MARS: Hello I am working on tuning the MARS 25 Series

Unanswered Question
Jan 29th, 2010

When I delete the devices on the MARS, in real time they are also removed from the Hotspot graph, but in the attack diagram it takes time, say an hour, before they are removed. Can somebody give me a tuning method on how to remove them in real time in the attack diagram, please?

thanks and regards

Farrukh Haroon Wed, 02/03/2010 - 02:07

The attack diagram is based on the 'historical' firing of incidents. Deleting those devices on the graph/topology won't immediately delete them from the attack diagram. I don't even see why that would be required. Please let me know your specific requirement.

Regards

Farrukh

ericohermoso Wed, 02/03/2010 - 03:15

Thanks for the reply.

It happens that we need to know the real-time attacks on a certain device. Anyway, I just configured my MARS device and added devices such as routers and switches as well as firewalls. Also, I configured NetFlow. However, I have a question on mitigation: it seems that my MARS does not recommend a command that could be used. Also, I cannot push a command necessary to stop the attack. Could someone give me some other configuration parameters?

Thanks

Farrukh Haroon Wed, 02/03/2010 - 03:32

Please try to add all network devices in the transit path into MARS, e.g. L2 switches.

MARS can only do mitigation on 'L2' devices (switches). For Layer 3, it can only 'suggest' configuration. But to be honest, it does not always work.

Regards

Farrukh

ericohermoso Wed, 02/03/2010 - 05:24

Thanks for the reply. I already added all the devices; say you have 4 devices, 1 firewall and 3 IOS devices with a minimum IOS version of 12.2, but still I can't mitigate a device to stop an attack on a device (router). For example, I want to stop a certain host from accessing a router. Anyway, aside from adding devices, what could be the next step to tune MARS?

Thanks and best regards

Farrukh Haroon Fri, 02/05/2010 - 22:17

The most important thing is to filter out the false positives etc. from MARS. The preferred option is to do it at the reporting device itself (e.g. Event Action Filters in IPS), and as a last resort make 'Drop Rules' in MARS itself.

For the mitigation, did you add SNMP write access to these devices?

Regards

Farrukh

ericohermoso Sun, 02/07/2010 - 07:09

Thanks for the reply. I used this command on my devices:

snmp-server community ABCD rw

So does that mean I should be able to mitigate the device?

Farrukh Haroon Sun, 02/07/2010 - 08:02

The RW string will take care of it from the device perspective (however, as a security best practice I would recommend adding an ACL to that command to restrict SNMP traffic to only the MARS box).

From the MARS side:

> You have to configure this string in MARS

> Make sure all L2 switches are added in MARS

Is MARS showing it as a mitigation device in incidents?

Regards

Farrukh
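The SNMP lock-down Farrukh recommends above, written out as an added Cisco IOS configuration example (not part of the original thread). The community string ABCD is the one posted earlier in the thread; the MARS management address 10.1.1.50 and the ACL number 10 are assumptions for illustration.

```cisco
! Added example, not from the original thread.
! Assumptions: the CS-MARS appliance manages the device from 10.1.1.50
! (hypothetical) and standard ACL 10 is unused on this device.
!
! --- Weak setting as posted in the thread ---
! A read-write community with no source restriction: any host that can
! reach UDP/161 and guesses or sniffs the string can reconfigure the device.
snmp-server community ABCD RW
!
! --- Hardened form ---
! Remove the unrestricted community first; re-adding the same name with an
! ACL replaces it, but being explicit avoids surprises in startup-config.
no snmp-server community ABCD RW
!
! Standard ACL: only the MARS appliance may use the RW community.
! 'log' on the deny line makes any other SNMP source show up in syslog,
! which MARS itself can collect from this device.
access-list 10 remark SNMP RW access restricted to CS-MARS
access-list 10 permit host 10.1.1.50
access-list 10 deny   any log
!
! Bind the ACL to the community. MARS still gets write access for
! mitigation (e.g. shutting an L2 switch port); everyone else is refused.
snmp-server community ABCD RW 10
!
! Verification (exec mode):
!   show snmp community        - confirms the community and its ACL binding
!   show access-lists 10       - hit counters; denies indicate other sources
```

If more than one MARS appliance (or a local controller/global controller pair) polls the device, add one `permit host` line per appliance address rather than widening the ACL to a subnet.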

ericohermoso Mon, 02/08/2010 - 00:27

Hi, thanks for the reply and advice. In my CS-MARS implementation I used telnet, SSH, and SNMP access types, but still there is no mitigation. I have read that you can mitigate devices if you are using the SNMP access type; is that right?

Thanks again

ericohermoso Sat, 02/13/2010 - 22:23

Thanks, I am able to see the mitigation. Now I will just drill down and add all the remaining Layer 2 devices. Thanks, your advice has been very helpful.
