Host Discovery In MARS

Answered Question
Apr 3rd, 2010

I have a problem with my MARS. I cannot see or find any host discovered by MARS when I go to the IP management page and search for hosts.

I have added all the switches in MARS and they are discovered, and I configured SNMP and syslog on the switches.

Can you please help me to solve this issue?

Correct Answer
Jennifer Halim (Cisco Employee) Sat, 04/03/2010 - 15:33

Are all the switches sending any syslog and/or SNMP messages to MARS? If you go to the switch and do "show log", under the logging traps, are you seeing the number of packets increase for traps?

You can use Query/Report --> Query tab --> click on the Query type: "Event Types ranked by Sessions, 0h:10m" --> Result format: choose "All Matching Event Raw Messages".

That should give you everything that is received by MARS.

Hope that helps.

Mohammed Attif ... Sun, 04/04/2010 - 01:56

Dear halijenn


I can see that the switches are sending to MARS when I do show log; also I can see that MARS receives logs from all switches when I do a query.

But still there is no host IP address or name (from the DNS server) discovered by MARS; it only discovers the networks.

Thank you

Jennifer Halim (Cisco Employee) Sun, 04/04/2010 - 02:18

Not sure if I understand your question on "But still there is no any host ip address or name (from DNS server) discovered by MARS it is only discover the networks."

Do you mean you also added a "DNS server" to your MARS, and the DNS server is also sending syslogs/SNMP to MARS, and you are not seeing the logs from the DNS server? If that is a correct statement, what is the DNS server OS, and did you set up your DNS server to send logs to MARS as well?

Mohammed Attif ... Sun, 04/04/2010 - 02:29

No, I didn't add any DNS server, but as far as I know MARS should discover the hosts automatically instead of adding them one by one.

By the way, should MARS be on the management VLAN?

Jennifer Halim (Cisco Employee) Sun, 04/04/2010 - 02:46

MARS will not discover the hosts automatically. Only if there is an attack, based on the syslog and/or SNMP that has been sent from all your network devices, can MARS advise where the attack originated from and towards which host. It will not perform auto-discovery of all hosts in your network.

MARS is an event correlator, so it will only correlate events that are sent from syslog/SNMP of network devices.

Whether MARS should be in the management VLAN or not depends on your company security/network policy. It is not a requirement for MARS to be in the management VLAN; however, if your company policy dictates that all management traffic should be off the management VLAN, then it makes sense for MARS to be in the management VLAN too.

Mohammed Attif ... Sun, 04/04/2010 - 03:03

The main problem is that in the attack graph it shows the source IP address as 0.0.0.0; this means it didn't understand the hosts' IP addresses.

My MARS IP address is 10.1.11.29

SNMP configuration:

snmp-server community neverbefool ro
snmp-server host 10.1.11.29 neverbefool

Syslog configuration:

logging on
logging trap debugging
logging facility local6
logging source-interface Vlan1
logging 10.1.11.29

And I can see the logs received by MARS from the query page.

By the way, only access, distribution and core switches connect to MARS.

Jennifer Halim (Cisco Employee) Sun, 04/04/2010 - 21:07

It really depends on the syslog messages themselves. Because the attack graph depends on the syslog messages sent by the switches/network devices, if those syslog messages do not contain the IP address of the attacker, then it will not show up on MARS.

MARS will only show the attacker if it receives the information about the attacker from the syslog messages sent.


Here is a bug (CSCpn02787) that explains the situation a little bit more:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCpn02787


Hope that helps.

Mohammed Attif ... Sun, 04/04/2010 - 21:31

So what do you think, how can I solve this issue? How can I make sure that the syslog messages contain the attacker IP address?

Jennifer Halim (Cisco Employee) Sun, 04/04/2010 - 21:40

You would need to add all your network devices to MARS for MARS to be more accurate in providing you with the attack graph. Currently, as advised earlier, you only added access, distribution and core switches to MARS. I assume if the attack originated from outside, then you would need to add all devices in the path for the complete picture (that includes all network devices in the path up to just before your ISP router). That would include routers, firewalls, IPS, etc. which you have in your network that the attack path might take. As advised earlier, MARS is an event correlator appliance; it can only correlate events which are sent to it, and if the event which includes the attacker IP address is not in the syslog, MARS will not show it.

Mohammed Attif ... Sun, 04/04/2010 - 21:50

I am using MARS to monitor my local network and only the users in my building. There are no routers; I have switches, IDS and FWSM, but the IDS and the FWSM are still not active. I will add them soon.

So right now I added the switches only.

And if the syslog is configured correctly, why will it not contain the attacker IP address?

Jennifer Halim (Cisco Employee) Sun, 04/04/2010 - 21:53

Do the syslog messages from your switches contain the attacker IP address? If they don't, then MARS will also not show the attacker. Only if your switch syslog messages show the IP address will it show under MARS.

Mohammed Attif ... Sun, 04/04/2010 - 22:03

So how will I know if my switches' syslog messages sent to MARS contain the attacker IP address?

Jennifer Halim (Cisco Employee) Sun, 04/04/2010 - 22:07

I don't think syslog messages from switches normally contain connections being built and torn down. I know that firewalls normally do have syslog messages generated for connection build and teardown, which would contain the necessary IP addresses. But switch syslog messages normally do not include that information.
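The question "how will I know if my switches' syslog messages contain the attacker IP address?" can be answered offline by auditing the raw messages MARS already received (the "All Matching Event Raw Messages" query output, saved to a text file). The script below is an added example and is not part of this thread or of any Cisco tool; the sample messages are constructed to look like IOS switch and FWSM syslog lines and are not taken from the poster's network. It counts how many messages carry a source and destination address pair, one address, or no address at all; a graph built only from the last category has nothing to show but 0.0.0.0.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the shape of IOS switch and FWSM syslog messages.
# They are illustrative only and are not output from the poster's devices.
SAMPLE_MESSAGES = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.11.40)",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.20.15(4431) -> 10.1.11.29(23), 1 packet",
    "%FWSM-6-302013: Built inbound TCP connection 80123 for outside:192.0.2.10/51234 "
    "(192.0.2.10/51234) to inside:10.1.20.15/445 (10.1.20.15/445)",
    "%STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi1/0/7. "
    "A packet filter action has been applied on the interface.",
]

# Dotted-quad IPv4 literal; the word boundaries keep "1/0/12" style interface
# names and bare counters such as "302013" from matching.
IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def extract_addresses(msg):
    """Return the distinct IPv4 addresses in msg, in order of first appearance."""
    seen = []
    for ip in IPV4.findall(msg):
        if ip not in seen:
            seen.append(ip)
    return seen


def classify(msg):
    """Classify one raw message by how much endpoint information it carries.

    Returns (kind, source, destination). Firewall build/teardown and ACL log
    messages name both ends of a flow; link-state and similar messages name none.
    """
    ips = extract_addresses(msg)
    if len(ips) >= 2:
        return "source_and_destination", ips[0], ips[1]
    if len(ips) == 1:
        return "single_address", ips[0], None
    return "no_address", None, None


def mnemonic(msg):
    """The %FACILITY-SEVERITY-MNEMONIC prefix, used to group the report."""
    return msg.split(":", 1)[0].strip()


def audit(messages):
    """Count messages per category and keep a per-message detail list."""
    summary = Counter()
    details = []
    for m in messages:
        kind, src, dst = classify(m)
        summary[kind] += 1
        details.append((mnemonic(m), kind, src, dst))
    return summary, details


def report(messages):
    """Human-readable audit: which message types could ever feed an attack graph."""
    summary, details = audit(messages)
    lines = []
    for name, kind, src, dst in details:
        lines.append(f"{name:32s} {kind:24s} src={src} dst={dst}")
    lines.append("")
    for kind in ("source_and_destination", "single_address", "no_address"):
        lines.append(f"{kind:24s} {summary[kind]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_syslog.py exported_raw_messages.txt
    # With no file argument the constructed samples are audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            msgs = [line.rstrip("\n") for line in fh if line.strip()]
    else:
        msgs = SAMPLE_MESSAGES
    print(report(msgs))
```

Run it against the exported raw messages and look at the bottom of the report: if "source_and_destination" is zero, every message MARS holds from those devices is a link-state, configuration or storm-control style event with no flow endpoints, which is consistent with the 0.0.0.0 source seen in the attack graph. The single-address category is worth a glance too, since a login or configuration message names a management client, not a flow.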
