ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Jun 1st, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Jazib Frahim the deployment and implementation techniques for Cisco Security Monitoring, Analysis and Response System (CS-MARS) appliances. Jazib is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. Jazib holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has presented at Networkers on multiple occasions. He recently authored the book "Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance".


Remember to use the rating system to let Jazib know if you have received an adequate response.


Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 15, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

PAUL TRIVINO Fri, 06/01/2007 - 09:12

Thanx for having this. What is the protocol for posting to this event? A specific subject in the General List, which he will monitor, or replies to this thread?


TIA


Paul Trivino

pcomeaux Fri, 06/01/2007 - 14:52


Please ask your questions in this thread.


This thread will be active and bumped to the top with every question.


thxs!

peter

p.mckay Thu, 06/14/2007 - 08:35

I want to change up the current config of my 4250 to use two ports for an IPS pass-through setup. Can you link the relevant documentation in your reply? I currently have 5 interfaces and will use 2 of the Fa interfaces to handle the traffic, leaving 2 Fa interfaces and 1 Gb interface for monitoring.

jfrahim Thu, 06/14/2007 - 15:38

Hi there,

Since this forum is on MARS, can you clarify what you are asking in terms of MARS?

-Jazib

p.mckay Fri, 06/15/2007 - 07:46

Yes, sorry about that. I posted and then realized it was the wrong forum; feel free to remove this post and the other. I did find the documentation.

PAUL TRIVINO Sat, 06/02/2007 - 09:13

MARS General FP Drop Rule vs. Listed Unconf. FPs


I'm reposting this from its originally-standalone post:


I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.


It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.


But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:


1. It will take a long time.

2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.


Any ideas?


Paul Trivino

jfrahim Tue, 06/05/2007 - 08:30

Hi Paul,

Unfortunately, if you are using MARS and setting up drop rules, you are going to get those FPs. I think you should see if you could tune out those messages at the reporting device (IPS/IDS box) if at all possible. This way MARS will not even receive those events and you would not have to do manual FP confirmation.

Hope that helps

-Jazib

m.reay Sun, 06/10/2007 - 00:38

Jazib - what is the logic behind this?


If you create a drop rule for ANY device for a particular event - surely you are indicating you want to ignore this event.


Why should it then ask you to confirm fp rules for every single device reporting this event?


Also - I have seen multiple fp incidents from a single host. When these are tuned duplicate drop rules get created for the same device.


As you cannot delete rules - is this not a waste of disk space?


Also - it makes managing drop rules very untidy.

jfrahim Mon, 06/11/2007 - 06:11

The reason why the drop rules cannot be deleted is because of incident forensics. For example, if an incident is fired today because events match a rule, and you delete this rule from the MARS appliance, then you will not be able to find out why this incident was generated without a corresponding rule.

Hope that helps

-Jazib

m.reay Mon, 06/11/2007 - 21:20

Jazib - I am aware of the reason rules cannot be deleted.


If you create a drop rule for ANY device for a particular event - surely you are indicating you want to ignore this event.


Why should it then ask you to confirm fp rules for every single device reporting this event?


Also - I have seen multiple fp incidents from a single host. When these are tuned duplicate drop rules get created for the same device.



m.reay Tue, 06/12/2007 - 22:12

Hi Jazib - any thoughts on this posting?


thanks


Mick.

jfrahim Wed, 06/13/2007 - 02:53

Hi there,

I am actually checking with the development team to shed more light on this. I will keep you posted as soon as I hear something back from them.


Thanks for your patience

-Jazib

hermanaccd Mon, 06/04/2007 - 07:57

Hi,


I was wondering when Cisco MARS would implement auto-mitigation. That would be a big feature. Will it be released in version 4.3? When is version 4.3 coming out?


Thanks,


Herman Choi

jfrahim Mon, 06/04/2007 - 09:54

Herman,

I can't discuss the MARS roadmap on this thread. You may want to discuss it with your local Cisco account team. However, many network administrators do not want to have auto-mitigation type functionality, as they want to ensure that things are not being dynamically filtered in their infrastructure.

Hope that helps

-Jazib

DrEAmlessoD Tue, 06/05/2007 - 05:53

Is there any means through which one can configure a rule action to send a plain text email describing an event, as opposed to an XML formatted one? Thanks in advance!

jfrahim Tue, 06/05/2007 - 06:22

Hi there,

If you are looking for a description of an incident, then you have to use XML notification. The plain email notification sends you a brief summary of the incident, but this may not be what you are looking for.

regards,

Jazib

Wilson Samuel Tue, 06/05/2007 - 07:33

Hi Jazib,


I thank you and Cisco Systems for this thread.


I have been a newbie to MARS, having separated my ways from CSA 4.0 / IDS 42XX /PIX 6.3 over VMS.


Now when I see IPS 42XX sensors, I find or understand that MARS is actually a paradigm shift in the implementation of IDS / IPS (or in other words, Threat Mitigation).


So, my questions would be as follows:


1. Is there any document that describes the overall implementation scenarios (like SRNDs) for MARS


2. How can we actually use the XML notification emails?


3. Can we use MARS to get information from Routers and Switches also ? Please provide the URL for Config Guide.


Looking forward to hearing from your side,


Kind Regards,

Wilson Samuel

PAUL TRIVINO Tue, 06/05/2007 - 07:47

Wilson, I can give you the URL of the CS-MARS Support stuff: http://www.cisco.com/en/US/customer/products/ps6241/tsd_products_support_series_home.html


The User Guide provides procedures to provision routers, switches, ACS, servers, firewalls, the whole schmear. There are *some* white papers there too. Apparently the SRND list page has moved or I'd check that and give it to you.


Paul

Wilson Samuel Tue, 06/05/2007 - 07:55

Hi Paul,


Thanks for the info; however, I'm still a bit puzzled, please help on this point:


1. If a Router/Switch is configured for MARS, what is it going to report (presuming that none of them have an IDSM in it)?



Regards,

Wilson Samuel

PAUL TRIVINO Tue, 06/05/2007 - 08:06

All KINDS of stuff: I can't even begin to list them, PLUS MARS will then understand network topology AND switches can be used to mitigate certain threats. If you have a list of your devices, make a MARS seed file, run it in, let them be discovered, and you're away.


Paul

jfrahim Tue, 06/05/2007 - 08:27

Hi Wilson,


1. Is there any document that describes the overall implementation scenarios (like SRNDs) for MARS

Jazib>> There aren't any published documents on MARS SRND. However, Cisco Advanced Services has a MARS design and implementation service that you can get assistance from on this.


2. How can we actually use the XML notification emails?

Jazib>> Please consult this URL:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/4_2/uglc/appalert.htm


3. Can we use MARS to get information from Routers and Switches also ? Please provide the URL for Config Guide.

Jazib>> Here it is:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/4_2/uglc/cfgrtrsw.htm


Hope that helps

-Jazib

PAUL TRIVINO Tue, 06/05/2007 - 08:30

Jazib, have you been able to look at my post from Jun 2 10:13AM? TIA


Paul

Wilson Samuel Tue, 06/05/2007 - 08:36

Thanks Jazib,


However, one more query:


1. The configuration of Routers/Switches is required in order to gather the topology information and basic Mitigation techniques like shutting down a port, putting an ACL in place or sending a TCP Reset command.


Will it be able to gather the information regarding an Attack / Intrusion from Routers / Switches also?


Regards,

Wilson Samuel


jfrahim Tue, 06/05/2007 - 08:49

Wilson,

The current mitigation techniques are to shut down the switch port using the SNMP RW string and to provide ACL recommendations for layer 3 devices. I am not following your question: are you asking me if the MARS appliance can gather information from a router, switch and an intrusion detection box?

-Jazib

Wilson Samuel Tue, 06/05/2007 - 09:09

Jazib,


Thanks for the information regarding Threat Mitigation using MARS (the current mitigation techniques are to shut down the switch port using the SNMP RW string and to provide ACL recommendations for layer 3 devices).


However, it seems I didn't put my questions correctly or clearly.


Let me put it this way:


1. MARS can gather the topological details provided we configure the Routers / Switches in the MARS Appliance.


Having said that, can it also gather the information regarding any intrusion from the Routers and Switches also, like that it gets from any IPS / IDS device or Module?


I hope it's clearer this time,


Kind Regards,

Wilson Samuel

wiluszm Tue, 06/05/2007 - 16:00

Wilson,


I believe you're wondering whether MARS will detect intrusions or anomalies directed at your router or switch, rather than at a device that requires traversing their path. The answer is yes. Typically an intrusion attempt is made using ssh/telnet/http/https/snmp to gain access to the router/switch. By following best practice, all of these management protocols should be filtered using an ACL (access control list). An intrusion would thus cause the ACL to fire a deny, which in turn is logged (in a Cisco world... by doing something like "deny tcp any any eq 22 log"). MARS can parse ACLs and after parsing you can now generate events. I have a great example of this on my blog. Out-of-the-box MARS does not detect this, but the required parsing is present. Hope this helps!


-Mike

http://cs-mars.blogspot.com
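An added example of the parsing step Mike describes (this is not code from the thread or from his blog): it reads IOS %SEC-6-IPACCESSLOGP syslog lines that an ACL with the log keyword produces, keeps only the denied packets aimed at management-plane ports (ssh, telnet, http, https, snmp) and aggregates them per source address, which is the kind of event a MARS rule would then act on. The hostnames, addresses and the ACL name MGMT-IN are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample syslog, in the format IOS emits for an ACL entry with the
# "log" keyword (%SEC-6-IPACCESSLOGP). Hosts, addresses and ACL name are made up.
SAMPLE_SYSLOG = """\
<189>Jun  5 09:12:01 edge-rtr1 1234: Jun  5 09:12:00.123: %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 203.0.113.7(51234) -> 192.0.2.1(22), 1 packet
<189>Jun  5 09:12:02 edge-rtr1 1235: Jun  5 09:12:01.456: %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 203.0.113.7(51235) -> 192.0.2.1(23), 1 packet
<189>Jun  5 09:12:03 edge-rtr1 1236: Jun  5 09:12:02.789: %SEC-6-IPACCESSLOGP: list MGMT-IN permitted tcp 10.10.0.5(40001) -> 192.0.2.1(22), 1 packet
<189>Jun  5 09:12:04 core-sw1 77: Jun  5 09:12:03.001: %SEC-6-IPACCESSLOGP: list MGMT-IN denied udp 203.0.113.9(161) -> 192.0.2.2(161), 3 packets
<189>Jun  5 09:12:05 edge-rtr1 1237: Jun  5 09:12:04.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Fields of the IPACCESSLOGP message: ACL name, action, protocol, src(port) -> dst(port), count.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# Syslog header up to the reporting device's hostname: <PRI>Mon dd hh:mm:ss host
HEADER_RE = re.compile(r"<\d+>\S+\s+\d+ [\d:]+ (?P<host>\S+) ")

# Management-plane services the thread mentions; the ACL guards these.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 161: "snmp"}


def parse_acl_log(line):
    """Return a dict of fields for an IPACCESSLOGP line, or None for any other message."""
    header = HEADER_RE.match(line)
    body = ACL_LOG_RE.search(line)
    if not header or not body:
        return None
    ev = body.groupdict()
    ev["host"] = header.group("host")
    for key in ("sport", "dport", "count"):
        ev[key] = int(ev[key])
    return ev


def management_access_denials(syslog_text):
    """Keep only denied packets aimed at a management port, labelled with the service name."""
    events = []
    for line in syslog_text.splitlines():
        ev = parse_acl_log(line)
        if ev and ev["action"] == "denied" and ev["dport"] in MGMT_PORTS:
            ev["service"] = MGMT_PORTS[ev["dport"]]
            events.append(ev)
    return events


def summarize_by_source(events):
    """Total denied packets per source address (IOS already aggregates a count per log line)."""
    totals = Counter()
    for ev in events:
        totals[ev["src"]] += ev["count"]
    return dict(totals)


if __name__ == "__main__":
    denials = management_access_denials(SAMPLE_SYSLOG)
    for ev in denials:
        print(f"{ev['host']}: {ev['src']} -> {ev['dst']}:{ev['dport']} ({ev['service']}) denied x{ev['count']}")
    print(summarize_by_source(denials))
```

The permitted ssh line from the internal address and the unrelated %SYS-5-CONFIG_I line are dropped, so only the three denied management attempts remain.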

jfrahim Tue, 06/05/2007 - 22:54

Thanks Wilson for your great explanation. Just to add to what you mentioned earlier, MARS relies on the events generated by the reporting devices. So if a device (in your case a router) generates an event through ACL log or any other method, then MARS should receive that and, based on the configured rules, should take appropriate actions.

Hope that helps

-Jazib

helponline Sun, 06/10/2007 - 22:06

Hi,

I want to disable the logs created by CS-MARS which are not useful, and I want to check the other device logs which are mapped on CS-MARS and how to filter the logs.


Thanks


jfrahim Mon, 06/11/2007 - 06:09

Hi there,

I am not sure I am following you. Do you want to disable self-generated incidents on MARS? If so, you can disable (inactivate) the rules associated with whatever incidents you are looking at.

Hope that helps

-Jazib

nikhil_sule Tue, 06/05/2007 - 22:05

Hi,

I am searching for a Switch/Router which is CAR compatible Radius client for a 'Cisco Access Registrar' prepaid billing solution.

jfrahim Tue, 06/05/2007 - 22:50

Hi Nikhil,

This is an NPC event for Cisco MARS appliances. I am sure you can get your answer on a different forum.

Thanks

-Jazib

sebastan_bach Tue, 06/05/2007 - 23:20

Hi Jazib, can you please tell me the functionality of MARS in an enterprise? Is it a centralised logging system?


Can you please tell me more about the same.


regards


sebastan



jfrahim Tue, 06/05/2007 - 23:24

Sebastan,

MARS is a central logging system which provides correlation to identify positive incidents and day-zero anomalies. Additionally, it provides reporting and mitigation functionality. If you want to learn more about it, please consult:

http://www.cisco.com/en/US/products/ps6241/index.html

Hope that helps

-Jazib

pplsi Tue, 06/12/2007 - 06:20

Hi Jazib,


Could you clarify this please. We bought MARS as well. One of the things we were told is that we could use it for our syslog solution. This is false.


We have had to purchase LogLogic as our syslog solution. I am trying to forward the syslog to MARS and it can't understand the syslog messages. I have tried udp and raw tcp. The udp I can see as real time events as unknown. MARS will not process them.


Also, do I still need the devices listed in MARS if I have their logs sent to LogLogic?

mhellman Tue, 06/12/2007 - 06:33

Cisco only supports forwarding from syslog-ng and Kiwi. See the section "Relaying Syslog Messages from 3rd-party syslog servers" in the user guide. I'm not familiar with LogLogic, but if you can modify the output to match either of these... it should work. You must still define the reporting devices in MARS.


I've never done it, but you can also configure MARS to forward to LogLogic by creating an inspection rule. Seems like that wouldn't be very efficient to me, but might be worth a try.

pplsi Tue, 06/12/2007 - 09:14

Thank you for your reply. I'll look in the pdf for "Relaying Syslog Messages from 3rd-party syslog servers".


I've tried both udp and sending in raw tcp. If I look in real time events on MARS I can see them in udp as unknown. If I send them as tcp I can see a few in real time events but not many. However, neither show up under my summary.


Thanks again.

pplsi Tue, 06/12/2007 - 10:06

This worked! Thanks mhellman! I set it up as it stated for syslog-ng/Kiwi in "Relaying Syslog Messages from 3rd-party syslog servers". I then set up two of my firewalls again as reporting devices and it is working for them. Now I just have to re-set up all my devices and make sure it all works. Thanks again.

jfrahim Tue, 06/12/2007 - 19:59

Thanks mhellman for the great explanation on this.

regards,

Jazib

Wilson Samuel Thu, 06/07/2007 - 04:59

Hi Praenjit,


If you are working for a Cisco Partner, get yourself Partner credentials on your CCO A/c and then ask your manager about PEC.


I'm sure you would find a good amount of material over there.


Please rate if it helps.


Kind Regards,

Wilson Samuel

jfrahim Thu, 06/07/2007 - 06:01

Prasenjit,

This is not the correct forum to inquire about that. It is designed for CS-MARS.

Thanks

-Jazib

robertsmichael Thu, 06/07/2007 - 12:23

Is there a way that I can configure a query/report for specific SNMP traps to alert me whenever a BGP session is dropped on a defined group of managed network devices?

jfrahim Fri, 06/08/2007 - 07:13

You can configure a custom query or even a report based on the keyword. So when you define a query, specify the BGP-specific events and run that query.

hope that helps

-Jazib

jfrahim Fri, 06/08/2007 - 07:15

Hi there,

We fully support ePolicy version 3.5. If you are running a newer version of McAfee, then there might be some interoperability issues, as those versions are not officially supported yet.

Hope that helps

-Jazib

mhellman Fri, 06/08/2007 - 07:09

My understanding is that when incidents are added to cases, the events/sessions/incidents are saved "permanently" in the database.


I also understand that, from an archiving/pnrestore perspective, this case data is considered part of the OS and configuration (i.e. you can't restore the configuration without also restoring the case data).


Obviously, there is a finite amount of space in the database. Eventually, this space will fill up. I'm concerned that when we reach that point we'll have no option other than to completely rebuild a new box, manually adding all the devices, etc. What other options might we have?

jfrahim Fri, 06/08/2007 - 21:08

Hi there,

It is true that the case-specific data is considered a part of the system configuration data. So if you end up restoring data on MARS, then you not only restore its configuration but also information about cases. However, data specific to cases doesn't utilize a lot of space. I don't imagine how this data can fill up all your disk space.

-Jazib

mhellman Mon, 06/11/2007 - 05:14

IMHO, it's very short-sighted to think that space will never fill up. Cisco needs to start thinking about how long-time customers will deal with this.


That aside, is there any way I can tell from the CLI or from looking at the archived data how large this data is getting?

jfrahim Mon, 06/11/2007 - 06:05

You can use the "diskusage" command to check the disk space.

-Jazib
