
ASK THE EXPERT - CS-MARS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on new features released in CS-MARS 4.3.1 and 5.3.1, including authentication services and Cisco IPS signature dynamic updates with Cisco expert Gary Halleen, CISSP-ISSAP. Gary is a security consulting systems engineer with Cisco. He is the author of "Security Monitoring with Cisco Security MARS", and was a technical editor of "Intrusion Prevention Fundamentals." His diligence was responsible for the first successful computer crimes conviction in the state of Oregon. Halleen is a regular speaker at security events and presents at Cisco Networkers conferences.

Remember to use the rating system to let Gary know if you have received an adequate response.

Gary might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 7, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

58 REPLIES
New Member

Re: ASK THE EXPERT - CS-MARS

When will MARS support other browsing platforms aside from Internet Explorer?

When will we be able to filter on netflow events so that we can reduce the # of false positives that happen for certain types of traffic?

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

Both of these are currently being worked on, but not yet committed to a specific MARS release.

MARS only supports Internet Explorer because of a limitation of the SVG Viewer (by Adobe), which is used to create the maps within MARS. A future release will replace SVG with something that is supported by more browsers.

Gary

New Member

Re: ASK THE EXPERT - CS-MARS

A couple of issues with that, FWIW...

The biggest problem with Firefox (at least for us) isn't the SVG support, but table rendering problems. For example, when viewing an incident, cells that should be beside each other end up on subsequent lines, etc. Collapsing and then re-expanding the view sometimes helps, but it's still an irritation to say the least.

Firefox actually has native support for SVG, but it doesn't work with MARS.

You can bludgeon it into working with the (defunct) version 6 beta of Adobe's viewer, but that's likely to have its own issues.

New Member

Re: ASK THE EXPERT - CS-MARS

Are there resources, best practice documents, white papers, for large scale MARS implementation? I have a customer looking to deploy MARS solutions for 20-30 sites. What is best? Centralize on 1-2 MARS? 1 MARS at each location then communicate back to central server for aggregation?

New Member

Re: ASK THE EXPERT - CS-MARS

Hi,

Attached you'll find a deployment guide for MARS - hope it answers some of your questions.

Kind regards

New Member

Re: ASK THE EXPERT - CS-MARS

Hi

It's suggested in the doc on page 20, sec. 3.2.1.1, to set the logging level to debug. I am having issues on MARS getting VPN events from a router; the events are logged only if the debug level is turned on...

Is this the only way, or is there any alternate method to get the VPN events on MARS? Debug level is not acceptable to the user.

Thanks.

Ramki

New Member

Re: ASK THE EXPERT - CS-MARS

We have some devices integrated into MARS which are reporting via syslog. We would need to create a custom parser which fires whenever a syslog event arrives with, let's say, severity "emergency" (independent of which device/device type it comes from). I found in the documentation the notice that the header of a syslog message is not examined by the parser. Severity and facility of a syslog event are only in the header of the syslog packet, and there's the problem: we can't use this pre-classified information. As you can imagine, there are thousands of different emergency syslog events (from different devices), so it's not a valid solution to configure a custom parser for each ;-)

Why trash this very useful information??? The only answer I can find for myself is that this is due to bad design. There's no deeper sense in discarding this apart from the implementation of the syslog parsing feature, right?

Will it be possible in further releases to work with syslog facilities/severities? If yes, it would be very interesting to know in which release this will be available.

Kind regards

New Member

Re: ASK THE EXPERT - CS-MARS

When will we have the ability to have MARS not send us a report if it contains no records? I have several reports that I only care about if there is something in them, with the current software I still have to look at all of the reports.

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

I've rolled this feature request to the product team. It's a great idea!

Gary

Bronze

Re: ASK THE EXPERT - CS-MARS

I've seen multiple discussions (on both Cisco and non-Cisco forums) regarding the use of the 2nd management NIC on the MARS appliance, specifically as a way to overcome performance issues. What is Cisco's current Best Practice - should I be using the management NIC for using the MARS GUI (and deal with static routes or whatever is required to get this to work), or is it OK to use the primary interface for both syslog/netflow/snmp input and day-to-day GUI work?

I'm using a MARS 200 in a 'single source' network - no service provider or out-of-band requirements.

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

It is certainly okay to use the single interface for both logging and management access to MARS. This is how the majority of customers use it.

On very heavily-used MARS, I've seen some performance gains when using the second interface.

New Member

Re: ASK THE EXPERT - CS-MARS

Question, is it possible to include some of the firing event information in an emailed alert? As a one man shop, I have MARS sending me alerts constantly--some I can IGN, others I cannot. I have created an alarm to tell me when I get red alerts, rather than editing each rule. I only get the name of my rule; I would like to include the name of the triggering event.

I have become desensitized to the alarms which makes me nervous and sort of defeats the purpose of MARS.

Question, is it possible to mass assign incidents to cases? I would like to be able to filter incidents and assign them as a block to a case for an individual.

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

The only way, currently, to include this information is to send an XML e-mail instead of a regular e-mail.

New Member

Re: ASK THE EXPERT - CS-MARS

Hi,

Is there a fix for this error (all snort sfportscan events 122:1 122:2 etc...):

parsing error: <33>snort[2261]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} 10.17.17.61 -> 10.17.10.1

Snort device is reporting to MARS and all other snort events are parsed correctly.

Thank you,
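As an added example (not code from the thread or from MARS), the Python below does what the two syslog posts above are about: it decodes facility and severity from the PRI header that the earlier post says MARS custom parsers ignore, and it field-parses the exact Snort portscan line the post just above reports as a parsing error. The second sample line and the `at_least` threshold helper are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 severity codes 0..7, as carried in the PRI header ("<33>" above).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
# Snort syslog body: PID, [gid:sid:rev], message, priority, protocol, src -> dst.
SNORT_RE = re.compile(
    r"^snort\[(?P<pid>\d+)\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?)\s*\[Priority: (?P<prio>\d+)\]: \{PROTO:(?P<proto>\d+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

@dataclass
class SyslogEvent:
    facility: int
    severity: int
    severity_name: str
    body: str
    snort: Optional[dict]  # None when the body is not a Snort alert

def decode_pri(pri: int):
    """Split the PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8

def parse_event(line: str) -> SyslogEvent:
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no syslog PRI header")
    facility, severity = decode_pri(int(m.group(1)))
    body = m.group(2)
    sm = SNORT_RE.match(body)
    return SyslogEvent(facility, severity, SEVERITIES[severity], body,
                       sm.groupdict() if sm else None)

def at_least(event: SyslogEvent, threshold: str) -> bool:
    """True when the event is as severe as `threshold` or worse (lower code = more severe)."""
    return event.severity <= SEVERITIES.index(threshold)

# Constructed samples: the Snort line quoted in the post, plus an invented emergency message.
SAMPLES = [
    "<33>snort[2261]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} 10.17.17.61 -> 10.17.10.1",
    "<0>router1: constructed emergency message",
]
```

With this, a device-independent "fire on severity emergency" rule is `at_least(ev, "emergency")`, regardless of whether the body was recognised.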

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

The best option is to open a TAC case. The reason for this is so the product team has documentation of the missing or incorrect event type in MARS.

New Member

Re: ASK THE EXPERT - CS-MARS

We have installed 4.3.1, but we cannot connect to IPS-4215 version 6, nor to ASA/IPS.

When adding the units and testing the connectivity, "view error" says to try telnet on port 443.

This works fine. If we change the TLS key, MARS recognizes it, so the communication in between is fine. The MARS box is configured to accept all TLS/SSH changes.

Tcpdump tells us the flow seems fine too.

But nevertheless, MARS fails every time to test connection to the IPS boxes.

Is there a known error or a suggestion as to what we have missed?

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

This is a known bug of 4.3.1 software, and is scheduled to be fixed in 4.3.2. If you get this error message when testing connectivity to an IPS, whether a standalone appliance like the IPS-4215, or an AIM module in an ASA firewall, then go to a CLI on the MARS appliance. Try telneting to the sensor on port 443 (telnet 192.168.5.5 443). If you are able to connect to the sensor, then quit the CLI and simply submit your changes without testing connectivity. Don't forget to hit "Activate".

You should receive alerts from the IPS even though you were unable to test connectivity. If you don't receive alerts, verify that the time on MARS and the IPS are the same.

New Member

Re: ASK THE EXPERT - CS-MARS

Is there any change in the scheduled archival of pnos in version 4.3.1? (Earlier it used to be every night.)

Thanks in advance,

Valsa

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

Valsa,

The archiving process hasn't changed. pnos is still backed up each night (at around 1:00am). Events and such are archived throughout the day.

The only difference with 4.3.1 is the addition of a command-line-only command called "pnexp". This is intended to be used as an exporter when upgrading from a 1st generation MARS appliance to a 2nd generation appliance (for instance, from a MARS-200 to a MARS-210). However, it also provides a way to perform an on-demand full backup of an appliance that can be restored with the pnrestore command.

New Member

Re: ASK THE EXPERT - CS-MARS

Thanks for your inputs; but the MARS-200 box is not archiving "pnos" the day after it was upgraded to 4.3.1. All other things like events, stats etc. are being archived as expected. The pnos directory, in addition to the os image, contains a subdirectory "timeline" with two files of "zero" bytes. In fact the archive process has been stopped & started from the GUI also.

Is anybody facing similar problem? Any remedial steps?

thanks in advance

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

It sounds like you need to call TAC on this one.

Gary

New Member

Re: ASK THE EXPERT - CS-MARS

I and several of my customers would love to see:

1) manual backup/restore from the GUI

2) configurable backup schedule

3) SCP and/or FTP supported.

Any plans on that?

Thanks...

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

1) I agree with you. Right now it is only available from the CLI, and the command line syntax is somewhat complex.

2) Agreed

3) SCP is being actively discussed as an option to NFS.

New Member

Re: ASK THE EXPERT - CS-MARS

Hi Gary,

I'm having problems trying to use the customized parser for an SNMP trap and I'm looking for a good way to troubleshoot this problem. First of all, the SNMP trap includes a string enclosed in double quotes and has spaces between the quotes ("word word word"). I'm not sure if I'm using the best regex for this string. I have two that work when I "test" the parser, but fail when implemented. The two regexes I tried are "[0-9a-zA-Z\ ]{1,}" and "[\S\s]{1,}".

As I said, they pass the parser test, but fail when I implement the template. Is there a good way to debug the template?

Thanks
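As an added example (not from the thread), the Python below runs the two patterns the post mentions, plus an added `"([^"]*)"` alternative, against a constructed trap payload to show what each one actually captures when the quoted string contains spaces or punctuation. MARS's own template matching is not modelled here; this only shows the regex behaviour.

```python
import re

# Constructed SNMP trap payloads (not from the thread): a quoted, space-separated
# string followed by further varbinds and a second quoted string on the same line.
TRAP_PLAIN = 'enterprises.9.9.1.2.3 "link down on port 7" ifIndex 7 "second string"'
TRAP_PUNCT = 'enterprises.9.9.1.2.3 "link down: port 7" ifIndex 7 "second string"'

PATTERNS = {
    # The two patterns the post says pass the parser test, wrapped in the quotes.
    "alnum_space": r'"([0-9a-zA-Z\ ]{1,})"',
    "any_char":    r'"([\S\s]{1,})"',
    # Added alternative: anything except a double quote, so it stops at the closing quote.
    "not_quote":   r'"([^"]*)"',
}

def capture(pattern: str, text: str):
    """Return the first capture group of the first match, or None if nothing matches."""
    m = re.search(pattern, text)
    return m.group(1) if m else None

def compare(text: str) -> dict:
    """Run every pattern against `text` and return {name: captured string}."""
    return {name: capture(p, text) for name, p in PATTERNS.items()}
```

On the plain payload the character-class pattern and the `[^"]*` pattern agree, while `[\S\s]{1,}` is greedy and runs through to the last quote on the line; on the payload with a colon the character-class pattern no longer matches the intended string and instead captures the text between the two quoted strings.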

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

Can you run a query for all matching events, raw messages, and send me a copy of one of the events that is not parsing properly? Also, send me the parser that is not working.

New Member

Re: ASK THE EXPERT - CS-MARS

-

New Member

Re: ASK THE EXPERT - CS-MARS

Hi Gary,

I really, truly need your assistance here. Our Company has 4 MARS boxes installed a few years ago. The Core is a MARS 100, the fringe 3 are MARS 50. These expensive units are sitting idle on our Network as nobody seems to get the hang of it. I've attended the MARS course, watched the TechWise show on MARS, read Greg Abelar's book but something is missing. I thrive on technical challenges but things are not coming together when it comes to MARS. At our weekly meetings, I need to come up with reports on what the MARS box is doing for the company and the pressure is on me. The book, which is very similar to the online documentation, does not help me interpret a Report. I opened a TAC ticket and the Lead said they are a break fix shop and don't provide such assistance, that I need to read YOUR book - that was out a few weeks ago, back then. This gives you an idea of how long I've been struggling with MARS. I've tried installing REGUlazy but even that would not install (something I saw on Techwise TV). I contacted Roy Ostrov in Israel and concluded it has something to do with Security on my work laptop. With the myriads of report options in MARS, and several variables to choose to generate a report, I know how to create a report but I have no clue what this report is saying. Gary, I understand you'd be dreadfully busy but I would sincerely appreciate it if you, or someone who knows the MARS box inside out, could do a Meeting Place session with me to see where the MARS mystery is hiding? I aspire to master everything there is to know about Intrusion Prevention Systems and would like to nail down MARS box management, left hands, eyes closed.

I truly need NetPro assistance here. Can you help me?

Thank you kindly.

Sheena

Cisco Employee

Re: ASK THE EXPERT - CS-MARS

Sheena,

Please get ahold of your account manager or SE and discuss the issues with them. If they don't have someone local to do a MeetingPlace with you, they have access to my calendar and can set something up with me.

Gary

New Member

Re: ASK THE EXPERT - CS-MARS

Gary,

Thank you for your reply.

Do I HAVE to go thru my SE???? I've tried that avenue and got nowhere. Can I open a TAC ticket?

Thank you again.

Sheena
