ASK THE EXPERT - CS-MARS

Nov 26th, 2007
User Badges:
  • Gold, 750 points or more

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on new features released in CS-MARS 4.3.1 and 5.3.1, including authentication services and Cisco IPS signature dynamic updates with Cisco expert Gary Halleen, CISSP-ISSAP. Gary is a security consulting systems engineer with Cisco. He is the author of "Security Monitoring with Cisco Security MARS", and was a technical editor of "Intrusion Prevention Fundamentals." His diligence was responsible for the first successful computer crimes conviction in the state of Oregon. Halleen is a regular speaker at security events and presents at Cisco Networkers conferences.


Remember to use the rating system to let Gary know if you have received an adequate response.


Gary might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 7, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

Overall Rating: 4.4 (7 ratings)
jjenkins284 Mon, 11/26/2007 - 11:59
User Badges:

When will MARS support other browsing platforms aside from Internet Explorer?


When will we be able to filter on netflow events so that we can reduce the # of false positives that happen for certain types of traffic?

ghalleen Wed, 11/28/2007 - 20:18
User Badges:
  • Cisco Employee,

Both of these are currently being worked on, but not yet committed to a specific MARS release.


MARS only supports Internet Explorer because of a limitation of the SVG Viewer (by Adobe), which is used to create the maps within MARS. A future release will replace SVG with something that is supported by more browsers.


Gary


southeringtonp Thu, 11/29/2007 - 11:18
User Badges:

A couple of issues with that, FWIW...


The biggest problem with Firefox (at least for us) isn't the SVG support, but table rendering problems. For example, when viewing an incident, cells that should be beside each other end up on subsequent lines, etc. Collapsing and then re-expanding the view sometimes helps, but it's still an irritation to say the least.


Firefox actually has native support for SVG, but it doesn't work with MARS.


You can bludgeon it into working with the (defunct) version 6 beta of Adobe's viewer, but that's likely to have its own issues.



jeanphi Mon, 11/26/2007 - 12:38
User Badges:

Are there resources, best practice documents, or white papers for large-scale MARS implementation? I have a customer looking to deploy MARS solutions for 20-30 sites. What is best? Centralize on 1-2 MARS? 1 MARS at each location, then communicate back to a central server for aggregation?

bramakrishnan-pts Mon, 12/03/2007 - 23:44
User Badges:

Hi


It's suggested in the doc on page 20, sec. 3.2.1.1, to set the logging level to debug. I am having issues with MARS getting VPN events from a router; the events are logged only if the debug level is turned on...


Is this the only way, or is there an alternate method to get the VPN events on MARS? Debug level is not acceptable to the user.


Thanks.

Ramki

mogli Wed, 11/28/2007 - 03:40
User Badges:

We have some devices integrated into the MARS which are reporting via syslog. We would need to create a custom parser which fires whenever a syslog event with, let's say, severity "emergency" arrives (independent of which device/device type it comes from). I found in the documentation the notice that the header of a syslog is not examined by the parser. Severity and facility of a syslog event are only in the header of the syslog packet; there's the problem: we can't use this pre-classified information. As you can imagine there are thousands of different emergency syslog events (from different devices), so it's not a valid solution to configure a custom parser for each ;-)

Why trash this very useful information??? The only answer I can find for myself is that this is due to bad design. There's no deeper sense in discarding this apart from the implementation of the syslog parsing feature, right?

Will it be possible in further releases to work with syslog facilities/severities? If yes, it would be very interesting to know in which release this will be available.


kind regards
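As an added illustration of the point in the post above (not code from this thread, and not how MARS itself handles syslog): the facility and severity the poster wants to filter on live in the RFC 3164 PRI field at the very start of each syslog packet, encoded as facility * 8 + severity. A collector that keeps that header can classify on severity before any device-specific message parsing, which is exactly the pre-classified information the post describes. The sample lines are constructed for the example, and the names for facility codes 12-15 vary between implementations.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3164 PRI field: "<N>" at the start of the packet, N = facility * 8 + severity.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp",
              "ntp", "audit", "alert", "clock",   # codes 12-15: names vary by implementation
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogHeader:
    facility: str
    severity: str
    severity_code: int   # 0 = emergency ... 7 = debug
    body: str            # everything after the PRI field (timestamp, host, message)


def parse_pri(line: str) -> Optional[SyslogHeader]:
    """Decode the PRI field of one syslog line; None if the line has no valid PRI."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # highest legal value: facility 23, severity 7
        return None
    facility_code, severity_code = divmod(pri, 8)
    return SyslogHeader(FACILITIES[facility_code], SEVERITIES[severity_code],
                        severity_code, m.group(2).strip())


def filter_by_severity(lines: List[str], max_severity_code: int = 0) -> List[Tuple[str, str, str]]:
    """Return (facility, severity, body) for every line at or above the given severity,
    independent of which device produced it. Lower codes are more severe, so the
    default (0) keeps only 'emergency' messages."""
    hits = []
    for line in lines:
        hdr = parse_pri(line)
        if hdr is not None and hdr.severity_code <= max_severity_code:
            hits.append((hdr.facility, hdr.severity, hdr.body))
    return hits


# Constructed sample lines (not captured from real devices).
SAMPLE_LINES = [
    "<0>Nov 26 11:59:01 core-rtr kernel: panic - not syncing",           # kern.emergency
    "<134>Nov 26 11:59:02 web01 httpd: GET /index.html 200",             # local0.informational
    "<184>Nov 26 11:59:03 fw-edge %FW-0-DOWN: outside interface down",   # local7.emergency
    "<33>Nov 26 11:59:04 auth01 sshd: repeated authentication failure",  # auth.alert
    "malformed line without a PRI field",
]

if __name__ == "__main__":
    for facility, severity, body in filter_by_severity(SAMPLE_LINES):
        print(f"{facility}.{severity}: {body}")
```

Running it prints only the two emergency lines, one from a kernel and one from a firewall, without a per-device pattern for either; raising the threshold to 1 would also admit the auth.alert line.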

jjenkins284 Thu, 11/29/2007 - 08:33
User Badges:

When will we have the ability to have MARS not send us a report if it contains no records? I have several reports that I only care about if there is something in them; with the current software I still have to look at all of the reports.

ghalleen Thu, 11/29/2007 - 10:51
User Badges:
  • Cisco Employee,

I've rolled this feature request to the product team. It's a great idea!


Gary


clausonna Thu, 11/29/2007 - 12:28
User Badges:
  • Bronze, 100 points or more

I've seen multiple discussions (on both Cisco and non-Cisco forums) regarding the use of the 2nd management NIC on the MARS appliance, specifically as a way to overcome performance issues. What is Cisco's current Best Practice - should I be using the management NIC for using the MARS GUI (and deal with static routes or whatever is required to get this to work), or is it OK to use the primary interface for both syslog/netflow/snmp input and day-to-day GUI work?


I'm using a MARS 200 in a 'single source' network - no service provider or out-of-band requirements.

ghalleen Thu, 11/29/2007 - 23:59
User Badges:
  • Cisco Employee,

It is certainly okay to use the single interface for both logging and management access to MARS. This is how the majority of customers use it.


On very heavily-used MARS, I've seen some performance gains when using the second interface.

drummond.s Thu, 11/29/2007 - 12:42
User Badges:

Question: is it possible to include some of the firing event information in an emailed alert? As a one-man shop, I have MARS sending me alerts constantly--some I can IGN, others I cannot. I have created an alarm to tell me when I get red alerts, rather than editing each rule. I only get the name of my rule; I would like to include the name of the triggering event.

I have become desensitized to the alarms which makes me nervous and sort of defeats the purpose of MARS.

Question: is it possible to mass-assign incidents to cases? I would like to be able to filter incidents and assign them as a block to a case for an individual.


ghalleen Fri, 11/30/2007 - 00:00
User Badges:
  • Cisco Employee,

The only way, currently, to include this information is to send an XML e-mail instead of a regular e-mail.

ghalleen Wed, 12/05/2007 - 07:17
User Badges:
  • Cisco Employee,

The best option is to open a TAC case. The reason for this is so the product team has documentation of the missing or incorrect event type in MARS.

tkiel Fri, 11/30/2007 - 01:54
User Badges:

We have installed 4.3.1, but we cannot connect to IPS-4215 version 6, nor ASA/IPS.

When adding the units and testing the connectivity, "view error" says to try telnet on port 443.

This works fine. If we change the TLS key, MARS recognizes it, so the communication in between is fine. The MARS box is configured to accept all TLS/SSH changes.

Tcpdump shows the flow seems fine too.

But nevertheless, MARS fails every time to test the connection to the IPS boxes.


Is there a known error, or a suggestion as to what we have missed?

ghalleen Fri, 11/30/2007 - 08:37
User Badges:
  • Cisco Employee,

This is a known bug of 4.3.1 software, and is scheduled to be fixed in 4.3.2. If you get this error message when testing connectivity to an IPS, whether a standalone appliance like the IPS-4215, or an AIM module in an ASA firewall, then go to a CLI on the MARS appliance. Try telnetting to the sensor on port 443 (telnet 192.168.5.5 443). If you are able to connect to the sensor, then quit the CLI and simply submit your changes without testing connectivity. Don't forget to hit "Activate".


You should receive alerts from the IPS even though you were unable to test connectivity. If you don't receive alerts, verify that the time on MARS and the IPS are the same.

valsa Fri, 11/30/2007 - 02:57
User Badges:

Is there any change in the scheduled archival of pnos in version 4.3.1? (Earlier it used to be every night.)


Thanks in advance,


Valsa

ghalleen Fri, 11/30/2007 - 09:12
User Badges:
  • Cisco Employee,

Valsa,


The archiving process hasn't changed. pnos is still backed up each night (at around 1:00am). Events and such are archived throughout the day.


The only difference with 4.3.1 is the addition of a command-line-only command called "pnexp". This is intended to be used as an exporter when upgrading from a 1st generation MARS appliance to a 2nd generation appliance (for instance, from a MARS-200 to a MARS-210). However, it also provides a way to perform an on-demand full backup of an appliance that can be restored with the pnrestore command.

valsa Sun, 12/02/2007 - 23:09
User Badges:

Thanks for your inputs; but the MARS-200 box is not archiving "pnos" the day after it was upgraded to 4.3.1. All other things like events, stats, etc. are being archived as expected. The pnos directory, in addition to the OS image, contains a subdirectory "timeline" with two files of "zero" bytes. In fact the archive process has been stopped & started from the GUI also.


Is anybody facing a similar problem? Any remedial steps?


thanks in advance

ghalleen Mon, 12/03/2007 - 19:47
User Badges:
  • Cisco Employee,

It sounds like you need to call TAC on this one.


Gary


jfvaillancourt Wed, 12/05/2007 - 21:10
User Badges:

I and several of my customers would love to see:


1) manual backup/restore from the GUI


2) configurable backup schedule


3) SCP and/or FTP supported.


Any plans on that?


Thanks...

ghalleen Thu, 12/06/2007 - 10:31
User Badges:
  • Cisco Employee,

1) I agree with you. Right now it is only available from the CLI, and the command line syntax is somewhat complex.


2) Agreed


3) SCP is being actively discussed as an option to NFS.

s.buskus Fri, 11/30/2007 - 07:13
User Badges:

Hi Gary,

I'm having problems trying to use the custom parser for an SNMP trap and I'm looking for a good way to troubleshoot this problem. First of all, the SNMP trap includes a string enclosed in double quotes and has spaces between the quotes ("word word word"). I'm not sure if I'm using the best regex for this string. I have two that work when I "test" the parser, but fail when implemented. The two regex I tried are "[0-9a-zA-Z\ ]{1,}" and the other is "[\S\s]{1,}".


As I said, they pass the parser test, but fail when I implement the template. Is there a good way to debug the template?


Thanks
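An added example, not code from this thread or from the MARS parser: one way to exercise a candidate regex against several raw samples offline before committing it to a template, using the two patterns from the post plus a quote-delimited alternative. The trap strings are constructed, and the assumption that the field is wrapped in ASCII double quotes with none inside it is mine. Two regex behaviours are worth seeing side by side: `[\S\s]{1,}` is greedy and runs to the last double quote in the message, so a second quoted field is swallowed into the capture, and `[0-9a-zA-Z\ ]{1,}` matches nothing at all once the string contains punctuation. Either can pass a single test sample and then fail on live traffic.

```python
import re
from typing import Dict, List, Optional

# The two patterns from the post and a third that stops at the next double quote.
# Assumption: the field is wrapped in ASCII double quotes and contains none itself.
PATTERNS = {
    "alnum_space": r'"([0-9a-zA-Z\ ]{1,})"',
    "anything":    r'"([\S\s]{1,})"',
    "not_quote":   r'"([^"]*)"',
}

# Constructed raw trap text in the shape the post describes (not real SNMP output).
SAMPLES = [
    'enterprise=1.3.6.1.4.1.99999 msg="link down on port 3" severity=major',
    'enterprise=1.3.6.1.4.1.99999 msg="link down on port 3" user="admin" action=none',
    'enterprise=1.3.6.1.4.1.99999 msg="link down: port 3/1" severity=major',
]
# What a correct parser should pull out of each sample.
EXPECTED = ["link down on port 3", "link down on port 3", "link down: port 3/1"]


def extract(pattern: str, text: str) -> Optional[str]:
    """First capture group of `pattern` in `text`, or None when it does not match."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def compare_patterns(text: str) -> Dict[str, Optional[str]]:
    """What each candidate pattern would capture from one raw message."""
    return {name: extract(p, text) for name, p in PATTERNS.items()}


def failing_samples(pattern: str, samples: List[str], expected: List[str]) -> List[str]:
    """Samples for which `pattern` does not capture the expected string: a regression
    check over many messages rather than the single message a template test uses."""
    return [s for s, want in zip(samples, expected) if extract(pattern, s) != want]


if __name__ == "__main__":
    for s in SAMPLES:
        print(s)
        for name, got in compare_patterns(s).items():
            print(f"  {name:12s} -> {got!r}")
    for name, p in PATTERNS.items():
        print(f"{name}: {len(failing_samples(p, SAMPLES, EXPECTED))} failing sample(s)")
```

Feeding the script a few dozen raw messages pulled from a query (rather than the three constructed here) is the practical check: a pattern with zero failing samples across real traffic is the one to put in the template.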


ghalleen Sat, 12/01/2007 - 00:05
User Badges:
  • Cisco Employee,

Can you run a query for all matching events, raw messages, and send me a copy of one of the events that is not parsing properly? Also, send me the parser that is not working?

joseph-sheena Fri, 11/30/2007 - 08:50
User Badges:

Hi Gary,


I really, truly need your assistance here. Our company has 4 MARS boxes installed a few years ago. The core is a MARS 100, the fringe 3 are MARS 50. These expensive units are sitting idle on our network as nobody seems to get the hang of it. I've attended the MARS course, watched the TechWise show on MARS, read Greg Abelar's book, but something is missing. I thrive on technical challenges but things are not coming together when it comes to MARS. At our weekly meetings, I need to come up with reports on what the MARS box is doing for the company and the pressure is on me. The book, which is very similar to the online documentation, does not help me interpret a report. I opened a TAC ticket and the lead said they are a break/fix shop and don't provide such assistance, that I need to read YOUR book - that was out a few weeks ago, back then. This gives you an idea of how long I've been struggling with MARS. I've tried installing REGUlazy but even that would not install (something I saw on TechWise TV). I contacted Roy Ostrov in Israel and concluded it has something to do with security on my work laptop. With the myriad of report options in MARS, and several variables to choose to generate a report, I know how to create a report but I have no clue what this report is saying. Gary, I understand you'd be dreadfully busy but I would sincerely appreciate it if you or someone who knows the MARS box inside out could do a Meeting Place session with me to see where the MARS mystery is hiding. I aspire to master everything there is to know about Intrusion Prevention Systems and would like to nail down MARS box management, left hands, eyes closed.

I truly need NetPro assistance here. Can you help me?


Thank you kindly.

Sheena

ghalleen Fri, 11/30/2007 - 09:14
User Badges:
  • Cisco Employee,

Sheena,


Please get ahold of your account manager or SE and discuss the issues with them. If they don't have someone local to do a MeetingPlace with you, they have access to my calendar and can set something up with me.


Gary


joseph-sheena Fri, 11/30/2007 - 09:42
User Badges:

Gary,


Thank you for your reply.

Do I HAVE to go through my SE???? I've tried that avenue and got nowhere. Can I open a TAC ticket?


Thank you again.

Sheena

joseph-sheena Tue, 12/04/2007 - 16:33
User Badges:

Hi Gary,

I did get hold of our Account Manager. Please expect to see an e-mail from Tim Kvek based out of Irvine, CA.


Thank you

Sheena

Hi Sheena,


There are so many things MARS will do that it seems daunting to come up with ideas. That is why I have had a number of meetings with people to see what it is that they need. We have a fair-size network so there are a number of opportunities that have arisen. One thing to note: if it was not for our security SE we probably would never have bought MARS. It was he that gave us the vision of what MARS could do for us. So here goes, and feel free to e-mail me if you want and I will provide contact info if you would like to talk further. Our experience will be different but some things I will write may spark some interest. We capture both NetFlow and syslog so we can get pretty granular when it comes to reporting.


I gave a meeting to introduce the team to MARS and asked what they would like to see from it. Some things that came out are reporting rogue access points, checking to see if users are having problems with VPN (we check to see if a user fails 4 times entering an RSA token ID), SMTP mailers to our DMZ, people changing their computer name, other unauthorized traffic to sensitive networks. There are a bunch more. Basically, if you can capture a syslog message you can create a report and then a rule. I always create a report to see how it looks and then, when it is where I want it, I will create the rule. This normally works best. Keep your ears open for people complaining about something they want and then see if you could build a report. If something happens and you want to know the next time it happens, create a rule. If someone is getting denies on a firewall, go to MARS and pull specific logs. MARS obviously can be tricky, but if you let your end users and managers help you by providing specifics about what they are looking for, it will probably be a little easier.


-Rich



pllewellyn Wed, 12/05/2007 - 06:32
User Badges:

What's the simplest means for capturing MARS Netflow data for long-term (i.e., monthly) reporting? I understand that by default MARS doesn't retain Netflow data beyond a few days at most. I'm working with a customer with a requirement for monthly traffic flow reports to show source/destination, protocol to port level, and bandwidth consumed.

ccbootcamp Fri, 11/30/2007 - 15:24
User Badges:
  • Gold, 750 points or more

What's the average install hours needed to setup and tune a single MARS 20?

ghalleen Sat, 12/01/2007 - 00:11
User Badges:
  • Cisco Employee,

There's not a good, hard figure for this. It could be as short as an hour, or as long as several days, depending on how many devices you're adding, and how complex the network is.


My estimate for initially setting it up (after racking it) would be 30-45 minutes to reimage the appliance with the latest and greatest code and bootstrap it with password, ip address, mask, DNS, and such.


If you were only adding a Cisco firewall, IPS, and 4-5 routers or switches, it could take an additional 15 minutes to an hour for each if the devices aren't already configured to log to the MARS' IP address. If they are, then maybe 10 minutes each.


These numbers are a total swag. If the MARS administrator is not the same person that manages the other devices, and there is change control to consider, then it could take several days to configure it.


I hope this non-answer helps!

ccbootcamp Sat, 12/01/2007 - 08:36
User Badges:
  • Gold, 750 points or more

Let's say we're adding and tuning for 50 devices. Admin is the same person managing all devices. Just a rough guess?

ghalleen Mon, 12/03/2007 - 21:57
User Badges:
  • Cisco Employee,

You're from ccbootcamp. Is this a question you're thinking of adding to your curriculum?

more_jazZz_2 Sat, 12/01/2007 - 07:00
User Badges:

Gary hello.


My first question: the MARS system is not the only solution for the task of Security Threat Mitigation. On the market we have similar solutions for monitoring and responding to security events, for example Eventia Suite from Checkpoint. Could you tell me what advantages MARS has compared to other solutions?


Second question: please explain to me what priority Cisco used to create the default rules in MARS.


Thank you.

valsa Mon, 12/03/2007 - 01:58
User Badges:

1) How can events generated by a User Defined Signature (UDS) in IntruShield IPS be integrated into MARS?


2) MARS 4.3.1 supports IntruShield signatures released June 2007. Is there a way to integrate events generated by signatures added by IntruShield after that? Or should we wait for the next version of MARS?



Currently, at a client wanting to leverage ROI on their Microsoft MOM solution as an alternative to installing the Snare agent on all the Domain Controllers. Can Cisco MARS integrate with Microsoft MOM? Since everything is now being streamlined to MOM, the idea was to integrate interfacing between the Snare agent (on the MOM server) and/or Snare server to push all logs to MARS (LC or GC) to leverage the allocated storage for PCI-compliant data archiving.

ghalleen Wed, 12/05/2007 - 07:22
User Badges:
  • Cisco Employee,

There's currently no integration with MOM.

Hi - I've recently deployed MARS, and so far so good. I have a few questions, if you'd help me please:


1) When will MARS support Symantec AV 11 / Juniper SSL VPN & Checkpoint R65?


2) I'd like to start putting NetFlow to the MARS device. All my floors have stacked 3750Es as their gateways (maybe 50 people per floor, around 10 floors), then EIGRP down to my 6509 cores. I have a 110 device; will this be able to handle NetFlow with this sort of user traffic?


Thanks James.

mogli Tue, 12/04/2007 - 02:31
User Badges:

hi,


As far as I know, NetFlow is not supported on the Cat3750E.


regards

You cannot export NetFlow from your 3750s, but you can from your 6500s. Depending on your topo, I would probably enable NetFlow on your links out to the floors. That will probably be enough. If you want, you can also enable NetFlow export from your VLAN interfaces, but that may be overkill. The best plan is always to ramp up. Enable it on an uplink or two, see how things are going, and then add more. Based on 500 people I do not see how it will overtax any MARS, especially the 110. If you have any deeper questions feel free to contact me.


-Rich

ghalleen Wed, 12/05/2007 - 07:25
User Badges:
  • Cisco Employee,

New device support is added regularly. I'm not sure what the exact timeline is for each type of device.


Your 3750E switches do not support netflow, but your 6509 does. The MARS-110 should have no problem with netflow in this network.

srementer Mon, 12/03/2007 - 12:50
User Badges:

Is there any way to tune the lag time between when signatures fire on our IPS and IDS devices and when these events show up on the MARS system? There seems to be a delay of 5 to 10 minutes.

ghalleen Wed, 12/05/2007 - 07:37
User Badges:
  • Cisco Employee,

Most of the rules within MARS wait for several minutes for all rule conditions to be met before firing.


If you run a query for all matching events, and select only the IDS/IPS device as the reporting device, you can see them much quicker.


Potentially, you can edit the rules and shorten the time period, but this may cause you to start missing some incidents that take longer to complete.
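To make the trade-off Gary describes concrete, here is an added example (not MARS code, and not a description of how its rule engine is implemented): a toy multi-condition rule evaluated over a constructed IPS event stream, with a raw per-event query beside it for comparison. The rule name, the event types and the timestamps are all invented for the example. The raw query shows each event as soon as it exists; the rule can only report an incident once its last condition has arrived, and a shorter window drops any chain of events that takes longer than the window to complete.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed event stream (timestamp, source IP, event type); not real IPS output.
EVENTS = [
    ("2007-12-03 12:00:00", "10.1.1.5", "probe"),
    ("2007-12-03 12:04:00", "10.1.1.5", "exploit"),
    ("2007-12-03 12:07:30", "10.1.1.5", "outbound_connect"),
    ("2007-12-03 12:02:00", "10.2.2.9", "probe"),
    ("2007-12-03 12:03:00", "10.2.2.9", "exploit"),
    ("2007-12-03 12:03:40", "10.2.2.9", "outbound_connect"),
    ("2007-12-03 12:05:00", "10.3.3.1", "probe"),      # lone probe, chain never completes
]

# Hypothetical rule: all three conditions from one source, in this order.
RULE = ["probe", "exploit", "outbound_connect"]
WINDOW_LONG = timedelta(minutes=10)
WINDOW_SHORT = timedelta(minutes=5)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def raw_query(events, event_type: str) -> List[Tuple[str, str]]:
    """The 'all matching events' view: every event of one type, visible as it arrives."""
    return [(t, src) for t, src, et in events if et == event_type]


def correlate(events, window: timedelta) -> Dict[str, Tuple[datetime, timedelta]]:
    """Fire the rule for each source whose events satisfy RULE in order, with the last
    condition arriving within `window` of the first. Returns source -> (fire time,
    delay between the first raw event and the incident being reported)."""
    fired = {}
    pending = {}   # source -> (time of first condition, index of next condition awaited)
    for ts_str, src, etype in sorted(events, key=lambda e: e[0]):
        ts = _ts(ts_str)
        start, idx = pending.get(src, (None, 0))
        if start is not None and ts - start > window:
            start, idx = None, 0           # window expired: drop the partial chain
            pending.pop(src, None)
        if idx == 0:
            if etype == RULE[0]:
                pending[src] = (ts, 1)
            continue
        if etype == RULE[idx]:
            idx += 1
            if idx == len(RULE):
                fired[src] = (ts, ts - start)
                del pending[src]
            else:
                pending[src] = (start, idx)
    return fired


if __name__ == "__main__":
    print("raw exploit events:", raw_query(EVENTS, "exploit"))
    for window in (WINDOW_LONG, WINDOW_SHORT):
        res = correlate(EVENTS, window)
        print(f"window {window}: {[(s, str(d)) for s, (_, d) in res.items()]}")
```

With the 10-minute window both sources produce an incident, the slow one 7.5 minutes after its first event; with the 5-minute window the slow chain from 10.1.1.5 is discarded before its final condition arrives and only the fast one is reported. That is the "start missing some incidents that take longer to complete" effect in miniature.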

mogli Tue, 12/04/2007 - 02:42
User Badges:

hi gary,


- Is it planned to make the MARS "multi-administrator capable" (like, e.g., different contexts on an FWSM or ASA)? We have the demand to let different "operators" from different locations onto the MARS - but they should see only the devices from their locations, not the whole network.


- will there be a native support for Cisco access-points in further releases?


regards

ghalleen Thu, 12/06/2007 - 10:38
User Badges:
  • Cisco Employee,

Virtualization within MARS is something that the product team is hoping to accomplish, but it is not currently roadmapped for a specific release.


Yes, Cisco access points will be supported through integration with the wireless controllers. This support comes in the 5.3.2 release, which we'll see on CCO in just a few days.


Be warned, though, that this wireless support will not be available in the 4.3.2 release that runs on the Generation 1 appliances. Only the Generation 2 appliances.


Support for wireless controllers on Generation 1 appliances won't be available until 6.0 comes out this spring.


Gary


brianbono Tue, 12/04/2007 - 04:35
User Badges:

I can't access my CS-MARS either from the GUI or via SSH, but I can ping it.


This error below was displayed on the console:


"ext 3 - fs error device ide 0

(3,5) (3,3) (3,6) instart transaction journal has aborted

ext e _get_ide_inode_loc"


What do I need to do to bring this box up and running?

ghalleen Wed, 12/05/2007 - 07:39
User Badges:
  • Cisco Employee,

It appears that the appliance was turned off without powering it down, corrupting the hard drive. Either this or the hard drive is failing. You need to contact TAC for resolution on this.
