Your experience w/ MARS use/implementation

Unanswered Question
Aug 26th, 2008

Just wanted to see what other people have going on with their MARS set up.

What do you have set up for mitigation? How long did you have MARS setup "passively" before configuring rules to actively mitigate?

Has MARS saved the day in response to a threat?

Do you have 'everything but the kitchen sink' monitored by MARS like database servers, web servers, etc., or just network/firewall devices?

thanks, just trying to get some feedback from more experienced MARS users.

jeff_groesbeck Wed, 08/27/2008 - 06:49

I typically let MARS run 'passively' for at least 2 weeks, but preferably for about a month. I do this so that MARS can attempt to learn about network patterns, etc.

Most of the implementations I have done are centered around the networking equipment, firewalls, IDS/IPS, VPN, etc., but I have done a few with Windows servers/desktops. I have had pretty good success with basic Windows server/desktop logging using Snare. I haven't had much success at all with database servers. Oracle database servers, for example, are only supported currently with one database instance per server. In every instance except one that I have run into, the Oracle servers have more than one database instance running on them. In that case, you can only get logs from the first instance you create on that server (in MARS). Currently there is no SQL database support in MARS at all. This is rather frustrating in my opinion. I'm not sure of the real reasoning behind this, but it's not there.

All of that being said, I have had several instances where MARS was able to detect malicious activity going on and let me know exactly where it was coming from and how. One instance was a desktop that was running RDP. A user was attempting to log into servers repeatedly with user accounts. MARS flagged this and alerted us it was going on. This happened within about 30 minutes of MARS being installed. The security team went to that workstation and they fired that guy that day. I have also had great success tracking down devices with viruses.

I am a believer in MARS, but still think it has some shortcomings when it comes to applications and databases. Hopefully 6.0 will open this up for us with the parser import/export ability.

Thank you and good luck,


js88888888 Thu, 08/28/2008 - 07:13

Thanks for the feedback Jeff. Great info. Are you sending any Netflows to MARS?

jeff_groesbeck Thu, 08/28/2008 - 07:36

Yes, I completely forgot to mention that. I do send NetFlow to MARS as it does help greatly with the correlation of events that MARS receives. It gives MARS that 'snapshot' of the traffic at that moment. That way you are also seeing the traffic pattern through routers/switches that normally wouldn't log that traffic.


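The two things Jeff describes above, the repeated-failed-logon alert MARS raised on the RDP workstation and the traffic 'snapshot' that NetFlow adds to such an alert, as an added example that is not code from the original thread or from Cisco MARS. It is a minimal stand-in for a MARS-style correlation rule: count failed Windows logons (event 529 as a Snare agent would forward it, 4625 on newer Windows) per source workstation inside a sliding window, require several distinct target servers, then pull the flows that routers or switches exported for that source over the same span. Every host name, IP, timestamp, log line and flow record is constructed for the example, the pipe-separated line format is a simplification rather than Snare's or NetFlow's real wire format, and the thresholds are assumptions, not MARS defaults.

```python
"""Failed-logon burst detection plus NetFlow context (constructed data).

Added example, not from the original thread or from Cisco MARS. The event
and flow formats are simplified stand-ins; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events after Snare -> syslog, reduced to
# timestamp|event_id|source_ip|target_host|account. 529 = failed logon,
# 528 = successful logon (Windows 2000/2003 event IDs).
SAMPLE_EVENTS = """\
2008-08-27 09:01:10|529|10.1.50.23|SRV-FILE01|administrator
2008-08-27 09:01:14|529|10.1.50.23|SRV-FILE01|administrator
2008-08-27 09:01:40|529|10.1.50.23|SRV-FILE01|jsmith
2008-08-27 09:02:05|529|10.1.50.23|SRV-DB01|administrator
2008-08-27 09:02:09|529|10.1.50.23|SRV-DB01|sa
2008-08-27 09:02:31|529|10.1.50.23|SRV-DB01|backup
2008-08-27 09:03:12|529|10.1.50.23|SRV-AD01|administrator
2008-08-27 09:05:00|528|10.1.50.77|SRV-FILE01|kpatel
2008-08-27 09:15:00|529|10.1.50.88|SRV-FILE01|mlee
2008-08-27 09:40:00|529|10.1.50.88|SRV-FILE01|mlee
"""

# Constructed NetFlow-style records: timestamp|src|dst|dst_port|packets|bytes
SAMPLE_FLOWS = """\
2008-08-27 09:00:55|10.1.50.23|10.1.10.5|3389|40|6200
2008-08-27 09:01:50|10.1.50.23|10.1.10.6|3389|38|5900
2008-08-27 09:02:20|10.1.50.23|10.1.10.5|445|12|1800
2008-08-27 09:02:40|10.1.50.88|10.1.10.5|445|30|4100
2008-08-27 09:03:00|10.1.50.23|10.1.10.2|3389|35|5400
2008-08-27 09:30:00|10.1.50.23|10.1.10.5|3389|44|6900
"""

FAILED_LOGON_IDS = {529, 4625}   # 529: Win2000/2003, 4625: Vista/2008 and later


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_events(text):
    """Parse the simplified event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, target, account = line.split("|")
        events.append({"ts": _ts(ts), "event_id": int(event_id),
                       "src": src, "target": target, "account": account})
    return events


def parse_flows(text):
    """Parse the simplified flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, pkts, byts = line.split("|")
        flows.append({"ts": _ts(ts), "src": src, "dst": dst,
                      "dport": int(dport), "packets": int(pkts), "bytes": int(byts)})
    return flows


def detect_logon_bruteforce(events, window=timedelta(minutes=10),
                            threshold=5, min_targets=2):
    """One alert per source that produced >= threshold failed logons against
    >= min_targets distinct servers inside any `window`-long sliding span."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] in FAILED_LOGON_IDS:      # ignore successes and other events
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1                              # j = first event outside the window
            burst = evs[i:j]
            targets = sorted({e["target"] for e in burst})
            if len(burst) >= threshold and len(targets) >= min_targets:
                alerts.append({"source": src, "first": burst[0]["ts"], "last": burst[-1]["ts"],
                               "failures": len(burst), "targets": targets,
                               "accounts": sorted({e["account"] for e in burst})})
                break                               # first qualifying burst per source
    return alerts


def netflow_context(flows, src, start, end, slack=timedelta(minutes=1)):
    """Flows exported for `src` from start-slack to end+slack, summed per (dst, port)."""
    ctx = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        if f["src"] == src and start - slack <= f["ts"] <= end + slack:
            c = ctx[(f["dst"], f["dport"])]
            c["flows"] += 1
            c["packets"] += f["packets"]
            c["bytes"] += f["bytes"]
    return dict(ctx)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for a in detect_logon_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{a['source']}: {a['failures']} failed logons against {a['targets']} "
              f"with accounts {a['accounts']} between {a['first']} and {a['last']}")
        for (dst, port), c in sorted(netflow_context(flows, a["source"], a["first"], a["last"]).items()):
            print(f"  {a['source']} -> {dst}:{port}  {c['flows']} flow(s), {c['bytes']} bytes")
```

On the constructed data only 10.1.50.23 trips the rule (seven failures against three servers in about two minutes; the two typos from 10.1.50.88 are 25 minutes apart and never reach the threshold). The flow lookup then shows that the same workstation opened RDP (3389) sessions to three different servers and SMB (445) to one of them in that span, which is the kind of 'where else did it go' view a switch or router only gives you through NetFlow, since it does not log that traffic itself.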
Farrukh Haroon Fri, 08/29/2008 - 05:51

If you have a FWSM etc. sending level 7 messages to the MARS, you can (sometimes) skip the netflow part.

We have not enabled NetFlow on one of our customers and the MARS is able to generate alarms for all sorts of traffic anomalies. However, we might not be able to know about any DoS attacks on our perimeter router, though!

