MARS capabilities

Unanswered Question
Feb 18th, 2009

Hi,

I recently have started to study the MARS capabilities, and there are a few things which I don't understand.

1. What information should the Dynamic info in the device information window contain?

I have set up on the equipment the SNMP RW communities, syslog, NetFlow, and SSH/Telnet access for MARS (ASA 8.x, IOS routers 12.4, IOS switches 12.2).

For stations I have configured dot1x and MARS is receiving logs from the ACS.

But Dynamic Info contains no information at all for any of this equipment. I have some session information in the case of desktops reported by CSA, but it's unclear what it means, as no such connection exists at the moment for that station.

ex:

79.85.XX.XX N/A N/A N/A dell (Cisco,CSA,5.x) Feb 17, 2009 8:02:27 PM EET Present Feb 17, 2009 8:02:27 PM EET

2. Where should the current NAT translations appear? I tried to do a query for this but no data was returned.

3. How accurate can the hotspot graph or the attack path information generated by MARS be?

I have the following scenario:

pc - l2 sw - l3 sw - ASA

On the Network diagram everything appears to be connected to a cloud. Is this the normal behavior?

As I observed, sometimes L2 devices are missing from the path information.

Sorry for the long post :) but I spent a whole day trying to find an answer to these questions without any success.

Mars Version: 6.0.2 (3102)

Thanks,

Oszkar

Farrukh Haroon Wed, 02/18/2009 - 23:42

1) The dynamic information is usually for end-hosts only; this is reported by CSA.

2) MARS is translation aware, as in it parses events keeping into consideration the NAT translation rules (retrieved from the device configuration files), but it is not really an IP Address Management tool (like the ones manufactured by BlueCat etc.).

3) The L2 devices sometimes don't appear no matter what you do; this depends on the software version of the switch and limitations in MARS. But as a first step you have to add all the L2 switches in MARS to facilitate this (and even mitigation, if you would like). Then, once you add them, run topology discovery again. Again, remember the topology discovery/view of MARS is limited, and is meant mostly for overview/documentation purposes. It's not a full-blown network plotting/graphical fault management tool.

Regards

Farrukh
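The "translation aware" event parsing described in point 2 above, shown as an added example (this is not code from the thread, nor from Cisco MARS itself): it reads ASA 8.x (pre-8.3) `static` NAT lines from a constructed config snippet and rewrites the mapped (outside) address in constructed ASA syslog lines back to the real inside host, so that an event such as a deny on the outside interface can be attributed to the actual endpoint rather than its public address. The `normalize_events` function, the sample config, the sample syslog lines and every IP address in them are assumptions constructed for the example.

```python
"""Added example: NAT-aware normalization of ASA syslog events.

Not code from Cisco MARS; it illustrates the idea that a correlation
engine can use NAT rules pulled from device configuration to map the
translated (mapped) address seen in an event back to the real host.
All config lines, syslog lines and addresses here are constructed.
"""
import ipaddress
import re

# ASA 8.0/8.2 syntax: static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)

# "iface:ip/port" tokens as they appear in ASA 106023 / 302013 messages
ADDR_RE = re.compile(r"(?P<if>[\w-]+):(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)")

# Constructed ASA 8.2 configuration snippet (assumed sample data)
SAMPLE_CONFIG = """
! constructed sample, not a real device
static (inside,outside) 198.51.100.2 10.1.1.5 netmask 255.255.255.255
static (dmz,outside) 198.51.100.32 172.16.5.0 netmask 255.255.255.224
"""

# Constructed ASA syslog lines (assumed sample data)
SAMPLE_EVENTS = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 '
    'dst inside:198.51.100.2/22 by access-group "outside_in"',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/4445 '
    'dst dmz:198.51.100.40/80 by access-group "outside_in"',
    '%ASA-6-302013: Built inbound TCP connection 1122 for '
    'outside:203.0.113.9/5000 (203.0.113.9/5000) to inside:10.1.1.5/22 (198.51.100.2/22)',
]


def parse_static_nat(config_text):
    """Return a list of (mapped_net, real_net, real_if, mapped_if) rules.

    A missing netmask is treated as a host (/32) translation, which is the
    ASA default for a single-address static.
    """
    rules = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        mask = m.group("mask") or "255.255.255.255"
        mapped = ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False)
        real = ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False)
        rules.append((mapped, real, m.group("real_if"), m.group("mapped_if")))
    return rules


def untranslate(ip_str, rules):
    """Map a mapped (outside) address to its real inside address.

    For a network static, the host offset inside the mapped block is kept,
    so 198.51.100.40 in a /27 mapped to 172.16.5.0/27 becomes 172.16.5.8.
    Addresses not covered by any rule are returned unchanged.
    """
    ip = ipaddress.ip_address(ip_str)
    for mapped, real, _, _ in rules:
        if ip in mapped:
            offset = int(ip) - int(mapped.network_address)
            return str(ipaddress.ip_address(int(real.network_address) + offset))
    return ip_str


def normalize_event(syslog_line, rules):
    """Rewrite every 'iface:ip/port' token whose ip is a mapped address."""

    def repl(m):
        real_ip = untranslate(m.group("ip"), rules)
        if real_ip == m.group("ip"):
            return m.group(0)
        return f"{m.group('if')}:{real_ip}/{m.group('port')}"

    return ADDR_RE.sub(repl, syslog_line)


def normalize_events(config_text, events):
    """Parse the NAT rules once and normalize a batch of syslog lines."""
    rules = parse_static_nat(config_text)
    return [normalize_event(line, rules) for line in events]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, normalize_events(SAMPLE_CONFIG, SAMPLE_EVENTS)):
        print("raw:       ", before)
        print("normalized:", after)
```

The third sample line is left untouched on purpose: ASA 302013 already reports the real address in front of the mapped one in parentheses, so only messages that carry the mapped address alone (such as the outside-interface deny) need the rewrite. A real deployment would also have to handle dynamic `nat`/`global` pools, where the mapping is only known from the translation table (`show xlate`) at the time of the event, which is exactly why a query for "current NAT translations" in a log-based tool can come back empty.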
