I'm in the process of setting up a mars device and have a query about the way it interprets rules. Basically everything seems to be set up fine and incidents seem to also be working ok, for example I'm getting the usual "inactive reporting device" incidents.
However when I perform some example probes I don't get the response I'm expecting - when I try an IIS Unicode Directory Traversal Vulnerability it catches it fine - but a normal nmap port scan doesn't create an incident. (Although it's definitely there as I can drag it up with a query).
So, how do I get mars to pay more attention to a port scan? I can see the rule, and the rule is active but there must be something I'm missing here.
There are 3 system rules in the category of System: Reconnaissance (Scans: SCADA Modbus, Scans: Stealth and Scans: Targeted) and I mistakenly assumed that my nmap scans should have been picked up by the "Scans: Stealth" rule. However, looking more closely in the reports I found that my scans were being classified as "non-stealth" and hence didn't match any rule.
I created a new rule (called Scans: Non-Stealth) which collects any scans and this rule now gives me the behaviour I wanted (i.e. nmap scans creating incidents).
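As an added illustration of why a rule scoped to "stealth" scans misses a full-connect nmap scan, here is a toy correlation over constructed flow events; this is not code from the thread or from CS-MARS itself, and the port threshold and the flag-based stealth heuristic are assumptions.

```python
from collections import defaultdict

# Constructed sample firewall/flow events (not real data). Flags: "S" = SYN only
# (half-open, stealth style), "SA" = a handshake that completed (full-connect).
EVENTS = (
    [{"src": "10.0.0.5", "dst": "10.0.1.10", "dport": p, "flags": "S"} for p in range(20, 40)]
    + [{"src": "10.0.0.9", "dst": "10.0.1.10", "dport": p, "flags": "SA"} for p in range(20, 40)]
    + [{"src": "10.0.0.7", "dst": "10.0.1.10", "dport": 80, "flags": "SA"}]
)

# Assumed threshold: a source touching this many distinct ports on one host is a scan.
SCAN_PORT_THRESHOLD = 10


def classify_scans(events, threshold=SCAN_PORT_THRESHOLD):
    """Group events by (src, dst), flag pairs touching >= threshold distinct ports,
    and label each scan 'stealth' if no handshake completed, else 'non-stealth'.
    The ACK-flag check is a simplification of how a real sensor judges this."""
    ports = defaultdict(set)
    completed = defaultdict(bool)
    for e in events:
        key = (e["src"], e["dst"])
        ports[key].add(e["dport"])
        if "A" in e["flags"]:
            completed[key] = True
    scans = {}
    for key, seen in ports.items():
        if len(seen) >= threshold:
            scans[key] = "non-stealth" if completed[key] else "stealth"
    return scans


def incidents(scans, rule_matches):
    """Apply a rule's accepted scan classes; returns the scans that would fire."""
    return {k: v for k, v in scans.items() if v in rule_matches}


# A rule matching only stealth scans (like the system rule) versus one matching any scan.
STEALTH_ONLY_RULE = {"stealth"}
ANY_SCAN_RULE = {"stealth", "non-stealth"}

if __name__ == "__main__":
    found = classify_scans(EVENTS)
    print("stealth-only rule fires on:", incidents(found, STEALTH_ONLY_RULE))
    print("any-scan rule fires on:", incidents(found, ANY_SCAN_RULE))
```

The full-connect source is classified as non-stealth and only the broader rule raises an incident for it, which is the gap the extra rule closes.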
First of all, make sure you have enough interesting devices reporting to CS-MARS.
IDS, FW, Netflow events from the network should be a good subset to work with.
Port scan can be detected and therefore reported by the IDS, FW. If the port scan traffic is traversing a Router enabled with Netflow and pointing to CS-MARS, you will get enough data from these devices to fire relevant Rules on CS-MARS.
Are there any ref books available on tuning procedures other than the documentation that came with the appliance? Also, are most users creating their own rules and not using the default system rules? Thanks,