10-02-2006 12:42 PM - edited 03-10-2019 03:15 AM
Our MARS appliance is running V4.2.1. We have about 40 or 50 IOS switches sending their entries to it. We see interface up and down transitions all the time as expected.
It seems that for many of the entries in MARS, the interesting data, such as the actual port number that went up or down, is nowhere to be found. Am I simply drilling wrong?
We have the same problem with Windows Active Directory security entries - we can see user account changes, but not who made them or which account was changed.
10-03-2006 05:02 AM
Seymour,
We see similar events on our MARS appliance too. We have nearly 300 switches logging to it now, so you can imagine the up/down alerts that we have generated! You are correct that MARS does not provide complete information in the incident view. You are doing nothing incorrect. Keep in mind that the MARS appliance is aggregating a massive amount of security/system data and needs to normalize it to the data fields that are most important when it comes to attack information. To view full messages, keep in mind that you can view the "Raw Data" directly from the incident screen. In the case of interface up/down messages this would show you the exact port (it's found directly next to the "Reporting Device" name). Keep in mind that Cisco now has enhanced notifications using XML. This exported data contains the raw message, which could be included as part of a notification like this:
####################
# Incident Details #
####################
Incident: 1428252525
Start: Oct 3, 2006 8:46:18 AM EDT
End: Oct 3, 2006 8:50:20 AM EDT
Severity: LOW
Rule: Cisco IOS AP wireless MAXRETRIES
Descript: This rule will detect and alert of a Warning on the wireless network for {DOT11-4-MAXRETRIES: Packet to client [mac] reached max retries, removeing the client} errors.
###################
# Session Details #
###################
Session ID: 1428578861
Device: AP12_Freezer.company.com
Event: Generic IOS syslog
Source: 0.0.0.0
Destination: 0.0.0.0
Raw Message: <188>6032: Oct 3 08:49:30: %DOT11-4-MAXRETRIES: Packet to client 00a0.f123.23f7 reached max retries, removing the client
If there is anything else I can help with, let me know.
-Mike
10-03-2006 08:33 AM
Mike:
Thanks for the post.
I'm pretty new at this. How can I see raw data on the Incident screen? I don't see any sort of link or control that provides it.
It would seem to me that port numbers, user IDs, and such would be part of the most important aggregated data. Since it's not shown, it strikes me that maybe these entries are not at all useful to MARS, and should be marked as False Positive or something.
It also strikes me odd that I have to export XML data to get the info I want. I'd rather get it much more conveniently from my Kiwi syslog and process it in perl. What we were hoping MARS could do was to correlate events. It's just not happening for us at this point in the learning curve.
10-03-2006 08:51 AM
Mike:
I found the raw data icon. It was hidden in an unexpanded window for this event.
MARS could really benefit from a real Help file ... I could see a possible situation where a site's Internet is under attack, and you can't even surf and download the latest doc. (grouse, grouse, grouse)
Now if I can figure out how to get it to tell me I have a switchport in yoyo mode (where a NIC has the port going up and down repeatedly in a one minute period) ...
=seymour=
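Since Mike's reply shows that the port only survives in the "Raw Message" field, and Seymour wants a switchport in "yoyo mode" flagged, here is an added example (not code from this thread, MARS, or Cisco) of doing both outside the appliance on an exported raw-syslog feed: it parses the `<PRI>SEQ: timestamp: %FACILITY-SEV-MNEMONIC: text` line shape seen in the notification above, pulls the interface name out of LINK/LINEPROTO UPDOWN messages, and reports any interface with four or more state changes inside a sliding 60-second window. The sample log lines, the year supplied for the year-less IOS timestamp, the thresholds, and the assumption that lines arrive in time order are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Raw IOS syslog line as MARS shows it in "Raw Message":
#   <PRI>SEQ: MMM DD HH:MM:SS: %FACILITY-SEV-MNEMONIC: free text
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+): (?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Matches both "%LINK-3-UPDOWN: Interface X, changed state to down" and
# "%LINEPROTO-5-UPDOWN: Line protocol on Interface X, changed state to up".
IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)")

# Constructed sample data: one port flapping, one clean link event, one AP message.
SAMPLE_RAW = """\
<189>1201: Oct 3 08:49:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down
<189>1202: Oct 3 08:49:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
<189>1203: Oct 3 08:49:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down
<189>1204: Oct 3 08:49:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
<189>1205: Oct 3 08:50:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down
<189>1206: Oct 3 08:50:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
<189>1207: Oct 3 08:55:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
<189>1208: Oct 3 09:10:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
<188>6032: Oct 3 08:49:30: %DOT11-4-MAXRETRIES: Packet to client 00a0.f123.23f7 reached max retries, removing the client
"""


def parse_line(line, year=2006):
    """Parse one raw IOS syslog line into a dict, or return None if it does not match.

    IOS timestamps carry no year, so the caller supplies one (assumed 2006 here).
    The syslog PRI encodes facility*8 + severity, so both are decoded as well.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ev = {
        "pri": pri,
        "syslog_facility": pri // 8,   # e.g. 23 = local7, the IOS default
        "syslog_severity": pri % 8,    # should agree with the SEV digit in the mnemonic
        "seq": int(m["seq"]),
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "facility": m["facility"],
        "sev": int(m["sev"]),
        "mnemonic": m["mnemonic"],
        "text": m["text"],
        "iface": None,
        "state": None,
    }
    im = IFACE_RE.search(m["text"])
    if im and ev["mnemonic"] == "UPDOWN":
        ev["iface"] = im["iface"]
        ev["state"] = im["state"]
    return ev


def find_flapping(lines, window_seconds=60, min_transitions=4):
    """Return {interface: peak transitions seen inside one window} for flapping ports.

    Assumes lines are in time order (as a syslog file normally is). A per-interface
    deque holds the timestamps of recent transitions; entries older than the window
    are dropped before the count is compared against the threshold.
    """
    history = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["iface"] is None:
            continue
        q = history[ev["iface"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= min_transitions:
            flagged[ev["iface"]] = max(flagged.get(ev["iface"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for iface, n in find_flapping(SAMPLE_RAW.splitlines()).items():
        print(f"{iface}: {n} state changes within 60s (port flapping)")
```

The interface name is the only field here that MARS normalizes away; the reporting device is not in the raw message, so when the same feed carries many switches, key `history` on `(device, iface)` using whatever field your collector prepends.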
10-04-2006 07:37 AM
Hello!
My name is Monica White Eagle and I am an intern at Enterprise Controls Consulting LP in the Dallas area. I am constantly looking to build my network and meet qualified business people that can offer me some networking advice.
My most challenging assignment is finding a MARS Security Contractor and to be honest, I'm having a tough time finding someone! I am reaching out to you in hopes that you know of someone who is interested in this position and if so, please feel free to contact me by email at meagle@ecclp.com at your earliest convenience.
Regardless, thank you for your time and any guidance you can offer me!
Best regards,
Monica White Eagle
Business Hiring Solutions-Intern
Enterprise Controls Consulting LP
Millennium Center
222 W. Las Colinas Blvd.
Ste 1650
Irving, TX 75039
972-444-2580 Main
512-632-9831 Mobile
"Change. It has the power to uplift, to heal, to stimulate, surprise, open new doors, bring fresh experience and create excitement in life. Certainly, it is worth the risk." -Leo Buscaglia
For an overview of who we are and national career opportunities go to: www.ecclp.com
"Improving Business Performance. Delivering Results."