporting IP address if Adding new device For the first interface enter an IP address and mask For multiple interfaces click Add Interface and add the new interfaces IP address and mask Step 4 Click Submit Add Entercept Agents Using a Seed File Step 1 Click Load From CSV Step 2 Enter the FTP server information and location of the CSV comma separated values file If you need to ...

Page 231: ...wever you are not required to define each agent The default topology presentation for discovered CSA agents is within a cloud Note The first SNMP notification from an unknown CSA agent appears to originate from the CSA MC MARS parses this notification and defines a child agent of the CSA MC using the discovered settings Once the agent is defined all subsequent messages appear to originate from the...

Page 232: ...er IP address field enter the MARS s IP address Step 9 Click Save and exit the program Export CSA Agent Information to File With the release of MARS 4 1 1 you are no longer required to define each Cisco CSA agent as they are discovered as a device sends an SNMP notification to the CSA Management Console CSA MC Note The following instructions apply to Cisco CSA 4 x when Microsoft Internet Explorer ...

Page 233: ... the device MARS can discover the agents that are managed by that CSA MC However you can also chose to manually add the agents To add a CSA MC to MARS follow these steps Step 1 Click Admin Security and Monitor Devices Add Step 2 From the Device Type list select Add SW security apps on a new host or Add SW security apps on existing host Step 3 Enter the Device Name and IP addresses if adding a new ...

Page 234: ...ep 5 Do one of the following Select the existing device click Edit Existing and continue with Step 8 A page displays with the values pre populated for hostname reporting IP address and at least one interface Click Add New and continue with Step 6 Step 6 In the Device Name field enter the hostname on which this CSA agent resides This value should reflect the DNS entry for this device Step 7 In the ...

Page 235: ... 4 Click Load From File a Caution The file should be formatted as a tab delimited file You cannot use a CSV file To generate a tab delimited file of the CSA agents managed by the CSA MC see Export CSA Agent Information to File page 7 6 Step 5 In the IP Address field enter the address of the FTP server where you stored the exported hosts file as described in Export CSA Agent Information to File pag...

Page 236: ... number varies Error Occurred Status DbDevice occurred parsing the file at line 1 Occurs when duplicate files are imported even if you have deleted all of the agents and the CSA MC Success Status OK Indicates a successful import of CSA agents using the tab delimited file Error Occurred Status FileNotFoundException Indicates that the file does not exist at the specified path If the path is at the r...

Page 237: ...xpedite populating the Agent list in MARS Export the AntiVirus Agent List page 8 7 Configure the AV Server to Publish Events to MARS Appliance To configure the AV server to publish events to MARS follow these steps Step 1 Log in to the Windows server running Symantec AV Step 2 To identify the Local Controller as a valid SNMP trap destination click Administrative Tools Services SNMP Service Traps T...

Page 238: ...iVirus Configuration Figure 8 1 Symantec Unlock Server Step 7 Configure Symantec server AMS Alert Management System to send SNMP traps to MARS Right click the unlocked server group name then select All Tasks AMS Configure Figure 8 2 Symantec AV AMS Step 8 Select Send SNMP Trap under each Alert Action then click Configure ...

Page 239: ...Figure 8 3 Symantec AV Trap Step 9 Click Send SNMP trap and then click Next Figure 8 4 Symantec AV Send SNMP Trap Step 10 Select the Local Controller to send the SNMP trap to as defined in Step 3 and then click Next to view the Action Message window Step 11 Add alert parameters to the Alert message list according to the following information ...

Page 240: ...s Alert Alert Name Computer Computer Name Date Date Time Time Action Actual Action Description Description Note This ordering is required is because some optional fields can be so long as to prevent Mars from correctly parsing the mandatory fields if they do not appear first in the list of attributes The following optional fields can be defined after all mandatory fields are defined User User Viru...

Page 241: ...equested Action User User Virus Name Virus Name Alert Virus Definition File Update Alert Alert Name Computer Computer Name Date Date Time Time Description Description Severity Severity Source Source Alert Symantec AntiVirus Startup Shutdown Alert Alert Name Computer Computer Name Date Date Time Time Description Description Severity Severity Source Source Alert Scan Start Stop Alert Alert Name Comp...

Page 242: ...gger Alert Default Alert Alert Alert Name Computer Computer Name Date Date Time Time Severity Severity Source Source Failed Alert Failed Alert Alert Configuration Change Alert Alert Name Computer Computer Name Date Date Time Time Severity Severity Source Source Failed Alert Failed Alert Alert Configuration Change Alert Alert Name Computer Computer Name Date Date Time Time Description Description S...

Page 243: ...ct steps First add the host configuration information Then add its agents either manually or from the seed file Tip For Symantec AntiVirus the Symantec agent hostname AV client computer name appears in the Reported User column of the event data Therefore you can define a query report or rule related to this agent based on the Reported User value To add the host and application configuration inform...

Page 244: ... you can use the file to import the list of agents into the MARS web interface as child modules of the Symantec AV server Note Other population options exist MARS can automatically discover agents default or you can manually add them one at a time see Add Agent Manually page 8 7 To import the list of AV agents into MARS follow these steps Step 1 Click Load From CSV Step 2 Enter the FTP server info...

Page 245: ... username and password required to access the ePolicy Orchestrator server and click OK Step 4 In the tree select McAfee Security ePolicy Orchestrator Server_Name Notifications and click the Configuration tab and click the SNMP Servers link Step 5 Click Add Step 6 In the Name field enter the hostname of the MARS Appliance Step 7 In the Server address field enter the IP address of the eth0 interface...

Page 246: ...Afee Security ePolicy Orchestrator Server_Name Notifications and then clicking the Rules tab Step 9 Edit each rule in the list so that all notifications are sent to the SNMP server that represents the MARS Appliance To edit a rule follow these steps a Click the rule The Describe Rule wizard page appears b Click Next to proceed to Set Filters page c Under Add or Edit Notification Rule click the 3 S...

Page 247: ...pter 8 Configuring Antivirus Devices McAfee ePolicy Orchestrator Devices Figure 8 6 Set Threshold Values d Verify the Aggregation and Throttling values are set as shown in Figure 8 6 on page 8 11 e Click Next to proceed to the Create Notifications page f Click Add SNMP Trap ...

Page 248: ...er in MARS Before MARS can begin processing SNMP traps from ePolicy Orchestrator you must define the ePolicy Orchestrator server as software running on a host When ePolicy Orchestrator is defined as a reporting device MARS can process any inspection rules that you have defined using ePolicy Orchestrator event types After you add the ePolicy Orchestrator server to MARS the appliance can discover th...

Page 249: ...n across Cisco IOS routers switches and IPS devices In coordination with Trend Micro s incident control solutions Cisco ICS prevents the spread of day zero outbreaks in three ways First Cisco ICS issues temporary ACLs to those Cisco mitigation devices that can block such traffic typically using a protocol and port pair block This temporary block is referred to as an Outbreak Prevention ACL OPACL S...

Page 250: ...at are sent to MARS The Cisco ICS events for which syslog messages are geneerated have been selected to provide the most benefit to your Security Threat Mitigation STM system To prepare Cisco ICS to publish events to MARS follow these steps Step 1 Log in to the Cisco ICS Management Console Step 2 Click Global Settings Syslog Servers Step 3 Click Add A Step 4 In the IP Address field enter the addre...

Page 251: ...e syslog messages will originate Step 5 Under Enter interface information enter the interface name IP address and netmask value of the interface in Cisco ICS server from which the syslog messages will originate This address is the same value as the Reporting IP address Step 6 Click Apply Step 7 Click Next to move the Reporting Applications tab Step 8 In the Select Application field select Cisco IC...

Page 252: ...S When defining inspection rules or reports you can access the list of Cisco ICS specific events by entering Cisco ICS in the Description CVE field and clicking Search on the Management Event Management page of the web interface There are four predefined system inspection rules for Cisco ICS New Malware Discovered New Malware Prevention Deployed New Malware Prevention Deployment Failed New Malware...

Page 253: ...tabase MARS continues to use this event information for false positive analysis until a successful vulnerability assessment import occurs Upon completion of the new import the historical event information associated with the deleted device is removed from the database This chapter explains how to bootstrap and add the following VA devices to MARS Foundstone FoundScan 3 0 page 9 1 eEye REM 1 0 page...

Page 254: ...data to MARS follow these steps Step 1 Run command svrnetcn at the DOS prompt on the host where FoundScan is installed Step 2 In the SQL Server Network Utility dialog box enable TCP IP by moving TCP IP from the Disabled Protocols list to Enabled Protocols list Step 3 Click Apply Add and Configure a FoundScan Device in MARS To add a FoundScan device in MARS follow these steps Step 1 Select Admin Se...

Page 255: ... Type Verify the value is MS SQL Login The login information for the database Password The password for the database Step 9 Click Submit Step 10 Click Apply Once you activate this device click Activate in the web interface you must define the schedule at which MARS should pull data from it For more information see Scheduling Topology Updates page 2 39 eEye REM 1 0 To configure MARS to pull this RE...

Page 256: ... to MARS follow these steps Step 1 Run command svrnetcn at the DOS prompt on the host where eEye REM 1 0 is installed Step 2 In the SQL Server Network Utility dialog box enable TCP IP by moving TCP IP from the Disabled Protocols list to Enabled Protocols list Step 3 Click Apply Add and Configure the eEye REM Device in MARS To add the eEye REM device in MARS follow these steps Step 1 Select Admin S...

Page 257: ...e schedule at which MARS should pull data from it For more information see Scheduling Topology Updates page 2 39 Qualys QualysGuard Devices In MARS a QualysGuard device represents a specific report query to the QualysGuard API Server which is the central API server hosted by Qualys The only one that you configure to work with MARS is the QualysGuard API Server You want to ensure that the QualysGua...

Page 258: ... required configuration is that you have an active account and Qualys subscription that is configured correctly to scan your network By default MARS assumes that you want to retrieve the most recent scan report saved on the QualysGuard server Depending on the number of IP addresses analyzed the QualysGuard scan takes from a few seconds to several minutes You need to estimate this time so that you ...

Page 259: ...ed as a hostname or IP address that identifies the primary Qualys server Report type Real time vs Last Saved The default value Real time Report qualysapi qualys com msp scan php ip addresses The addresses attribute specifies the target IP addresses for the scan request IP addresses may be entered as multiple IP addresses IP ranges or a combination of the two Multiple IP addresses must be comma sep...

Page 260: ...at schedule Even if you have more than one Qualys device on your network you cannot stagger when MARS queries those Qualys devices However you can define unique schedules across different Local Controllers For more information on the broader use of update rules see Scheduling Topology Updates page 2 39 To define the rule by which all Qualys devices will be discovered follow these steps Step 1 Clic...

Page 261: ...s unable to parse the scan report that it pulled from the Qualys device Two possible issues can account for this message Data corruption on the QualysGuard device Format changes to the report due to an issue on the QualysGuard device or due to a software upgrade on the QualysGuard device Verify that the QualysGuard device is running a supported version and that the device data is not corrupted Inv...

Page 262: ...9 10 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 9 Configuring Vulnerability Assessment Devices Qualys QualysGuard Devices ...

Page 263: ...x Identifies any of the Linux family of operating systems You should strive to define the application host as exactly as possible This guideline applies to the vulnerability assessment information as well as the general settings This detailed information helps MARS determine whether the host is susceptible to known attacks such as those that specifically target on operating system or application s...

Page 264: ...uest anonymous inbound outbound log syslog xferlog Step 2 inetd trace messages which provide the authentication information for services provided using inetd For inetd the line in etc rc2 d S72inetsvc that reads usr sbin inetd s needs to be changed to usr sbin inetd t s Other messages will automatically appear in the syslog and do not need to be specifically configured Step 3 Once you have enabled...

Page 265: ... added to the syslog conf file and you have restarted syslogd any messages sent to console are also sent to the MARS Appliance Configure MARS to Receive the Solaris or Linux Host Logs To add a Solaris or Linux device to MARS follow these steps Step 1 Click Admin Security and Monitor Devices Add Figure 10 1 Adding a Solaris or Linux Device Step 2 From the Device Type list select Add SW Security app...

Page 266: ...mit Step 6 Click Apply to add the device Microsoft Windows Hosts MARS processes data pulled from hosts running Microsoft Windows This data includes the events found in the security event log as well application event and system event logs You can use one of two methods to retrieve the logs from a host running Microsoft Windows whether it is a server or workstation version You can configure MARS to...

Page 267: ...ting devices monitoring the event log data generated by the host The host needs to run InterSect Alliance SNARE Agent for Windows which captures event log data and sends it to MARS The push method requires four steps 1 Install the SNARE agent on the Microsoft Windows host For more information see Install the SNARE Agent on the Microsoft Windows Host page 10 5 2 Configure the SNARE agent to forward...

Page 268: ...interface Step 2 Click Setup Network Configuration The Network Configuration page appears Step 3 Specify values for the following fields Override detected DNS Name with Specify the IP address or DNS name of the local host in the field Destination Snare Server address Specify the IP address or the DNS name of the MARS Appliance Step 4 Verify that the following options are selected Allow SNARE to au...

Page 269: ...g Microsoft For more information see Windows Event Log Pulling Time Interval page 10 11 Enable Windows Pulling Using a Domain User To enable Windows pulling using a domain user domain username for example CORP syslog do the following on the domain controller before you enable Windows pulling on your client Step 1 On the domain controller click Administrative Tools Default Domain Security Policy Se...

Page 270: ...indows XP Professional To enable MARS to pull event log data from a Windows Server 2003 or Windows XP host follow these steps Step 1 Go to Start Settings Control Panel Administrative Tools Local Security Policy The Local Security Settings applet appears Step 2 Configure the settings under the following Local Policy groups as specified Security Settings Local Security Policy User Rights Management ...

Page 271: ...SYSTEM CurrentControlSet Services Eventlog Application CustomSD HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services Eventlog System CustomSD Use the Security Identifier SID of the pulling account to replace the variable sid of the pulling account For example if the pulling account s SID is S 1 5 21 1801671234 2025421234 839521234 123456 and the original value of CustomSD is as follows O BAG SYD D...

Page 272: ...orms Microsoft Windows Generic Microsoft Windows NT Note If you are selecting Microsoft Windows XP Home Edition you must enable the Remote Procedure Call services under All Programs Control Panel Administrative Tools Services Step 8 Select either the Pull or the Receive checkbox based on the host configuration that you have performed Caution Do not select both checkboxes Doing so generates unpredi...

Page 273: ...ctivate the device click Activate If you selected the pull check box in Step 8 verfiy that a value has been specified for the interval at which which MARS pulls an event log from the host For more information see Windows Event Log Pulling Time Interval page 10 11 Windows Event Log Pulling Time Interval You can now set the interval at which MARS pulls an event log from all Microsoft Windows host th...

Page 274: ... then MARS can quickly determine whether the host is running the operating system that is targeted For hosts that are defined as the base platform of a reporting device you should define this information as part of that device definition However as MARS it begins to add discovered hosts to the list of hosts under Management IP Management You should periodically review these hosts to update their i...

Page 275: ...number the Patch field d Enter the name of manufacturer of the operating system in the Vendor field e Click Apply to save the operating system definition Result The new operating system definition is added to the Select operating system from list and it is the selected option If you define a custom operating system you must select Generic in the Operating System list on the General page of the hos...

Page 276: ... Step 1 To select the desired host do one of the following Select Management IP Management select the check box next to the desired host and click Edit Select Admin Security and Monitor Devices select the check box next to the desired host and click Edit Step 2 Click Add New Service under Current running services Note It may take five minutes or more for this dialog box to load You can place the c...

Page 277: ...figure the interval at which CS MARS should pull the logs from the Oracle database server Configuring the pull interval is a one time operation that applies to all of the Oracle database servers monitored by the MARS Appliance This section contains the following topics Configure the Oracle Database Server to Generate Audit Logs page 11 1 Add the Oracle Database Server to MARS page 11 2 Configure I...

Page 278: ...all the logs that you want to audit The following example is turning on the audit session SQL audit session Audit succeeded Step 5 Repeat the previous step for all the logs that you want to audit Step 6 Create a user account on this server and grant select privilege for the view dba_audit_trail Our example assumes the user has login name pnuser SQL grant select on dba_audit_trail to pnuser You ll ...

Page 279: ...dd Step 7 Enter the User Name Password and Oracle Service Name User Name the Oracle Database User Name Password the Oracle Database User password Oracle Service Name the Oracle Service Name The Oracle Service Name is the GLOBAL_DBNAME username server which can be found inside a file called listener ora Step 8 Click Test Connectivity to verify the configuration Step 9 Click Submit Configure Interva...

Page 280: ...co Security MARS Local Controller 78 17020 01 Chapter 11 Configuring Database Applications Oracle Database Server Generic Step 2 Enter the new time interval in seconds The default value is 300 five minutes Step 3 Click Submit ...

Page 281: ...ers running Microsoft Windows to MARS as reporting devices The Microsoft Windows computer needs to run InterSect Alliance SNARE for IIS from which MARS receives web log data Note Synchronize clocks of the Microsoft Windows system and the MARS to ensure times match between them Install and Configure the Snare Agent for IIS To configure IIS to publish logs to MARS you must install and configure a lo...

Page 282: ...Figure 12 1 Configure SNARE for Web Logging Step 2 In Target Host enter the IP address of the MARS Step 3 In Log Directory enter the directory where the logs are to be placed Step 4 In Destination click the Syslog radio button Step 5 Click OK To configure IIS for web logging Step 1 Click Start Programs Administrative Tools Internet Services Manager ...

Page 283: ...020 01 Chapter 12 Configuring Web Server Devices Microsoft Internet Information Sever Figure 12 2 Configure IIS for Web Logging Step 2 In the Tree tab on the left right click Default Web Site Step 3 On the shortcut menu select Properties Figure 12 3 Enable Logging ...

Page 284: ...e Logging is checked b From the Active log format list select W3C Extended Log Format c Click Properties Figure 12 4 Select General Log Settings d In the General Properties tab set the New Log Time Period to Daily Note The Log file directory must match the one previously set using the Audit Configuration program e In the Extended Properties tab make sure all available properties are selected ...

Page 285: ...tion To add configuration information for the host Step 1 Click Admin Security and Monitor Devices Add Step 2 From the Device Type list select Add SW Security apps on a new host or Add SW security apps on existing host Step 3 Enter the Device Name and IP Addresses if adding a new host Step 4 Select the Windows from Operation System list Step 5 Click Logging Info Step 6 For this configuration you m...

Page 286: ...e and add each new interface s name IP address and mask Step 9 Add as many IP addresses and masks to the interface as you need by clicking Add IP Network Mask Step 10 Click Apply Step 11 Click Reporting Applications tab Step 12 From the Select Application list select Generic Web Server Generic Step 13 Click Add Figure 12 7 Selecting the Windows Web Log format Step 14 Select W3C_EXTENDED_LOG format...

Page 287: ... the following URL http www cisco com cgi bin tablebuild pl cs mars misc Note Synchronize clocks of the UNIX or Linux system and the MARS to ensure times match between them Install and Configure the Web Agent on UNIX or Linux For MARS to recieve logs from a webserver you must install the Web agent agent pl version 1 1 on the target webserv and direct the agent to publish logs to the MARS Appliance...

Page 288: ...h the logs to the MARS at regular intervals The following example gets new entries from the access log and pushes them to MARS every five minutes crontab e 5 10 15 20 25 30 35 40 45 50 55 0 cd opt webagent agent pl weblogagent1 conf 5 10 15 20 25 30 35 40 45 50 55 0 cd opt webagent agent pl weblogagent2 conf Web Server Configuration To configure the Apache web server for the agent Step 1 In the fi...

Page 289: ...peration System list Step 5 Click Logging Info Step 6 For this configuration you must check the Receive host log box Figure 12 8 Unix or Linux Web Server Logging mechanism Step 7 Click Submit Step 8 Continue adding the interfaces For the first interface enter its name IP address and mask For multiple interfaces click Add Interface and add each new interface s name IP address and mask Step 9 Add as...

Page 290: ...ller 78 17020 01 Chapter 12 Configuring Web Server Devices Generic Web Server Generic Step 14 From the Web Log Format list select appropriately Step 15 Click Submit Note Once you have edited a device you must click Activate for the changes to take effect ...

Page 291: ...ance NetCache Generic This section contains the following topics Configure NetCache to Send Syslog to MARS page 13 1 Add and Configure NetCache in MARS page 13 2 Configure NetCache to Send Syslog to MARS Synchronize clocks of the NetCache device and the MARS to make sure times match between them Note MARS supports only HTTP proxy logs and MMS streaming media proxy logs To configure NetCache to sen...

Page 292: ... window select Streaming then MMS Step 14 Under MMS Enable verify that the Enables MMS protocol support check box is selected Step 15 Click Commit Changes to save your changes Step 16 In the left side of the window select System then Logging Step 17 In the right side of the window under Maximum Log File Size enter a number less than or equal to 100 megabytes Step 18 Under How to Switch Log Files s...

Page 293: ...he Generic Step 3 Enter the device name and its reporting IP address Step 4 From the Web log format list select the web log format that matches the value you selected in Step 5 of Configure NetCache to Send Syslog to MARS page 13 1 Step 5 From the Streaming media log format list select a streaming media log format Step 6 Click Submit ...

Page 294: ...13 4 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 13 Configuring Web Proxy Devices Network Appliance NetCache Generic ...

Page 295: ... For the Cisco Secure ACS Solution Engine this agent must reside on a remote logging host This agent provides MARS with three event logs in syslog format The logs are as follows Passed authentication log requires Cisco Secure ACS 3 3 or later Failed attempts log RADIUS accounting log To support NAC and the 802 1x features Cisco Secure ACS uses the RADIUS authentication protocol and the cisco av pa...

Page 296: ...ute specific commands on reporting devices and mitigation devices The following sections detail supporting a Cisco Secure ACS server Bootstrap Cisco Secure ACS page 14 3 Install and Configure the PN Log Agent page 14 7 Add and Configure the Cisco ACS Device in MARS page 14 12 Supporting Cisco Secure ACS Solution Engine MARS supports the Cisco Secure ACS Solution Engine via a remote logging host Ci...

Page 297: ... task Configure Cisco Secure ACS to Generate Logs page 14 3 Define AAA Clients page 14 5 Optional Configure TACACS Command Authorization for Cisco Routers and Switches page 14 7 Configure Cisco Secure ACS to Generate Logs To configure Cisco Secure ACS to generate the audit logs required by MARS follow these steps Step 1 Log in to the Cisco Secure ACS server or Solution Engine Step 2 Select System ...

Page 298: ...hen Failure Code Message Type Step 5 Click Submit Step 6 Click CVS Passed Authentications and verify that the following attributes appear in the Logged Attributes list AAA Server User Name Caller ID NAS Port NAS IP Address System Posture Token EAP Type Name Step 7 Click Submit Step 8 Click CVS RADIUS Accounting and verify that the following attributes appear in the Logged Attributes list ...

Page 299: ...ollowing RADIUS accounting attributes Framed IP address cisco av pair Step 10 Click Submit For additional details on the RADIUS attributes supported by Cisco Secure ACS see to the following URL http www cisco com en US products sw secursw ps2086 products_user_guide_chapter09186a00 802335ea html Define AAA Clients To support the 802 1x features of NAC you must also define the Cisco switches as AAA ...

Page 300: ... the following configuration must also be completed Ensure DHCP snooping is enabled on each network access device that you plan to define as an 802 1x client in MARS Note The attack path can not be calculated for a NAC 802 1x security incident when the events triggering the incident are reported to the MARS Appliance by Cisco Secure ACS However the MARS Appliance knows the switch port to block so ...

Page 301: ...terface interface_name shutdown set port disable port_name For more information on configuring command authorization sets in Cisco Secure ACS see the following URL http www cisco com en US products sw secursw ps2086 products_user_guide_chapter09186a00 802335ec html wp697557 Install and Configure the PN Log Agent MARS includes the PN Log Agent to monitor Cisco Secure ACS active log files failed att...

Page 302: ...tion Guide for Cisco Secure ACS Remote Agents Step 2 Select Start All Programs Protego Networks PNLogAgent Pn Log Agent Step 3 Click Edit PN MARS Config Result The PN Log Agent Configuration dialog box appears Step 4 In the MARS IP Address field enter the address of the MARS Appliance and click OK Step 5 Select Edit Log File Config Add Step 6 From the Edit pull down menu select Add Result The Add ...

Page 303: ...g AAA Devices Install and Configure the PN Log Agent Step 9 Add all 3 applications and their active log files Failed Attempts active Passed Authentications active RADIUS Accounting active Result The configured files appear in the List of Log Files to Monitor list Step 10 Select File Activate ...

Page 304: ...ent is running uninstall the old agent a To uninstall the old agent click Start Control Panel Add Remove Programs b Select PnLogAgent in the list of currently installed programs and click Remove c Select Yes to confirm the removal Step 2 Reboot the server Step 3 Install the new agent You can download this tool from the following URL http www cisco com cgi bin tablebuild pl cs mars misc Step 4 Re c...

Page 305: ...twork dropped connection on reset condition while attempting to send syslog message Connection reset by peer while attempting to send syslog message Connection refused by target while attempting to send syslog message No route exists to host Please check the network connectivity Attempt to send syslog returned error code error_code The log file doesn t have all required attributes Attribute missin...

Page 306: ...e logging host Step 4 In the Reporting IP field enter the IP address of the interface in Cisco Secure ACS server or the remote logging host from which the syslog messages will originate Step 5 Under Enter interface information enter the interface name IP address and netmask value of the interface in Cisco Secure ACS server or remote logging host from which the syslog messages will originate This a...

Page 307: ...e Cisco ACS 3 x option supports both Cisco Secure ACS 3 x and Cisco Secure ACS 4 0 No explicit 4 0 option exists for Cisco Secure ACS Step 9 Click Submit to add this application to the host Result Cisco ACS 3 x appears in the Device Type list Step 10 Click the Vulnerability Assessment Info link to define the host information that MARS uses to determine false positive attacks against this host Cont...

Page 308: ...14 14 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 14 Configuring AAA Devices Add and Configure the Cisco ACS Device in MARS ...

Page 309: ...network topology configure it to report data to the MARS and query the data using free form query User needs to specify the incoming data format so that MARS can parse and retrieve session information from arbitrary logs Note While the raw message for an event does include the header information MARS removes the header prior to sending the payload to the custom parser When writing a parser log tem...

Page 310: ...tes that you define MARS uses this logical container to select which custom log templates to apply to traffic received from a reporting device of that device type You must perform this task before you can begin to define a custom log parser Step 1 Go to Admin Custom Setup tab Step 2 Click the User Defined Log Parser Templates Figure 15 1 User Defined Log Parser Template Step 3 On the next screen c...

Page 311: ...running on a host and the host can be configured to send logs to the MARS Appliance Step 5 Enter the Vendor Model and Version for the Device or Application For Example Cisco PIX 7 0 Step 6 Click Submit Figure 15 3 User Defined Device Application Type Add Parser Log Templates for the Custom Device Application While the raw message for an event does include the header information MARS removes the he...

Page 312: ...ant to parse A log template is composed of one or more Event Types that describe the contents of the message Using the Event Types MARS parses the message when it is received Step 5 Enter a value in the Log ID field This value is a unique string value that identifies the log message The Log ID field provides an opportunity to map this message number or another moniker used by the device to the cus...

Page 313: ...ing Custom Devices Adding User Defined Log Parser Templates Figure 15 4 Mapping Log to Event Type Figure 15 5 Define Event Type Step 9 Add new Event type and its information and click Submit optional Step 10 Click Apply the Patterns link will become enabled Step 11 Click the Patterns link ...

Page 314: ...parsed and stored in MARS events Step 14 Currently MARS supports the following parsed value fields in its events Source address Destination address Source port Destination Port Protocol NAT Source address NAT Destination address NAT Source port NAT Destination Port NAT Protocol Device Time stamp Session Duration Received Time stamp Exchanged Bytes Reported User Step 15 The parsing format can now b...

Page 315: ...protocol field Step 19 The Value Type gives indication to the parser on what kind of value to expect so that suitable parsing action can be applied on the matching sub pattern string By Choosing Protocol String as the value type above we indicate that the protocol field is coming in the form of a string as defined in the file etc protocols in a UNIX system For example TCP is the string that will b...

Page 316: ...gexp d which matches against all unsigned decimal numbers The parsed field where the above value is stored is the Source Address which is specified as a dotted quad Notice the somewhat complicated regexp that only capture IP addresses in the correct range 0 0 0 0 through 255 255 255 255 Figure 15 9 Third Position of Pattern Definition Step 22 The above is for a source port PORT_NUMBER is the Patte...

Page 317: ... Local Controller 78 17020 01 Chapter 15 Configuring Custom Devices Adding User Defined Log Parser Templates Figure 15 10 The above example is a 12 KEY VALUE sub pattern pieces Figure 15 11 Log template for the device type Vendor1 Model1 1 2 ...

Page 318: ...pache Webserver1 1 Step 24 Define the log template for a HTTP Status OK log message And associate a system defined event type In order to find the event type specify the search string HTTP Status and find it defined as above Step 25 The parsing patterns for HTTP Status OK are specified to match the following example raw message reported in an event 155 98 65 40 21 Nov 2004 21 08 47 0800 GET shash ...

Page 319: ...nce the log message starts with a value pattern Figure 15 15 Position 2 Key Pattern for HTTP Status OK Step 27 The Parsed Field above is a Date Time field In addition to Value Pattern a value format is required since a date time can be specified in arbitrarily different ways Details on how to specify the value format are given in Appendix F Several pattern names with a few of the commonly used dat...

Page 320: ...sco Security MARS Local Controller 78 17020 01 Chapter 15 Configuring Custom Devices Adding User Defined Log Parser Templates Figure 15 16 Position 3 Key Pattern for HTTP Status OK Figure 15 17 Pattern log for HTTP Status OK ...

Page 321: ...depends on whether it was defined as a custom appliance or software device If it is software based you must first define a host and then add a reporting application Otherwise you can select the appliance type directly from the Device Type list The following example adds an instance of the newly defined Apache Webserver1 1 software application Step 1 Go to the Admin tab Step 2 Click the Security an...

Page 322: ...es Adding User Defined Log Parser Templates Figure 15 19 Adding the Customer Application to MARS Step 8 Select either SNMP TRAP or SYSLOG as the Reporting Method in the resulting window and click Submit This option determines what type of traffic will be processed by the custom log parser Step 9 Click Done ...

Page 323: ...and using an on demand query determine whether an event has been received that shows that traffic from source Y to destination X has been blocked 2 If such events are found the administrator can continue by determining which ACL is actually blocking the traffic To do so the administrator would click the policy query icon in the row of one of the selected events MARS then queries Security Manager t...

Page 324: ...d Password Failed Success MARS requests the device ID from Security Manager by providing the hostname and IP address If obtainable MARS provides the domain name and device type MARS displays an error message in a pop up window Number of matching devices Multiple None One MARS requests from Security Manager all access rules that match the device ID and five tuples If available MARS provides action ...

Page 325: ...More About Cisco Security Manager Device Lookup MARS requests the Policy Table of a Security Manager device by supplying the following criteria to Security Manager Device Name Derived from MARS Device Name IP Address Derived from MARS Reporting IP Domain Name If available derived from the device name in MARS for example c3550 225 125 clab cisco com Device Type If available from MARS The Device Loo...

Page 326: ...r MARS displays the policy table in a pop up window The matching access rule is displayed in highlight If MARS was unable to provide the interface direction and action information multiple matched access rules may be highlighted Sample Cisco PIX Firewall Syslog Messages with Direction and Protocol Information 10 33 10 2 142 PIX 6 302013 Built outbound TCP connection 2021 for inside 10 1 1 10 4000 ...

Page 327: ...cy query icon The Security Manager Policy Table Lookup icon displays for NetFlow events even though they are not triggered by an ACL This extra event data allows you to determine whether there is a policy permitting that traffic which ensures you are able to tune accordingly Note Because this is NetFlow data it may not match the exact ACL or match multiple ACLs The same events received by MARS can...

Page 328: ...ntegration deals with identifying the required and optional points of integration configuring the applications and devices and ensuring proper authorization among the two management platforms This checklist assumes a greenfield install of both Security Manager and MARS The following checklist describes the tasks required to understand the decision making process and the basic flow required to inte...

Page 329: ...f Cisco IOS software Note MARS supports PIX 7 0 and ASA 7 0 1 releases however it does not support FWSM 3 1 FWSM support is restricted to FWSM 1 1 2 2 and 2 3 For current device support information see Supported Devices and Software Versions for Cisco Security MARS Note FWSM support is supported only in Cisco Security Manager Enterprise Edition Professional 50 and higher The Professional version i...

Page 330: ...ARS Appliance the supporting devices and the reporting devices and mitigation devices on your network Tip It is a recommended security practice to have all devices including MARS Appliances synchronized to the same time Result You have verified that all intermediate gateways permit the log management and notification traffic between the devices and the MARS Appliance For more information see Deplo...

Page 331: ... queried using the reporting IP address of the device as a match criterion This technique can be useful for verifying that the device is properly bootstrapped You may also need to enable alternate settings on the to provide richer data For more information on these possible settings see Task 5 in the Checklist for Provisioning Phase page 1 2 found in the STM Task Flow Overview chapter Result The c...

Page 332: ...ts from that device are not parsed This query essentially identifies events that are not parsed Select the Unknown Device Event Type in the Events field This query returns events from known devices that for some reason the event is not parsed by MARS for example if the MARS signature list is not current with the device event lists and it returns events reported by unknown devices For both queries ...

Page 333: ...curity Manager server you must return to the MARS web interface and add the Security Manager server Result The correct settings are enabled on each Security Manager server The MARS Appliance can request and receive queries from no more than one Security Manager server After adding the Security Manager server to the MARS web interface you can test the connectivity by performing a policy lookup quer...

Page 334: ...Secure ACS on the Common Services 3 0 server you must update the administrative access settings to ensure that the MARS Appliance has the necessary access to the Security Manager server Before MARS can query the policies defined on the Security Manager server you must enable HTTPS on the Security Manager server For more information on enabling HTTPS see 7 Using Security Manager for mitigation resp...

Page 335: ...e device This name must exactly match the hostname shown in the Cisco Security Manager user interface MARS maps this name to the reporting IP address This name is used in topology maps queries and as the primary management station in the Security and Monitoring Device list Access IP This s address is used to pull query data from a Security Manager server using HTTPS enabling MARS to discover setti...

Page 336: ...Manager server click Test Connectivity Result If the username and password are correct and the MARS Appliance is configured as an administrative host for the device the Connectivity successful dialog box appears when the discovery operation completes Otherwise an error message appears which you can click on the View Error link for more information Step 10 To add this device to the MARS database cl...

Page 337: ...d to invoke the Security Manager policy table lookup One of the following three pop up windows may appear Multiple Events window Lists all Security Manager device events in the session this window appears in this step when there are two or more events in the session Multiple Devices window Lists all matching Security Manager devices that meet criteria available to MARS this window appears in this ...

Page 338: ...k the Security Manager icon in the Policy field of the appropriate event One of the following two pop up windows may appear Multiple Devices window Policy Table window In this procedure the Multiple Device pop up window is displayed as shown in Figure 16 5 Figure 16 5 MARS Multiple Devices Pop up Window Step 6 Click the radio button of the appropriate Security Manager Device Click Submit The Polic...

Page 339: ...e deployed view You must login to Security Manager or the specific device to examine or alter the access rule generating the MARS event or incident If the committed and deployed views are identical locating the policy is simplified A MARS event can be generated from a deployed access rule not visible in the committed view Step 7 Login to Cisco Security Manager or the specific device to alter the s...

Page 340: ...er Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 16 Policy Table Lookup on Cisco Security Manager Procedure for Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS ...

Page 341: ... The MARS web interface runs within a single brower window The MARS product functions are categorized with labeled tabs each tab subdivided with subtabs Note Do not use the browser navigation buttons with the MARS Appliance GUI for example Back Forward Refresh or Stop Logging In Step 1 To login to the Local Controller enter its IP or DNS address into the browser address field The login box appears...

Page 342: ...umber and type of reporting devices For most networks the Summary page populates shortly after configuration Some values are only relevant after an interval of time For example the values in the 24 Hour Events and 24 Hour Incidents tables Basic Navigation The Local Controller uses a tab based hyperlinked user interface When you mouse over an alphanumeric string or an icon that is a clickable hyper...

Page 343: ... Controller 78 17020 01 Chapter 17 Network Summary Navigation within the MARS Appliance Figure 17 3 Summary Tab Figure 17 4 Incidents Tab Figure 17 5 Query Reports Tab Figure 17 6 Rules Tab Figure 17 7 Management Tab Figure 17 8 Administration Tab ...

Page 344: ...comments to the MARS development engineering team Figure 17 10 Help Page Click About to display the software version number running on the MARS Click Documentation to display URLs to MARS documentation on the Cisco Systems Inc website http www cisco com Your Suggestions Welcomed The Feedback button appears at the bottom of most pages a shown in Figure 17 10 When you click the feedback button or na...

Page 345: ...etwork Summary Navigation within the MARS Appliance Figure 17 11 Feedback Dialog Box To send your comments to the MARS development engineering team type in your email address and comments then click Submit When you click the Include log file a MARS log file is sent with your message ...

Page 346: ...ummary pages you can very quickly evaluate the state of the network The Summary pages include the Dashboard Network Status and My Reports a shown in Figure 17 12 Figure 17 12 Summary Tab Dashboard Note When you first view the Summary page after upgrading the Local Controller expect a small delay while the Java Server pages recompile ...

Page 347: ...0 01 Chapter 17 Network Summary Summary Page Figure 17 13 The Working Areas on the Dashboard 1 Subtabs 5 Tabs 2 Case Bar Local Controller only 6 Recent incidents information 3 Links to Cases assigned to you 7 HotSpot and Attack diagrams 4 Charts 143155 5 1 2 4 3 7 6 ...

Page 348: ... information and helps you understand if an attack truly has materialized It gives you the context of the attack by giving you all the events on that session Sessionization works across NAT network address translation boundaries if a session traverses a device that does NAT on that session the Local Controller is able to sessionize events even if they are reported by two devices on either side of ...

Page 349: ...ains the same until you log out This setting only applies to the pages that have the Page Refresh pull down Figure 17 16 Page Refresh Note You can change the refresh rate with the dropdown list Diagrams The Summary page has two diagrams the Hot Spot Graph and the Attack Diagram Local Controller uses the configuration and topology discovery information that you provide to generate these diagrams Th...

Page 350: ...uds by clicking them if you have the SNMP information To see the diagrams you need the Adobe SVG viewer plug in The Adobe SVG viewer plug in should automatically install Note If you click No on the SVG auto installer the Local Controller does not prompt you to install it again If you want to run the auto installer open the browser and click Tools Internet Options General Delete Cookies Table 17 1 ...

Page 351: ...m s viewing quality to search and to manipulate the SVG image Alt click to use the hand to move the image Ctrl click to use the magnifying glass to zoom in Ctrl click and drag to select an area Ctrl shift click to use the magnifying glass to zoom out 1 Displays SVG Help 2 Displays clouds for selected devices on a full page 3 Displays all devices on a full page 4 Selects zone to be displayed Global...

Page 352: ...efine the complete physical topology Much like when you draw a network diagram on a piece of paper you can use a cloud to depict networks in which you have no direct interest but which are needed to represent to complete the diagram For example you may want to display only gateway devices or mitigation devices representing other reporting devices as part of a cloud To toggle the display status of ...

Page 353: ... view the latest report and so on by clicking on the buttons in the chart s window Reading Charts These are stacked charts You can tell which severity of incident your network has most experienced for the day by looking for the dominant shade In the figure below low priority green incidents cover less area than high priority red incidents because they have occurred less often Figure 17 20 A Day s ...

Page 354: ... or drop of a different color lower down in the stack A perfectly flat line indicates that Local Controller received no data during that time period Figure 17 21 A Flat Line in a Week s Top Rules Fired In the following Incidents chart you can see the top incidents for the week starting eight days in the past Figure 17 22 Eight Days of Incidents 1 The flat line in the Top Rules Fired chart 143159 1...

Page 355: ... the radio button next to the report that you want to see as a chart Step 3 Click Submit Local Controller now displays the chart that you selected on the My Reports page Note Reports must be scheduled to run periodically that is every hour or every day If you activate a report allow for some time for the data to accumulate You can display any number of charts on the My Reports page however expect ...

Page 356: ...17 16 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 17 Network Summary Summary Page ...

Page 357: ...P address destination IP address reporting device Session Information page Query Results page Build Report page Report Results page View Case page the current case can reference another case Any user can create or alter any case You can assign a case to a MARS user on the same machine and can change the status of a case to assigned resolved or closed The contents of a case are displayed by categor...

Page 358: ... reports but the data reported in the case remains the same as the time it was captured Note As of MARS software version 4 1 1 the Case Management feature replaces the incident escalation feature The Case Management homepage is the Cases subtab of the Incidents tab as shown in Figure 18 1 Figure 18 1 Case Management Tab Local Controller All new assigned resolved and closed cases can be accessed fr...

Page 359: ...l Controller does not have a Case Bar All Cases are selected from the Incident Cases page The Cases page has an additional dropdown filter to display cases per Local Controller Hide and Display the Case Bar The Case Bar displays by default When displayed the Case Bar appears at the top of each page The Case Bar must be displayed to create or modify a case Hiding the Case Bar To hide the Case Bar p...

Page 360: ...ure 18 4 Figure 18 4 Case Bar Hidden on the Incidents Page Displaying the Case Bar To Display the Case Bar follow these steps Step 1 Navigate to the Cases subtab Incidents Cases as shown inFigure 18 4 Step 2 Click Show Case Bar The Case Bar as shown in Figure 18 3 now appears on all pages Create a New Case To create a new case perform the following procedure Step 1 Display the Case Bar as describe...

Page 361: ...mple_Case assigned to the administrator with a yellow priority color default is Green Step 4 Type or paste any annotations into the text space Step 5 Click Create New Case The newly created case is numbered and becomes the current case displayed in the Case Bar as shown in Figure 18 6 Figure 18 6 Case Bar Shows a Newly Created Case as the Current Case Proceed to the section Add Data to a Case for ...

Page 362: ...he Current Case To replace the Current Case case with another complete the following procedure Step 1 Expand the Case Bar as explained in the previous procedure Step 2 Click Deselect The Case Bar drop down list displays No Case Selected as shown in Figure 18 4 Step 3 To select a different Current Case select a case from the Case Bar drop down list Add Data to a Case To add data to a case complete ...

Page 363: ...and Notification Information section on page 22 10 Note Make sure that the MARS email server is configured See Configure the E mail Server Settings section on page 22 4 for further information To generate a case report and to email it follow these steps Step 1 Select a case from the Cases page or from the Case Bar dropdown list Step 2 Click the Case ID number to navigate to the View Case page Step...

Page 364: ... groups or individual users you want to receive the Case Document then click Add Tip Select All Users from the dropdown menu to display all individual user accounts The selected recipients appear in the left hand area of the dialog box Step 7 Click Submit to send the Case Document to the recipients The email is sent and the case history is updated to show the email event as the lastest item of the...

Page 365: ...an be captured in a case report with Case Management and escalated to the relevant personnel Incidents Overview An attack can consist of a reconnaissance activity for instance a port scan followed by a penetration attempt such as a buffer overflow and followed by malicious activity on the target host for example a local privilege escalation attack or the installation of backdoors An incident which...

Page 366: ...followed by a DoS attack The Incidents Page Click the Incidents tab to navigate to the Incidents page The Incidents page displays recent incidents Incidents are collections of events and sessions that meet the criteria for a rule each having helped to cause the rule to fire An incident s duration only includes the events that contributed to the incident firing ...

Page 367: ...es for Incidents page 19 4 for more information Incident Path The icon that takes you to the incident s path diagram Incident Vector The icon that takes you to the source event type and destination diagram 1 The Incident ID Link to the Incident Detail page 2 Incident Severity Icon 3 The events that compose the Incident Launches the Event Type Details popup window 4 Query icon Link to the Query pag...

Page 368: ...t have fired that incident Incident Details Page Clicking the Incident ID takes you to its Incident Details page The Incident Details page is rich in information and information gathering tools This page answers questions such as who did it what event types happened when it happened and to whom it happened Figure 19 3 The Incident Details Page On the top of this page are the tools that let you sea...

Page 369: ...his high density information table lets you drill deep into incidents Click the Query icon anywhere on this page to query on a particular criteria Click the Raw Events icon for raw events for a particular session You can click the Tune link to tune incidents for False Positives see The False Positive Page page 19 8 or click the Mitigate link to mitigate an attack Figure 19 5 Incident Table 143426 ...

Page 370: ...tem confirmed false positives and unconfirmed false positives Vulnerability scanning often identifies the false positive events but at times you must investigate events to determine their validity To understand the false positive nomenclature and what tasks you are expected to perform within the user interface we must study the possibilities among three variables surrounding possible attacks legit...

Page 371: ...le then the incident triggers When an event triggers an incident we refer to that event as a firing event False positive analysis is performed for such firing events to reduce the number of false alarms Using built in event vulnerability data learned topology paths sessionized event data ACL analysis of layer 2 and 3 reporting devices supporting data from 3rd party vulnerability analysis VA softwa...

Page 372: ...you can see groupings of False Positives You can filter categories by clicking on the Select False Positive drop down list Your choices are Unconfirmed false positive type For this type the MARS needs user confirmation to determine if the target host is vulnerable to the event type in question User confirmed false positive type For this type a user has provided confirmation that a firing event is ...

Page 373: ...se Positive to False Positive Step 1 After you determine that a false positive is false and you have clicked the Yes button click Next Step 2 On the next page decide whether or not you want MARS to keep this event type in the database by selecting the appropriate radio button Dropping these events completely that stops logging those events Log to DB only that logs the events to the DB Step 3 Once ...

Page 374: ...atic and Dynamic Network Information Topology information obtained from access to relatively permanent Layer 2 and Layer 3 devices is called Static Information in the HTML interface Dynamic Information refers to frequently changing information such as host names or DHCP leased IP addresses obtained through devices or agents that report dynamic events such as 802 1X access control configurations th...

Page 375: ...etwork Access Control protocol The switch Reporting IP address must be configured on the CS MARS Security and Monitoring Information page Admin Security and Monitor Devices Cisco DHCP Snooping enabled on the switch The switch performs Remote Access Dial In User Service RADIUS authentication authorization and accounting through a Cisco Access Control Server ACS The Cisco ACS is running pnLogAgent t...

Page 376: ...ation as shown in Figure 19 9 CS MARS recommends enforcement devices and mitigation commands For static information if the network is entirely discovered and CS MARS has command level access to a Layer 2 enforcing device the Push button appears red otherwise it is gray In Figure 19 9 CS MARS does not have sufficient static information to identify a Layer 2 enforcement device but can suggest mitiga...

Page 377: ...tion and Mitigation Mitigation Figure 19 9 Path Information Pop up Window Step 4 Click Dynamic Info to view Layer 2 mitigation recommendations derived from 802 1X configurations The Dynamic Mitigation window appears with host name IP address MAC address and connection status as shown in Figure 19 10 ...

Page 378: ...ep 7 Click Push to download the recommended mitigation command to the enforcement device The mitigation confirmation dialog appears as shown in Figure 19 11 If the Push button is gray the mitigation command must be manually configured on the enforcement device Note The Push button is red and functional when the 802 1X target host is present on the network and CS MARS has command access to the enfo...

Page 379: ...e Source IP Port or Destination IP link of a session When examining an attacking host the Source IP address is more relevant Step 3 The current connection information pop up window appears to display any static connection information Step 4 Click Dynamic Info to display current connection information as shown in Figure 19 11 Dynamic information can be derived from 802 1X configurations Cisco Secur...

Page 380: ...information for the specified IP address as shown in Figure 19 13 Figure 19 13 Dynamic Information History of a Specified IP Address Step 7 Click the Push button if available or mitigate from the device If you select the push button a confirmation screen appears Note To mitigate a device of Access Type SNMP you must have the SNMP Read Write Community String Click the Yes button to confirm the miti...

Page 381: ...disclosed in the raw messages of the events Layer 2 Path and Mitigation Configuration Example This section provides a starting point for configuring MARS to perform Layer 2 L2 path analysis and mitigation using a Cisco switch It contains the following sections Prerequisites for Layer 2 Path and Mitigation page 19 17 Components Used page 19 17 Network Diagram page 19 18 Procedures for Layer 2 Path ...

Page 382: ...ociated routers must be discovered via SNMP or a combination of SNMP and Telnet including the MSFC module in the Catalyst switch The SNMP community string is necessary for L2 switches to be discovered Note L2 devices must be added manually there is no automatic discovery for these devices Make sure all the L2 devices switches have the SNMP RO community strings specified in the web interface even i...

Page 383: ...h CatOS ANY Step 3 Enter the Device Name of the switch Step 4 Enter the Access IP address and Reporting IP address the IP address of the device as it appears to the MARS of the switch The Reporting IP address is usually the same as the Access IP address but if you are using FTP as Access Type it must be a different IP address The Reporting IP address is required if the device is sending syslog dat...

Page 384: ... Test Connectivity button to have the MARS discover the device Step 7 Click the Submit button Add the Cisco Catalyst 6500 with SNMP as Access Type Layer 2 only Step 1 Click Admin Security and Monitor Devices Add Figure 19 16 Configure Cisco Switch CatOS Step 2 From the Device Type drop down list select Cisco Switch CatOS ANY Step 3 Enter the Device Name of the switch Step 4 Enter the Access IP add...

Page 385: ...Test Connectivity button to have the MARS discover the device Step 6 Click the Submit button Add the Cisco 7500 Router with TELNET as the Access Type Step 1 Click Admin Security and Monitor Devices Add Figure 19 17 Configure Cisco IOS 12 2 Step 2 From the Device Type drop down list select Cisco Switch IOS 12 2 Step 3 Enter the Device Name of the switch Step 4 Enter the Access IP address optional a...

Page 386: ...ssword needed to access the switch For Enable Password enter the password to get into Cisco enable mode Enter its SNMP RO Community TELNET For the Login ID enter the user name and Password needed to access the switch For Enable Password enter the password to get into Cisco enable mode Enter its SNMP RO Community mandatory Step 5 Click the Test Connectivity button to have the MARS discover the devi...

Page 387: ...his example we use Windows RPC DCOM Overflow click the graph icon under the Graph column to view the topology paths To view sessions by performing a Query Step 1 Click QUERY REPORTS and submit a query using the appropriate query criteria Note that in our example we limit the scope of the query so it runs faster In the following Query Event Data screen we use the result format All Matching Sessions...

Page 388: ...a screen Step 2 After you Apply changes to and Submit your query the Query Results screen appears Figure 19 20 Query Results screen Step 3 In the Query Results screen in the same row as the Event Type you want to examine in this example we use Windows RPC DCOM Overflow click the icon under the Graph column to view the topology paths The first topology path to appear is the Layer 3 topology graph ...

Page 389: ...Controller 78 17020 01 Chapter 19 Incident Investigation and Mitigation Layer 2 Path and Mitigation Configuration Example Figure 19 21 Layer 3 topology graph Under Topology Path Graph click the Layer 2 Path button to view the Layer 2 topology graph ...

Page 390: ...50 connected to CatSw it is critical to prevent it from attacking other hosts in the same subnet or other parts of the network The MARS provides one click mitigation that lets you isolate the compromised host from the rest of the network To perform mitigation perform these steps Step 1 On the Incident Details screen click the Mitigate link that corresponds with the Session or Event Type you want t...

Page 391: ...1 252 250 Step 2 If the device where the mitigation command to be downloaded is a Layer 2 device such as in the example Mitigation Confirmation Dialog a red Push button appears that you can click to mitigate the compromised host If you select the push button the Mitigation Confirmation Dialog appears Note If the device where the mitigation command to be downloaded is a Layer 3 device the Push butt...

Page 392: ...on and Mitigation Layer 2 Path and Mitigation Configuration Example Figure 19 24 Mitigation Confirmation screen Note The SNMP RW community string must be enabled for the MARS to download a mitigation command to a device using the Access Type SNMP Step 3 Click Yes to confirm the mitigation of the device ...

Page 393: ...rom other pages bring you to the query page which then partially populate the query s criteria Once you have submitted a query you can save it as a report or a rule Figure 20 1 The Local Controller Query Table 1 Click to set the query type and time range criteria 2 Click Clear to return query values to default values 3 Quick query fields permit entry of values without opening dialog box for the fi...

Page 394: ...rce IP destination IP or a service into the quick query field Figure 20 3 Running a free form query Step 2 Click the name of the query None appears as the name if you have none saved or Edit to enter the rest of the query You can also click the parentheses icon to add parentheses for nested queries or click the trash can icon to remove parentheses Step 3 Under Search String enter strings to query ...

Page 395: ... the option of having it run as a batch query Figure 20 4 Construct a Query to Run in Background Batch Query Step 2 Click Submit to make your selection Figure 20 5 Choosing the Query Submission Method To submit as a standard inline query click Submit Inline To submit your query as a batch query click Submit Batch Your query is submitted and you are automatically taken to the Batch Query tab If you...

Page 396: ...the MARS is valid the results of your batch query are emailed to you when the query has completed and can also be viewed by clicking QUERY REPORTS Batch Query View Results Note When you click View Results while the query is in progress the results compiled up to that moment are recomputed This can make the display take longer to appear than after the results are compiled To Stop a Batch Query Step...

Page 397: ... queries and their results are not viewable by others Selecting the Query Type Figure 20 8 Clicking the Query Type or Edit link You can select different query criteria by clicking the Query Type link or Edit button This lets you determine a query s result format rank time whether it only uses firing events and the number of rows returned Figure 20 9 The Query Criteria Result Page Result Format Eve...

Page 398: ... top source network groups that exists in MARS Ranked by either number of sessions that contain events that meet the query criteria or by bytes transmitted in sessions that contain events that meet the query criteria If a network is excluded it is excluded from all results Destination Network Ranking Returns top destination networks that exists in MARS Ranked by either number of sessions that cont...

Page 399: ...ll Matching Sessions Returns all sessions that contain events that meet the criteria Sessions that contain a common set of event types are grouped together They are also sub grouped by session source IP address and session destination IP address Sessions in the same sub group are ordered by time Real Time results are available for this Result Type All Matching Events Returns events Ranked by time ...

Page 400: ... in real time are All Matching Sessions page 20 7 All Matching Events page 20 7 and All Matching Event Raw Messages page 20 7 Real Time results appear in a normal browser window Moving the scroll bar stops the rolling behavior Clicking the Resume button on the bottom of the page allows the scrolling to resume Figure 20 10 Click the Resume Button to Start the Page Rolling Use Only Firing Events Sel...

Page 401: ...variety of different variables events devices addresses from the filter page The following number correspond with the numbers in the preceding graphic 1 Check the boxes next to the items in the Sources Selected field to select them and click the Toggle Equal button to change them between equal and not equal 2 Click the Select All button to select all items in the Sources Selected field Note if you...

Page 402: ...eld by clicking them Enter a group name and click the Grouped As button to group them 11 Once you have chosen the query criteria that interests you click Apply to return to the Query page Repeat this selection process for other query data Step 4 Click the Submit button to run the query Query Criteria The following list describes the selections in the Query Event Data table Source IP Pre NAT source...

Page 403: ...he same variable IP addresses IP addresses present on devices in the system or user entered dotted quads IP ranges The range of addresses between two dotted quads Networks Topologically valid networks Devices The hosts and reporting devices present in the system Service ANY No constraint is placed on the source or destination ports or protocol Service variables Any one set of destination port and ...

Page 404: ...o or more line query FOLLOWED BY Time conditional query e g Y must happen after X that defines a two or more line query Rule Empty field Rules Chosen field When this field is empty it acts like an ANY selection No constraint is placed on the sub set of events Rule Restricts the query to the sub set of events that contributed to the incidents of the specified rules firing Action Empty field Empty A...

Page 405: ...ents display as a continuously scrolling screen You can configure query criteria to filter what is displayed When viewing raw events sessionization is not impeded all the parsed raw events are sessionized per normal MARS operation MARS The Real time Event viewer is available for the following query result formats that support ranking by time Order Rank field set to Time Matched Incident Ranking Al...

Page 406: ...y home page as shown in Figure 20 13 Figure 20 13 Query Home Page Step 2 Click Edit The Query edit dialog appears as shown in Figure 20 14 Figure 20 14 Configuring Real Time Event Viewer Query Step 3 Do the following substeps a From the Result Format dropdown list select a format that can be ranked by time The formerly grayed out Real Time radio button becomes clickable b Click the Real Time radio...

Page 407: ...zed Events option displays Event Session Incident ID Event Type Source IP Port Destination IP Port Protocol Time Reporting Device Path Mitigation and Tune fields c Click Apply The Query Event Data screen appears with the Save as Report and Save as Rule buttons gray and inactive as shown in Figure 20 15 Figure 20 15 Real Time Event Query to Submit Step 4 Modify the parameters of the Query Event Dat...

Page 408: ...y The real time event viewer session will timeout if paused for more than 30 minutes Restart button Restarts the display from the current time This button appears when you pause the scrolling display Resume button Restarts the display from the time when paused This button appears when you pause the scrolling display Clear Terminates the real time query Step 5 Click the active links within a real t...

Page 409: ...cking Submit Tip To view the most recent real time events you can click Submit at any time or Pause and Restart to reinitialize the Real Time Event Viewer The most recent events are always at the bottom of the output queue and their freshness when you view them is limited by the number of events in the queue and the scroll speed of the display This ends the Procedure for Invoking the Real Time Eve...

Page 410: ...sage Top Destinations by Sessions Activity Web Usage Top Sources Attacks All Top Rules Fired Attacks All Top Sources 2 Performing a batch query Advantages You can modify any of the query criteria Best suited for data that spans a short time period Disadvantages This type of query can be slow and may take a substantial amount of time to complete Only Admin users can perform a batch query If you wan...

Page 411: ...example we use Activity All Top Destinations Click the Query column to edit the report The Build Report window appears Figure 20 20 Build Report window Step 3 In the lower portion of the Build Report window change the Time Range the report Activity All Top Destinations covers to the duration you want it to cover Step 4 Click the Submit button to run the report and return to the Main Report window ...

Page 412: ...SV comma separated values file Step 3 Click the View Report button Note The Status column shows the percent completion of the report You can view a partially completed report but it might not contain the data you require The Status column updates when the page refreshes per the Page Refresh Rate setting on the Query Reports Batch Query page Note In general do not use the browser refresh or other b...

Page 413: ...form a Batch Query To perform a batch query follow these steps Step 1 Click the QUERY REPORTS Query tab The Query window appears Figure 20 22 Query window Step 2 In the Query window click the Edit button to change the query criteria The Query Event Data window appears Figure 20 23 Query Event Data window ...

Page 414: ...ation of the query to the past 2 days Click either Apply button to apply your changes to the query The Query Save Submit window appears Figure 20 24 Query Save Submit window Step 4 The Query Save Submit window asks you to choose from the options of Save as Rule Save as Report or Submit Batch To submit your query as a batch query click Submit Batch Your query is submitted and you are automatically ...

Page 415: ...edefined System Reports are treated as global reports Global Controller receives report data once its connected to the Local Controller Previous report results prior to managing the Local Controller will not be pushed up to Global Controller Thus viewing of reports will not include the information before the Local Controller becomes active When you view a report you are viewing the last instance t...

Page 416: ...presents the total count of the top N matched result types ranked by number of sessions as determined by which ones occurred most frequently over the period of time You can use these reports to determine your network s condition relative to the studied sessions For example you can use this view to identify attacks that launched at frequent intervals This view does not present spikes in network act...

Page 417: ... Report Step 1 On the Reports page click the Add button Step 2 In the Report Name and Report Description fields enter a report name and description Click the Next button Step 3 Select the schedule parameters for the report Step 4 Select a View Type for the report You can receive these reports in your email or view them in the UI Your choices are Total View Peak View Recent View and CSV see Report ...

Page 418: ...ong report results are retained in the database per MARS model number To Delete a Report Step 1 Click the radio button next to the report Step 2 Click the Delete button to delete the report Step 3 On the Delete Confirmation page click Delete To Edit a Report You can not edit system generated reports Editing report criteria is meant for minor tweaking to previously generated report Step 1 Click the...

Page 419: ...ort s query criteria will not re generate a new result New edited criteria is based on the previously generated report In some situation such as filtering out specific IP source user should create a new report Note Email notification of a global generated report will be sent from the Global Controller and not the Local Controller ...

Page 420: ...20 28 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 20 Queries and Reports Reports ...

Page 421: ...tever the method of attack attacks share common traits and you can use rules to define these traits to identify and mitigate attacks Rules create incidents Rules connect the information you receive from your networks reporting devices linking them together to form a chain of events that describes an unfolding intrusion They classify incoming events as firing events by matching them against the rul...

Page 422: ...he CS MARS rule set Think Like a Black Hat Ignore for a moment the benign users who do legitimate business on your networks Get inside the mind of the black hat that wants to take your network down The person who should concern you is the one with a plan Good plans have a sequence of steps contingencies and metrics to determine success or failure The more fully you can anticipate these plans the f...

Page 423: ... FTP server code download target to secondary target buffer overflow The attacker is now using your compromised host as a launching point for further attacks One you ve mapped out the anticipated attack to watch for you can define a monitoring plan The following task flow outlines the tasks involved in implementing a monitoring plan Step 1 Ensure your reporting devices are providing all the data y...

Page 424: ...de page You can create custom inspection rules by editing or duplicating system inspection rules by adding your own from the Inspection Rules page or by using the Query interface Customized inspection rules are called User Inspection Rules and are displayed on the Inspection Rules page Inspection rules can be created on both the Global Controller and the Local Controllers Global User Inspection Ru...

Page 425: ... on the time frame that the probe was sent and its subtlety Rule logic is simple You have a row Every row has cells The logical expressions connecting different cells are and while the expressions connecting items inside a cell are either or or and not depending which clause is chosen the equal to or not equal to By studying the system inspection rules you can identify three commonly used rules at...

Page 426: ...w one of two general structures a one line failure Failure or multi line failures separated by the OR operator 1 N Failure OR Failure In the HTML interface system rules are displayed in rows and columns The row number is called the Offset A rule can have more than one row or offset as shown in Figure 21 2 Figure 21 2 Rule with Multiple Offsets Table 21 1 Rule Fields and Arguments Rule Field Field ...

Page 427: ...s offset Target01 to Target20 The same variable in another field or offset signifies that the IP address for each count is the same IP address Network Groups Defined network groups Topologically valid network groups as defined under Management IP Management Networks Topologically valid network groups as defined under Management IP Management Devices The hosts and reporting devices present in the s...

Page 428: ...s that the IP address for each count is the same IP address Network Groups Defined network groups Topologically valid network groups as defined under Management IP Management Networks Topologically valid network groups as defined under Management IP Management Devices The hosts and reporting devices present in the system The hosts and reporting devices present in the system IP addresses IP address...

Page 429: ...ables signify that the specified destination port source port and protocol are unique for each count These variables are local to the offset DISTINCT_ANY_DEST_PORT DISTINCT_TCP_DEST_PORT DISTINCT_UDP_DEST_PORT Identical variables in different fields or offsets signify that the specified port and protocol for each count are identical to each other ANY_BOTH_PORT5 ANY_DEST_PORT1 to ANY_DEST_PORT5 ANY...

Page 430: ...tivity or condition and therefore they map to the same event type within MARS Event types are sorted into event groups such as Probe PortSweep Stealth to catch any of the network conditions identified by the group Variables Signify any single event type defined under Management Event Management only useful for lines in tandem with the same variable ANY Any of the active event types can match this ...

Page 431: ...ed in MARS DEVICE01 to DEVICE10 Reporting Devices Identifies one or more hosts or reporting devices for which events are inspected Valid values are one or more devices as defined under Admin System Setup Security and Monitor Devices Defined Device Types Reported User Identifies the active user on the host when this event was recorded Not all events include this data The value of this condition can...

Page 432: ...occurring in the same session in a three second period increment the active count by one This inherent threshold ensures that a event floods of the same type does not increase the active count arbitrarily and incorrectly fire the rule Example usage When a backdoor rootkit install is detected the count should be 1 as it is only going to be reported once and it is not something you expect to ever se...

Page 433: ...condition is met OR A boolean or used to construct a compound condition two or more lines Either this line or the next line can be satisfied to meet the compound condition FOLLOWED BY Identifies a compound condition two or more lines specifically a sequential order of occurrence Also referred to as a time conditional rule e g Y must happen after X The condition of this line must be met and then th...

Page 434: ... can assume that if no more than three login attempts have occurred over a 10 minute period that counter can be reset Usage Guideline The Time Range value combined with the Count value can affect the operation of your MARS Each time an event is captured that satisfied a unique instance of an inspection rule a monitoring session is constructed to track possible future occurrences until either the C...

Page 435: ...s the list of administrators to whom an alert should be sent An e mail address must be defined for the selected administrators Syslog Identifies the list of hosts to whom an alert should be sent You can select any number of devices to which you want a syslog message sent Page Identifies the list of administrators to whom an alert should be sent The message format is text A pager number must be def...

Page 436: ... Particular Port on the Same Host Figure 21 3 Rule for Excessive Denies to a Particular Port on the Same Host In this example the rule fires when 100 of the specified events occur from any source IP address to the same destination IP address and the destination port numbers are identical Example B Same Source Causing Excessive Denies on a Particular Port Figure 21 4 Rule for Same Source Doing Exce...

Page 437: ...esponse System To view a list of System Inspection rules see Appendix D System Rules and Reports Change Rule Status Active and Inactive The CS MARS correlation engine continuously tests only active rule criteria against incoming events to identify incidents Inactive rules do not consume resources used for realtime operations Note A rule cannot be deleted it can be made active or inactive To change...

Page 438: ...ach subsequent field Note You only edit the Source IP Destination IP and Device fields of a system inspection rule See Duplicate a Rule page 21 17 for further information on modifying system inspection rules Note A rule cannot be deleted it can be made active or inactive Edit a Rule with Inline Editing You can perform inline editing to rules from the Incidents Detail page or from the Inspections R...

Page 439: ...he previous field Previous does not appear for the Rule Name page Step 4 Repeat as required Step 5 Click Apply after making all edits Tip To skip to the end click the Count argument after which only the Action and Time Range fields must be reviewed Step 6 Add Open and Close parentheses as required then click Submit If no parentheses are required just click Submit Step 7 Click Activate to include t...

Page 440: ...he search criteria from the Sources Available field to the Sources Selected field 6 To add a new item to the sources click the Add button To edit or delete an existing source click the Edit or Delete button 7 Click an item or items in the Sources Selected field and use the Remove button 8 To move IP values up into the Sources Selected field click the Equal up icon or the Not Equal up icon 9 Check ...

Page 441: ...age by clicking the Rules Drop Rules tabs Drop rules instruct the MARS to either drop a false positive completely from the appliance or to keep it in the database On the Drop Rules page you add edit duplicate activate an inactive rule or inactivate an active rule Inactive rules do not fire Note For releases 4 2 3 and earlier of MARS you cannot define drop rules for a NetFlow based event For these ...

Page 442: ...ule Step 1 Check the box next to the rule Step 2 Click Edit on the field that you want to change Step 3 Follow the rule s wizard and complete any other changes to the rule Step 4 Click Submit Note When the rule or rules are complete click Activate Add a Drop Rule Step 1 Click Add Step 2 Enter a name and description for the rule and click Next Step 3 Select your sources Figure 21 8 Drop Rule Creati...

Page 443: ...more information 7 Click an item or items in the Sources Selected field and use the Remove button 8 To move IP values up into the Sources Selected field click the Equal Up icon or the Not Equal Up icon 9 Check the radio button next to IP or Range and enter an IP address or a range of IP addresses into their respective fields 10 Select items in the Sources Selected field by clicking them Enter a gr...

Page 444: ...lect the systems that you want to receive the SNMP trap information Note For SNMP and Syslog you need to configure the receiving systems for this feature to work Step 6 Click the Change Recipient button to add or edit recipients for alerts for that notification type email syslog page or SNMP Step 7 Check the box next to the role group or system that you want to receive alerts Click the Add button ...

Page 445: ...ck etc When you select a group from a dropdown filter only those rules and reports that are members are displayed on the page When you select a rule group on the Incidents page only those incidents related to the rules of the selected group display Report and rule groups can also be used when constructing queries For instance there are at least 16 system rules that detect suspicious network access...

Page 446: ...e System COBIT DS9 4 Configuration Control System COBIT DS9 5 Unauthorized Software System CS MARS Distributed Threat Mitigation Cisco DTM System CS MARS Distributed Threat Mitigation Cisco DTM System CS MARS Incident Response System CS MARS Incident Response System CS MARS Issue System Client Exploits Virus Worm and Malware System Client Exploits Virus Worm and Malware System Configuration Change...

Page 447: ...Add Group Dialog Box Step 3 Enter the new group name in the Name field Step 4 Click the checkboxes of the rules to be added to the new rule group Tip The dropdown list above the list of rules can limit the display of rules to active system rules active user rules or inactive rules The search function displays only those rules that match a search string for example New Malware Traffic Match The ast...

Page 448: ...igate to the Inspection Rules page as shown in Figure 21 10 Step 2 Select the rule group to edit in the Group pulldown filter Step 3 Click Edit Group The Add Group dialog box appears as shown in Figure 21 11 The rule group name appears in the Name field and the included rules appear as selected rules in the lefthand pane of the dialog box Step 4 To add additional rules click the checkbox of all th...

Page 449: ...e for Cisco Security MARS Local Controller 78 17020 01 Chapter 21 Rules Rule and Report Groups Step 4 Click Yes The rule group no longer appears in the Group dropdown filters on the Incident and Inspection Rules pages ...

Page 450: ...up Dialog Box Step 3 Enter the new report group name in the Name field Step 4 Click the checkboxes of the reports to be added to the new report group Tip The dropdown filter above the list of reports can filter the display of reports to display system reports user reports or all reports The search function displays only those reports that match a search string for example Spy for Spyware The aster...

Page 451: ...To edit a report group follow these steps Step 1 Navigate to the Reports page as shown in Figure 21 13 Step 2 Select the report group to edit from the Group pull down list Step 3 Click Edit Group The Add Report Group dialog box appears as shown in Figure 21 14 The report group name appears in the Name field and the reports that comprise the report group appear in the lefthand pane of the dialog bo...

Page 452: ...s in the report group dropdown lists on the Report and Query pages Display Incidents Related to a Rule Group To display incidents that occur from the firing of rules in a specific rule group follow these steps Step 1 Navigate to the Incidents page Step 2 Select the rule group in the dropdown filter above the Matched Rules column as shown in Figure 21 16 The Incidents page will display only those i...

Page 453: ...p in the Load Report as On Demand Query with Filter dropdown filter as shown in Figure 21 17 Only the reports that comprise the report group can now display in the Select Report dropdown list as shown in Figure 21 18 Figure 21 17 Selecting A Report Group to Make a Query Figure 21 18 Selecting a Report Within the Report Group to Make a Query Step 3 Select the report in the secondary dropdown list T...

Page 454: ...in Figure 21 19 Step 3 Select the rule group in the dropdown list above the list of rules as shown in Figure 21 14 The list of rules will display only those rules in the selected rule group Figure 21 19 Rule Group Used to Populate Rule Criterion in Query Step 4 Click the checkboxes of the rules to include in the query Step 5 Click Add The selected items appear in the lefthand pane of the Query dia...

Page 455: ... signal transmitted to people or devices as notification that a MARS rule has fired and that an incident has been logged Alert actions can only be configured through the Action parameter of a rule An alert action determines which alert notification types are sent to which MARS user accounts or user groups MARS can transmit alerts by the methods listed in Table 22 1 ...

Page 456: ...t data from the XML file with a custom application For example you can integrate the XML data with trouble ticketing software See Appendix A Cisco Security MARS XML API Reference for further information on the MARS XML notification schema and usage guidelines MARS SMS text message notifications can be up to 160 characters in length Because the MARS SMS incident notification exceeds 160 characters ...

Page 457: ...red Rule Id 134473 Fired Rule System Rule CS MARS Database Partition Usage Incident Id 597842933 For more details about this incident please go to https MyLatest Incidents IncidentDetails jsp Incident_Id 597842933 Table 22 2 Alert Notification Procedures Alert Related Procedures Description Configure the E mail Server Settings To send Email SMS and XML notifications MARS requires that you configur...

Page 458: ...IncidentDetails jsp Incident_Id 597842933 For all recent incidents please go to https MyLatest Incidents https MyLatest cisco com Incidents https 10 2 3 7 Incidents https 192 168 1 101 Incidents Example 22 2 MARS XML Notification Email Attachment Configure the E mail Server Settings To send alert actions MARS must be configured to communicate with an e mail server To configure the e mail server se...

Page 459: ...ocedure configures alerts for pre existing rules When you create a rule the Action parameters are configured after the count number parameter Note Drop rules do not have Action parameters and cannot trigger alerts To modify or create an alert for an existing rule follow these steps Step 1 Click the RULES tab to navigate to the Inspection Rules page Step 2 Identify the Rule to configure and click t...

Page 460: ...he check boxes of the alert actions you require then click The alert action appears in the left hand area Proceed to Step 13 to complete the procedure Delete an existing alert action from MARS Click the check box of the alert action in the right hand area then click Delete A delete verification window appears Click Yes The alert action is deleted from the right hand area Proceed to Step 13 to comp...

Page 461: ...ion in the Name and Description fields If editing an existing alert you can modify the name or description Step 5 Click the check box of a notification type to select or deselect it Recipients for the notification types are as follows E mail Users or user groups can receive an e mail Page Users or user groups can receive an alpha numeric electronic page on their pagers or pager enabled mobile tele...

Page 462: ...erence Syslog Specified devices can receive syslog messages SNMP Specified devices can receive SNMP trap information Distributed Threat Mitigation For more information on this feature see Technology Preview Configuring Distributed Threat Mitigation with Intrusion Prevention System in Cisco Security MARS page 1 Note For SNMP and Syslog you must configure the receiving systems to receive notificatio...

Page 463: ...left hand area To remove items Ctrl click the items in the left hand area then click Remove The items are then deleted from the left hand area Step 8 If you are not adding a user skip to Step 9 To add a new user do the following substeps a Click Add The User Configuration page appears in a separate window as shown in Figure 22 6 b Enter the User Configuration information then click Submit You are ...

Page 464: ...u selected appear in the Action field of the rule description Note An inactive rule is made active by applying an alert action To inactivate a rule select the rule and click Change Status This ends the Configure a Rule to Send an Alert Action procedure Create a New User Role Identity Password and Notification Information To create a new MARS user complete the following steps New user accounts and ...

Page 465: ...ty Analyst has full use of the MARS except cannot access the Admin tab Step 3 Create or change the user s password if necessary Step 4 Enter the user s credentials and personal information which may include any of the following First name Last name Organization name Email address Short Message Service SMS number for example 8885551212 servprov com Work telephone number Home telephone number FAX nu...

Page 466: ...n the Provider Baudrate field enter the baud rate specified by the provider This is the baud rate the service provider requires for the specified phone number Common values are 1200 2400 4800 and 9600 Step 10 Click Submit to close the User Configuration page and return to the User Management tab This ends the Create a New User Role Identity Password and Notification Information procedure Create a ...

Page 467: ...fication and Security Analyst are system groups and cannot be edited Step 1 Navigate to the Management User Management tab Step 2 Select the User Group to edit from the Select Group dropdown list The members of the group are displayed Step 3 Click Edit Group The User Group dialog box appears Step 4 Check the users to add to the group from the list on the right hand side Click Add The checked names...

Page 468: ...22 14 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 22 Sending Alerts and Incident Notifications Add a User to a Custom User Group ...

Page 469: ...ne false positives Activating In general you need to activate changes in the Management tabs if the changes are part of a rule To activate a set of management additions or changes Step 1 When changes or additions are complete activate them by clicking Activate Figure 23 1 Clicking the Activate Button Event Management To open the Event Management sub tab click the Management Event Management tabs O...

Page 470: ...ck Search Event Groups Using and creating event groups is one of the most powerful ways to leverage rules You can take any of the events presented here group them and then use them with rules to concentrate your searches for attacks To filter by event groups or severity From the appropriate list select the group or severity Edit a Group of Events Note You can not edit system defined groups Step 1 ...

Page 471: ...evices and mitigation devices You can define assets as networks IP ranges or hosts You can also defined named variables for use within inspection rules The vulnerability assessment information that you define for a host specifically the operating system type and patch level and the known services that run on the host assists MARS in determining false positives Tip You can filter the list of object...

Page 472: ...ck Add or Remove to move highlighted items as needed Step 6 Click Submit Add a Group Step 1 Select Management IP Management The IP Management page appears Step 2 Click Add Group Step 3 In the Name field enter a name for the group Step 4 In the Available field click a group to highlight it To de highlight an item click it again Step 5 Click Add to move the selected Event Type Groups into the Chosen...

Page 473: ... to forward syslog messages using alerts A host that is discovered by the system as part of topology discovery For example when processing the ARP cache table on a Cisco Catalyst Switch A host involved in a session that at one time or another was considered suspicious such as a potential target of an attack In this case MARS will have performed a Nessus and nmap port sweep of the host to identify ...

Page 474: ...r network enter the name associated with this host NetBIOS provides name registration and resolution services MARS uses this setting to provide attack path analysis and address resolution Step 8 Add as many IP address and masks to the interface by clicking Add IP Mask Step 9 Under Enter Interface Information enter the values for the interface name IP address and network mask Step 10 If you have a ...

Page 475: ...source port destination port and protocol The Service Management page displays services and their descriptions ports and protocols On the Service Management page you can work with the services on your networks Search for a Service Step 1 Enter the text that you want to search for in the Search field Step 2 Click Search To filter by service groups From the appropriate list select the group Add a Gr...

Page 476: ...ion of MARS users user credentials are stored the MARS Appliance in SHA 1 cryptographic hash format Each MARS Appliance only has one Administrative account pnadmin This account is the only account with privileges to access the command line interface via SSH or direct console connection The User Management page allows you to manage other users and administrators of the MARS system including the rol...

Page 477: ...this role to identify users who will receive notifications such as e mail SMS or pager notifications No limit exists on the number of user accounts that can be defined in MARS While roles are system defined you can define edit and delete user groups For more information see Create a User Group page 23 12 and Add or Remove a User from a User Group page 23 12 Good security practices suggest strong p...

Page 478: ...dmins security analysts or operators Operator has read only privileges Security Analyst has full use of Local Controller except cannot access the Admin tab Step 3 Create or change the user s password if necessary Step 4 Enter the user s credentials and personal information The information can include the following First name Last name Organization name Email address Short Message Service SMS numbe...

Page 479: ... service provider Step 3 In the Provider Phone No field enter the service provider s telephone number This is the number the service provider uses for accepting alpha numeric messages using the IXO TAP protocol The format is like a regular phone number such as 18001234567 The format of 1 800 1234567 is also acceptable If dialing 9 is required to access a number outside your private branch exchange...

Page 480: ...de with Ctrl click Click Remove The selected names move to the righthand side of the dialog box Step 5 Click Submit Add or Remove a User from a User Group To add or remove a user from a custom User Group do the following steps Note Admin Operator Notification and Security Analyst are system groups and cannot be edited The user is automatically added to the User Group that corresponds to their role...

Page 481: ...uide for Cisco Security MARS Local Controller 78 17020 01 Chapter 23 Management Tab Overview User Management Filter by Groups From the Select Group list select the group Only the members of the group are displayed ...

Page 482: ...23 14 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 23 Management Tab Overview User Management ...

Page 483: ...ge the Default Password of the Administrator Account page 24 7 Understanding Certificate and Fingerprint Validation and Management page 24 7 Hardware Maintenance Tasks MARS 100 100E 200 GCM and GC page 24 11 For information about upgrading backing up and restoring data on the MARS Appliance see the following sections of the Install and Setup Guide for Cisco Security Monitoring Analysis and Respons...

Page 484: ...ul to debug an application Trace Enables trace debug information warning error and fatal logging messages Trace messages record finer grained informational events than debug messages Viewing the MARS Backend Log Files To view the appliance s log files or to change their levels or source navigate to Admin System Maintenance View Log Files Figure 24 1 Backend log viewing options You can view the app...

Page 485: ...t is available and it covers the time period you are investigating However this option is only available if you have enabled data archiving and waited the requisite time for the initial archival operation to occur it is a scheduled operation that runs nightly around 2 00 a m Once the initial archive is performed the event data is written to the archive server frequently often within 5 to 8 minutes...

Page 486: ...dentified under Admin System Maintenance Data Archiving Step 4 Click Submit Note While MARS is generating your files you can still use the system for other tasks Result The Retrieving Progress 0 screen appears When the operation is complete the Raw Message Files screen appears identifying a new Gzip archive file with a filename based on specified time range Step 5 To download and view the generate...

Page 487: ...eve Raw Messages From a Local Controller Use this selection if archiving is not enabled or if you need to view event data that was received within the past hour To retrieve event data from the Local Controller follow these steps Step 1 Click Admin System Maintenance Retrieve Raw Messages Figure 24 3 Retrive Raw Messages Page 4 2 x Step 2 Specify the time range by specifying values in the Start and...

Page 488: ...r of event files to be generated for this query Note Requesting large numbers of files can take some time Step 7 Select the list of devices for which you want to pull event data in the Reporting Devices list You can select a specific device by name or All Devices Step 8 Click Submit Note While MARS is generating your files you can still use the system for other tasks Result The Retrieving Progress...

Page 489: ...ult password and setup administrator notification follow these steps Step 1 Click the Management User Management tab Step 2 Check the box next to Administrator and click Edit Step 3 Enter the new Administrator password and the Administrator e mail address Step 4 Click Submit Understanding Certificate and Fingerprint Validation and Management Many reporting devices use certificates or fingerprints ...

Page 490: ...ssion times out before administrative intervention the communication fails but no internal system log is generated to record the failure to accept the changed certificate or fingerprint Also if a back end process initiates the request such as auto discovery then the session attempt always fails and no attempt to obtain administrative acceptance is initiated In such cases any data the MARS Applianc...

Page 491: ...ept Accept first time and prompt when changed Always prompt on new and changed For details on these options see Understanding Certificate and Fingerprint Validation and Management page 24 7 Step 4 Click Submit Upgrading from an Expired Certificate or Fingerprint If you have selected a global response option other than Automatically always accept see Setting the Global Certificate and Fingerprint R...

Page 492: ... Setup Security and Monitor Devices page for which MARS has detected a certificate conflict and click Edit Step 3 Click Test Connectivity The dialog box displays stating Do you want to accept following certificate for the device named device_name Step 4 Verify the certificate value Step 5 If the value is correct click Yes Upgrade a Fingerprint Manually A manual upgrade allows you to upgrade any fi...

Page 493: ...CS MARS Failure Saving Certificates Fingerprints Activity CS MARS Device Connectivity Errors Hardware Maintenance Tasks MARS 100 100E 200 GCM and GC Replacing the Lithium Cell CMOS Battery This section pertains only to the MARS 100 100E 200 GCM and GC appliances Note Take proper electrostatic discharge ESD measures before physically touching the appliance If the CMOS battery needs replacement foll...

Page 494: ...icates that the drive is functioning normally A blinking orange light indicates that the drive is performing I O operations No light indicates that the disk has no power Partition Checking The appliance automatically runs checks on different partitions of the hard drive after the system has been re booted 25 to 30 times or if the appliance has not been re booted in 180 days Hotswapping Hard Drives...

Page 495: ...ves in total A subunit always comprises the same two hard drive slots For instance a MARS 110 or GC2 will always have the same pairings in a subunit Slots 0 and 1 physical hard drive pairings Rebuilding a Degraded Array Either drive in a subunit can serve in place of its partner should either drive become degraded unavailable physically inoperative or data corrupted A physical drive degraded but s...

Page 496: ... OF PORTS 8 PORT 0 WDC WD2500JB 19GVA0 WD WCAL73129135 232 88 GB 488397168 BLOCKS OK UNIT 0 PORT 1 WDC WD2500JB 19GVA0 WD WCAL73291174 232 88 GB 488397168 BLOCKS OK UNIT 0 PORT 2 WDC WD2500JB 19GVA0 WD WCAL73157538 232 88 GB 488397168 BLOCKS OK NO UNIT PORT 3 WDC WD2500JB 98GVA0 WD WMAL72243570 232 88 GB 488397168 BLOCKS OK UNIT 0 PORT 4 WDC WD2500JB 00GVA0 WD WCAL73883655 232 88 GB 488397168 BLOC...

Page 497: ...array OK The array and subunits are in good order and operating at optimal efficiency Rebuilding A subunit is being rebuilt Array efficiency is not yet optimal Degraded At least one physical disk in the array cannot be accessed OF UNITS 1 UNIT 0 RAID 10 931 54 GB 1953580032 BLOCKS REBUILDING 75 Units Indicates the number of virtual drives the entire RAID configuration represents In this case the a...

Page 498: ...oes not appear for that port Table 24 2 lists how hard drive bays map to the port numbers SUBUNIT 1 RAID 1 REBUILDING 1 SUBUNIT 0 CBOD DEGRADED PHYSICAL PORT 6 LOGICAL PORT 0 SUBUNIT 1 CBOD OK PHYSICAL PORT 3 LOGICAL PORT 1 A MARS RAID 10 configuration comprises multiple RAID 1 subunits each RAID 1 subunit configured with two drives The MARS 100 and 100e appliances have subunits numbered 0 1 and 2...

Page 499: ...ce Storage Capacity1 1 The stated storage capacity is the sum of the rated capacity of all the hard drives and does reflect bytes reserved for the RAID overhead on each drive Hard Drive Slot to Port Number MARS 100e 100 750 GB RAID 10 6 x 250 GB Drives Hot swappable Slot 6 is Port 0 Slot 5 is Port 1 Slot 4 is Port 2 Slot 3 is Port 3 Slot 2 is Port 4 Slot 1 is Port 5 MARS 200 GC GCM 1 TB RAID 10 8 ...

Page 500: ...nter hotswap remove disk where disk is the hard drive slot number of the hard drive to remove A message informs you that it is safe to remove the hard drive Note Make sure that you remove the correct physical hard drive If you remove the wrong one accidently then reinsert it that drive will register as a degraded drive Step 3 Unlock the MARS drive bay door with the supplied key Note A ring with tw...

Page 501: ...ertains only to the MARS 100 100E 200 GCM and GC appliances The following CLI output example hotswaps a hard drive in drive slot 6 port 2 of a MARS 200 Physical port 2 remains degraded until RAID subunit 2 is rebuilt Example 24 2 Hotswap Procedure CLI Output Example pnadmin hotswap remove 6 removing port c0 p2 Done Disk 6 can now be safely removed from the system pnadmin hotswap add 6 rescanning c...

Page 502: ... Status REBUILDING Unit Type RAID 10 Stripe Size 64k Size 931 54 GB 1953580032 blocks of subunits 4 Subunit 0 RAID 1 OK Subunit 0 CBOD OK Physical Port 7 Logical Port 0 Subunit 1 CBOD OK Physical Port 4 Logical Port 1 Subunit 1 RAID 1 OK Subunit 0 CBOD OK Physical Port 6 Logical Port 0 Subunit 1 CBOD OK Physical Port 3 Logical Port 1 Subunit 2 RAID 1 REBUILDING 6 Subunit 0 CBOD OK Physical Port 5 ...

Page 503: ... operation Step 1 Establish a direct console connection to MARS with a keyboard and an external monitor Note You can access the RAID utility only with a direct console connection Step 2 Reboot the MARS Appliance Press Alt 3 to access the RAID utility when the following message appears Press Alt 3 to access 3ware Configuration Screen The 3ware Disk Array Configuration utility RAID Utility home scre...

Page 504: ...es Perform this procedure when a hotswap attempt and the RAID Utility Rebuild procedure have failed Step 1 Insert the replacement drive into the hard drive slot Step 2 Establish a direct console connection to MARS with a keyboard and an external monitor Note You can access the RAID Utility only with a direct console connection Step 3 Reboot the MARS Appliance Press Alt 3 to access the RAID utility...

Page 505: ...erify the following conditions The full complement of ports are reported All RAID 0 subunits are shown as OK or REBUILDING All RAID 1 subunits are OK A degraded physical port at this stage can indicate a defective hard drive and improperly inserted hard drive a loose hard drive cable connection or a defective RAID controller card An array that has not completed rebuilding in two hours could indica...

Page 506: ...rives available for inclusion in an array Step 8 Select all of the drives To select a drive move the cursor over a drive and press Enter An asterisk in the leftmost column indicates the drive is selected Step 9 Select Create Array and press Enter The RAID configuration options appear Step 10 Select the following RAID options RAID Configuration 10 Write Cache Status disable Stripe Size 64 KB Step 1...

Page 507: ...8 17020 01 Chapter 24 System Maintenance Hardware Maintenance Tasks MARS 100 100E 200 GCM and GC An array that has not completed rebuilding in two hours could indicate a defective RAID controller card This ends the Delete and Create the RAID 10 Array procedure ...

Page 508: ...24 26 User Guide for Cisco Security MARS Local Controller 78 17020 01 Chapter 24 System Maintenance Hardware Maintenance Tasks MARS 100 100E 200 GCM and GC ...

Page 509: ...ts resources for XML development XML Incident Notification Data File and Schema XML incident notification sends an email notification of an incident with an attached XML data file The XML data file contains all incident details that can be viewed on the GUI except for Path Mitigation data The XML data file can be sent as a plain text file or as a compressed gzip file The filename is constructed wi...

Page 510: ...stination ipaddress 248 64 35 88 SourcePort 15330 SourcePort DestinationPort 3890 DestinationPort Protocol 6 Protocol SessionEndPoints Event id 286914062 EventType id 1135 TimeStamp May 23 2007 8 13 09 AM PDT TimeStamp ReportingDevice id 128783 RawMessage Wed May 23 08 13 09 2007 lt 134 gt PIX 2 106001 Inbound TCP connection denied from 10 3 50 200 15330 to 248 64 35 88 3890 flags FIN on interface...

Page 511: ...ts Source ipaddress 10 3 50 200 Destination ipaddress 248 64 35 88 SourcePort 15330 SourcePort DestinationPort 3890 DestinationPort Protocol 6 Protocol EventEndPoints NATtedEndPoints Source ipaddress 10 3 50 200 Destination ipaddress 248 64 35 88 SourcePort 15330 SourcePort DestinationPort 3890 DestinationPort Protocol 6 Protocol NATtedEndPoints FiringEventFlag false FiringEventFlag Event Session ...

Page 512: ...tcp connection spoof from 10 3 50 200 to 133 67 205 96 on interface inside RawMessage FalsePositiveType NOT_AVAILABLE FalsePositiveType EventEndPoints Source ipaddress 10 3 50 200 Destination ipaddress 133 67 205 96 SourcePort 0 SourcePort DestinationPort 0 DestinationPort Protocol 6 Protocol EventEndPoints NATtedEndPoints Source ipaddress 10 3 50 200 Destination ipaddress 133 67 205 96 SourcePort...

Page 513: ...969 4 00 00 PM PST EndTime UpdateTime Dec 31 1969 4 00 00 PM PST UpdateTime DynamicInfo NetworkAddressObj NetworkAddressObj id 1766489909 IPAddress 105 74 127 53 IPAddress MAC DNSName DynamicInfo HostName MACAddress AAAUser EnforcementDeviceAndPort ReportingDevice StartTime Dec 31 1969 4 00 00 PM PST StartTime EndTime Dec 31 1969 4 00 00 PM PST EndTime UpdateTime Dec 31 1969 4 00 00 PM PST UpdateT...

Page 514: ...ication of your choice or view components their relationships constraints attributes annotations and usage guidelines within your XML development environment MARS uses a best effort approach to create XML incident notification data If an error occurs during data compilation MARS does not stop the process but sends the data even if it is partial Validating the data file against the schema would res...

Page 515: ...Atomic Grouping and Possessive Quantifiers page B 14 Back References page B 15 Assertions page B 16 Conditional Subpatterns page B 19 Comments page B 20 Recursive Patterns page B 20 Subpatterns as Subroutines page B 21 Callouts page B 22 PCRE Regular Expression Details The syntax and semantics of the regular expressions supported by PCRE are described below Regular expressions are also described i...

Page 516: ... square brackets the metacharacters are as follows general escape character with several uses assert start of string or line in multiline mode assert end of string or line in multiline mode match any character except newline by default start character class definition start of alternative branch start subpattern end subpattern extends the meaning of also 0 or 1 quantifier also quantifier minimizer...

Page 517: ...x 07 cx control x where x is any character e escape hex 1B f formfeed hex 0C n newline hex 0A r carriage return hex 0D t tab hex 09 ddd character with octal code ddd or backreference xhh character with hex code hh x hhh character with hex code hhh UTF 8 mode only The precise effect of cx is as follows if x is a lower case letter it is converted to upper case Then bit 6 of the character hex 40 is i...

Page 518: ...ference or a binary zero followed by the two characters 8 and 1 Note that octal values of 100 or greater must not be introduced by a leading zero because no more than three octal digits are ever read All the sequences that define a single byte value or a single UTF 8 character in UTF 8 mode can be used both inside and outside character classes In addition inside a character class the sequence b is...

Page 519: ...ted They are p xx a character with the xx property P xx a character without the xx property X an extended Unicode sequence The property names represented by xx above are limited to the Unicode general category properties Each character has exactly one such property specified by a two letter abbreviation For compatibility with Perl negation can be specified by including a circumflex between the ope...

Page 520: ...e traditional escape sequences such as d and w do not use Unicode properties in PCRE Simple Assertions The fourth use of backslash is for certain simple assertions An assertion specifies a condition that has to be met at a particular point in a match without consuming any characters from the subject string The use of subpatterns for more complicated assertions is described below The backslashed as...

Page 521: ... and Character Classes page B 8 and Posix Character Classes page B 9 Circumflex need not be the first character of the pattern if a number of alternatives are involved but it should be the first thing in each alternative in which it appears if the pattern is ever to match that branch If all possible alternatives start with a circumflex that is if the pattern is constrained to match only at the sta...

Page 522: ...r in the class after an initial circumflex if present or escaped with a backslash A character class matches a single character in the subject In UTF 8 mode the character may occupy more than one byte A matched character must be in the set of characters defined by the class unless the first character in the class definition is a circumflex in which case the subject character must not be in the set ...

Page 523: ...haracters in both cases In UTF 8 mode PCRE supports the concept of case for characters with values greater than 128 only when it is compiled with Unicode property support The character types d D p P s S w and W may also appear in a character class and add the characters that they match to the class For example dABCDEF matches any hexadecimal digit A circumflex can conveniently be used with the upp...

Page 524: ...m left to right and the first one that succeeds is used If the alternatives are within a subpattern defined below succeeds means matching the rest of the main pattern as well as the alternative in the subpattern Internal Option Setting The settings of the PCRE_CASELESS PCRE_MULTILINE PCRE_DOTALL and PCRE_EXTENDED options can be changed from within the pattern by a sequence of Perl option letters e...

Page 525: ...parentheses it would match cataract erpillar or the empty string Step 2 It sets up the subpattern as a capturing subpattern This means that when the whole pattern matches that portion of the subject string that matched the subpattern is passed back to the caller via the ovector argument of pcre_exec Opening parentheses are counted from left to right starting from 1 to obtain numbers for the captur...

Page 526: ...name For further details see the pcreapi documentation Repetition Repetition is specified by quantifiers which can follow any of the following items a literal data character the metacharacter the C escape sequence the X escape sequence in UTF 8 mode with Unicode properties an escape such as d that matches a single character a character class a back reference see next section a parenthesized subpat...

Page 527: ... characters the loop is forcibly broken By default the quantifiers are greedy that is they match as much as possible up to the maximum number of permitted times without causing the rest of the pattern to fail The classic example of where this gives problems is in trying to match comments in C programs These appear between and and within the comment individual and characters may appear An attempt t...

Page 528: ...y anchored When a capturing subpattern is repeated the value captured is the substring that matched the final iteration For example after tweedle dume 3 s has matched tweedledum tweedledee the value of the captured substring is tweedledee However if there are nested capturing subpatterns the corresponding captured values may have been set in previous iterations For example after a b matches aba th...

Page 529: ... the simpler forms of atomic group However there is no difference in the meaning or processing of a possessive quantifier and the equivalent atomic group The possessive quantifier syntax is an extension to the Perl syntax It originates in Sun s Java package When a pattern contains an unlimited repeat inside a subpattern that can itself be repeated an unlimited number of times the use of an atomic ...

Page 530: ...ere may be more than one back reference to the same subpattern If a subpattern has not actually been used in a particular match any back references to it always fail For example the pattern a bc 2 always fails if it starts to match a rather than bc Because there may be many capturing parentheses in a pattern all digits following the backslash are taken as part of a potential back reference number ...

Page 531: ... foo that is not followed by bar Note that the apparently similar pattern foo bar does not find an occurrence of bar that is preceded by something other than foo it finds any occurrence of bar whatsoever because the assertion foo is always true when the next three characters are bar A lookbehind assertion is needed to achieve the other effect If you want to force a matching failure at some point i...

Page 532: ...hes the rest of the pattern If the pattern is specified as abcd the initial matches the entire string at first but when this fails because there is no following a it backtracks to match all but the last character then all but the last two characters and so on Once again the search for a covers the entire string from right to left so we are no better off However if the pattern is written as abcd or...

Page 533: ...dition is satisfied if the capturing subpattern of that number has previously matched The number must be greater than zero Consider the following pattern which contains non significant white space to make it more readable assume the PCRE_EXTENDED option and to divide it into three parts for ease of discussion 1 The first part matches an optional opening parenthesis and if that character is present...

Page 534: ...des a facility that allows regular expressions to recurse amongst other things It does this by interpolating Perl code in the expression at run time and the code can refer to the expression itself A Perl pattern to solve the parentheses problem can be created like this re qr p re x The p item interpolates Perl code at run time and in this case refers recursively to the pattern in which it appears ...

Page 535: ...ubpattern value is set If you want to obtain intermediate values a callout function can be used see Subpatterns as Subroutines page B 21 and the pcrecallout documentation If the pattern above is matched against ab cd ef the value for the capturing parentheses is ef which is the last value taken on at the top level If additional parentheses are added giving R the string they capture is ab cd ef the...

Page 536: ...ry point in the global variable pcre_callout By default this variable contains NULL which disables all calling out Within a regular expression C indicates the points at which the external function is to be called If you want to identify different callout points you can put a number less than 256 after the letter C The default value is zero For example this pattern has two callout points C1 dabc C2...

Page 537: ...string The strptime function processes the input string from left to right Each of the three possible input elements whitespace literal or format are handled one after the other If the input cannot be matched to the format string the function stops The remainder of the format and input strings are not processed The supported input field descriptors are listed below In case a text string such as a ...

Page 538: ...ndefined R Equivalent to H M S The second 0 60 60 may occur for leap seconds earlier also 61 was allowed T Equivalent to H M S U The week number with Sunday the first day of the week 0 53 The first Sunday of January is the first day of week 1 w The weekday number 0 6 with Sunday 0 W The week number with Monday the first day of the week 0 53 The first Monday of January is the first day of week 1 x ...

Page 539: ...entation EX The locale s alternative time representation Ey The offset from EC year only in the locale s alternative representation EY The full alternative year representation The O modifier specifies that the numerical input may be in an alternative locale dependent format Od or Oe The day of the month using the locale s alternative numeric symbols leading zeros are permitted but not required OH ...

Page 540: ...of the week as a decimal number 1 7 where Monday 1 V The ISO 8601 1988 week number as a decimal number 1 53 If the week starting on Monday containing 1 January has four or more days in the new year then it is considered week 1 Otherwise it is the last week of the previous year and the next week is week 1 z An RFC 822 ISO 8601 standard time zone specification Z The timezone name Similarly because o...

Page 541: ... be left by an attacker on a compromised host to maintain future remote access System Rule Backdoor Connect This correlation rule detects a connection to a backdoor server or a response from a backdoor server in your network there may or may not be any follow up activity on the destination host Backdoors e g Rootkits Trojan Horse programs and command shells provide extensive remote control of a ho...

Page 542: ...ows vulnerability as described in Microsoft Security Bulletin MS04 011 System Rule Client Exploit Success Likely This correlation rule detects a client workstation exploit followed by the client performing anomalous activities Client exploits include download of dynamically executable content via Web or email web requests containing scripts client side exploits via protocols such as IRC DHCP DNS P...

Page 543: ...reporting high utilization excessive scans or denies in the network etc This may indicate that the network is under denial of service attack System Rule DoS Network Device Attempt This correlation rule detects attacks on network devices such as switches routers firewalls along with relevant reconnaissance activity that may have preceded these attacks Such attacks if successful can crash the networ...

Page 544: ...lation rule detects replay attacks on a host preceded by reconnaissance attempts to that host if any Successful replay attacks may allow the attacker to gain access by bypassing authentication System Rule Misc Attacks Session Hijacking This correlation rule detects attempts to hijack a TCP connection to that host preceded by reconnaissance attempts to that host if any System Rule Misc Attacks TCP ...

Page 545: ...r host to a particular destination port This is a typical behavior of a compromised host looking to exploit hosts with a specififc vulnerability System Rule Network Activity Excessive IRC This correlation rule detects excessive Internet relay Chat IRC connections from the same source this indicates that a Remote Admin Trojan RAT is likely running on the source and is likely compromised System Rule...

Page 546: ... System Rule Operational Issue Firewall This rule detects operational errors e g bad network connectivity failover errors internal software hardware errors reported by a firewall this may indicate that the firewall is not functioning properly System Rule Operational Issue IDS This rule detects operational errors reported by a intrusion detection system IDS this may indicate that the device is not ...

Page 547: ... authenticating to a particular application These attempts can be optionally preceded by reconnaissance attempts Authentication failures may sometimes be caused by a user forgetting the password The applications covered by this rule exclude common ones such as Mail FTP SSH Telnet SNMP Network File Print share for which there are special rules System Rule Password Attack Network Share Attempt This ...

Page 548: ...cating to that host The password attack may be preceded by reconnaissance attacks to the host Authentication failures may sometimes be caused by a user forgetting the password System Rule Password Attack Web Server Attempt This correlation rule detects a password guessing attack to a Web server preceded by reconnaissance attacks to the host if any A password guessing attack consists of multiple lo...

Page 549: ...nning the Cisco Trust Agent CTA software and requires an out of band audit by an audit server to move it out of TRANSITION state to any one of HEALTHY INFECTED QUARANTINE CHECKUP or UNKNOWN states A host in a TRANSITION state is likely to have limited or no network access System Rule Security Posture Audit Server Issue Single Host This rule detects excessive number of logs indicating audit server ...

Page 550: ...m Rule Server Attack Database Attempt This correlation rule detects attacks on a database server preceded by reconnaissance attempts targeted to that host if any The attacks include buffer overflows denial of service attempts SQL Injection and other remote command execution attempts using database server privileges System Rule Server Attack Database Success Likely This correlation rule detects spe...

Page 551: ... remote command execution attempts privilege escalation attempts to become root denial of service attempts etc System Rule Server Attack Mail Success Likely This correlation rule detects specific attacks on mail services SMTP POP IMAP on a host followed by suspicious activity on the targeted host Suspicious activity may include the host scanning the network creating excessive firewall deny traffic...

Page 552: ...ted to that host if any The attacks include buffer overflows privilege escalation attempts to become root etc System Rule Server Attack SNMP Success Likely This correlation rule detects specific attacks on SNMP implementation on a host followed by suspicious activity on the targeted host Suspicious activity may include the host scanning the network creating excessive firewall deny traffic a backdo...

Page 553: ...orrelation rule detects worm propagation via means such as SMTP TFTP and network shares accompanied by suspicious follow up activity at the target destination host Suspicious follow up activity may include the host scanning the network creating excessive firewall deny traffic a backdoor opening up at the server etc List of System Reports This topic defines the complete list of system reports issue...

Page 554: ...ecause of policy misconfiguration on the AAA server or wrong user credentials Activity AAA Failed Auth Top NADs This report ranks the Network Access Devices NADs based on failed AAA authentications This report covers the following cases regular AAA auth 802 1x auth L2 IP and L3 IP auth L2 802 1x auth An authentication may fail because of policy misconfiguration on the AAA server or wrong user cred...

Page 555: ...e groups give a general feeling about the type of network activity reported to MARS Activity All Top Event Type Groups Activity All Top Event Type Groups Activity All Top Event Types This report ranks the event types of all events seen by MARS over the past hour This report is used by pages in the Summary tab Activity All Top Event Types Activity All Top Event Types Activity All Top Reporting Devi...

Page 556: ...Bytes Activity All Sessions Top Destinations by Bytes Activity Attacks Prevented Top Reporting Devices This report ranks security devices by the number of attacks prevented Activity Attacks Prevented Top Reporting Devices Activity Attacks Prevented Top Reporting Devices Activity Attacks Seen Top Event Types This report ranks the top attack event types Activity Attacks Seen Top Event Types Activity...

Page 557: ...ns from CS MARS Activity Database Login Failures All Events This report lists the event details for all database login failure events Activity Database Login Failures All Events Activity Database Login Failures All Events Activity Database Login Failures Top Servers This report ranks the database servers by the number of login failures Activity Database Login Failures Top Servers Activity Database...

Page 558: ...tions Activity Database Object Modification Successes Top Users Activity Database Object Modification Successes Top Users Activity Database Privileged Command Failures All Events This report lists event details for all privileged database command execution failures Activity Database Privileged Command Failures All Events Activity Database Privileged Command Failures All Events Activity Database Pr...

Page 559: ...ivity Database User Group Change Failures All Events Activity Database User Group Change Failures All Events Activity Database User Group Change Failures Top Users This report ranks the users by the number of failed database user group modification attempts Activity Database User Group Change Failures Top Users Activity Database User Group Change Failures Top Users Activity Database User Group Cha...

Page 560: ...op Users Activity Host Login Failures Top Users Activity Host Login Success All Events This report details all host login success event details Activity Host Login Success All Events Activity Host Login Success All Events Activity Host Login Success Top Host This report ranks hosts by successful logins Activity Host Login Success Top Host Activity Host Login Success Top Host Activity Host Object A...

Page 561: ...e events signalling Microsoft Windows registry changes Activity Host Registry Changes All Events Activity Host Registry Changes All Events Activity Host Registry Changes Top Host This report ranks hosts by the number of Microsoft Windows registry changes reported Activity Host Registry Changes Top Host Activity Host Registry Changes Top Host Activity Host Security Policy Changes All Events This re...

Page 562: ...DTM Successful Signature Tuning All Events This report lists all successful IOS IPS signature download activities both adition and deletion CS MARS Distributed Threat Mitigation DTM turns on ACTIVE IPS signatures on IOS routers Activity IOS IPS DTM Successful Signature Tuning All Events This report lists all successful IOS IPS signature download activities both adition and deletion CS MARS Distrib...

Page 563: ...s all destinations Cisco IOS IPS devices and IPS appliances to which Cisco Incident Control Server has deployed new ACLs and signatures in respond to a new virus worm malware outbreak Activity New Malware Traffic Match All Events This report details the traffic sources and the enforcing devices that match the ACLs and signatures deployed by the Cisco Incident Control Server in response to a newly ...

Page 564: ...onal Top Sources This report ranks the source addesses involved in recreational activities such as games adult web sites stock sites etc Activity Recreational Top Sources Activity Recreational Top Sources Activity Remote Access Login All Events This report details of remote access login events IPSec SSLVPN PPP L2TP etc Activity Remote Access Login All Events This report details of remote access lo...

Page 565: ...s assigned by each of them Activity Security Posture NAC Top NADs and Tokens This report displays the Network Access Devices NADs handling Network Admission Control transcations along with the tokens assigned by each of them Activity Security Posture NAC Top NADs This report ranks the network access devices NADs handling Network Admission Control transcations Activity Security Posture NAC Top NADs...

Page 566: ...ity Posture NAC Agentless Top Tokens This report captures the distribution of NAC tokens for end hosts that do not have Cisco Trust Agent CTA software In this case the posture validation is done either locally by the Network Access Device or via the Audit Server The possible NAC tokens values in this report are HEALTHY CHECKUP I Activity Security Posture NAC Audit Server Issues All Events This rep...

Page 567: ...tokens values in this report are HEALTHY CHECKUP INFECTED QUARANTINE UNKNOWN The TRANSITION token is excluded since it is an intermediate state Activity Security Posture NAC L2IP Top Tokens This report captures the distribution of NAC tokens for end hosts that use Layer 2 IP method to validate their posture The possible NAC tokens values in this report are HEALTHY CHECKUP INFECTED QUARANTINE UNKNO...

Page 568: ... hosts may need DAT file updates the QUARANTINE hosts must do DAT file updates before network access and the INFECTED hosts must be remediated before network access Activity Security Posture Not Healthy All Events This report lists the detailed events for users whose security posture is not up to date ie in either a CHECKUP QUARANTINE or INFECTED state The software on these hosts need to be upgrad...

Page 569: ... ICMP traffic non standard traffic on standard port tunneled traffic etc Activity Unknown Events All Events This report tracks the events that are unknown to MARS Activity Unknown Events All Events Activity Unknown Events All Events Activity Virus Worms Top Event Types This report ranks the events that detect virus or worm activity in the network Activity Virus Worms Top Event Types Activity Virus...

Page 570: ...esses based on web use Activity Web Usage Top Sources Activity Web Usage Top Sources Attacks All All Events This event details details event type destination source for all attack events Attacks All All Events This event details details event type destination source for all attack events Attacks All Top Destinations This report ranks hosts by the number of attacks targetted at each host Attacks Al...

Page 571: ...he past hour Attacks Identity Spoofing Top Event Types Attacks Identity Spoofing Top Event Types Attacks Login Services Top Event Types This report ranks attacks on servers providing login services and remote shells Examples include Telnet SSH and Berkeley r protocols Attacks Login Services Top Event Types Attacks Login Services Top Event Types Attacks Mail Server Top Event Types This report ranks...

Page 572: ...the hosts are specifically configured to disallow access at these hours Attacks Password Restricted Times All Events Attacks Password Restricted Times All Events Attacks RPC Services Top Event Types This report ranks attacks on RPC based applications Attacks RPC Services Top Event Types Attacks RPC Services Top Event Types Attacks SANS Top 20 Top Event Types This report ranks the attacks that have...

Page 573: ...by OS or Host IDS agents Configuration Changes Server All Events This event details all configuration changes on hosts reported by OS or Host IDS agents Configuration Changes Server Top Event Types This report summarizes configuration changes to servers over the past hour Configuration Changes Server Top Event Types Configuration Changes Server Top Event Types Configuration Changes Server Top Repo...

Page 574: ...Report Detailed NAC Report Detailed NAC Report Detailed NAC Report Operational Issues Network All Events This report lists details about all operational issues on network devices Operational Issues Network All Events This report lists details about all operational issues on network devices Operational Issues Network Top Reporting Devices This report summarizes the events that may indicate operatio...

Page 575: ...s IOS IPS routers that are running low on memory for CS MARS Distributed Threat Mitigation DTM Because of low memory CS MARS may not be able to download and activate the complete set of ACTIVE IPS signatures to IOS IPS devices Resource Issues Network All Events This report lists event details for all events related to resource issues on network devices such as IDS routers firewalls etc Resource Is...

Page 576: ...ks the CPU utilization of the devices managed by PN MARS Resource Utilization CPU Top Devices Resource Utilization CPU Top Devices Resource Utilization CS MARS All Events This report lists event details for all events related to CS MARS resource utilization e g database partitions etc Resource Utilization CS MARS All Events This report lists event details for all events related to CS MARS resource...

Page 577: ...ion and mitigation enter access information Activate Making changes or edits known to the MARS after submitting changes D Devices The hosts and reporting devices present in the system Discovery The act of identifying either automatically or manually devices in networks Dynamic Vulnerability Scanning The MARS STM probes selected networks and their components for vulnerabilities E Event A security e...

Page 578: ...guration O Offset The offset of a firing event is the line number of the rule criteria that this firing event matches P Pre NAT Source Address Session endpoints Post NAT Source Address The source as appearing at the destination Post NAT Destination Address Session endpoints Pre NAT Destination Address The destination as appearing at the source Q Query A user defined request to the database for inf...

Page 579: ...ng devices to reconstruct the occurrence of a session Sessionizing takes two forms reconstructing a session oriented protocol such as TCP where the initial handshake and the session tear down and reconstructing a sessionless protocol such as UDP where the initial start and session end times are defined more based on first and last packets tracked within a restricted time period In other words pack...

Page 580: ...Glossary GL 4 User Guide for Cisco Security MARS Local Controller 78 17020 01 ...

Page 581: ... 21 19 pager number 22 11 23 11 seed file 2 20 service 23 8 user 22 10 23 9 user group 23 12 adding IP groups 23 4 adding service provider 22 11 23 11 admin roles see user management 23 9 Adobe SVG 17 10 alert action 21 15 Distributed Threat Management 21 15 Email 21 15 NONE 21 15 Page 21 15 SMS 21 15 SNMP 21 15 Syslog 21 15 alerts 22 1 all matching event raw messages 20 7 all matching events 20 7...

Page 582: ...t logs studied by MARS 14 1 Cisco Secure ACS MARS agent 14 7 Cisco Secure ACS NAC support 14 1 Cisco Secure ACS representing in MARS 14 12 Cisco Secure ACS sever support 14 2 Cisco Secure ACS solution engine support 14 2 Cisco Secure ACS supported versions 14 1 Cisco Secure ACS TACACS command authorization 14 7 Collapse All 19 5 columns seed file 2 22 Common Vulneratbilities and Exposures 23 2 com...

Page 583: ...og changing pulling time interval for Windows 10 11 event management 23 1 editing 23 2 Event Type 19 3 event type group ranking 20 6 event type ranking 20 5 Expand All 19 5 expired certificate 24 9 F false positive system determined 19 8 unconfirmed 19 8 user confirmed false positive 19 8 positive 19 8 false positives tuning 19 5 fingerprint validation 24 7 H hardware maintenance MARS 100 100E 200...

Page 584: ... 23 7 user 23 8 MARS audit trail 24 3 log files 24 2 matched incident ranking 20 7 Matched Rule 19 3 matched rule ranking 20 7 Microsoft Windows host bootstrap 10 4 mitigate 19 5 mitigation policy suggested content 1 1 monitoring policy suggested content 1 1 N NAC AAA server support 14 1 NAT connection report 20 7 NetFllow enable processing 2 34 NetFlow 2 30 configuration 2 30 Global NetFlow UPD P...

Page 585: ...blic networks 2 38 Q queries action ANY 20 12 actions 20 12 destination IP 20 11 ANY 20 11 devices 20 11 IP addresses 20 11 IP ranges 20 11 networks 20 11 post NAT destination addresses 20 11 pre NAT destination addresses 20 11 devices 20 11 display format all matching event raw messages 20 7 all matching events 20 7 all matching sessions 20 7 destination IP address ranking 20 6 destination rankin...

Page 586: ... pre NAT source addresses 20 10 variables 20 10 time range last 20 8 start and end times 20 8 zone 20 12 query display format 20 5 reporting device ranking 2 27 Query page 20 1 R rank by 20 7 bytes transmitted 20 8 incident count 20 8 session count 20 7 time 20 8 raw messages retrieve from local controller database 24 5 retrieving from archive server 24 3 remediation policy suggested content 1 1 r...

Page 587: ...dresses 21 7 IP ranges 21 7 Network Groups 21 7 networks 21 7 variables 21 7 runtime logging 24 1 S scheduling discovery 2 39 security contexts add discovered 4 12 define reporting options 4 13 make MARS aware of 4 11 security policies objectives of 1 1 security policy suggested content 1 1 see CVE 23 2 seed file CSV file 2 20 loading 2 24 service adding 23 8 deleting 23 8 editing 23 8 editing gro...

Page 588: ...19 5 Time 19 3 time ranges incidents 19 4 Topology toggle device display 17 12 traffic flows identify and enable 1 4 16 8 troubleshoot cannot add device 2 19 troubleshoot cannot re add device 2 19 tuning false positives 19 5 19 9 U unconfirmed false positive type 19 8 unknown event report 20 7 use only firing events 20 8 user adding 22 10 23 9 editing 23 12 removing 23 12 user confirmed false posi...

Reviews:

No comments

Related manuals for CS-MARS-20-K9 - Security MARS 20

UNITED 7700 Series Maintenance & Operation Manual preview
7700 Series
Brand: UNITED Pages: 8
3Ware 7000-2 - Escalade RAID Controller Features preview
7000-2 - Escalade RAID Controller
Brand: 3Ware Pages: 2
4 Moms Origami 4M-006-01 Instruction Manual preview
Origami 4M-006-01
Brand: 4 Moms Pages: 28
Dakota Digital BIM-17-2 Manual preview
BIM-17-2
Brand: Dakota Digital Pages: 6
Dakota Digital CMD-2000 Series Manual preview
CMD-2000 Series
Brand: Dakota Digital Pages: 10
Z-Wave RC-100 Quick Setup Manual preview
RC-100
Brand: Z-Wave Pages: 6
Ebyte E180-Z5812SP Product Manual preview
E180-Z5812SP
Brand: Ebyte Pages: 35
Garmin TR-1 Gold Installation Instructions preview
TR-1 Gold
Brand: Garmin Pages: 4
Walimex Pro Excellence Instruction Manual preview
Excellence
Brand: Walimex Pro Pages: 68
VAT 670 Series Installation, Operating, & Maintenance Instructions preview
670 Series
Brand: VAT Pages: 39
Samson 3730-6 Mounting And Operating Instructions preview
3730-6
Brand: Samson Pages: 124
Samson TROVIS 5500 Operating Instructions Manual preview
TROVIS 5500
Brand: Samson Pages: 86
VAC V100 Troubleshooting Manual preview
V100
Brand: VAC Pages: 5
T&D TR7 Series Safety Precautions And Instructions preview
TR7 Series
Brand: T&D Pages: 2
T&S B-0107 Installation And Maintenance Instructions preview
B-0107
Brand: T&S Pages: 5
VAT 264 Series Installation, Operating, & Maintenance Instructions preview
264 Series
Brand: VAT Pages: 26
Watts FEBCO 860 Small Series Installation Maintenance Repair Manual preview
FEBCO 860 Small Series
Brand: Watts Pages: 12
Bardiani Valvole BBZS5 Instruction, Use And Maintenance Manual preview
BBZS5
Brand: Bardiani Valvole Pages: 54

Brands by name

Popular brands

Load more brands