04-03-2010 08:31 AM
I have a problem with my MARS. I cannot see or find any host discovered by MARS when I go to the IP management page and search for a host.
I have added all the switches in MARS and they are discovered, and I configured SNMP and syslog on the switches.
Can you please help me to solve this issue?
04-03-2010 03:33 PM
Are all the switches sending any syslog and/or SNMP messages to MARS? If you go to the switch and do "show log", on the logging traps, are you seeing any number of packets increase for traps?
You can use the Query/Report --> Query tab --> click on the Query type: "Event Types ranked by Sessions, 0h:10m" --> Result format: choose "All Matching Event Raw Messages".
That should give you everything that is received by the MARS.
Hope that helps.
04-04-2010 01:56 AM
Dear halijenn
I can see that the switches are sending to MARS when I do show log, and I can also see that MARS receives logs from all switches when I do a query.
But still there is no host IP address or name (from the DNS server) discovered by MARS; it only discovers the networks.
Thank you
04-04-2010 02:18 AM
Not sure if I understand your question on "But still there is no any host ip address or name (from DNS server) discovered by MARS it is only discover the networks.".
Do you mean you also added the "DNS server" to your MARS, and the DNS server is also sending syslog/SNMP to MARS, and you are not seeing the logs from the DNS server? If that is a correct statement, what is the DNS server OS, and did you set up your DNS server to send logs to MARS as well?
04-04-2010 02:29 AM
No, I didn't add any DNS server, but as far as I know MARS should discover the hosts automatically instead of adding them one by one.
By the way, should MARS be on the management VLAN?
04-04-2010 02:46 AM
MARS will not discover the hosts automatically. Only if there is an attack, based on the syslog and/or SNMP that has been sent from all your network devices, can MARS advise where the attack originated from and towards which host. It will not perform auto discovery of all hosts in your network.
MARS is an event correlator, so it will only correlate events that are being sent from syslog/SNMP of network devices.
Whether MARS should be in the management VLAN or not depends on your company security/network policy. It is not a requirement for MARS to be in the management VLAN; however, if your company policy dictates that all management traffic should be off the management VLAN, then it makes sense for MARS to be in the management VLAN too.
04-04-2010 03:03 AM
The main problem is that in the attack graph it shows the source IP address 0.0.0.0; this means it didn't understand the hosts' IP addresses.
My MARS IP address is 10.1.11.29
SNMP configuration:
snmp-server community neverbefool ro
snmp-server host 10.1.11.29 neverbefool
Syslog configuration:
logging on
logging trap debugging
logging facility local6
logging source-interface Vlan1
logging 10.1.11.29
And I can see the logs received by MARS from the query page.
By the way, only access, distribution and core switches are connected to MARS.
04-04-2010 09:07 PM
It really depends on the syslog messages themselves. Because the attack graph depends on the syslog messages sent by the switches/network devices, if those syslog messages do not contain the IP address of the attacker, then it will not show up on MARS.
MARS will only show the attacker if it receives the information about the attacker from the syslog messages sent.
Here is a bug (CSCpn02787) that explains the situation a little bit more:
Hope that helps.
04-04-2010 09:31 PM
So what do you think, how can I solve this issue? How can I make sure that the syslog messages contain the attacker IP address?
04-04-2010 09:40 PM
You would need to add all your network devices to MARS for MARS to be more accurate in providing you with the attack graph. Currently, as advised earlier, you only added access, distribution and core switches to MARS. I assume if the attack originated from outside, then you would need to add all devices in the path for the complete picture (that includes all network devices in the path up to just before your ISP router). That would include routers, firewalls, IPS, etc. which you have in your network where the attack path might take place. As advised earlier, MARS is an event correlator appliance; it can only correlate events which are being sent to it, and if the event which includes the attacker IP address is not in the syslog, MARS will not show it.
04-04-2010 09:50 PM
I am using MARS to monitor my local network and only the users in my building. There are no routers; I have switches, IDS and FWSM, but the IDS and the FWSM are still not active. I will add them soon.
So right now I added the switches only.
And if the syslog is configured correctly, why will it not contain the attacker IP address?
04-04-2010 09:53 PM
Do the syslog messages from your switches contain the attacker IP address? If they don't, then MARS will also not show the attacker. Only if your switch syslog messages show the IP address will it show under MARS.
04-04-2010 10:03 PM
So how will I know if my switches' syslog messages sent to MARS contain the attacker IP address?
04-04-2010 10:07 PM
I don't think syslog messages from switches normally contain connections being built and torn down. I know that firewalls normally do have syslog messages generated for connection build and teardown, which would contain the necessary IP addresses. But switch syslog messages normally do not include that information.
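To make the point above concrete, here is an added example (not from the thread or from MARS itself) that scans constructed syslog lines and reports which ones carry connection endpoints. The switch messages are link and config events with no host addresses, while the FWSM-style build/teardown lines do; the message IDs, hostnames and addresses are assumed sample values.

```python
import re

# Constructed sample syslog lines, modelled on Cisco IOS and FWSM message formats.
# Host names, connection IDs and addresses are made up for illustration.
SAMPLE_LOGS = [
    "<189>Apr  4 2010 09:50:01 sw-access-1: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up",
    "<189>Apr  4 2010 09:50:03 sw-core-1: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<166>Apr  4 2010 09:50:07 fwsm-1: %FWSM-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.7/51324 (203.0.113.7/51324) to inside:10.1.11.40/445 (10.1.11.40/445)",
    "<166>Apr  4 2010 09:50:09 fwsm-1: %FWSM-6-302014: Teardown TCP connection 4711 for outside:203.0.113.7/51324 to inside:10.1.11.40/445 duration 0:00:02 bytes 1320 TCP Reset-I",
]

# Matches the "Built/Teardown ... connection N for zone:src/port ... to zone:dst/port" shape
# used by firewall connection messages; switch link/config messages never match it.
CONN_RE = re.compile(
    r"(?:Built|Teardown) (?:inbound |outbound )?(?:TCP|UDP) connection \d+ "
    r"for \S+?:(?P<src>(?:\d{1,3}\.){3}\d{1,3})/\d+"
    r".*? to \S+?:(?P<dst>(?:\d{1,3}\.){3}\d{1,3})/\d+"
)

UNKNOWN = "0.0.0.0"  # what the attack graph showed in the thread when no host was known


def extract_endpoints(line):
    """Return (source, destination) for a connection message, or
    (0.0.0.0, 0.0.0.0) when the message names no hosts at all."""
    m = CONN_RE.search(line)
    if m:
        return m.group("src"), m.group("dst")
    return UNKNOWN, UNKNOWN


def summarize(lines):
    """Count messages that carry host addresses versus those that do not."""
    counts = {"with_hosts": 0, "without_hosts": 0}
    for line in lines:
        src, _ = extract_endpoints(line)
        counts["with_hosts" if src != UNKNOWN else "without_hosts"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        src, dst = extract_endpoints(line)
        print(f"{src:>15} -> {dst:<15} | {line.split(': ', 1)[1][:40]}")
    print(summarize(SAMPLE_LOGS))
```

Run against the syslog export from the "All Matching Event Raw Messages" query, a count of zero "with_hosts" messages is the quickest confirmation that the devices feeding MARS are not reporting connection endpoints.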
04-04-2010 10:16 PM
Thank you so much, Mr halijenn, for these nice answers.