Add a Host

Within MARS, a host is manually or automatically defined as the result of one of the following options: a reporting device or mitigation device defined under the Admin > Security and Monitoring Devices tab; a host managed by a reporting device defined under the Admin > Security and Monitoring Devices tab, such as a host running Cisco Security Agent and discovered by MARS when processing the logs provided by the CSA Management Console; an asset that you want to identify for the purpose of...

Add and Configure a Cisco Firewall Device in MARS

The process of adding a PIX security appliance, Cisco ASA, or FWSM to MARS involves many of the same steps, regardless of the version of software that is running. The process is exactly the same for PIX software versions 6.0, 6.1, 6.2, and 6.3. However, Cisco ASA, PIX 7.0, and FWSM provide the ability to define multiple security contexts, or virtual firewalls. Adding a Cisco ASA, PIX 7.0, and FWSM to MARS has two distinct steps. First, you must define the settings for the admin context. Then,...

Add and Configure a CSA MC Device in MARS

Before you can identify the agents, you must add the CSA MC to MARS. All CSA agents forward notifications to the CSA MC, and the CSA MC forwards SNMP notifications to MARS. Once you define the CSA MC and activate the device, MARS can discover the agents that are managed by that CSA MC. However, you can also choose to manually add the agents. To add a CSA MC to MARS, follow these steps: Click Admin > Security and Monitor Devices > Add. From the Device Type list, select Add SW security apps on...

Add and Configure a Generic Router in MARS

To add and configure a generic router device in MARS, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Generic Router version unknown from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and...

Add and Configure an ExtremeWare Switch in MARS

To add and configure an ExtremeWare switch in MARS, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Extreme ExtremeWare 6.x from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and firewalls,...

Add and Configure an IntruShield Manager and its Sensors in MARS

Adding an IntruVert device has two distinct steps. First, you add configuration information for the IntruShield Manager host. Second, you add the sensors managed by that host. Add the IntruShield Manager Host to MARS, page 6-26; Add IntruShield Sensors Manually, page 6-26; Add IntruShield Sensors Using a Seed File, page 6-27. Add the IntruShield Manager Host to MARS: To define the host and represent the management console for IntruShield, follow these steps: Step 1 Click Admin > System...

Add Cisco IOS 12.2 Modules Manually

To add a module manually, follow these steps: Step 1 Click Add Module. Step 2 Select Cisco IOS 12.2 from the Device Type list. Step 3 Enter the name of the module in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For modules that support the discovery operation, such as router and firewall modules, MARS renames this field's value...

Add, Modify, and Delete a Rule Group

To add a rule group, follow these steps: Step 1 Navigate to the Inspection Rules page, as shown in Figure 21-10. Figure 21-10 Inspection Rules Page. The Add Group dialog box appears, as shown in Figure 21-11. Step 3 Enter the new group name in the Name field. Step 4 Click the checkboxes of the rules to be added to the new rule group. Tip: The dropdown list above the list of rules can limit the display of rules to active system rules,...

Add Multiple Reporting and Mitigation Devices Using a Seed File

The seed file is a comma-delimited file with the file extension .csv (comma-separated value). Most spreadsheet programs let you import and export files as CSV files. The following is a sample seed file as exported from a popular spreadsheet program: 10.1.1.1, ,,,PIX,TELNET,,,cisco,,, ,,,,,,,, With the CSV file, you can enter the values, passwords, and information for each device that you want the MARS Appliance to monitor in its appropriate row and column. While the seed file is useful for...

Add Reporting and Mitigation Devices Individually

In general, you have two choices for adding devices that you want to monitor into your MARS: you can create a seed file, or you can add each device manually. Seed file support is limited to a few device types; see Column E, page 2-23 for the devices supported. When manually configuring devices, select the devices that are most interesting to you. Once added, you can come back and edit them as necessary. Manual configuration is also useful when you add or change a single security device on your...

Adding Reporting and Mitigation Devices Using Automatic Topology Discovery

On the Admin page, under the Topology Discovery Information section, three links exist, allowing you to define the settings required to discover reporting and mitigation devices automatically. These links are: Community String and Networks. Allows you to define SNMP RO community strings on a per-network or IP-range basis. Networks and SNMP RO strings can overlap. At least one SNMP string must be defined before discovery is attempted. Valid Networks. Identifies the set of networks and IP ranges...

Application Log Messages for the PN Log Agent

The PN Log Agent service writes events to the Application Log of Event Viewer on the Cisco Secure ACS server. The agent, identified in the log messages as PNLogAgentService, writes status messages, such as successful service start and stop. It also writes error messages for incomplete configuration and error conditions, such as when the service is out of memory. Table 14-1 categorizes the types of messages that can occur and explains their effects on the PNLog Agent service. Table 14-1 Possible...

Back to Being the Admin

You must now express the plan in terms of information that is reported to you. This attack plan contains an attack with a follow-up of some kind. You might write your plan like: attacker to target, buffer overflow; attacker to target, root login (compromised host). At this point, the black hat has compromised the host. What happens next is up to the attacker. This makes the next few steps especially hard to predict. They want to be able to manipulate the world; they want to make change. Your newly...

Bootstrap the Sensor

Preparing a sensor to be monitored by MARS involves two steps: Enable the Access Protocol on the Sensor, page 6-6; Enable the Correct Signatures and Actions, page 6-6. Enable the Access Protocol on the Sensor: The configuration of the sensor depends on the version of the software that is running on the sensor. The following topics identify the requirements of each version: Cisco IDS 4.x Software, page 6-6; Cisco IPS 5.x Software, page 6-6. For Cisco IDS 4.x devices, MARS pulls the logs using RDEP over...

Chapter 10 Configuring Generic Solaris, Linux, and Windows Application Hosts

Adding Generic Devices 10-1 Sun Solaris and Linux Hosts 10-2 Configure the Solaris or Linux Host to Generate Events 10-2 Configure Syslogd to Publish to the MARS Appliance 10-2 Configure MARS to Receive the Solaris or Linux Host Logs 10-3 Push Method Configure Generic Microsoft Windows Hosts 10-5 Install the SNARE Agent on the Microsoft Windows Host 10-5 Enable SNARE on the Microsoft Windows Host 10-6 Pull Method Configure the Microsoft Windows Host 10-6 Enable Windows Pulling Using a Domain...

Chapter 6 Configuring Network-based IDS and IPS Devices

Configure Sensors Running IDS 3.1 6-1 Add and Configure a Cisco IDS 3.1 Device in MARS 6-4 Cisco IDS 4.0 and IPS 5.x Sensors 6-5 Bootstrap the Sensor 6-5 Enable the Access Protocol on the Sensor 6-6 Enable the Correct Signatures and Actions 6-6 Add and Configure a Cisco IDS or IPS Device in MARS 6-6 Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File 6-8 View Detailed Event Data for Cisco IPS Devices 6-9 Cisco IPS Modules 6-9 Enable SDEE on the Cisco IOS Device...

Check Point Devices

The Check Point security product family can be distributed and tiered. As such, you must understand the deployment method, components, and release versions of this product family, their relationships, and how MARS interacts with them. You must also understand the many acronyms and abbreviations associated with this product family. Table 4-1 lists the abbreviations and acronyms used in the topics that follow. Table 4-1 Check Point Abbreviations and Acronyms...

Checklist for Monitoring Phase

After you complete the provisioning phase, you must configure MARS to help you realize your broader security goals and requirements. During the monitoring phase, your primary goal is to effectively realize your monitoring, mitigation, and remediation policies. This phase involves defining the strategies, rules, reports, and other settings required to achieve this goal. You must prepare MARS to closely adhere to your corporate security policy before you begin monitoring traffic flows, as you...

Checklist for Provisioning Phase

Inventory and review possible reporting devices, mitigation devices, and supporting devices. Reporting devices provide logs about user and network activities and device status and configuration. Mitigation devices can be used to respond to detected attacks. They also act as reporting devices. Supporting devices provide network services to reporting devices, mitigation devices, or a MARS Appliance. Identifying which devices on your network to monitor depends on multiple factors, including their...

Checklist for Security Manager-to-MARS Integration

Security Manager-to-MARS integration deals with identifying the required and optional points of integration, configuring the applications and devices, and ensuring proper authorization between the two management platforms. This checklist assumes a greenfield install of both Security Manager and MARS. The following checklist describes the tasks required to understand the decision-making process and the basic flow required to integrate MARS with a Security Manager server and the reporting and...

Circumflex and Dollar

Outside a character class, in the default matching mode, the circumflex character is an assertion that is true only if the current matching point is at the start of the subject string. If the startoffset argument of pcre_exec() is non-zero, circumflex can never match if the PCRE_MULTILINE option is unset. Inside a character class, circumflex has an entirely different meaning (see Square Brackets and Character Classes, page B-8 and Posix Character Classes, page B-9). Circumflex need not be the...

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL. From this site, you can perform these tasks: Report security vulnerabilities in Cisco products. Obtain assistance with security incidents that involve Cisco products. Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time,...

Configure a Rule to Send an Alert Action

To send alert notifications to individual users or groups of users, configure the Action parameters of a rule to create an alert action. This procedure configures alerts for pre-existing rules. When you create a rule, the Action parameters are configured after the count number parameter. Drop rules do not have Action parameters and cannot trigger alerts. To modify or create an alert for an existing rule, follow these steps: Step 1 Click the RULES tab to navigate to the Inspection Rules page....

Configure Cisco Secure ACS to Generate Logs

To configure Cisco Secure ACS to generate the audit logs required by MARS, follow these steps: Step 1 Log in to the Cisco Secure ACS server or Solution Engine. Step 2 Select System Configuration > Logging. Step 3 Verify that CSV Failed Attempts, CSV Passed Authentications, and CSV RADIUS Accounting Logging are enabled. Step 4 Click CSV Failed Attempts, and verify that the following attributes appear in the Logged Attributes list. Step 6 Click CSV Passed Authentications, and verify that the...

Configure CSA Management Center to Generate Required Data

To bootstrap CSA, you must configure the CSA MC to forward SNMP notifications to the MARS Appliance. In addition, you can export the list of CSA agents in a format that MARS can import. However, this export operation is not necessary, as MARS discovers the agents as they generate notifications. This section contains the following topics: Configure CSA MC to Forward SNMP Notifications to MARS, page 7-6; Export CSA Agent Information to File, page 7-6. ...

Configure eEye REM to Generate Required Data

To configure eEye REM to provide the correct data to MARS, follow these steps: Step 1 Run the command svrnetcn at the DOS prompt on the host where eEye REM 1.0 is installed. [Screenshot: Windows 2000 command prompt session running svrnetcn] ...

Configure ePolicy Orchestrator to Generate Required Data

To prepare the ePolicy Orchestrator server to forward SNMP events to MARS, follow these steps Step 1 Select Start > Program Files > Network Associates > ePolicy Orchestrator 3.x Console. Step 2 In the tree, select McAfee Security > ePolicy Orchestrator, and click the Log on to server link under Global Task List. Step 3 In the Log On to Server dialog box, enter the username and password required to access the ePolicy Orchestrator server, and click OK. Step 4 In the tree, select McAfee...

Configure FoundScan to Generate Required Data

To configure FoundScan to provide data to MARS, follow these steps: Step 1 Run the command svrnetcn at the DOS prompt on the host where FoundScan is installed. [Screenshot: Windows 2000 command prompt session running svrnetcn] Step 2 In the SQL Server Network Utility...

Configure Kiwi Syslog Server to Forward Events to MARS

We recommend the following settings in the configuration options of the Kiwi Syslog Daemon to ensure good integration of Kiwi with MARS: Expand the File > Setup > Rules > Actions tree. Right-click Actions and click Add an Action. Enter a name for the action, such as Forward to pncop. For the following fields, enter the following values: Destination IP address or hostname: Enter the IP address of the MARS Appliance. Send with RFC 3164 header information: Selected if the syslog server receives...

Configure MARS to Receive the Solaris or Linux Host Logs

To add a generic device to MARS, follow these steps: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host. Figure 10-2 Adding a Generic Device to receive logs. Step 3 Enter the Device Name, and its Reporting IP address. Step 4 Select Operating System as Generic. Step 5 Select Logging Info and select Receive, then click...

Configure Sensors Running IDS

Step 1 Log in to the Cisco IDS device. Step 2 Change to the directory that has all the configuration files that need to be edited. Step 3 You need to edit 4 files (organizations, hosts, routes and destinations) that are in this directory. In the organizations file, add a line indicating your organization name or grouping, where 1 is the item number followed by the organization name protego. If there is already an item in this file, simply increase the item number (it has to be unique). Figure 6-1 Add MARS...

Configure the AV Server to Publish Events to MARS Appliance

To configure the AV server to publish events to MARS, follow these steps: Step 1 Log in to the Windows server running Symantec AV. Step 2 To identify the Local Controller as a valid SNMP trap destination, click Administrative Tools > Services > SNMP Service > Traps > Trap destinations. Step 3 Enter the IP address of the Local Controller in the Trap Destination page, and click OK to close all open windows. Step 4 Select Start > All Programs > Symantec System Center Console. Step 5 In...

Configure the Email Server Settings

To send alert actions, MARS must be configured to communicate with an e-mail server. To configure the e-mail server settings, follow these steps: Step 1 Click Admin > Configuration Information. The Device Configuration window appears, as shown in Figure 22-1. Figure 22-1 MARS Device Configuration Window. Step 2 In the IP Port field of the Mail Gateway section, enter the IP address and Email Domain Name of...

Configure the Solaris or Linux Host to Generate Events

The MARS Appliance can receive syslog information from a Linux or Solaris host. To configure the Linux or Solaris applications, you must configure the following applications to write to syslog. To configure these applications to write to the system log, follow these steps: Step 1 xferlog (which provides transfer logging information from the FTP server). For ftpd, add the following to /etc/ftpd/ftpaccess: log transfers real,guest,anonymous inbound,outbound and log syslog+xferlog. Step 2 inetd trace messages (which...

Configuring Vulnerability Assessment Devices

Vulnerability assessment (VA) devices provide MARS with valuable information about many of the possible targets of attacks and threats. They provide information useful for accurately assessing false positives. This information includes the operating system (OS) running on a host, the patch level of the OS, the type of applications running on the host, as well as detailed logs about the activities occurring on that host. This chapter explains how to bootstrap and add the following VA devices to...

Configuring Web Server Devices

To use web logging with MARS, you need to configure the host, the web server, and MARS. MARS can process up to 100 MB of web log data per receive from your host. Note: Web logging is only supported on hosts running Microsoft IIS on Windows, Apache on Solaris or Linux, or iPlanet on Solaris. This chapter explains how to bootstrap and add the following web server devices to MARS: Microsoft Internet Information Server, page 12-1; Apache Web Server on Solaris or RedHat Linux, page 12-7; Sun Java System...

Constructing a Rule

Each step of your plan corresponds to a line of a rule. Each line identifies a set of conditions. A rule can have a single line, two lines, or multiple lines. You link these lines together using the logical operators, AND, OR, FOLLOWED-BY (in time). For more information on the conditions and operators found in a rule, see Table 21-1 on page 21-6. The first step of the example plan, identified in Back to Being the Admin, page 21-3, involved probing the target host. You can express a probe by...

Create a New Case

To create a new case, perform the following procedure: Step 1 Display the Case Bar as described in the section Hide and Display the Case Bar. The Add a New Case dialog box appears, as shown in Figure 18-5. Figure 18-5 Add a New Case Dialog Box. Step 3 Select a severity color, change the state from new to assigned if appropriate, select the owner, and replace the default summary name (default is New Case). Figure 18-5 shows a case with a case summary of...

Creating a Report

You can create a report through the Query page, or you can create a report from scratch on the Reports page. These instructions detail creating a report from the Reports page, but are applicable to editing reports and to creating reports from the Query page. Step 1 On the Reports page, click the Add button. Step 2 In the Report Name and Report Description fields, enter a report name and description. Click the Next button. Step 3 Select the schedule parameters for the report. Step 4 Select a...

Date Time Format Specification

Date time field parsing is supported using the Unix strptime() standard C library function. The strptime() function is the converse of strftime() and converts the character string pointed to by s to values which are stored in the tm structure pointed to by tm, using the format specified by format. Here format is a character string that consists of field descriptors and text characters, reminiscent of scanf(3). Each field descriptor consists of a character followed by another...

Define AAA Clients

To support the 802.1x features of NAC, you must also define the Cisco switches as AAA clients within Cisco Secure ACS. When defining a AAA client, verify the following settings: RADIUS (IETF) is selected in the Using Authentication box, as other RADIUS implementations may not support 802.1x correctly. The Log Update Watchdog Packets from this AAA Client box is selected. Figure 14-1 displays the correct settings for such a client. Figure 14-1 Configure a AAA Client to Support 802.1x ...

Define an OPSEC Application that Represents MARS

To integrate a third-party OPSEC application with Check Point components, you must define the application and associate it with the host on which the application is running. In addition to identifying this OPSEC application to the Check Point system, this procedure results in the generation of the client SIC DN for the MARS Appliance. Both the client SIC DN and the server SIC DN, obtained in Obtain the Server Entity SIC Name, page 4-27, are required to enable secure communications between the...

Define Vulnerability Assessment Information

For each host that you define in MARS, you can specify information about that host that assists MARS in assessing whether that host is vulnerable to the attacks that MARS detects. For example, you can identify the operating system running on the host, even providing the latest or nearest patch level. When an attack is detected that is targeted toward a specific operating system, then MARS can quickly determine whether the host is running the operating system that is targeted. For hosts that are...

Determine Devices to Monitor and Restrictions

To configure Check Point devices, you must identify the central management server and managed components, bootstrap them, and add and configure them in the MARS web interface. The Check Point product line and release, as well as the number of devices managed, determines which tasks you must perform to configure MARS to monitor your Check Point devices. Representing a Check Point device in MARS involves two steps: 1. Define a primary management station. This primary management station represents...

Display Dynamic Device Information

To display current, session, and all historical information for an IP address on an 802.1X connection, follow these steps: Click on the Incident ID to display the session summaries as shown in Figure 19-8. Click on the Source IP Port or Destination IP link of a session. When examining an attacking host, the Source IP address is more relevant. The current connection information pop-up window appears to display any static connection information. Click Dynamic Info to display current connection...

Duplicate a Rule

Duplicating a rule creates a new rule that is a copy of an existing system or user inspection rule. You can edit all of the fields of a duplicate rule, but only the Source IP, Destination IP, and Device fields of a system inspection rule. The original rule is left unchanged after duplication. You cannot delete a rule after it is created by Duplicate or Add. To duplicate a rule, follow these steps: Select the checkbox of the rule to duplicate. The name of the duplicated rule is the name of the...

Enable Cisco IOS Routers and Switches to Send NetFlow to MARS

For more information on NetFlow and configuring the settings in Cisco IOS, refer to Before you configure NetFlow from MARS, you must first configure it on the router or switch. To enable NetFlow on a Cisco IOS router or switch and to push those events to the MARS Appliance, follow these steps: Step 1 Log in to the Cisco IOS router or switch with administrator privileges. Step 2 Enter the following commands. Note: Commands in this mode are written to the running configuration file as soon as you...

Enable FTP-based Administrative Access

To enable configuration discovery using FTP access, you must place a copy of the Cisco router's or switch's configuration file on an FTP server to which the MARS Appliance has access. This FTP server must have Note: TFTP is not supported. You must use an FTP server. You must copy the running configuration from the Cisco router or switch. For information on copying the running configuration, refer to your device documentation or the following URL .shtml

Enable L2 Discovery Messages

To enable L2 discovery on your Cisco switches, you must enable the spanning tree protocol (STP) and provide the SNMP RO community string. All L2 devices must support the SNMP STP MIB (IETF RFC 1493). The discovered information includes interfaces, Layer 3 (L3) routes, L2 spanning trees, L2 forwarding tables, MAC addresses, and so on. Note: STP is enabled by default on all Cisco switches. Therefore, unless you have altered this setting, no changes are necessary. For more information on configuring...

Enable NAC-specific Messages

Cisco routers and switches that are running Cisco IOS Software release 12.2 or CatOS can enable Network Admission Control (NAC) specific data. This data includes: Client logs. These logs relate the activities of the client software. RADIUS server logs. These logs relate the authorization communications between clients and the posture validation servers. Network access device logs. These logs relate connection attempts by clients and final authorizations provided by the AAA server enforcing the...

Enable Syslog Messages on CatOS

To configure a Cisco switch running CatOS to send syslog information to MARS, follow these steps: Step 1 To enable the syslog server on the switch, enter Step 2 To identify the MARS Appliance as a destination for syslog messages, enter the following command: set logging server <IP address of MARS Appliance> Step 3 The remaining commands tell the switch what kinds of logging information to provide and at what level. The commands in the following example can be changed to suit your...

Incident Details Table

Each row of the Incident Details table represents either a session or the information common to a group of sessions. You can see all of the collapsed session information by clicking the plus signs to expand the group. You can expand or collapse all of the incident's information by clicking the Expand All or Collapse All buttons. [Screenshot: Incident Details table with columns Offset, Session, Event Type, Incident ID, Source IP/Port, and Destination IP/Port; the sample rows show Built/teardown permitted IP connection events] ...

Manually Add a Child Enforcement Module or Log Server to a Check Point Primary Management Station

If you have not enabled configuration discovery on the primary management station or if one or more of the managed firewalls uses a log server that is not managed by the primary management station, you can manually define firewalls or log servers. Your goal should be to represent all of the firewalls managed by this primary management station and all log servers used by those firewalls and the primary management station. While MARS does not discover configuration settings of the firewalls, it...

MARS MIB Format

The MARS management information base (MIB) is defined for all MARS releases. The SNMP notification contains the same content as the syslog generated by MARS. The MARS MIB definition is as follows: enterprises.16686.1.0 string MARS-1-101 enterprises.16686.2.0 string <alert_content> The MARS private enterprise number is 16686, and <alert_content> is defined as follows: <<priorityInfo>> <current_time> MARS-1-101 Rule <ruleid> (<rulename>) fired and caused <...

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources. Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to...

Ordering Documentation

You can find instructions for ordering documentation at this URL You can order Cisco documentation in these ways Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Overview of Cisco Security Manager Policy Table Lookup

When MARS receives a syslog from a Cisco PIX firewall, Cisco Adaptive Security Appliance (Cisco ASA), Cisco Firewall Services Module (Cisco FWSM), or Cisco IOS, and can derive the five-tuple information required to establish an event (source IP, destination IP, source port, destination port, and protocol), the Security Manager Policy Table Lookup icon appears in the Reporting Device column of the MARS session display. Clicking the icon invokes a query to the Security Manager, the result of...

Perform

This section explains how to create and view a long-duration query on the MARS. There are two ways to perform a long-duration query on the MARS: 1. Modifying an existing report. The report is compiled relatively quickly. You can compile data gathered over a longer time period. Disadvantage: This type of query can only be used without any changes to query criteria other than time range, and can only be used with the following reports: Activity All - Top Destination Ports; Activity All - Top...

Perform a Batch Query

This type of long-duration query can take a long time to perform and is more suitable for a shorter duration of time. Note: Only Admin users can perform a batch query. To perform a batch query, follow these steps: Step 1 Click the QUERY REPORTS > Query tab. The Query window appears. Figure 20-22 Query Window. Step 2...

POSIX Character Classes

Perl supports the POSIX notation for character classes. This uses names enclosed by and within the enclosing square brackets. PCRE also supports this notation. For example, matches 0, 1, any alphabetic character, or . The supported class names are: digit, decimal digits (same as \d); graph, printing characters, excluding space; print, printing characters, including space; punct, printing characters, excluding letters and digits; space, white space (not quite the same as \s); word, word characters (same as \w)...

Prerequisites for Mitigation with 802.1X Network Mapping

To perform mitigation with 802.1X network mapping with CS-MARS, the following prerequisites are required:
- A Cisco switch running Cisco CatOS or IOS and configured with the IEEE 802.1X Port-Based Network Access Control protocol. The switch Reporting IP address must be configured on the CS-MARS Security and Monitoring Information page (Admin > Security and Monitor Devices).
- Cisco DHCP Snooping enabled on the switch.
- The switch performs Remote Authentication Dial-In User Service (RADIUS) authentication, ...

Procedure for Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS

To view a Cisco Security Manager policy table from Cisco Security MARS, follow these steps: Step 1 Log on to MARS as an Administrator or Security Analyst. Step 2 Identify the incident or event to investigate. In this procedure, an incident to investigate appears in the Recent Incidents section of the Dashboard, as shown in Figure 16-2. ...

Procedure for Invoking the Real Time Event Viewer

To invoke the real-time event viewer, complete the following steps: Step 1 Navigate to the Query home page, as shown in Figure 20-13 (Query home page, with the Load Report as On-Demand Query with Filter control, the query criteria cells, and the Save As Report, Save As Rule, and Submit Inline buttons). ...

Pull Method: Configure the Microsoft Windows Host

As an alternative to the push method, you can configure MARS to pull event log data (security, application, and system event logs) from Microsoft Windows hosts. The pull method requires four steps: 1. Ensure that the Windows host and MARS Appliance clocks are synchronized. It is recommended that you configure an NTP server for this purpose. For more information, see Specify the Time Settings, page 5-10. 2. Select an existing or define a new user account on the Windows host that the MARS Appliance...

Reporting and Mitigation Devices Overview

After you complete the initial configuration of the Local Controller as described in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, you must determine a monitoring strategy to use for your network. You must also determine a mitigation strategy if you choose to take advantage of the MARS mitigation features. For guidance on how to determine the monitoring and mitigation strategies, see STM Task Flow Overview, page 1-1. This chapter assumes that you have made...

Reset the OPSEC Application Certificate of the MARS Appliance

If you encounter an error when pulling the certificate as part of defining the Check Point devices in the MARS web interface, you must reset the certificate before you can attempt to pull it again. This procedure details how to reset the certificate, or SIC, associated with the OPSEC Application that is associated with the host that represents the MARS Appliance. To reset the OPSEC application certificate, follow these steps Step 1 Log in to the correct Check Point user interface using an...

Retrieve Raw Messages From the Database of a Local Controller

Use this selection if archiving is not enabled or if you need to view event data that was received within the past hour. To retrieve event data from the database, follow these steps: Step 1 Click Admin > System Maintenance > Retrieve Raw Messages. Step 2 Specify the time range by entering values in the Start and End fields. Step 3 Select Retrieve from Database. Step 4 Select one of the following options: Save to Local. This option retrieves...

Rule and Report Group Overview

Rule and report groups help you manage rules and reports by speeding access to those rules and reports relevant to your task at hand. You can create groups, or use the groups provided with CS-MARS (System groups). Groups act as filters to limit the display of rules, reports, and incidents in the CS-MARS HTML interface. All groups can be modified or deleted. CS-MARS provides over 100 system rules and 150 system reports. More can be added by creating custom rules and reports, and by performing...

Seed File Header Columns

Table 2-4 describes the columns in the seed files and identifies valid values. If you do not enter a value for a given column, you must still enter a comma to delimit that column, so that the remaining columns keep their positions. Note: Remember that you do not have to add all of the devices' configuration information at once. You can start by adding the device's name and its access IP address. You can always return later, when MARS starts to report to you, and provide more details. Table 2-4 Seed File Column Description ...

Selecting the Access Type

The access type refers to the administrative protocol that MARS uses to access a reporting device or mitigation device. For most devices monitored by MARS, you can choose from among four administrative access protocols: SNMP. SNMP access provides administrative access to the device. It allows for the discovery of settings using SNMP walk, such as routes, connected networks, ARP tables, and address translations. Note that SNMP v1 and v2c send the community string in cleartext, so anyone who can observe or guess a read-write community gains the same control over the device; restrict the community to the MARS Appliance's address and grant read-only access where discovery is all you need. If granted read-write access, SNMP also allows for...

Selecting the Devices to Monitor

All monitoring strategies involve selecting the types of devices to monitor and how much data to provide to the MARS Appliance. All devices on your network, be they hosts, gateways, security devices, or servers, provide some level of data that MARS can use to improve the accuracy of security incident identification. However, careful consideration of what data to provide can improve the attack identification response time by ensuring that MARS does not perform unnecessary or redundant event...

Specify Log Info Settings for a Child Enforcement Module or Log Server

There are two occasions when you must define the log settings manually:
- If you have not discovered the settings of the primary management station (that discovery also retrieves the log settings).
- If the child enforcement module does not propagate its logs up to the primary management station.
Three options exist for manually specifying the log settings: Management. Identifies that the child enforcement module propagates its logs up to the primary management station, the MLM or the SmartCenter server. You do not...

Square Brackets and Character Classes

An opening square bracket introduces a character class, terminated by a closing square bracket. A closing square bracket on its own is not special. If a closing square bracket is required as a member of the class, it should be the first data character in the class (after an initial circumflex, if present) or escaped with a backslash. A character class matches a single character in the subject. In UTF-8 mode, the character may occupy more than one byte. A matched character must be in the set of...
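The bracket rules in this section and the POSIX class names from the earlier POSIX Character Classes section, checked in working code. This is an added example, not text from the Perl/PCRE documentation the page quotes, and it uses Go's regexp package (RE2) on the assumption that it accepts the same bracket syntax for these cases: POSIX [:name:] classes inside a bracket expression, a leading ']' (also after an initial '^') or an escaped ']', and UTF-8 matching where one matched character spans several bytes. The ASCII character that separates [:space:] from \s in Go is vertical tab, the same character behind the "not quite the same as \s" remark.

```go
package main

import (
	"fmt"
	"regexp"
)

// Compiled once. Each pattern is anchored so that a match means "exactly one
// character from the class", which is what the text describes.
var (
	posixMixed     = regexp.MustCompile(`^[01[:alpha:]%]$`) // 0, 1, any letter, or %
	bracketFirst   = regexp.MustCompile(`^[]a]$`)           // ']' first in the class: literal
	bracketNegated = regexp.MustCompile(`^[^]a]$`)          // still literal after an initial '^'
	bracketEscaped = regexp.MustCompile(`^[\]a]$`)          // or escaped with a backslash
	posixSpace     = regexp.MustCompile(`^[[:space:]]$`)
	perlSpace      = regexp.MustCompile(`^\s$`)
	utf8Class      = regexp.MustCompile(`^[é€]$`) // class members may be multi-byte
)

// MatchesPosixMixed reports whether s is exactly one member of [01[:alpha:]%].
func MatchesPosixMixed(s string) bool { return posixMixed.MatchString(s) }

// ClosingBracketIsLiteral checks the three spellings that place ']' inside a
// class: first data character, first after '^' (the class then excludes it),
// and backslash-escaped. All three results should be true.
func ClosingBracketIsLiteral() (first, negatedExcludes, escaped bool) {
	first = bracketFirst.MatchString("]")
	negatedExcludes = !bracketNegated.MatchString("]") && bracketNegated.MatchString("b")
	escaped = bracketEscaped.MatchString("]")
	return
}

// SpaceMinusPerlSpace lists the ASCII characters matched by [:space:] but not
// by \s, which makes the "not quite the same as \s" caveat concrete.
func SpaceMinusPerlSpace() []byte {
	var diff []byte
	for c := 0; c < 128; c++ {
		s := string(rune(c))
		if posixSpace.MatchString(s) && !perlSpace.MatchString(s) {
			diff = append(diff, byte(c))
		}
	}
	return diff
}

// MultiByteMember reports whether the single UTF-8 character s is in [é€]
// and how many bytes it occupies: one matched character, several bytes.
func MultiByteMember(s string) (matched bool, nbytes int) {
	return utf8Class.MatchString(s), len(s)
}

func main() {
	for _, s := range []string{"0", "1", "q", "%", "2", "%%"} {
		fmt.Printf("[01[:alpha:]%%] matches %q: %v\n", s, MatchesPosixMixed(s))
	}
	fmt.Println(ClosingBracketIsLiteral())
	fmt.Printf("[:space:] minus \\s: %q\n", SpaceMinusPerlSpace())
	fmt.Println(MultiByteMember("€"))
}
```

When writing MARS custom parser templates or any other pattern that must accept a literal ']', prefer the escaped form `[\]...]`; it reads unambiguously and behaves the same in Perl, PCRE and RE2.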

STM Task Flow Overview

This chapter describes the project phases and task flows that you should follow when you deploy MARS as a security threat mitigation (STM) system in your network. First, however, you must develop a set of policies that enables the application of security measures. Identify security objectives for your organization. Document the resources to protect. Identify the network infrastructure with current maps and inventories. Identify the critical resources (such as research and development, finance,...

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL For...

Symantec ManHunt Side Configuration

Step 1 Log in to the Symantec ManHunt with the appropriate username and password. Step 2 In the main screen, click Setup > Policy > Response Rules; the Response Rules window appears. Step 3 In the Response Rules window, click Action > Add Response Rules. Step 4 Click in the Response Action field (Figure 6-16, ManHunt Response Rule Config). Step 5 In the left menu, click SNMP Notification and enter the following information: a. SNMP Manager IP address...

The Incidents Page

Click the Incidents tab to navigate to the Incidents page. The Incidents page displays recent incidents. Incidents are collections of events and sessions that meet the criteria for a rule, each having helped to cause the rule to fire. An incident's duration includes only the events that contributed to the incident firing. (Incidents table: each row shows the Incident ID, for example 347917458, the matched rule, for example System Rule Client Exploit - Sysbug Trojan or System Rule DoS Network - Attempt, and a short description such as PIX firewall login failed.) ...

To add a custom Device Application type

Step 1 Go to the Admin > Custom Setup tab. Step 2 Click User Defined Log Parser Templates (Figure 15-1, User Defined Log Parser Template). Step 3 On the next screen, click the Add button next to the Device Application type list (Figure 15-2, Device Type Definition). Step 4 Choose the Type: Appliance or Software. Appliance - A...

To Delete a Batch Query

Click QUERY REPORTS, then click the Batch Query tab. Click Delete. In the confirmation window, click Delete to confirm. Note: You can see only your own batch queries and their results. The batch queries of others and their results are not viewable by you, and your batch queries and their results are not viewable by others. Figure 20-8 Clicking the Query Type or Edit link. You can select different query criteria by clicking the Query Type link or...

Upgrade PN Log Agent to a Newer Version

You can determine which version of the PN Log Agent is running on your server by selecting Help > About in the PN Log Agent Configuration dialog box. This program is updated independently of the MARS Appliance software updates. Therefore, the version number does not correspond to any release of the MARS Appliance software. Beginning with the 4.1.3 release of the pnLog agent, the agent requires a minimum of Cisco Security Monitoring, Analysis, and Response System, release 4.1.3 running on the...

Verify the Connectivity Paths for Layer 3 and Layer 2

Once you have a session, you can view the Layer 3 and Layer 2 topology paths. There are several ways to obtain a session. To view sessions that are part of an incident: Step 1 Click the Incidents tab to navigate to the Incidents page. Click an Incident ID of an incident you want to view (in this example we use incident number 356120290). The Incident Details screen appears (Figure 19-18, Incident Details screen). Step 2 In the Incident Details screen, in the...

View a Query Result in the Report

To view a query in the Report tab, follow these steps. Figure 20-21 Main Report window (bottom): the report list shows, for each report (for example Activity All - Top Destination Ports, Activity All Events and Netflow - Top Destination Ports by Bytes, Activity All Sessions - Top Destinations by Bytes), its schedule (Every hour or Run on demand), its query type (for example Destination Ports ranked by Sessions), and its time range (for example 1hh 0mm 0ss). ...

Viewing the Appliances Log Files

To view the appliance's log files or to change their levels or source, navigate to Admin > System Maintenance > View Log Files. Figure 24-1 Back-end log viewing options (Last N Days, Hrs, Mins; Select Level; Select Source: Backend; Submit). You can view the appliance's back-end logs either by selecting a number of days, hours, and minutes or by selecting a start and ending date and time. You can select the levels of logs that you want. Your choices are All, ...

XML Incident Notification Data File and Schema

XML incident notification sends an e-mail notification of an incident with an attached XML data file. The XML data file contains all incident details that can be viewed in the GUI except for Path Mitigation data. The XML data file can be sent as a plain-text file or as a compressed gzip file. The filename is constructed from the incident ID number, for example CS-MARS-Incident-13725095.xml. The compressed version of the same data file would be CS-MARS-Incident-13725095.xml.gz. An XML application...
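Handling both attachment forms named above, as an added example that is not part of the MARS documentation: a Go receiver that validates the attachment name, recovers the incident ID from it, detects gzip by content rather than by extension, decompresses under a size cap so that a crafted attachment cannot expand without bound, and reads the root element. The sample XML and its element names are constructed for this example and do not reflect the MARS incident schema.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/xml"
	"fmt"
	"io"
	"regexp"
	"strconv"
)

// attachmentName accepts exactly the two filenames the text describes:
// CS-MARS-Incident-<id>.xml and CS-MARS-Incident-<id>.xml.gz.
var attachmentName = regexp.MustCompile(`^CS-MARS-Incident-(\d+)\.xml(\.gz)?$`)

// IncidentIDFromName returns the incident ID embedded in the attachment name,
// or false if the name does not follow the MARS convention.
func IncidentIDFromName(name string) (int64, bool) {
	m := attachmentName.FindStringSubmatch(name)
	if m == nil {
		return 0, false
	}
	id, err := strconv.ParseInt(m[1], 10, 64)
	if err != nil {
		return 0, false
	}
	return id, true
}

// OpenAttachment returns the XML bytes whether the file arrived plain or
// gzip-compressed. It decides by the gzip magic bytes (1f 8b), not the
// extension, and refuses output larger than limit.
func OpenAttachment(data []byte, limit int64) ([]byte, error) {
	if len(data) < 2 || data[0] != 0x1f || data[1] != 0x8b {
		return data, nil // plain-text XML
	}
	zr, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	out, err := io.ReadAll(io.LimitReader(zr, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, fmt.Errorf("decompressed attachment exceeds %d bytes", limit)
	}
	return out, nil
}

// RootElement returns the name of the document's root element. Only
// well-formed XML is assumed, nothing about the MARS schema.
func RootElement(xmlData []byte) (string, error) {
	dec := xml.NewDecoder(bytes.NewReader(xmlData))
	for {
		tok, err := dec.Token()
		if err != nil {
			return "", err
		}
		if se, ok := tok.(xml.StartElement); ok {
			return se.Name.Local, nil
		}
	}
}

// Gzip compresses b; it exists only to build the constructed sample below.
func Gzip(b []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	_, _ = zw.Write(b)
	_ = zw.Close()
	return buf.Bytes()
}

// sampleXML is constructed for this example; the element names are
// placeholders, not the MARS incident schema.
const sampleXML = `<?xml version="1.0"?><incident id="13725095"><rule>System Rule Client Exploit - Sysbug Trojan</rule></incident>`

func main() {
	for _, name := range []string{"CS-MARS-Incident-13725095.xml", "CS-MARS-Incident-13725095.xml.gz", "CS-MARS-Incident-13725095.xml.gz.exe"} {
		id, ok := IncidentIDFromName(name)
		fmt.Printf("%-40s id=%d valid=%v\n", name, id, ok)
	}
	for _, payload := range [][]byte{[]byte(sampleXML), Gzip([]byte(sampleXML))} {
		body, err := OpenAttachment(payload, 1<<20)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		root, _ := RootElement(body)
		fmt.Printf("%d bytes in, root element <%s>\n", len(payload), root)
	}
	if _, err := OpenAttachment(Gzip([]byte(sampleXML)), 16); err != nil {
		fmt.Println("cap enforced:", err)
	}
}
```

The name check matters because the notification arrives by e-mail: a file named CS-MARS-Incident-13725095.xml.gz.exe must not be treated as an incident attachment, and the content sniff means a plain .xml that actually contains a gzip stream is still handled safely under the same size cap.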

XML Overview

The XML schemas are written in conformance with the standard World Wide Web Consortium (W3C) XML Schema language. A schema, by definition, describes all data and data structures required to create your application. Many XML development environments provide enough capability to view the schema in a way that lets you identify all components, their relationships, constraints, attributes, annotations, and usage guidelines at a glance. Some applications generate hyperlinked reference documentation. By...

To add Parser Templates for a Device Application

Step 1 Go to the Admin > Custom Setup tab. Step 2 Click User Defined Log Parser Templates. Step 3 Select the newly created or existing device or application from the drop-down list. Step 4 To add a log template, click Add, which is located in the Log Template area. A log template ties directly to the particular message that you want to parse. A log template is composed of one or more Event Types that describe the contents of the message. Using the Event Types, MARS parses the message when it is...

Restrictions for Policy Table Lookup

A Local Controller can be configured to retrieve the policy tables from only one Cisco Security Manager server at a time. The Policy Table Lookup icon in MARS is displayed only for traffic logs that are reported by the following MARS device types:
- Cisco Adaptive Security Appliance (Cisco ASA)
- Cisco Firewall Services Module (Cisco FWSM)
MARS displays the Cisco Security Manager security policy committed views, not the deployed views. The access rule causing the MARS event may not be visible...

Install and Configure the Snare Agent for IIS

To configure IIS to publish logs to MARS, you must install and configure a log agent. This agent is available free from InterSect Alliance. You can download the Snare Agent for IIS Servers from the following URL. After you have downloaded and installed SNARE on the Windows web server, you can continue with the procedures in this section, which detail the correct configuration for MARS. To configure SNARE for web logging, follow these steps: Step 1 Click Start > Programs > InterSect Alliance >...

Sending Alerts and Incident Notifications

A Cisco Systems MARS alert action is a signal transmitted to people or devices as notification that a MARS rule has fired and that an incident has been logged. Alert actions can be configured only through the Action parameter of a rule. An alert action determines which alert notification types are sent to which MARS user accounts or user groups. MARS can transmit alerts by the methods listed in Table 22-1. E-mail, SMS, and pager alerts send the incident ID, matched rule name, severity, and...

Bootstrap the Cisco Firewall Device

You should configure your Cisco firewall devices to act as reporting devices and manual mitigation devices because they perform multiple roles on your network. MARS can benefit from the proper configuration of specific features:
- IDS/IPS signature detection. While it does not boast the most efficient or comprehensive set of signatures, the built-in IDS and IPS signature matching features of the Cisco firewall device can be critical in detecting an attempted attack.
- Accept/Deny Logs. The logging...

To Run a Batch Query

Step 1 Enter your data for either a simple or free-form query. If your query is expected to take a long time to run, instead of Submit Inline you may be given the option of running it as a batch query (Figure 20-4, Construct a Query to Run in Background (Batch Query)). Step 2 Click Submit to make your selection. Figure 20-5 Choosing...

Add and Configure a QualysGuard Device in MARS

Adding an internal QualysGuard API Server as a reporting device entails identifying the server or appliance from which the reports are pulled and providing credentials that MARS can use to log in to the device to pull the reports. You can specify whether you want to pull saved scan reports that are run on a schedule or whether you want to initiate and retrieve an on-demand scan report. To add a QualysGuard device, follow these steps Step 1 Select Admin > Security and Monitor Devices > Add....

False Positive Confirmation

When investigating incidents, you will invariably come across false positive events. In some cases, firing events are classified automatically by MARS as system-confirmed false positives and unconfirmed false positives. Vulnerability scanning often identifies the false positive events, but at times you must investigate events to determine their validity. To understand the false positive nomenclature and what tasks you are expected to perform within the user interface, we must study the...

Bootstrap the NetScreen Device

To prepare the NetScreen device to be monitored by MARS, follow these steps: Step 1 Log in to the NetScreen with the appropriate username and password. Step 2 In the main screen, in the left-hand column, click Network > Interfaces. Step 3 Click Edit next to the appropriate interface to configure it so that MARS has access to SNMP and Telnet or SSH. Step 4 Under Service Options, select one of the following values. MARS can use only one of the access methods to perform configuration discovery. This value...

Add a Check Point Primary Management Station to MARS

The primary management station represents one of the following:
- The SmartCenter server in a SmartCenter or SmartCenter Pro installation.
- A CMA of a Provider-1 or SiteManager-1 installation.
Note: Check Point 4.1, NG FP1, and NG FP2 devices are not officially supported. They cannot be configured to retrieve configuration information using CPMI. However, they can be configured to retrieve logs using LEA. To configure one of these devices to work with MARS, leave the Access IP field blank on the...

MARS Side Configuration

To add configuration information for the host: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name and IP Addresses if adding a new host. Step 4 Select Windows from the Operating System list. Step 6 For this configuration, you must check the Receive host log box (Figure 12-6, Windows Web Server Logging mechanisms). ...

Add an IPS Module to a Cisco Switch or Cisco ASA

You can enable in-line IPS functionality and signature detection in multi-purpose Cisco platforms. You can identify an IDS-M2 running in a Cisco Switch or an ASA-SSM running in a Cisco ASA. To represent either of these modules, you must define the settings for the module as part of the base platform, which must be previously defined under Admin > System Setup > Security and Monitor Devices. To add an IPS module to a Cisco Switch or Cisco ASA, follow these steps: Step 1 Click Admin > System...

Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File

After you import a Cisco IPS or IDS device into MARS using a seed file, you must define the networks that are monitored by that sensor. To define the networks monitored by a sensor, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices. Step 2 Select the check box next to the Cisco IPS or IDS device that was imported using a seed file, and click Edit. Step 3 To specify the networks being monitored by the sensor, do one of the following: To manually define the networks, select the...

Case Management Overview

The Case Management feature can capture, combine, and preserve user-selected MARS data within a specialized report called a case. The following data can be added to a case:
- Incident device information (source IP address, destination IP address, reporting device)
- View Case page (the current case can reference another case)
Any user can create or alter any case. You can assign a case to a MARS user on the same machine, and can change the status of a case to assigned, resolved, or closed. The...

Select the Access Type for LEA and CPMI Traffic

Check Point devices use special access types for configuration discovery and event log queries. For configuration discovery, the protocol is CPMI. For event log queries, the protocol is LEA. Each of these protocols has specific configurable attributes, including whether to use bulk encryption, what cipher to use, and what port to use for communications. You must understand what the supported settings are so that you can verify the Check Point devices are configured correctly. MARS supports only...