MARS - IOS interface up down, AD security entries

seymour.brown
Level 1

Our MARS appliance is running V4.2.1. We have about 40 or 50 IOS switches sending their entries to it. We see interface up and down transitions all the time as expected.

It seems that for many of the entries in MARS, the interesting data, such as the actual port number that went up or down, is nowhere to be found. Am I simply drilling wrong?

We have the same problem with Windows Active Directory security entries - we can see user account changes, but not who made them or which account was changed.

4 Replies

wiluszm
Level 1

Seymour,

We see similar events on our MARS appliance too. We have nearly 300 switches logging to it now, so you can imagine the up/down alerts that we have generated! You are correct that MARS does not provide complete information in the incident view. You are doing nothing incorrect. Keep in mind that the MARS appliance is aggregating a massive amount of security/system data and needs to normalize it to the data fields that are most important when it comes to attack information. To view full messages, keep in mind that you can view the "Raw Data" directly from the incident screen. In the case of interface up/down messages this would show you the exact port (it's found directly next to the "Reporting Device" name). Keep in mind that Cisco now has enhanced notifications using XML. This exported data contains the raw message that could be included as part of a notification like this:

####################

# Incident Details #

####################

Incident: 1428252525

Start: Oct 3, 2006 8:46:18 AM EDT

End: Oct 3, 2006 8:50:20 AM EDT

Severity: LOW

Rule: Cisco IOS AP wireless MAXRETRIES

Descript: This rule will detect and alert of a Warning on the wireless network for {DOT11-4-MAXRETRIES: Packet to client [mac] reached max retries, removeing the client} errors.

###################

# Session Details #

###################

Session ID: 1428578861

Device: AP12_Freezer.company.com

Event: Generic IOS syslog

Source: 0.0.0.0

Destination: 0.0.0.0

Raw Message: <188>6032: Oct 3 08:49:30: %DOT11-4-MAXRETRIES: Packet to client 00a0.f123.23f7 reached max retries, removing the client

If there's anything else I can help with, let me know.

-Mike

http://cs-mars.blogspot.com

Mike:

Thanks for the post.

I'm pretty new at this. How can I see raw data on the Incident screen? I don't see any sort of link or control that provides it.

It would seem to me that port numbers, user IDs, and such would be part of the most important aggregated data. Since it's not shown, it strikes me that maybe these entries are not at all useful to MARS, and should be marked as False Positive or something.

It also strikes me odd that I have to export XML data to get the info I want. I'd rather get it much more conveniently from my Kiwi syslog and process it in perl. What we were hoping MARS could do was to correlate events. It's just not happening for us at this point in the learning curve.

Mike:

I found the raw data icon. It was hidden in an expanded window for this event.

MARS could really benefit from a real Help file ... I could see a possible situation where a site's internet is under attack, and you can't even surf and download the latest doc. (grouse, grouse, grouse)

Now if I can figure out how to get it to tell me I have a switchport in yoyo mode (where a NIC has the port going up and down repeatedly in a one minute period) ...

=seymour=
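Seymour's "yoyo mode" question above (a port going up and down repeatedly inside a minute) is easy to answer from the raw syslog lines MARS exposes, or from the Kiwi feed he mentions. The following is an added example, not code from the thread or from Cisco; it is in Python rather than perl so it can be run as-is. It parses the IOS syslog format shown in Mike's notification (`<PRI>seq: timestamp: %FACILITY-SEV-MNEMONIC: text`) and flags any interface with four or more `%LINK-3-UPDOWN` transitions in a sliding 60-second window. The sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Raw IOS syslog line as MARS shows it: <PRI>seq: timestamp: %FAC-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")
IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)")

def parse_line(line, year=2006):
    """Split one raw IOS syslog line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # IOS timestamps carry no year, so the caller supplies one (2006 for the sample)
    d["ts"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
    d["pri"], d["seq"], d["sev"] = int(d["pri"]), int(d["seq"]), int(d["sev"])
    return d

def find_flapping_ports(lines, window_s=60, min_transitions=4):
    """Return {interface: max transitions seen inside any window_s-second span}
    for interfaces whose %LINK-3-UPDOWN count reaches min_transitions."""
    events = defaultdict(list)
    for line in lines:
        d = parse_line(line)
        if not d or d["fac"] != "LINK" or d["mnem"] != "UPDOWN":
            continue  # other messages (e.g. DOT11 retries) are ignored here
        im = IFACE_RE.search(d["text"])
        if im:
            events[im["iface"]].append(d["ts"])
    flapping = {}
    for iface, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= min_transitions:
                flapping[iface] = max(flapping.get(iface, 0), count)
    return flapping

# Constructed sample: Fa0/7 flaps five times in 45 s, Fa0/12 goes down once.
SAMPLE = [
    "<187>101: Oct 3 08:46:18: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down",
    "<187>102: Oct 3 08:46:25: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up",
    "<187>103: Oct 3 08:46:40: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down",
    "<187>104: Oct 3 08:46:52: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up",
    "<187>105: Oct 3 08:47:03: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down",
    "<187>106: Oct 3 08:50:00: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to down",
    "<188>6032: Oct 3 08:49:30: %DOT11-4-MAXRETRIES: Packet to client 00a0.f123.23f7 reached max retries, removing the client",
]
```

Calling `find_flapping_ports(SAMPLE)` returns `{"FastEthernet0/7": 5}`; the single transition on Fa0/12 and the wireless retry message are not reported.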

Hello!

My name is Monica White Eagle and I am an intern at Enterprise Controls Consulting LP in the Dallas area. I am constantly looking to build my network and meet qualified business people that can offer me some networking advice.

My most challenging assignment is finding a MARS Security Contractor and to be honest, I'm having a tough time finding someone! I am reaching out to you in hopes that you know of someone who is interested in this position and if so, please feel free to contact me by email at meagle@ecclp.com at your earliest convenience.

Regardless, thank you for your time and any guidance you can offer me!

Best regards,

Monica White Eagle

Business Hiring Solutions-Intern

Enterprise Controls Consulting LP

Millennium Center

222 W. Las Colinas Blvd.

Ste 1650

Irving, TX 75039

972-444-2580 Main

512-632-9831 Mobile

meagle@ecclp.com

"Change. It has the power to uplift, to heal, to stimulate, surprise, open new doors, bring fresh experience and create excitement in life. Certainly, it is worth the risk." -Leo Buscaglia

For an overview of who we are and national career opportunities go to: www.ecclp.com

"Improving Business Performance. Delivering Results."
