About This Manual

This manual describes the features and functionality of the Local Controller. The layout of this manual is as follows. Chapter 1, STM Task Flow Overview, recommends a task flow for planning and implementing your security threat mitigation system. It ties back to your corporate security policies and presents a structured deployment and configuration strategy based on two phases: provisioning and monitoring. Part 1, Provisioning Phase. This part details provisioning your network devices to communicate...

Add a Check Point Certificate Server

When defining a Check Point module that uses secured communications, you must identify the certificate server that authenticates the SICs provided by the client and the server. Typically, a SmartCenter server or the CMA has its own certificate server; however, your configuration may use a central server. If that is the case, you must define the certificate server as part of defining a base or child enforcement module. Note: This procedure assumes you have been referred to it, and that you are in...

Add a Cisco Security Manager Server to MARS

The Security Manager server is represented in MARS by defining a host with a software application residing on that host. Once you have identified the reporting devices to a Local Controller, you can add the Security Manager server that manages the policies for those reporting devices. Each Local Controller can query one Security Manager server only; you cannot define more than one Security Manager server per Local Controller. You can define the same Security Manager server on multiple Local...

Add a Community String for a Network

To add a community string for a network IP, follow these steps: Step 1 To open the Community Strings and Networks page, click Admin > Community Strings and Networks. Step 2 Click the Network IP radio button. Step 3 Enter the Community String, Network IP address, and Mask. Step 4 Click Add. Step 5 Repeat Step 2 through Step 4 for all the community strings that you want to add. Step 6 Click Submit to commit these additions.

Add a Community String for an IP Range

To add a community string for an IP range, follow these steps: Step 1 To open the Community Strings and Networks page, click Admin > Community Strings and Networks. Step 2 Click the IP Range radio button. Step 3 Enter the Community String and its IP Range. Step 4 Click Add. Step 5 Repeat Step 2 through Step 4 for all the community strings that you want to add. Step 6 Click Submit to commit these additions. You can add multiple community strings for the same network by adding similar entries. Add Valid Networks...

Add a Host

Within MARS, a host is manually or automatically defined as the result of one of the following options: A reporting device or mitigation device defined under the Admin > Security and Monitoring Devices tab. A host managed by a reporting device defined under the Admin > Security and Monitoring Devices tab, such as a host running Cisco Security Agent and discovered by MARS when processing the logs provided by the CSA Management Console. An asset that you want to identify for the purpose of...

Add a Network IP Range or Variable

Step 1 Select Management > IP Management. Figure 23-2 Add a Network, IP Range, or Variable. Step 3 In the Type list, select network, IP range, or variable. Step 4 For each type, enter the appropriate information. Network: name, network IP, network mask. Variable: variable name. Step 5 Click Submit.

Add a New User

Defining a new user involves specifying the user name, password, role, contact information, and notification information. To add a new user, follow these steps: Step 1 From the Management > User Management tab, click Add. The User Configuration page appears, as shown in Figure 23-4. Step 2 From the Role field, select a Role for the user. Admin has full use of the Local Controller. Notification Only: for a non-user of the Local Controller...

Add a Service Provider (Cell Phone/Pager)

When configuring a notification by pager, add a service provider (cell phone or pager company) by completing the following procedure: Step 1 From the Service Provider field, select New Provider. Additional fields appear, as shown in Figure 23-5. The pull-down menu is populated as you add new service providers. Figure 23-5 Select a New Provider and Provide Contact Details. Step 2 In the Provider Name field, enter the name of the service...

Add an Inspection Rule

Rules that you add are called User Inspection Rules. Navigate to the Inspection Rules page. Click Add. Enter a name and description for the rule, then click Next. Select Source IP address. The following numbers correspond to the numbers shown in Figure 21-6. 1 Check the boxes next to the items in the Sources Selected field to select them, and click the Toggle Equal button to change them between equal and not equal. Click the Select All button to select all items in the Sources Selected field....

Add an ISS RealSecure Device as a HIDS

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 5 Click the Reporting Applications tab. Step 6 From the Select Application list, select RealSecure (6.5 or 7.0). Step 8 Click the HIDS radio button. Figure 6-10 Configure ISS RealSecure HIDS. Step 10 For multiple interfaces, click the General tab, and add...

Add an ISS RealSecure Device as a NIDS

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 5 Click the Reporting Applications tab. Step 6 From the Select Application list, select RealSecure (6.5 or 7.0). Step 7 Click Add. Step 8 Click the NIDS radio button, if it is not already selected. Figure 6-9 Configure ISS RealSecure NIDS. Step 9 For attack...

Add and Configure a Cisco Firewall Device in MARS

The process of adding a PIX security appliance, Cisco ASA, or FWSM to MARS involves many of the same steps, regardless of the version of software that is running. The process is exactly the same for PIX software versions 6.0, 6.1, 6.2, and 6.3. However, Cisco ASA, PIX 7.0, and FWSM provide the ability to define multiple security contexts, or virtual firewalls. Adding a Cisco ASA, PIX 7.0, or FWSM to MARS has two distinct steps. First, you must define the settings for the admin context. Then,...

Add and Configure a Cisco IDS 3.1 Device in MARS

To add and configure a Cisco IDS device in MARS, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Cisco IDS 3.1 from the Device Type list. Step 3 Enter the hostname of the sensor in the Device Name field. The Device Name value must be identical to the configured sensor name. Step 4 Enter the administrative IP address in the Access IP field. Step 5 Enter the administrative IP address in the Reporting IP field. The Reporting IP address...

Add and Configure a Cisco Switch in MARS

MARS monitors Cisco switches running either CatOS or Cisco IOS 12.2. To add the configuration information that MARS uses to monitor a Cisco switch running Cisco IOS 12.2 or later, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. If the switch is running any version of CatOS, select Cisco Switch-CatOS ANY from the Device Type list. If the switch is running Cisco IOS 12.2 or later, select Cisco Switch-IOS 12.2 from the Device Type list. Step 3...

Add and Configure a CSA MC Device in MARS

Before you can identify the agents, you must add the CSA MC to MARS. All CSA agents forward notifications to the CSA MC, and the CSA MC forwards SNMP notifications to MARS. Once you define the CSA MC and activate the device, MARS can discover the agents that are managed by that CSA MC. However, you can also choose to manually add the agents. To add a CSA MC to MARS, follow these steps: Click Admin > Security and Monitor Devices > Add. From the Device Type list, select Add SW security apps on...

Add and Configure a FoundScan Device in MARS

To add a FoundScan device in MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 Select Add SW Security apps on a new host or Add SW security apps on existing host from the Device Type list. Step 3 Enter the device name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 Click the Reporting Application tab. Step 6 From the Select Application list, select Foundstone FoundScan 3.0. Step 7 Click Add. Database Name: The name for this database....

Add and Configure a Generic Router in MARS

To add and configure a generic router device in MARS, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Generic Router version unknown from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and...

Add and Configure an Entercept Console and its Agents in MARS

Adding an Entercept device has two distinct steps. First, you add configuration information for the Entercept Console host. Second, you add the agents managed by that console. This section contains the following topics: Add and Configure an Entercept Console and its Agents in MARS, page 7-3; Add Entercept Agents Manually, page 7-4; Add Entercept Agents Using a Seed File, page 7-4. Add the Entercept Console Host to MARS. Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW...

Add and Configure an ExtremeWare Switch in MARS

To add and configure an ExtremeWare switch in MARS, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Extreme ExtremeWare 6.x from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and firewalls,...

Add and Configure an IntruShield Manager and its Sensors in MARS

Adding an IntruVert device has two distinct steps. First, you add configuration information for the IntruShield Manager host. Second, you add the sensors managed by that host. This section contains the following topics: Add the IntruShield Manager Host to MARS, page 6-26; Add IntruShield Sensors Manually, page 6-26; Add IntruShield Sensors Using a Seed File, page 6-27. Add the IntruShield Manager Host to MARS. To define the host and represent the management console for IntruShield, follow these steps: Step 1 Click Admin > System...

Add and Configure Check Point Devices in MARS

After you identify and bootstrap the Check Point reporting devices and install the policies that enable the required traffic flows, you must represent those devices in MARS, which uses this information to communicate with the devices. When adding a Check Point device, you add two types of devices: Primary management station. The primary management station represents the SmartCenter server or CMA that manages other Check Point components. In the web interface, the base module is defined as a...

Add and Configure ePolicy Orchestrator Server in MARS

Before MARS can begin processing SNMP traps from ePolicy Orchestrator, you must define the ePolicy Orchestrator server as software running on a host. When ePolicy Orchestrator is defined as a reporting device, MARS can process any inspection rules that you have defined using ePolicy Orchestrator event types. After you add the ePolicy Orchestrator server to MARS, the appliance can discover the agents that are managed by the ePolicy Orchestrator server as events are generated by those agents. You...

Add and Configure NetCache in MARS

To add the NetCache device in MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Network Appliance NetCache Generic. Step 3 Enter the device name and its reporting IP address. Step 4 From the Web log format list, select the web log format that matches the value you selected in Step 5 of Configure NetCache to Send Syslog to MARS, page 13-1....

Add and Configure the Cisco ACS Device in MARS

To add the host and Cisco Secure ACS software application to MARS, follow these steps: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host. You can also select Add SW Security apps on an existing host if you have already defined the host within MARS, perhaps as part of the Management > IP Management settings or if you are running another application on the host, such as Microsoft Internet Information Services....

Add and Configure the eEye REM Device in MARS

To add the eEye REM device in MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 Select Add SW Security apps on a new host or Add SW security apps on existing host from the Device Type list. Step 3 Enter the device name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 Click the Reporting Applications tab. Step 6 From the Select Application list, select eEye REM 1.0. Step 7 Click Add. Step 8 Enter the following information: Database Name...

Add Cisco IOS 12.2 Modules Manually

To add a module manually, follow these steps: Step 1 Click Add Module. Step 2 Select Cisco IOS 12.2 from the Device Type list. Step 3 Enter the name of the module in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For modules that support the discovery operation, such as router and firewall modules, MARS renames this field's value...

Add Discovered Contexts

When you select Discover on a Cisco ASA, PIX 7.0, or FWSM, MARS discovers the contexts that are defined for that firewall device. However, you must still manually add discovered contexts. Note: You cannot discover a module installed in a Cisco ASA; you must manually define IPS modules. However, the discovered contexts do appear under the Module area on the main page. (PIX 7.0 and FWSM) Click Add Available Context. (Cisco ASA) Click Add Available Module. Step 2 Select a security context from the...

Add, Modify, and Delete a Report Group

To add a report group, follow these steps: Step 1 Navigate to the Report page, as shown in Figure 21-13. The Add Group dialog box appears, as shown in Figure 21-14. Figure 21-14 Add Report Group Dialog Box. Step 3 Enter the new report group name in the Name field. Step 4 Click the checkboxes of the reports to be added to the new report group...

Add, Modify, and Delete a Rule Group

To add a rule group, follow these steps: Step 1 Navigate to the Inspection Rules page, as shown in Figure 21-10. Figure 21-10 Inspection Rules Page. The Add Group dialog box appears, as shown in Figure 21-11. Step 3 Enter the new group name in the Name field. Step 4 Click the checkboxes of the rules to be added to the new rule group. Tip: The dropdown list above the list of rules can limit the display of rules to active system rules,...

Add Multiple Reporting and Mitigation Devices Using a Seed File

The seed file is a comma-delimited file with the file extension .csv (comma-separated value). Most spreadsheet programs let you import and export files as CSV files. The following is a sample seed file as exported from a popular spreadsheet program: 10.1.1.1, ,,,PIX,TELNET,,,cisco,,, ,,,,,,,, With the CSV file, you can enter the values, passwords, and information for each device that you want the MARS Appliance to monitor in its appropriate row and column. While the seed file is useful for...

Add Reporting and Mitigation Devices Individually

In general, you have two choices for adding devices that you want to monitor into your MARS. You can create a seed file or you can add each device manually. Seed file support is limited to a few device types; see Column E, page 2-23, for the devices supported. When manually configuring devices, select the devices that are most interesting to you. Once added, you can come back and edit them as necessary. Manual configuration is also useful when you add or change a single security device on your...

Add Security Contexts Manually

You can manually define security contexts in PIX 7.0, Cisco ASA, or FWSM. (PIX 7.0 and FWSM) Click Add Context. (Cisco ASA) Click Add Module. Step 2 In the Device Type list, do one of the following: For Cisco ASA, select Cisco ASA 7.0. For PIX 7.0, select Cisco PIX 7.0. For FWSM, select Cisco FWSM x.y, where x.y is the version number of the software running on the module. Step 3 Enter the name of the firewall device in the Device Name...

Add the Cisco 7500 Router with Telnet as the Access Type

Step 1 Click Admin > Security and Monitor Devices > Add. Figure 19-17 Configure Cisco IOS 12.2. From the Device Type drop-down list, select Cisco Switch-IOS 12.2. Enter the Device Name of the switch. Enter the Access IP address (optional) and Reporting IP address of the switch. The Reporting IP address is usually the same as the Access IP address, but if you are creating an FTP device it must...

Add the Cisco Catalyst 5000 with SNMP as the Access Type

Step 1 Click Admin > Security and Monitor Devices > Add. Figure 19-15 Configure Cisco Switch CatOS Device Discovery-Cisco Switch-CatOS ANY. Step 2 From the Device Type drop-down list, select Cisco Switch-CatOS ANY. Step 3 Enter the Device Name of the switch. Step 4 Enter the Access IP address and Reporting IP address (the IP address of...

Add the Cisco Catalyst 6500 with SNMP as Access Type Layer 2 only

Step 1 Click Admin > Security and Monitor Devices > Add. Figure 19-16 Configure Cisco Switch CatOS Device Discovery-Cisco Switch-CatOS ANY (callout 1: Enter the reporting IP, the IP address where events originated from, to ensure that the system processes the events). From the Device Type drop-down list, select Cisco Switch-CatOS ANY. Enter the Device Name of...

Add the MARS Appliance as a Host in Check Point

Representing the MARS Appliance in Check Point enables the following supporting tasks: Generate a client SIC DN for the MARS Appliance. Define policies to allow SIC and syslog traffic between the Check Point components and the MARS Appliance. Direct log traffic to the MARS Appliance. To define the MARS Appliance as a host, follow these steps: Step 1 Log in to the correct Check Point user interface using an account with administrative privileges. If you are using SmartCenter, use the...

Add the NetScreen Device to MARS

Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select the appropriate version of NetScreen ScreenOS from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and firewalls, MARS renames this field's value to match the...

Add the Oracle Database Server to MARS

To represent the Oracle database server in the web interface, follow these steps: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 From the Select Application list, select Oracle Database Server Generic. Step 6 Click Add. Enter the User Name, Password, and Oracle Service Name...

Add the VPN 3000 Concentrator to MARS

To add the VPN 3000 Concentrator to MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 Select either Cisco VPN Concentrator 4.0.1 or Cisco VPN Concentrator 4.7 from the Device Type list. Enter the name of the VPN Concentrator in the Device Name field. Enter the IP address used to administer the VPN Concentrator in the Access IP field. Enter the IP address from which the syslog messages are sent to MARS in the Reporting IP field. Select SNMP from the...

Adding Reporting and Mitigation Devices

Three methods exist for adding reporting devices and mitigation devices to MARS: Manually add the devices one at a time. Add multiple devices using a seed file. Discover devices automatically using SNMP RO community strings. From the Security and Monitor Devices page, you can add or edit the reporting devices and mitigation devices that MARS monitors. To access this page, click Admin > System Setup > Security and Monitor Devices. You can search for, add, edit, delete, change display status,...

Adding Reporting and Mitigation Devices Using Automatic Topology Discovery

On the Admin page, under the Topology Discovery Information section, three links exist, allowing you to define the settings required to discover reporting and mitigation devices automatically. These links are: Community String and Networks. Allows you to define SNMP RO community strings on a per network or IP range basis. Networks and SNMP RO strings can overlap. At least one SNMP string must be defined before discovery is attempted. Valid Networks. Identifies the set of networks and IP ranges...

Application Log Messages for the PN Log Agent

The PN Log Agent service writes events to the Application Log of Event Viewer on the Cisco Secure ACS server. The agent, identified in the log messages as PNLogAgentService, writes status messages, such as successful service start and stop. It also writes error messages for incomplete configuration and error conditions, such as when the service is out of memory. Table 14-1 categorizes the types of messages that can occur and explains their effects on the PN Log Agent service. Table 14-1 Possible...

Back to Being the Admin

You must now express the plan in terms of information that is reported to you. This attack plan contains an attack with a follow-up of some kind. You might write your plan like this: attacker to target, buffer overflow; attacker to target, root login (compromised host). At this point, the black hat has compromised the host. What happens next is up to the attacker. This makes the next few steps especially hard to predict. They want to be able to manipulate the world; they want to make change. Your newly...

Basic Navigation

The Local Controller uses a tab-based, hyperlinked user interface. When you mouse over an alphanumeric string or an icon that is a clickable hyperlink, the mouse cursor changes to a pointing finger cursor. Figure 17-2 shows some of the clickable objects on the Dashboard page (callouts: link to the item's detail page or popup; the corresponding query field is populated with the item; pulldown lists filter what is...

Bootstrap the Check Point Devices

Bootstrapping the Check Point devices involves preparing those devices to send data to the MARS Appliance, as well as enabling the MARS Appliance to discover the Check Point configuration settings. In addition to preparing the Check Point devices, you must gather the information required to represent the Check Point devices in the MARS web interface. You bootstrap the central Check Point management server, whether it be a CMA or a SmartCenter server, by defining the MARS Appliance as a target...

Bootstrap the Sensor

Preparing a sensor to be monitored by MARS involves two steps: Enable the Access Protocol on the Sensor, page 6-6; Enable the Correct Signatures and Actions, page 6-6. Enable the Access Protocol on the Sensor. The configuration of the sensor depends on the version of the software that is running on the sensor. The following topics identify the requirements of each version: Cisco IDS 4.x Software, page 6-6; Cisco IPS 5.x Software, page 6-6. For Cisco IDS 4.x devices, MARS pulls the logs using RDEP over...

Bootstrap the VPN 3000 Concentrator

To configure a Cisco VPN 3000 Concentrator to generate and publish events to the MARS Appliance, you must verify that the correct events are generated in the correct format, and you must direct the Cisco VPN 3000 Concentrator to publish syslog events to the MARS Appliance. To configure the Cisco VPN 3000 Concentrator to send syslog events to MARS, follow these steps: Step 1 Open your browser and log in to the Cisco VPN 3000 Concentrator Series Manager. Step 2 From the tree on the left, select...

Chapter 10 Configuring Generic Solaris, Linux, and Windows Application Hosts 10-1

Adding Generic Devices 10-1
Sun Solaris and Linux Hosts 10-2
Configure the Solaris or Linux Host to Generate Events 10-2
Configure Syslogd to Publish to the MARS Appliance 10-2
Configure MARS to Receive the Solaris or Linux Host Logs 10-3
Push Method: Configure Generic Microsoft Windows Hosts 10-5
Install the SNARE Agent on the Microsoft Windows Host 10-5
Enable SNARE on the Microsoft Windows Host 10-6
Pull Method: Configure the Microsoft Windows Host 10-6
Enable Windows Pulling Using a Domain...

Chapter 6 Configuring Network-based IDS and IPS Devices

Configure Sensors Running IDS 3.1 6-1
Add and Configure a Cisco IDS 3.1 Device in MARS 6-4
Cisco IDS 4.0 and IPS 5.x Sensors 6-5
Bootstrap the Sensor 6-5
Enable the Access Protocol on the Sensor 6-6
Enable the Correct Signatures and Actions 6-6
Add and Configure a Cisco IDS or IPS Device in MARS 6-6
Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File 6-8
View Detailed Event Data for Cisco IPS Devices 6-9
Cisco IPS Modules 6-9
Enable SDEE on the Cisco IOS Device...

Chapter 8 Configuring Antivirus Devices

Symantec AntiVirus Configuration 8-1
Configure the AV Server to Publish Events to MARS Appliance 8-1
Export the AntiVirus Agent List 8-7
Add the Device to MARS 8-7
Add Agent Manually 8-7
Add Agents from a CSV File 8-8
McAfee ePolicy Orchestrator Devices 8-8
Configure ePolicy Orchestrator to Generate Required Data 8-8
Add and Configure ePolicy Orchestrator Server in MARS 8-12
Cisco Incident Control Server 8-13
Configure Cisco ICS to Send Syslogs to MARS 8-14
Add the Cisco ICS Device to MARS 8-15...

Check Point Devices

The Check Point security product family can be distributed and tiered. As such, you must understand the deployment method, components, and release versions of this product family, their relationships, and how MARS interacts with them. You must also understand the many acronyms and abbreviations associated with this product family. Table 4-1 lists the abbreviations and acronyms used in the topics that follow. Table 4-1 Check Point Abbreviations...

Checklist for Monitoring Phase

After you complete the provisioning phase, you must configure MARS to help you realize your broader security goals and requirements. During the monitoring phase, your primary goal is to effectively realize your monitoring, mitigation, and remediation policies. This phase involves defining the strategies, rules, reports, and other settings required to achieve this goal. You must prepare MARS to closely adhere to your corporate security policy before you begin monitoring traffic flows, as you...

Checklist for Provisioning Phase

Inventory and review possible reporting devices, mitigation devices, and supporting devices. Reporting devices provide logs about user and network activities and device status and configuration. Mitigation devices can be used to respond to detected attacks. They also act as reporting devices. Supporting devices provide network services to reporting devices, mitigation devices, or a MARS Appliance. Identifying which devices on your network to monitor depends on multiple factors, including their...

Checklist for Security Manager-to-MARS Integration

Security Manager-to-MARS integration deals with identifying the required and optional points of integration, configuring the applications and devices, and ensuring proper authorization between the two management platforms. This checklist assumes a greenfield install of both Security Manager and MARS. The following checklist describes the tasks required to understand the decision-making process and the basic flow required to integrate MARS with a Security Manager server and the reporting and...

Circumflex and Dollar

Outside a character class, in the default matching mode, the circumflex character is an assertion that is true only if the current matching point is at the start of the subject string. If the startoffset argument of pcre_exec() is non-zero, circumflex can never match if the PCRE_MULTILINE option is unset. Inside a character class, circumflex has an entirely different meaning (see Square Brackets and Character Classes, page B-8 and Posix Character Classes, page B-9). Circumflex need not be the...

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL. From this site, you can perform these tasks: Report security vulnerabilities in Cisco products. Obtain assistance with security incidents that involve Cisco products. Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time,...

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL. Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL. Use the Cisco Product Identification (CPI) tool to locate...

Configure a Rule to Send an Alert Action

To send alert notifications to individual users or groups of users, configure the Action parameters of a rule to create an alert action. This procedure configures alerts for pre-existing rules. When you create a rule, the Action parameters are configured after the count number parameter. Drop rules do not have Action parameters and cannot trigger alerts. To modify or create an alert for an existing rule, follow these steps: Step 1 Click the RULES tab to navigate to the Inspection Rules page....

Configure Cisco Secure ACS to Generate Logs

To configure Cisco Secure ACS to generate the audit logs required by MARS, follow these steps: Step 1 Log in to the Cisco Secure ACS server or Solution Engine. Step 2 Select System Configuration > Logging. Step 3 Verify that CSV Failed Attempts, CSV Passed Authentications, and CSV RADIUS Accounting logging are enabled. Step 4 Click CSV Failed Attempts, and verify that the following attributes appear in the Logged Attributes list. Step 6 Click CSV Passed Authentications, and verify that the...

Configure CSA Management Center to Generate Required Data

To bootstrap CSA, you must configure the CSA MC to forward SNMP notifications to the MARS Appliance. In addition, you can export the list of CSA agents in a format that MARS can import. However, this export operation is not necessary, because MARS discovers the agents as they generate notifications. This section contains the following topics: Configure CSA MC to Forward SNMP Notifications to MARS, page 7-6; Export CSA Agent Information to File, page 7-6....

Configure eEye REM to Generate Required Data

To configure eEye REM to provide the correct data to MARS, follow these steps: Step 1 Run the command svrnetcn at the DOS prompt on the host where eEye REM 1.0 is installed. (Screenshot: Windows 2000 command prompt in which svrnetcn is run; the captured text is not legible.)...

Configure ePolicy Orchestrator to Generate Required Data

To prepare the ePolicy Orchestrator server to forward SNMP events to MARS, follow these steps: Step 1 Select Start > Program Files > Network Associates > ePolicy Orchestrator 3.x Console. Step 2 In the tree, select McAfee Security > ePolicy Orchestrator, and click the Log on to server link under Global Task List. Step 3 In the Log On to Server dialog box, enter the username and password required to access the ePolicy Orchestrator server, and click OK. Step 4 In the tree, select McAfee...

Configure ExtremeWare to Generate the Required Data

To bootstrap an ExtremeWare switch, you must configure two features. First, you must configure the switch to send syslog messages to the MARS Appliance. Next, you must configure the SNMP RO community for MARS to access available L2 information. To prepare the ExtremeWare device to generate the data required by MARS, follow these steps: Step 1 For syslog configuration, add these commands:
configure syslog add <MARS IP address> local7 debug
enable syslog
Step 2 For SNMP configuration, add these...

Configure FoundScan to Generate Required Data

To configure FoundScan to provide data to MARS, follow these steps: Step 1 Run the command svrnetcn at the DOS prompt on the host where FoundScan is installed. (Screenshot: Windows 2000 command prompt in which svrnetcn is run; the captured text is not legible.) Step 2 In the SQL Server Network Utility...

Configure IntruShield Version 1.8 to Send SNMP Traps to MARS

Step 1 Log in to the IntruShield Manager version 1.8. Step 3 In the Resource Tree, click My Company. Step 4 Click the Alert Notification tab. Step 5 Click the SNMP Forwarder sub-tab. Figure 6-12 IntruShield SNMP Forwarder Configuration Figure 6-13 IntruShield Target SNMP Server Step 7 On the SNMP Forwarder page, enter: a. Enable SNMP Forwarder: Select the Yes radio button. b. Target Server (IP Address)...

Configure Kiwi Syslog Server to Forward Events to MARS

We recommend the following settings in the configuration options of the Kiwi Syslog Daemon to ensure good integration of Kiwi with MARS. Expand the File > Setup > Rules > Actions tree. Right-click Actions and click Add an Action. Enter a name for the action, such as Forward to pncop. For the following fields, enter the following values: Destination IP address or hostname: Enter the IP address of the MARS Appliance. Send with RFC 3164 header information: Selected if the syslog server receives...

Configure MARS to Receive the Solaris or Linux Host Logs

To add a generic device to MARS, follow these steps: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host (the list also offers Add SW security apps on existing host). Figure 10-2 Adding a Generic Device to Receive Logs Step 3 Enter the Device Name and its Reporting IP address. Step 4 Select Generic as the Operating System. Step 5 Select Logging Info, select Receive, then click...

Configure Sensors Running IDS

Step 1 Log in to the Cisco IDS device. Step 2 Change to the directory that contains the configuration files that need to be edited. Step 3 You need to edit four files (organizations, hosts, routes, and destinations) in this directory. In the organizations file, add a line indicating your organization name or grouping, where 1 is the item number followed by the organization name, protego. If there is already an item in this file, simply increase the item number (it has to be unique). Figure 6-1 Add MARS...

Configure the AV Server to Publish Events to MARS Appliance

To configure the AV server to publish events to MARS, follow these steps Step 1 Log in to the Windows server running Symantec AV. Step 2 To identify the Local Controller as a valid SNMP trap destination, click Administrative Tools > Services > SNMP Service > Traps > Trap destinations. Step 3 Enter the IP address of the Local Controller in the Trap Destination page, and click OK to close all open windows. Step 4 Select Start > All Programs > Symantec System Center Console. Step 5 In...

Configure the Device Running CatOS to Generate Required Data

You can configure the following message types. For information on configuring these settings, refer to the following topics:
Enable SNMP RO Strings on CatOS, page 3-11
Enable NAC-specific Messages, page 3-4
Enable L2 Discovery Messages, page 3-12
Enable Syslog Messages on CatOS, page 3-11

Configure the Email Server Settings

To send alert actions, MARS must be configured to communicate with an e-mail server. To configure the e-mail server settings, follow these steps: Step 1 Click Admin > Configuration Information. The Device Configuration window appears, as shown in Figure 22-1. Figure 22-1 MARS Device Configuration Window Step 2 In the IP Port field of the Mail Gateway section, enter the IP address and Email Domain Name of...

Configure the Solaris or Linux Host to Generate Events

The MARS Appliance can receive syslog information from a Linux or Solaris host. To configure the Linux or Solaris applications, you must configure the following applications to write to syslog. To configure these applications to write to the system log, follow these steps: Step 1 xferlog (which provides transfer logging information from the FTP server): For ftpd, add the following to /etc/ftpd/ftpaccess:
log transfers real,guest,anonymous inbound,outbound
log syslog+xferlog
Step 2 inetd trace messages (which...

Configuring Generic Solaris Linux and Windows Application Hosts

Application hosts are simply hosts on your network that are running important applications. Many of the supported reporting devices and mitigation devices cannot be represented in MARS until the base host on which they are running is defined. Examples of such applications include Check Point firewalls and all forms of web servers. MARS provides for the definition of the following host types: Generic. Identifies no specific operating system, as well as any that are not directly supported. Windows....

Configuring Host Based IDS and IPS Devices

Host-based intrusion detection and prevention devices provide MARS with detailed information about attacks seen at the host level, rather than the network level. They also provide information about the host operating system and successful prevention of attacks, both of which provide more targeted data for false positive analysis. This chapter explains how to bootstrap and add the following host-based IDS and IPS devices to MARS: Entercept: Entercept 2.5 and 4.0, page 7-1; Cisco Security Agent 4.x...

Configuring Router and Switch Devices

User Guide for Cisco Security MARS Local Controller
Enable Syslog Messages on CatOS 3-11
Enable L2 Discovery Messages 3-12
Add and Configure a Cisco Switch in MARS 3-13
Adding Modules to a Cisco Switch 3-14
Add Available Modules 3-14
Add Cisco IOS 12.2 Modules Manually 3-15
Extreme ExtremeWare 6.x 3-17
Configure ExtremeWare to Generate the Required Data 3-17
Add and Configure an ExtremeWare Switch in MARS 3-18
Generic Router Device 3-18
Add...

Configuring Vulnerability Assessment Devices

Vulnerability assessment (VA) devices provide MARS with valuable information about many of the possible targets of attacks and threats. They provide information useful for accurately assessing false positives. This information includes the operating system (OS) running on a host, the patch level of the OS, the type of applications running on the host, as well as detailed logs about the activities occurring on that host. This chapter explains how to bootstrap and add the following VA devices to...

Configuring Web Server Devices

To use web logging with MARS, you need to configure the host, the web server, and MARS. MARS can process up to 100 MB of web log data per receive from your host. Note: Web logging is only supported on hosts running Microsoft IIS on Windows, Apache on Solaris or Linux, or iPlanet on Solaris. This chapter explains how to bootstrap and add the following web server devices to MARS: Microsoft Internet Information Server, page 12-1; Apache Web Server on Solaris or RedHat Linux, page 12-7; Sun Java System...

Constructing a Rule

Each step of your plan corresponds to a line of a rule. Each line identifies a set of conditions. A rule can have a single line, two lines, or multiple lines. You link these lines together using the logical operators, AND, OR, FOLLOWED-BY (in time). For more information on the conditions and operators found in a rule, see Table 21-1 on page 21-6. The first step of the example plan, identified in Back to Being the Admin, page 21-3, involved probing the target host. You can express a probe by...
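The AND and FOLLOWED-BY (in time) semantics described above, carried through on constructed events, as an added example; this is not MARS code and not part of the original manual. It assumes a toy event record (timestamp, source, destination, event type) and uses $ATTACKER and $TARGET variables to express "same source and target across lines", which is an assumption about how a rule carries an address from one line to the next. OR is not implemented, because a rule with OR between two lines behaves as two separate rules.

```python
"""Toy correlation engine: a rule is a list of lines joined by AND or FOLLOWED-BY.
Added example, not MARS code. Events and $-variables are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    event_type: str


def line(event_type, src="$ANY", dst="$ANY"):
    """One rule line: the conditions one event must satisfy."""
    return {"event_type": event_type, "src": src, "dst": dst}


def match_line(cond, ev, bindings):
    """Return updated variable bindings if ev satisfies cond, else None.
    "$ANY" matches anything; any other "$NAME" must agree with the value an
    earlier line bound to it (same attacker, same target across lines)."""
    new = dict(bindings)
    for field in ("event_type", "src", "dst"):
        want, have = cond[field], getattr(ev, field)
        if want == "$ANY":
            continue
        if want.startswith("$"):
            if new.setdefault(want, have) != have:
                return None
        elif want != have:
            return None
    return new


def evaluate(events, rule, window):
    """rule = [line0, (op, line1), (op, line2), ...], op in {"AND", "FOLLOWED-BY"}.
    AND: the events may occur in any order within `window` of the first line's
    event. FOLLOWED-BY: each later line's event must also be later in time.
    Returns a list of incidents, each the tuple of matched events in line order."""
    events = sorted(events, key=lambda e: e.ts)
    incidents = []
    for i, anchor in enumerate(events):
        b = match_line(rule[0], anchor, {})
        if b is not None:
            incidents.extend(_extend(events, rule[1:], (i,), b, anchor, window))
    return [tuple(events[k] for k in idxs) for idxs in incidents]


def _extend(events, rest, used, bindings, anchor, window):
    if not rest:
        return [used]
    op, cond = rest[0]
    out = []
    for j, ev in enumerate(events):
        if j in used or abs(ev.ts - anchor.ts) > window:
            continue
        if op == "FOLLOWED-BY" and j <= used[-1]:
            continue  # must come after the event matched by the previous line
        b = match_line(cond, ev, bindings)
        if b is not None:
            out.extend(_extend(events, rest[1:], used + (j,), b, anchor, window))
    return out


# Constructed sample events: one real probe-then-exploit sequence from 10.1.1.5,
# an exploit-before-probe pair from 10.3.3.3, and an exploit with no probe at all.
T0 = datetime(2006, 3, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "10.1.1.5", "192.168.1.10", "Probe"),
    Event(T0 + timedelta(seconds=30), "10.1.1.5", "192.168.1.10", "Exploit Attempt"),
    Event(T0 + timedelta(seconds=40), "10.1.1.5", "192.168.1.20", "Exploit Attempt"),
    Event(T0 + timedelta(minutes=2), "10.3.3.3", "192.168.1.30", "Exploit Attempt"),
    Event(T0 + timedelta(minutes=2, seconds=10), "10.3.3.3", "192.168.1.30", "Probe"),
    Event(T0 + timedelta(minutes=5), "10.9.9.9", "192.168.1.10", "Exploit Attempt"),
]
PROBE = line("Probe", src="$ATTACKER", dst="$TARGET")
EXPLOIT = line("Exploit Attempt", src="$ATTACKER", dst="$TARGET")
PROBE_THEN_EXPLOIT = [PROBE, ("FOLLOWED-BY", EXPLOIT)]
PROBE_AND_EXPLOIT = [PROBE, ("AND", EXPLOIT)]
WINDOW = timedelta(minutes=10)


def demo():
    """Same two lines, two operators: FOLLOWED-BY fires once, AND fires twice."""
    return {
        "followed_by": evaluate(SAMPLE_EVENTS, PROBE_THEN_EXPLOIT, WINDOW),
        "and": evaluate(SAMPLE_EVENTS, PROBE_AND_EXPLOIT, WINDOW),
    }


if __name__ == "__main__":
    for name, incidents in demo().items():
        print(name, len(incidents), "incident(s)")
        for inc in incidents:
            print("  ", [(e.ts.time().isoformat(), e.src, e.dst, e.event_type) for e in inc])
```

The point of the two operators shows in the 10.3.3.3 pair: the exploit that precedes its own probe satisfies AND but not FOLLOWED-BY, and the 10.1.1.5 exploit against 192.168.1.20 matches neither because $TARGET was already bound to 192.168.1.10 by the probe line.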

Create a New Case

To create a new case, perform the following procedure: Step 1 Display the Case Bar as described in the section Hide and Display the Case Bar. The Add a New Case dialog box appears, as shown in Figure 18-5. Figure 18-5 Add a New Case Dialog Box Step 3 Select a severity color, change the state from new to assigned if appropriate, select the owner, and replace the default summary name (the default is New Case). Figure 18-5 shows a case with a case summary of...

Create and Install Policies

You must create firewall policies that permit the MARS Appliance to access the relevant ports of the Check Point central management server and any remote log servers. The default ports are as follows: TCP port 18190, used by CPMI to discover configuration settings. TCP port 18210, used to retrieve the certificate from the Certificate Authority on the SmartCenter, MDS, MLM, CMA, or CLM. TCP port 18184, used by LEA to pull security event logs from the log servers, such as the MLM or CLM. However, you...
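A check, run from the host that will be talking to the Check Point servers, that the policy actually permits those three ports, as an added example; this is not MARS or Check Point code. The management-server address is a parameter you supply, and the service names are the ones listed above. The useful distinction for a practitioner is between a connection that is refused (the host answered, so the policy is open but nothing is listening there, for example a log server that is not the one you pointed at) and one that times out (no answer at all, which is what a dropped packet looks like).

```python
"""Reachability check for the Check Point CPMI, certificate and LEA ports.
Added example, not MARS or Check Point code; the target host is a parameter."""
import socket

# Default ports and their purpose as given in the manual text above.
CHECKPOINT_PORTS = {
    18190: "CPMI (configuration discovery)",
    18210: "certificate retrieval from the Certificate Authority",
    18184: "LEA (security event log retrieval)",
}


def probe(host, port, timeout=3.0):
    """Classify a TCP connect attempt.
    'open'     : handshake completed, something is listening.
    'refused'  : host replied with RST; the policy let us through, no listener.
    'filtered' : no reply (timeout) or unreachable; typical of a dropped packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except (socket.timeout, OSError):
            return "filtered"


def check_policy(host, ports=CHECKPOINT_PORTS, timeout=3.0):
    """Probe every port and return {port: (purpose, result)}."""
    return {port: (purpose, probe(host, port, timeout)) for port, purpose in ports.items()}


def demo_local():
    """Self-contained demonstration on loopback: a listening socket reports
    'open'; once it is closed the same port reports 'refused'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = probe("127.0.0.1", port)
    after_close = probe("127.0.0.1", port)
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # SmartCenter/MDS address
    for port, (purpose, result) in check_policy(target).items():
        print("%s:%d %-50s %s" % (target, port, purpose, result))
    print("loopback demo:", demo_local())
```

Run it from the appliance's own address (or a host on the same segment and with the same source address in the policy), because a policy that permits a different source tells you nothing about the rule MARS will hit.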

Create Query Criteria with Report Groups

To create queries from report groups, follow these steps: Step 2 Select a report group in the Load Report as On-Demand Query with Filter dropdown filter, as shown in Figure 21-17. Only the reports that comprise the report group can now display in the Select Report dropdown list, as shown in Figure 21-18. Figure 21-17 Selecting a Report Group to Make a Query Figure 21-18 Selecting a Report Within the Report Group to Make a Query Figure 21-18...

Creating a Report

You can create a report through the Query page, or you can create a report from scratch on the Reports page. These instructions detail creating a report from the Reports page, but are applicable to editing reports and to creating reports from the Query page. Step 1 On the Reports page, click the Add button. Step 2 In the Report Name and Report Description fields, enter a report name and description. Click the Next button. Step 3 Select the schedule parameters for the report. Step 4 Select a...

Data Enabling Features

Adding the reporting devices and mitigation devices is the primary method of providing MARS with the data required to study the activities on your network. However, other features, both within the web interface and as part of configuring the devices, can provide MARS with additional data, which is used to refine the views it provides and to assist in improving the overall effectiveness of the system. We think of these features as data enabling features. This section contains the following...

Date/Time Format Specification

Date/time field parsing is supported using the Unix strptime() standard C library function. strptime() is the converse of strftime(): it converts the character string pointed to by s into values that are stored in the tm structure pointed to by tm, using the format specified by format. Here format is a character string that consists of field descriptors and text characters, reminiscent of scanf(3). Each field descriptor consists of a % character followed by another...
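A receiver-side illustration of the strptime() descriptors above, which also covers the RFC 3164 header that Kiwi adds (see Configure Kiwi Syslog Server to Forward Events to MARS) and the local7 facility used in the ExtremeWare and ftpd steps earlier. This is an added example, not MARS code; the sample lines are constructed, and the year handed to the parser is an assumption the receiver has to make, because an RFC 3164 timestamp carries none and strptime would otherwise silently fill in 1900.

```python
"""RFC 3164 syslog line parser built on strptime()-style descriptors.
Added example, not MARS code. Sample lines below are constructed."""
import re
from datetime import datetime

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # "Mmm dd hh:mm:ss", day space-padded
    r"(?P<host>\S+) (?P<msg>.*)$")


def parse_timestamp(text, fmt="%b %d %H:%M:%S", year=None):
    """strptime()-style parse with the documented %-descriptors (%b month
    abbreviation, %d day of month, %H:%M:%S time, %Y four-digit year).
    If the format carries no year (the RFC 3164 case) the caller's year is
    substituted; strptime alone would return 1900."""
    dt = datetime.strptime(text, fmt)
    if "%Y" not in fmt and "%y" not in fmt:
        if year is None:
            raise ValueError("format has no year descriptor; pass year= explicitly")
        dt = dt.replace(year=year)
    return dt


def parse_syslog(line, year):
    """Split one RFC 3164 line into facility, severity, timestamp, host, message.
    Returns None when the header is absent (for example Kiwi forwarding with
    'Send with RFC 3164 header information' left unselected) or PRI is invalid."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23*8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "timestamp": parse_timestamp(m.group("ts"), year=year),
        "facility": FACILITIES.get(facility, "facility%d" % facility),
        "severity": SEVERITIES[severity],
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def parse_all(lines, year):
    return [parse_syslog(ln, year) for ln in lines]


# Constructed sample lines: an ExtremeWare switch logging at local7.debug (PRI 191),
# an ftpd login at authpriv.info (PRI 86), and a line forwarded without a header.
SAMPLE_LINES = [
    "<191>Mar  5 10:00:01 edge-sw1 <INFO:SYST> Log cleared",
    "<86>Mar 15 10:00:02 ftphost ftpd[1234]: FTP LOGIN FROM 10.1.1.5 [10.1.1.5], anonymous",
    "ftpd[1234]: connection from 10.1.1.5",
]

if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES, 2006):
        print(rec)
```

The same parse_timestamp() serves a custom log format: parse_timestamp("2006-03-05 10:00:01", "%Y-%m-%d %H:%M:%S") needs no year argument because %Y is in the descriptor string, whereas the RFC 3164 default format does.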

Define AAA Clients

To support the 802.1x features of NAC, you must also define the Cisco switches as AAA clients within Cisco Secure ACS. When defining an AAA client, verify the following settings: RADIUS (IETF) is selected in the Using Authentication box, as other RADIUS implementations may not support 802.1x correctly. The Log Update/Watchdog Packets from this AAA Client box is selected. Figure 14-1 displays the correct settings for such a client. Figure 14-1 Configure an AAA Client to Support 802.1x...

Define an Opsec Application that Represents MARS

To integrate a third-party OPSEC application with Check Point components, you must define the application and associate it with the host on which the application is running. In addition to identifying this OPSEC application to the Check Point system, this procedure results in the generation of the client SIC DN for the MARS Appliance. Both the client SIC DN and the server SIC DN, obtained in Obtain the Server Entity SIC Name, page 4-27, are required to enable secure communications between the...

Define Rules and Reports for Cisco ICS Events

From Cisco ICS, MARS receives syslog messages that allow it to identify outbreaks, successful OPACL and OPSig deployments, and failed attempts to deploy. MARS stays abreast of when the OPACLs and OPSigs fire on Cisco IPS devices. MARS also monitors the Cisco ICS server for system issues, such as database failures. These events assist MARS in providing an accurate, holistic assessment of your network. OPACL and OPSig matching events provide five-tuple correlation, which MARS uses to perform...

Define Vulnerability Assessment Information

For each host that you define in MARS, you can specify information about that host that assists MARS in assessing whether that host is vulnerable to the attacks that MARS detects. For example, you can identify the operating system running on the host, even providing the latest or nearest patch level. When an attack is detected that is targeted toward a specific operating system, then MARS can quickly determine whether the host is running the operating system that is targeted. For hosts that are...

Determine Devices to Monitor and Restrictions

To configure Check Point devices, you must identify the central management server and managed components, bootstrap them, and add and configure them in the MARS web interface. The Check Point product line and release, as well as the number of devices managed, determine which tasks you must perform to configure MARS to monitor your Check Point devices. Representing a Check Point device in MARS involves two steps: 1. Define a primary management station. This primary management station represents...

Devices that Require Custom Seed Files

Some reporting devices represent the management consoles for the actual host- or node-based reporting devices. These consoles often act as centralized log servers for the devices they manage. However, for MARS to correctly correlate the logs from these centralized log servers, you must identify those host- or node-based reporting devices. In some cases, MARS is able to dynamically learn of the hosts or nodes by parsing the logs. In other cases, you must use a seed file generated by the management...

Display Devices in Topology

You can specify how to display a reporting device in the HotSpot Graph. By clicking the icon in the Device Display column, you can specify whether to display the device as an individual node on the graph or collapse it within a cloud. By having a device hidden in a cloud, you can cut down on the number of devices displayed in the graph, thus making it easier to read at a higher level. A cloud identifies a collection of networks for which you do not want to define the complete physical topology....

Display Dynamic Device Information

To display current, session, and all historical information for an IP address on an 802.1X connection, follow these steps: Click the Incident ID to display the session summaries as shown in Figure 19-8. Click the Source IP/Port or Destination IP link of a session. When examining an attacking host, the Source IP address is more relevant. The current connection information pop-up window appears and displays any static connection information. Click Dynamic Info to display current connection...

Display Incidents Related to a Rule Group

To display incidents that occur from the firing of rules in a specific rule group, follow these steps: Step 1 Navigate to the Incidents page. Step 2 Select the rule group in the dropdown filter above the Matched Rules column, as shown in Figure 21-16. The Incidents page displays only those incidents that resulted from rules firing in the selected rule group. Figure 21-16 Rule Group on Incidents Page

Duplicate a Rule

Duplicating a rule creates a new rule that is a copy of an existing system or user inspection rule. You can edit all of the fields of a duplicate rule, but only the Source IP, Destination IP, and Device fields of a system inspection rule. The original rule is left unchanged after duplication. You cannot delete a rule after it is created by Duplicate or Add. To duplicate a rule, follow these steps: Select the checkbox of the rule to duplicate. The name of the duplicated rule is the name of the...

Edit a Drop Rule

Click Edit on the field that you want to change. Follow the rule's wizard and complete any other changes to the rule. Click Submit. When the rule or rules are complete, click Activate. 1. Check the boxes next to the items in the Sources Selected field to select them, and click the Toggle Equal button to change them between equal and not equal. Enter a name and description for the rule, and click Next. Select your sources. The following numbers correspond to the...

Edit and Change the Current Case

To edit the Current Case, complete the following procedure: Step 1 Display the Case Bar and click More. The Case Bar expands to expose the editing options, as shown in Figure 18-7. See the section Hide and Display the Case Bar for procedures to display the case bar. Step 2 Change the severity, status, owner, or summary of the case as required. Step 3 Add an annotation in the text box as required. Step 4 Click Submit. To replace the Current Case with...

Edit Host Information

Step 1 Select Management > IP Management. Step 2 Check the box next to the host that you want to edit. Step 3 If you are editing interface or IP mask information, make your changes here and click Submit. Step 4 If you need to edit the host's properties, click Properties. Step 5 Make changes to the operating system as necessary, and click Next. Step 6 To make changes to a service or application, remove the old service by selecting its radio button and clicking Delete. Step 7 Click Add Service, and...

Enable Cisco IOS Routers and Switches to Send NetFlow to MARS

For more information on NetFlow and configuring the settings in Cisco IOS, refer to
Before you configure NetFlow from MARS, you must first configure it on the router or switch. To enable NetFlow on a Cisco IOS router or switch and to push those events to the MARS Appliance, follow these steps: Step 1 Log in to the Cisco IOS router or switch with administrator privileges. Step 2 Enter the following commands. Note: Commands in this mode are written to the running configuration file as soon as you...

Enable Communications Between Devices Running CatOS and MARS

Before you add a Cisco switch running CatOS to MARS, make sure that you have enabled SNMP, Telnet, SSH, or FTP access to the switch. First, you must configure the MARS Appliance as an IP address that is permitted to access the switch. For information on permitting IP addresses and specifying the access type, see the following URL. Next, you must ensure that your switch is configured to enable the correct access method. The following sections provide guidance on configuring each supported...