
MARS Question

Hi all,

I'm in the process of setting up a mars device and have a query about the way it interprets rules. Basically everything seems to be set up fine and incidents seem to also be working ok, for example I'm getting the usual "inactive reporting device" incidents.

However, when I perform some example probes I don't get the response I'm expecting - when I try an IIS Unicode Directory Traversal Vulnerability it catches it fine - but a normal nmap port scan doesn't create an incident. (Although it's definitely there, as I can drag it up with a query.)

So, how do I get mars to pay more attention to a port scan? I can see the rule, and the rule is active but there must be something I'm missing here.

This device is crying out for a good book...

thanks,

Andrew.

5 REPLIES

Re: MARS Question

Hello Andrew,

Are you using a system inspection rule or a custom inspection rule? Can you post the parameters of your rule?

Also, make sure that you use the latest signature update (Admin > System Maintenance > Upgrade page).

Regards,

GNT


Re: MARS Question

You'll find that the CSMARS rules are a good start, but not complete. There are more than a few IDS/IPS events that don't bubble up to incidents (i.e. don't trigger a rule match).

The default system rules are based on "event type group". For an IPS alarm to trigger a rule, the IPS alarm has to:

1) be mapped properly as a CSMARS event type.

2) the event type must be part of an "event type group" in an existing rule.

I don't believe it is possible to modify the default "event type" <=> "event type group" mappings in CS-MARS. I also don't think it's possible to modify the event column of the default system rules.

So, if you want to trigger on this alarm, you have to create your own rule.

Re: MARS Question

thanks mhellman - I think I follow that ;-)

There are 3 system rules in the category of System: Reconnaissance (Scans: SCADA Modbus, Scans: Stealth and Scans: Targeted) and I mistakenly assumed that my nmap scans should have been picked up by the "Scans: Stealth" rule. However, looking more closely in the reports I found that my scans were being classified as "non-stealth" and hence didn't match any rule.

I created a new rule (called Scans: Non-Stealth) which collects any scans and this rule now gives me the behaviour I wanted (i.e. nmap scans creating incidents).

thanks,

Andrew.
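To make the two-step matching mhellman describes (device alarm -> MARS event type -> event type group referenced by a rule) and Andrew's fix concrete, here is a small Python model added to this thread. It is not CS-MARS code and none of the alarm, event type, group or rule names are real MARS identifiers; they are constructed to mirror the thread.

```python
"""Toy model of how a CS-MARS-style correlator decides whether an alarm
becomes an incident. Every name below is illustrative, not a real MARS
event type, group or rule."""
from dataclasses import dataclass

# Step 1 (constructed): how a reporting device's alarm is mapped to an event type.
EVENT_TYPE_MAP = {
    "IIS unicode traversal": "WWW IIS Unicode Directory Traversal",
    "TCP SYN stealth scan": "Scan: Stealth TCP",
    "TCP connect scan": "Scan: Non-Stealth TCP",   # how a plain nmap scan was classified
}

# Step 2 (constructed): event type groups that the default rules key off.
DEFAULT_GROUPS = {
    "Scans/Stealth": {"Scan: Stealth TCP"},
    "Scans/Targeted": {"Scan: Targeted Host"},
    "Attacks/WebServer": {"WWW IIS Unicode Directory Traversal"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset  # event type groups in the rule's event column


DEFAULT_RULES = [
    Rule("Scans: Stealth", frozenset({"Scans/Stealth"})),
    Rule("Scans: Targeted", frozenset({"Scans/Targeted"})),
    Rule("Web Server Attack", frozenset({"Attacks/WebServer"})),
]


def correlate(alarms, rules, groups):
    """Return {alarm: [names of rules that fired]}. An empty list means the
    alarm is stored and queryable as an event but never becomes an incident."""
    fired = {}
    for alarm in alarms:
        event_type = EVENT_TYPE_MAP.get(alarm)           # unmapped alarm -> no incident
        fired[alarm] = [r.name for r in rules
                        if event_type is not None
                        and any(event_type in groups.get(g, set()) for g in r.groups)]
    return fired


def with_custom_scan_rule(rules, groups):
    """Andrew's fix, modelled: a new group covering every scan event type,
    stealth or not, and a custom rule whose event column references it."""
    scan_types = {et for et in EVENT_TYPE_MAP.values() if et.startswith("Scan:")}
    new_groups = {**groups, "Scans/All": scan_types}
    return rules + [Rule("Scans: Non-Stealth", frozenset({"Scans/All"}))], new_groups
```

Running `correlate` with the default rules shows the traversal alarm firing and the connect scan firing nothing; after `with_custom_scan_rule` the same scan alarm produces an incident.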


Re: MARS Question

Andrew,

First of all, make sure you have enough interesting devices reporting to CS-MARS.

IDS, FW, Netflow events from the network should be a good subset to work with.

A port scan can be detected and therefore reported by the IDS or FW. If the port scan traffic is traversing a router with Netflow enabled and pointing to CS-MARS, you will get enough data from these devices to fire relevant rules on CS-MARS.

Thanks

Pradeep


Re: MARS Question

Are there any ref books available on tuning procedures other than the documentation that came with the appliance? Also, are most users creating their own rules and not using the default system rules? Thanks,
