A Single Byte

Outside a character class, the escape sequence \C matches any one byte, both in and out of UTF-8 mode. Unlike a dot, it can match a newline. The feature is provided in Perl in order to match individual bytes in UTF-8 mode. Because it breaks up UTF-8 characters into individual bytes, what remains in the string may be a malformed UTF-8 string. For this reason, the \C escape sequence is best avoided. PCRE does not allow \C to appear in lookbehind assertions (described below), because in UTF-8 mode...

About This Manual

This manual describes the features and functionality of the Local Controller. The layout of this manual is as follows: Chapter 1, STM Task Flow Overview, recommends a task flow for planning and implementing your security threat mitigation system. It ties back to your corporate security policies and presents a structured deployment and configuration strategy based on two phases: provisioning and monitoring. Part 1, Provisioning Phase. This part details provisioning your network devices to communicate...

Access IP

MARS uses the access IP address to either connect to the device for network-based administrative sessions or connect to a remote server on which a file containing the device's configuration is stored. The expected value is determined by the access type you select. Most devices also require that you explicitly identify the IP addresses of hosts allowed to administer them. The MARS Appliance must be listed among such hosts as part of the device preparation. The protocol that MARS uses to connect...

Add a Check Point Certificate Server

When defining a Check Point module that uses secured communications, you must identify the certificate server that authenticates the SICs provided by the client and the server. Typically, a SmartCenter server or the CMA has its own certificate server; however, your configuration may use a central server. If that is the case, you must define the certificate server as part of defining a base or child enforcement module. Note: This procedure assumes you have been referred to it, and that you are in...

Add a Cisco Security Manager Server to MARS

The Security Manager server is represented in MARS by defining a host with a software application residing on that host. Once you have identified the reporting devices to a Local Controller, you can add the Security Manager server that manages the policies for those reporting devices. Each Local Controller can query one Security Manager server only; you cannot define more than one Security Manager server per Local Controller. You can define the same Security Manager server on multiple Local...

Add a Community String for a Network

To add a community string for a network IP, follow these steps: Step 1 To open the Community Strings and Networks page, click Admin > Community Strings and Networks. Step 2 Click the Network IP radio button. Step 3 Enter the Community String, Network IP address, and Mask. Step 4 Click Add. Step 5 Repeat Step 2 through Step 4 for all the community strings that you want to add. Step 6 Click Submit to commit these additions.

Add a Community String for an IP Range

To add a community string for an IP range, follow these steps: Step 1 To open the Community Strings and Networks page, click Admin > Community Strings and Networks. Step 2 Click the IP Range radio button. Step 3 Enter the Community String and its IP Range. Step 4 Click Add. Step 5 Repeat Step 2 through Step 4 for all the community strings that you want to add. Step 6 Click Submit to commit these additions. You can add multiple community strings for the same network by adding similar entries. Add Valid Networks...

Add a Host

Within MARS, a host is manually or automatically defined as the result of one of the following options: A reporting device or mitigation device defined under the Admin > Security and Monitoring Devices tab. A host managed by a reporting device defined under the Admin > Security and Monitoring Devices tab, such as a host running Cisco Security Agent and discovered by MARS when processing the logs provided by the CSA Management Console. An asset that you want to identify for the purpose of...

Add a Network IP Range or Variable

Step 1 Select Management > IP Management. Figure 23-2 Add a Network, IP Range, or Variable. Step 3 In the Type list, select network, IP range, or variable. Step 4 For each type, enter the appropriate information. Network: name, network IP, network mask. Variable: variable name. Step 5 Click Submit.

Add a New User

Defining a new user involves specifying the user name, password, role, contact information, and notification information. To add a new user, follow these steps: Step 1 From the Management > User Management tab, click Add. The User Configuration page appears, as shown in Figure 23-4. Step 2 From the Role field, select a Role for the user. Admin: has full use of the Local Controller. Notification Only: for a non-user of the Local Controller...

Add a Service Provider (Cell Phone/Pager)

When configuring a notification by pager, add a service provider (cell phone or pager company) by completing the following procedure: Step 1 From the Service Provider field, select New Provider. Additional fields appear, as shown in Figure 23-5. The pull-down menu is populated as you add new service providers. Figure 23-5 Select a New Provider and Provide Contact Details. Step 2 In the Provider Name field, enter the name of the service...

Add a User to a Custom User Group

To include a user in a custom User Group, complete the following steps. Note: The user is automatically added to the User Group that corresponds to their role. Admin, Operator, Notification, and Security Analyst are system groups and cannot be edited. Step 1 Navigate to the Management > User Management tab. Step 2 Select the User Group to edit from the Select Group dropdown list. The members of the group are displayed. Step 3 Click Edit Group. The User Group dialog box appears. Step 4 Check...

Add an Inspection Rule

Rules that you add are called User Inspection Rules. Navigate to the Inspection Rules page. Click Add. Enter a name and description for the rule, then click Next. Select Source IP address. The following numbers correspond to the numbers shown in Figure 21-6. 1 Check the boxes next to the items in the Sources Selected field to select them, and click the Toggle Equal button to change them between equal and not equal. Click the Select All button to select all items in the Sources Selected field....

Add an ISS RealSecure Device as a HIDS

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 5 Click on the Reporting Applications tab. Step 6 From the Select Application list, select RealSecure (6.5 or 7.0). Step 8 Click the HIDS radio button. Figure 6-10 Configure ISS RealSecure HIDS. Step 10 For multiple interfaces, click on the General tab, and add...

Add an ISS RealSecure Device as a NIDS

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 5 Click on the Reporting Applications tab. Step 6 From the Select Application list, select RealSecure (6.5 or 7.0). Step 7 Click Add. Step 8 Click the NIDS radio button, if it is not already selected. Figure 6-9 Configure ISS RealSecure NIDS. Step 9 For attack...

Add and Configure a Cisco Firewall Device in MARS

The process of adding a PIX security appliance, Cisco ASA, or FWSM to MARS involves many of the same steps, regardless of the version of software that is running. The process is exactly the same for PIX software versions 6.0, 6.1, 6.2, and 6.3. However, Cisco ASA, PIX 7.0, and FWSM provide the ability to define multiple security contexts, or virtual firewalls. Adding a Cisco ASA, PIX 7.0, or FWSM to MARS has two distinct steps. First, you must define the settings for the admin context. Then,...

Add and Configure a Cisco IDS 3.1 Device in MARS

To add and configure a Cisco IDS device in MARS, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Cisco IDS 3.1 from the Device Type list. Step 3 Enter the hostname of the sensor in the Device Name field. The Device Name value must be identical to the configured sensor name. Step 4 Enter the administrative IP address in the Access IP field. Step 5 Enter the administrative IP address in the Reporting IP field. The Reporting IP address...

Add and Configure a Cisco Switch in MARS

MARS monitors Cisco switches running either CatOS or Cisco IOS 12.2. To add the configuration information that MARS uses to monitor a Cisco switch running Cisco IOS 12.2 or later, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. If the switch is running any version of CatOS, select Cisco Switch-CatOS ANY from the Device Type list. If the switch is running Cisco IOS 12.2 or later, select Cisco Switch-IOS 12.2 from the Device Type list. Step 3...

Add and Configure a CSA MC Device in MARS

Before you can identify the agents, you must add the CSA MC to MARS. All CSA agents forward notifications to the CSA MC, and the CSA MC forwards SNMP notifications to MARS. Once you define the CSA MC and activate the device, MARS can discover the agents that are managed by that CSA MC. However, you can also choose to manually add the agents. To add a CSA MC to MARS, follow these steps: Click Admin > Security and Monitor Devices > Add. From the Device Type list, select Add SW security apps on...

Add and Configure a FoundScan Device in MARS

To add a FoundScan device in MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 Select Add SW Security apps on a new host or Add SW security apps on existing host from the Device Type list. Step 3 Enter the device name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 Click the Reporting Application tab. Step 6 From the Select Application list, select Foundstone FoundScan 3.0. Step 7 Click Add. Database Name: The name for this database....

Add and Configure a Generic Router in MARS

To add and configure a generic router device in MARS, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Generic Router version unknown from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and...

Add and Configure an Entercept Console and its Agents in MARS

Adding an Entercept device has two distinct steps. First, you add configuration information for the Entercept Console host. Second, you add the agents managed by that console. Add and Configure an Entercept Console and its Agents in MARS, page 7-3. Add Entercept Agents Manually, page 7-4. Add Entercept Agents Using a Seed File, page 7-4. Add the Entercept Console Host to MARS: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW...

Add and Configure an ExtremeWare Switch in MARS

To add and configure an ExtremeWare switch in MARS, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Extreme ExtremeWare 6.x from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and firewalls,...

Add and Configure an IntruShield Manager and its Sensors in MARS

Adding an IntruVert device has two distinct steps. First, you add configuration information for the IntruShield Manager host. Second, you add the sensors managed by that host. Add the IntruShield Manager Host to MARS, page 6-26. Add IntruShield Sensors Manually, page 6-26. Add IntruShield Sensors Using a Seed File, page 6-27. Add the IntruShield Manager Host to MARS: To define the host and represent the management console for IntruShield, follow these steps: Step 1 Click Admin > System...

Add and Configure Check Point Devices in MARS

After you identify and bootstrap the Check Point reporting devices and install the policies that enable the required traffic flows, you must represent those devices in MARS, which uses this information to communicate with the devices. When adding a Check Point device, you add two types of devices: Primary management station. The primary management station represents the SmartCenter server or CMA that manages other Check Point components. In the web interface, the base module is defined as a...

Add and Configure ePolicy Orchestrator Server in MARS

Before MARS can begin processing SNMP traps from ePolicy Orchestrator, you must define the ePolicy Orchestrator server as software running on a host. When ePolicy Orchestrator is defined as a reporting device, MARS can process any inspection rules that you have defined using ePolicy Orchestrator event types. After you add the ePolicy Orchestrator server to MARS, the appliance can discover the agents that are managed by the ePolicy Orchestrator server as events are generated by those agents. You...

Add and Configure NetCache in MARS

To add the NetCache device in MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Network Appliance NetCache Generic. Step 3 Enter the device name and its reporting IP address. Step 4 From the Web log format list, select the web log format that matches the value you selected in Step 5 of Configure NetCache to Send Syslog to MARS, page 13-1....

Add and Configure the Cisco ACS Device in MARS

To add the host and Cisco Secure ACS software application to MARS, follow these steps: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host. You can also select Add SW Security apps on an existing host if you have already defined the host within MARS, perhaps as part of the Management > IP Management settings or if you are running another application on the host, such as Microsoft Internet Information Services....

Add and Configure the eEye REM Device in MARS

To add the eEye REM device in MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 Select Add SW Security apps on a new host or Add SW security apps on existing host from the Device Type list. Step 3 Enter the device name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 Click the Reporting Applications tab. Step 6 From the Select Application list, select eEye REM 1.0. Step 7 Click Add. Step 8 Enter the following information: Database Name...

Add Available Modules

When you perform a discovery operation on a base module, MARS lists the discovered modules. From this list, you can select the modules to monitor using MARS. To add available modules, follow these steps: If modules are installed in the switch, a list of the modules appears. Step 2 Select a module from the Select list. Step 3 Click Add. Step 4 Repeat for other modules. Step 5 After you add the desired modules, verify the configuration information of each. For example, verify that the SNMP RO...

Add Cisco IOS 12.2 Modules Manually

To add a module manually, follow these steps: Step 1 Click Add Module. Step 2 Select Cisco IOS 12.2 from the Device Type list. Step 3 Enter the name of the module in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For modules that support the discovery operation, such as router and firewall modules, MARS renames this field's value...

Add Devices Monitored by Syslog Relay Server

While you do not have to configure each reporting device to forward syslog messages to the MARS Appliance, you must define the device to MARS so that, when it parses the syslog messages forwarded by the relay server, it is able to match the true reporting IP address to that of a known reporting device type. By knowing the reporting device type, MARS can correctly parse the events. The process for adding these reporting devices is the same as if there were no syslog relay server except that...

Add Discovered Contexts

When you select Discover on a Cisco ASA, PIX 7.0, or FWSM, MARS discovers the contexts that are defined for that firewall device. However, you must still manually add the discovered contexts. Note: You cannot discover a module installed in a Cisco ASA; you must manually define IPS modules. However, the discovered contexts do appear under the Module area on the main page. (PIX 7.0 and FWSM) Click Add Available Context. (Cisco ASA) Click Add Available Module. Step 2 Select a security context from the...

Add, Modify, and Delete a Report Group

To add a report group, follow these steps: Step 1 Navigate to the Report page, as shown in Figure 21-13. The Add Group dialog box appears, as shown in Figure 21-14. Figure 21-14 Add Report Group Dialog Box. Step 3 Enter the new report group name in the Name field. Step 4 Click the checkboxes of the reports to be added to the new report group....

Add, Modify, and Delete a Rule Group

To add a rule group, follow these steps: Step 1 Navigate to the Inspection Rules page, as shown in Figure 21-10. Figure 21-10 Inspection Rules Page. The Add Group dialog box appears, as shown in Figure 21-11. Step 3 Enter the new group name in the Name field. Step 4 Click the checkboxes of the rules to be added to the new rule group. Tip: The dropdown list above the list of rules can limit the display of rules to active system rules,...

Add Multiple Reporting and Mitigation Devices Using a Seed File

The seed file is a comma-delimited file with the file extension .csv (comma-separated value). Most spreadsheet programs let you import and export files as CSV files. The following is a sample seed file as exported from a popular spreadsheet program: 10.1.1.1, ,,,PIX,TELNET,,,cisco,,, ,,,,,,,, With the CSV file, you can enter the values, passwords, and information for each device that you want the MARS Appliance to monitor in its appropriate row and column. While the seed file is useful for...

Add Reporting and Mitigation Devices Individually

In general, you have two choices for adding devices that you want to monitor into your MARS. You can create a seed file or you can add each device manually. Seed file support is limited to a few device types; see Column E, page 2-23, for the devices supported. When manually configuring devices, select the devices that are most interesting to you. Once added, you can come back and edit them as necessary. Manual configuration is also useful when you add or change a single security device on your...

Add Security Contexts Manually

You can manually define security contexts in PIX 7.0, Cisco ASA, or FWSM. (PIX 7.0 and FWSM) Click Add Context. (Cisco ASA) Click Add Module. Step 2 In the Device Type list, do one of the following: For Cisco ASA, select Cisco ASA 7.0. For PIX 7.0, select Cisco PIX 7.0. For FWSM, select Cisco FWSM x.y, where x.y is the version number of the software running on the module. Step 3 Enter the name of the firewall device in the Device Name...

Add Syslog Relay Server to MARS

In addition to representing each of the potential reporting devices, you must define the syslog relay server so that MARS knows for which messages it should attempt to discover the true reporting device. To add a syslog relay server, you must add it as a security software application running on a host. To add a syslog relay server, follow these steps: Select Admin > System Setup > Security and Monitor Devices > Add. Select Add SW Security apps on a new host from the Device Type list, and...

Add the Cisco 7500 Router with Telnet as the Access Type

Step 1 Click Admin > Security and Monitor Devices > Add. Figure 19-17 Configure Cisco IOS 12.2. From the Device Type drop-down list, select Cisco Switch-IOS 12.2. Enter the Device Name of the switch. Enter the Access IP address (optional) and Reporting IP address of the switch. The Reporting IP address is usually the same as the Access IP address, but if you are creating an FTP device it must...

Add the Cisco Catalyst 5000 with SNMP as the Access Type

Step 1 Click Admin > Security and Monitor Devices > Add. Figure 19-15 Configure Cisco Switch CatOS Device Discovery-Cisco Switch-CatOS ANY. Step 2 From the Device Type drop-down list, select Cisco Switch-CatOS ANY. Step 3 Enter the Device Name of the switch. Step 4 Enter the Access IP address and Reporting IP address (the IP address of...

Add the Cisco Catalyst 6500 with SNMP as Access Type (Layer 2 only)

Step 1 Click Admin > Security and Monitor Devices > Add. Figure 19-16 Configure Cisco Switch CatOS Device Discovery-Cisco Switch-CatOS ANY. 1. Enter the reporting IP (the IP address where events originated from) to ensure that the system processes the events. From the Device Type drop-down list, select Cisco Switch-CatOS ANY. Enter the Device Name of...

Add the Cisco ICS Device to MARS

Before MARS can begin processing the syslog messages as Cisco ICS messages, you must define the Cisco ICS management server as a software application running on a host. After Cisco ICS is defined as a reporting device, MARS can process any inspection rules that you have defined using Cisco ICS event types. To add a Cisco ICS server to MARS, follow these steps: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new...

Add the MARS Appliance as a Host in Check Point

Representing the MARS Appliance in Check Point enables the following supporting tasks: Generate a client SIC DN for the MARS Appliance. Define policies to allow SIC and syslog traffic between the Check Point components and the MARS Appliance. Direct log traffic to the MARS Appliance. To define the MARS Appliance as a host, follow these steps: Step 1 Log in to the correct Check Point user interface using an account with administrative privileges. If you are using SmartCenter, use the...

Add the NetScreen Device to MARS

Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select the appropriate version of NetScreen ScreenOS from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and firewalls, MARS renames this field's value to match the...

Add the Oracle Database Server to MARS

To represent the Oracle database server in the web interface, follow these steps: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 From the Select Application list, select Oracle Database Server Generic. Step 6 Click Add. Enter the User Name, Password, and Oracle Service Name...

Add the Snort Device to MARS

To add the Snort device to MARS, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 Click the Reporting Applications tab. Step 6 From the Select Application list, select Snort Snort 2.0. Step 8 For attack path calculation and mitigation, specify the...

Add the VPN 3000 Concentrator to MARS

To add the VPN 3000 Concentrator to MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 Select either Cisco VPN Concentrator 4.0.1 or Cisco VPN Concentrator 4.7 from the Device Type list. Enter the name of the VPN Concentrator in the Device Name field. Enter the IP address used to administer the VPN Concentrator in the Access IP field. Enter the IP address from which the syslog messages are sent to MARS in the Reporting IP field. Select SNMP from the...

Adding Modules to a Cisco Switch

In MARS, you can represent, discover, and monitor modules that are installed in Cisco switches. These modules perform special-purpose security functions for the switch, such as firewall or intrusion detection and prevention. MARS recognizes the following switch modules and versions: Cisco FWSM 1.1, 2.2, and 2.3. To add a module, you must first add the base module, which is the Cisco switch. After the base module is defined in the web interface, you can discover the modules that are installed in...

Adding Reporting and Mitigation Devices

Three methods exist for adding reporting devices and mitigation devices to MARS: Manually add the devices one at a time. Add multiple devices using a seed file. Discover devices automatically using SNMP RO community strings. From the Security and Monitor Devices page, you can add or edit the reporting devices and mitigation devices that MARS monitors. To access this page, click Admin > System Setup > Security and Monitor Devices. You can search for, add, edit, delete, change display status,...

Adding Reporting and Mitigation Devices Using Automatic Topology Discovery

On the Admin page, under the Topology Discovery Information section, three links exist, allowing you to define the settings required to discover reporting and mitigation devices automatically. These links are: Community String and Networks. Allows you to define SNMP RO community strings on a per-network or IP range basis. Networks and SNMP RO strings can overlap. At least one SNMP string must be defined before discovery is attempted. Valid Networks. Identifies the set of networks and IP ranges...

Adding User-Defined Log Parser Templates

MARS allows the user to enter any syslog or SNMP device into the network topology, configure it to report data to MARS, and query the data using a free-form query. The user needs to specify the incoming data format so that MARS can parse and retrieve session information from arbitrary logs. In order to add a user-defined log parser template, the following steps have to be taken: Step 1 Add a custom Device or Application type. Step 2 Add a log parser template. Step 3 Add a device with the above custom...

Appendix B Regular Expression Reference B-1

PCRE Regular Expression Details B-1 Backslash B-2 Non-printing Characters B-3 Generic Character Types B-4 Unicode Character Properties B-5 Simple Assertions B-6 Circumflex and Dollar B-7 Full Stop (Period, Dot) B-8 Matching a Single Byte B-8 Square Brackets and Character Classes B-8 Posix Character Classes B-9 Vertical Bar B-10 Internal Option Setting B-10 Subpatterns B-11 Named Subpatterns B-12 Repetition B-12 Atomic Grouping and Possessive Quantifiers B-14 Back References B-15 Assertions B-16...

Appliance-side Tuning Guidelines

Tuning on the MARS Appliance focuses on not inspecting traffic that is received from the reporting devices. Two primary techniques exist for appliance-side tuning: Drop rules. This technique involves dropping all events that match specific criteria received from a reporting device. This technique is the fastest and the least refined. As part of defining a drop rule, you can also specify whether to retain the event in the log or simply discard it. The advantage of drop rules is that the events are...

Application Log Messages for the PN Log Agent

The PN Log Agent service writes events to the Application Log of Event Viewer on the Cisco Secure ACS server. The agent, identified in the log messages as PNLogAgentService, writes status messages, such as successful service start and stop. It also writes error messages for incomplete configuration and error conditions, such as when the service is out of memory. Table 14-1 categorizes the types of messages that can occur and explains their effects on the PN Log Agent service. Table 14-1 Possible...

Back References

Outside a character class, a backslash followed by a digit greater than 0 (and possibly further digits) is a back reference to a capturing subpattern earlier (that is, to its left) in the pattern, provided there have been that many previous capturing left parentheses. However, if the decimal number following the backslash is less than 10, it is always taken as a back reference, and causes an error only if there are not that many capturing left parentheses in the entire pattern. In other words,...

Back to Being the Admin

You must now express the plan in terms of information that is reported to you. This attack plan contains an attack with a follow-up of some kind. You might write your plan like: attacker to target, buffer overflow; attacker to target, root login (compromised host). At this point, the black hat has compromised the host. What happens next is up to the attacker. This makes the next few steps especially hard to predict. They want to be able to manipulate the world; they want to make change. Your newly...

Basic Navigation

The Local Controller uses a tab-based, hyperlinked user interface. When you mouse over an alphanumeric string or an icon that is a clickable hyperlink, the mouse cursor changes to a pointing-finger cursor. Figure 17-2 shows some of the clickable objects on the Dashboard page. Figure 17-2 callouts: link to the item's detail page or popup; the corresponding query field is populated; pull-down lists filter what is...

Bootstrap the Check Point Devices

Bootstrapping the Check Point devices involves preparing those devices to send data to the MARS Appliance, as well as enabling the MARS Appliance to discover the Check Point configuration settings. In addition to preparing the Check Point devices, you must gather the information required to represent the Check Point devices in the MARS web interface. You bootstrap the central Check Point management server, whether it be a CMA or a SmartCenter server, by defining the MARS Appliance as a target...

Bootstrap the Sensor

Preparing a sensor to be monitored by MARS involves two steps: Enable the Access Protocol on the Sensor, page 6-6; Enable the Correct Signatures and Actions, page 6-6. Enable the Access Protocol on the Sensor: The configuration of the sensor depends on the version of the software that is running on the sensor. The following topics identify the requirements of each version: Cisco IDS 4.x Software, page 6-6; Cisco IPS 5.x Software, page 6-6. For Cisco IDS 4.x devices, MARS pulls the logs using RDEP over...

Bootstrap the VPN 3000 Concentrator

To configure a Cisco VPN 3000 Concentrator to generate and publish events to the MARS Appliance, you must verify that the correct events are generated in the correct format, and you must direct the Cisco VPN 3000 Concentrator to publish syslog events to the MARS Appliance. To configure Cisco VPN 3000 Concentrator to send syslog events to MARS, follow these steps: Step 1: Open your browser and log in to the Cisco VPN 3000 Concentrator Series Manager. Step 2: From the tree on the left, select...

Change Rule Status: Active and Inactive

The CS-MARS correlation engine continuously tests only active rule criteria against incoming events to identify incidents. Inactive rules do not consume resources used for real-time operations. Note: A rule cannot be deleted; it can be made active or inactive. To change the status of a rule, follow these steps: Step 1: Navigate to the Rules > Inspection Rules page. Step 2: Select the checkbox of the rule (or rules) to change. The selected rules are made inactive if active, and active if inactive...

Chapter 10 Configuring Generic Solaris, Linux and Windows Application Hosts

Adding Generic Devices (10-1); Sun Solaris and Linux Hosts (10-2); Configure the Solaris or Linux Host to Generate Events (10-2); Configure Syslogd to Publish to the MARS Appliance (10-2); Configure MARS to Receive the Solaris or Linux Host Logs (10-3); Push Method: Configure Generic Microsoft Windows Hosts (10-5); Install the SNARE Agent on the Microsoft Windows Host (10-5); Enable SNARE on the Microsoft Windows Host (10-6); Pull Method: Configure the Microsoft Windows Host (10-6); Enable Windows Pulling Using a Domain...

Chapter 16 Policy Table Lookup on Cisco Security Manager

Overview of Cisco Security Manager Policy Table Lookup (16-1); More About Cisco Security Manager Device Lookup (16-3); More About Cisco Security Manager Policy Table Lookup (16-4); Prerequisites for Policy Table Lookup (16-4); Restrictions for Policy Table Lookup (16-5); Checklist for Security Manager-to-MARS Integration (16-6); Bootstrapping Cisco Security Manager Server to Communicate with MARS (16-12); Add a Cisco Security Manager Server to MARS (16-13); Procedure for Invoking Cisco Security Manager Policy Table...

Chapter 19 Incident Investigation and Mitigation

Incidents Overview (19-1); The Incidents Page (19-2); Time Ranges for Incidents (19-4); Incident Details Page (19-4); To Search for a Session ID or Incident ID (19-4); Incident Details Table (19-5); False Positive Confirmation (19-6); The False Positive Page (19-8); To Tune a False Positive (19-9); To Tune an Unconfirmed False Positive to False Positive (19-9); To Tune an Unconfirmed False Positive to True Positive (19-9); To Activate False Positive Drop Rules (19-10); Mitigation (19-10); Prerequisites for Mitigation with 802.1X...

Chapter 23 Management Tab Overview

To activate a set of management additions or changes (23-1); Event Management (23-1); Search for an Event Description or CVE Names (23-1); To view a list of all currently supported CVEs (23-2); Event Groups (23-2); To filter by event groups or severity (23-2); Edit a Group of Events (23-2); Add a Group (23-2); IP Management (23-3); Search for an Address, Network, Variable, or Host (23-3); Filter by Groups (23-3); Edit a Group (23-3); Add a Group (23-4); Add a Network, IP Range, or Variable (23-4); Add a Host (23-4); Edit Host Information...

Chapter 24 System Maintenance

Setting Runtime Logging Levels (24-1); Viewing the Appliance's Log Files (24-2); View the Back-end Log (24-2); Viewing the Audit Trail (24-3); View an Audit Trail (24-3); Retrieving Raw Messages (24-3); Retrieve Raw Messages From Archive Server (24-3); Retrieve Raw Messages From the Database of a Local Controller (24-5); Hard Drives (24-7); Status Lights (24-7); Partition Checking (24-7); Hotswapping Hard Drives (24-7); Remove a Hard Drive (24-7); Replace a Hard Drive (24-7); Replacing the Lithium Cell CMOS Battery (24-8); Replace the...

Chapter 4 Configuring Firewall Devices

Cisco Firewall Devices (PIX, ASA, and FWSM) (4-1); Bootstrap the Cisco Firewall Device (4-2); Enable Telnet Access on a Cisco Firewall Device (4-4); Enable SSH Access on a Cisco Firewall Device (4-4); Send Syslog Files From Cisco Firewall Device to MARS (4-4); Add and Configure a Cisco Firewall Device in MARS (4-5); Add Security Contexts Manually (4-8); Add Discovered Contexts (4-10); Edit Discovered Security Contexts (4-11); NetScreen ScreenOS Devices (4-11); Bootstrap the NetScreen Device (4-12); Add the NetScreen Device to...

Chapter 6 Configuring Network-based IDS and IPS Devices

Configure Sensors Running IDS 3.1 (6-1); Add and Configure a Cisco IDS 3.1 Device in MARS (6-4); Cisco IDS 4.0 and IPS 5.x Sensors (6-5); Bootstrap the Sensor (6-5); Enable the Access Protocol on the Sensor (6-6); Enable the Correct Signatures and Actions (6-6); Add and Configure a Cisco IDS or IPS Device in MARS (6-6); Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File (6-8); View Detailed Event Data for Cisco IPS Devices (6-9); Cisco IPS Modules (6-9); Enable SDEE on the Cisco IOS Device...

Chapter 8 Configuring Antivirus Devices

Symantec AntiVirus Configuration (8-1); Configure the AV Server to Publish Events to MARS Appliance (8-1); Export the AntiVirus Agent List (8-7); Add the Device to MARS (8-7); Add Agent Manually (8-7); Add Agents from a CSV File (8-8); McAfee ePolicy Orchestrator Devices (8-8); Configure ePolicy Orchestrator to Generate Required Data (8-8); Add and Configure ePolicy Orchestrator Server in MARS (8-12); Cisco Incident Control Server (8-13); Configure Cisco ICS to Send Syslogs to MARS (8-14); Add the Cisco ICS Device to MARS (8-15)...

Check Point Devices

The Check Point security product family can be distributed and tiered. As such, you must understand the deployment method, components, and release versions of this product family, their relationships, and how MARS interacts with them. You must also understand the many acronyms and abbreviations associated with this product family. Table 4-1 lists the abbreviations and acronyms used in the topics that follow. Table 4-1 Check Point Abbreviations and Acronyms...

Checklist for Monitoring Phase

After you complete the provisioning phase, you must configure MARS to help you realize your broader security goals and requirements. During the monitoring phase, your primary goal is to effectively realize your monitoring, mitigation, and remediation policies. This phase involves defining the strategies, rules, reports, and other settings required to achieve this goal. You must prepare MARS to closely adhere to your corporate security policy before you begin monitoring traffic flows, as you...

Checklist for Provisioning Phase

Inventory and review possible reporting devices, mitigation devices, and supporting devices. Reporting devices provide logs about user and network activities and device status and configuration. Mitigation devices can be used to respond to detected attacks. They also act as reporting devices. Supporting devices provide network services to reporting devices, mitigation devices, or a MARS Appliance. Identifying which devices on your network to monitor depends on multiple factors, including their...

Checklist for Security Manager-to-MARS Integration

Security Manager-to-MARS integration deals with identifying the required and optional points of integration, configuring the applications and devices, and ensuring proper authorization between the two management platforms. This checklist assumes a greenfield install of both Security Manager and MARS. The following checklist describes the tasks required to understand the decision-making process and the basic flow required to integrate MARS with a Security Manager server and the reporting and...

Circumflex and Dollar

Outside a character class, in the default matching mode, the circumflex character is an assertion that is true only if the current matching point is at the start of the subject string. If the startoffset argument of pcre_exec() is non-zero, circumflex can never match if the PCRE_MULTILINE option is unset. Inside a character class, circumflex has an entirely different meaning (see Square Brackets and Character Classes, page B-8, and POSIX Character Classes, page B-9). Circumflex need not be the...

Cisco Firewall Devices (PIX, ASA and FWSM)

MARS support for Cisco firewall devices includes the following: PIX Security Appliance, including PIX software releases 6.0, 6.1, 6.2, 6.3 and 7.0; Cisco Adaptive Security Appliance (ASA) 7.0; Cisco Firewall Services Modules (FWSM), versions 1.1, 2.2, and 2.3. Because the PIX software is mostly backward compatible, the commands required to bootstrap a PIX security appliance remain consistent across the releases. In addition, Cisco ASA and FWSM have much in common with the PIX command set. The...

Cisco IDS 4.0 and IPS 5.x Sensors

Adding a Cisco IDS or IPS network sensor to MARS involves two parts: 1. Bootstrap the Sensor, page 6-5; 2. Add and Configure a Cisco IDS or IPS Device in MARS, page 6-6. The following topic supports Cisco IDS and IPS devices: View Detailed Event Data for Cisco IPS Devices, page 6-9. Note: If you've imported your sensor definitions using the seed file format, as specified in Load Devices From the Seed File, page 2-24, you must define the networks monitored by the sensor.

Cisco Incident Control Server

The Cisco Incident Control Server (Cisco ICS) enables extended protection across Cisco IOS routers, switches, and IPS devices. In coordination with Trend Micro's incident control solutions, Cisco ICS prevents the spread of day-zero outbreaks in three ways. First, Cisco ICS issues temporary ACLs to those Cisco mitigation devices that can block such traffic, typically using a protocol and port pair block. This temporary block is referred to as an Outbreak Prevention ACL (OPACL). Second, as soon as...

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL. From this site, you can perform these tasks: report security vulnerabilities in Cisco products; obtain assistance with security incidents that involve Cisco products; register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt. If you prefer to see advisories and notices as they are updated in real time,...

Cisco Security Agent 4.x Device

To enable Cisco Security Agent (CSA) as a reporting device in MARS, you must identify the CSA Management Console (CSA MC) as the reporting device. The CSA MC receives alerts from the CSA agents that it monitors, and it forwards those alerts to MARS as SNMP notifications. When MARS receives the SNMP notification, the source IP address in the notification is that of the CSA agent that originally triggered the event, rather than the CSA MC that forwarded it. Therefore, MARS requires host...

Cisco Switch Devices

You can manage Cisco switches that run either CatOS or Cisco IOS Software Release 12.2 or later. The configuration of the switch varies between these two operating systems, as does the addition of the device in MARS. Adding a Cisco switch involves three steps: 1. Configure the switch to enable MARS to discover its settings. 2. Configure the switch to generate the data required by MARS. 3. Add and configure the switch in MARS. To prepare a Cisco switch running Cisco IOS Software Release 12.2...

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL. Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL. Use the Cisco Product Identification (CPI) tool to locate...

Conditional Subpatterns

It is possible to cause the matching process to obey a subpattern conditionally or to choose between two alternative subpatterns, depending on the result of an assertion, or whether a previous capturing subpattern matched or not. The two possible forms of conditional subpattern are (?(condition)yes-pattern) and (?(condition)yes-pattern|no-pattern). If the condition is satisfied, the yes-pattern is used; otherwise the no-pattern (if present) is used. If there are more than two alternatives in the subpattern, a compile-time error occurs....

Configure a Rule to Send an Alert Action

To send alert notifications to individual users or groups of users, configure the Action parameters of a rule to create an alert action. This procedure configures alerts for pre-existing rules. When you create a rule, the Action parameters are configured after the count number parameter. Drop rules do not have Action parameters and cannot trigger alerts. To modify or create an alert for an existing rule, follow these steps: Step 1: Click the RULES tab to navigate to the Inspection Rules page....

Configure Cisco ICS to Send Syslogs to MARS

Cisco ICS publishes syslog messages to MARS. To configure Cisco ICS, you simply define a syslog server with the IP address of the MARS Appliance. You do not need to enable any special logs, and you cannot tune the messages that are sent to MARS. The Cisco ICS events for which syslog messages are generated have been selected to provide the most benefit to your Security Threat Mitigation (STM) system. To prepare Cisco ICS to publish events to MARS, follow these steps: Step 1: Log in to the Cisco...

Configure Cisco Secure ACS to Generate Logs

To configure Cisco Secure ACS to generate the audit logs required by MARS, follow these steps: Step 1: Log in to the Cisco Secure ACS server or Solution Engine. Step 2: Select System Configuration > Logging. Step 3: Verify that CSV Failed Attempts, CSV Passed Authentications and CSV RADIUS Accounting logging are enabled. Step 4: Click CSV Failed Attempts, and verify that the following attributes appear in the Logged Attributes list. Step 6: Click CSV Passed Authentications, and verify that the...

Configure CSA Management Center to Generate Required Data

To bootstrap CSA, you must configure the CSA MC to forward SNMP notifications to the MARS Appliance. In addition, you can export the list of CSA agents in a format that MARS can import. However, this export operation is not necessary, as MARS discovers the agents as they generate notifications. This section contains the following topics: Configure CSA MC to Forward SNMP Notifications to MARS, page 7-6; Export CSA Agent Information to File, page 7-6...

Configure eEye REM to Generate Required Data

To configure eEye REM to provide the correct data to MARS, follow these steps: Step 1: Run command svrnetcn at the DOS prompt on the host where eEye REM 1.0 is installed. (Screenshot: a Windows 2000 command prompt in which the command is first mistyped as srvnetcn and reported as not recognized as an internal or external command, after which the directory is changed.)...

Configure ePolicy Orchestrator to Generate Required Data

To prepare the ePolicy Orchestrator server to forward SNMP events to MARS, follow these steps: Step 1: Select Start > Program Files > Network Associates > ePolicy Orchestrator 3.x Console. Step 2: In the tree, select McAfee Security > ePolicy Orchestrator, and click the Log on to server link under Global Task List. Step 3: In the Log On to Server dialog box, enter the username and password required to access the ePolicy Orchestrator server, and click OK. Step 4: In the tree, select McAfee...

Configure ExtremeWare to Generate the Required Data

To bootstrap an ExtremeWare switch, you must configure two features. First, you must configure the switch to send syslog messages to the MARS Appliance. Next, you must configure the SNMP RO community for MARS to access available L2 information. To prepare the ExtremeWare device to generate the data required by MARS, follow these steps: Step 1: For syslog configuration, add these commands: configure syslog add <MARS's IP address> local7 debug; enable syslog. Step 2: For SNMP configuration, add these...

Configure FoundScan to Generate Required Data

To configure FoundScan to provide data to MARS, follow these steps: Step 1: Run command svrnetcn at the DOS prompt on the host where FoundScan is installed. (Screenshot: a Windows 2000 command prompt in which the command is first mistyped as srvnetcn and reported as not recognized as an internal or external command, after which the directory is changed.) Step 2: In the SQL Server Network Utility...

Configure Interval for Pulling Oracle Event Logs

To specify the interval at which MARS should pull the event logs from all Oracle database servers on your network, follow these steps: Step 1: Click Admin > System Parameters > Oracle Event Log Pulling Time Interval. Step 2: Enter the new time interval in seconds. The default value is 300 (five minutes). Step 3: Click Submit.

Configure IntruShield Version 1.5 to Send SNMP Traps to MARS

Step 1: Log in to the IntruShield Manager version 1.5. Step 2: Click Configure. Step 3: In the Resource Tree, click My Company. Step 5: In the Add SNMP Server field, enter: a. Target Server IP Address: Enter MARS's IP address as it appears to IntruShield. b. Target Server Port Number: Enter MARS's port number, 162. d. Check the Forward Alerts box. e. Select the For this and child admin domains radio button. f. Select the severity from the list. Cisco recommends selecting High and Medium severity. g....

Configure IntruShield Version 1.8 to Send SNMP Traps to MARS

Step 1: Log in to the IntruShield Manager version 1.8. Step 3: In the Resource Tree, click My Company. Step 4: Click the Alert Notification tab. Step 5: Click the SNMP Forwarder sub-tab. Figure 6-12 IntruShield SNMP Forwarder Configuration. Figure 6-13 IntruShield Target SNMP Server. Step 7: On the SNMP Forwarder page, enter: a. Enable SNMP Forwarder: Select the Yes radio button. b. Target Server (IP Address)...

Configure ISS RealSecure to Send SNMP Traps to MARS

To configure an ISS RealSecure sensor, follow these steps: Step 1: Log in to the sensor. Step 2: Locate the common.policy files in these directories: Program Files\ISS\issSensors\server_sensor_1 and /opt/ISS/issSensors/server_sensor_1. Step 3: Open the common.policy files in a text editor. Step 4: Change the line that reads Manager S <MARS's IP address>. If the MARS Appliance's IP address is NATed, you may need to use the NATed address. If you use the MARS Appliance's IP address as the destination...

Configure Kiwi Syslog Server to Forward Events to MARS

We recommend the following settings in the configuration options of the Kiwi Syslog Daemon to ensure good integration of Kiwi with MARS. Expand the File > Setup > Rules > Actions tree. Right-click Actions and click Add an Action. Enter a name for the action, such as Forward to pncop. For the following fields, enter the following values: Destination IP address or hostname: Enter the IP address of the MARS Appliance. Send with RFC 3164 header information: Selected if the syslog server receives...

Configure MARS to Receive the Solaris or Linux Host Logs

To add a generic device to MARS, follow these steps: Step 1: Click Admin > Security and Monitor Devices > Add. Step 2: From the Device Type list, select Add SW Security apps on a new host. Figure 10-2 Adding a Generic Device to receive logs. Step 3: Enter the Device Name, and its Reporting IP address. Step 4: Select Operating System as Generic. Step 5: Select Logging Info and select Receive, then click...

Configure NetCache to Send Syslog to MARS

Synchronize the clocks of the NetCache device and MARS so that their times match. Note: MARS supports only HTTP proxy logs and MMS streaming media proxy logs. To configure NetCache to send syslog to MARS, follow these steps: Step 1: In Internet Explorer, enter the URL and log in to the NetCache device. Step 2: Click the Setup tab. Step 3: In the left side of the window, select HTTP, then Logging. Step 4: In the right side of the window, under Web Access Log Enable, select the Enable the...

Configure QualysGuard to Scan the Network

MARS uses the QualysGuard XML API and password-based authentication over SSL (TCP port 443) to retrieve scan reports from the QualysGuard API Server. As such, you do not need to configure the QualysGuard server to accept connections from MARS. The only required configuration is that you have an active account and Qualys subscription that is configured correctly to scan your network. By default, MARS assumes that you want to retrieve the most recent scan report saved on the QualysGuard server....

Configure Sensors Running IDS

Step 1: Log in to the Cisco IDS device. Step 2: Change to the directory that has all the configuration files that need to be edited. Step 3: You need to edit four files (organizations, hosts, routes and destinations) that are in this directory. In the organizations file, add a line indicating your organization name or grouping, where 1 is the item number followed by the organization name protego. If there is already an item in this file, simply increase the item number (it has to be unique). Figure 6-1 Add MARS...