We are trying to integrate ACS 4.1 and MARS 5.2. In MARS 5.2 we cannot insert ACS 4.x, so we decided to insert our ACS 4.1 as ACS 3.x. But we are not sure if it is working: we simulated a brute force attack against one of our routers and expected MARS to do something, but we only observed an increasing amount of events.
We checked in which way MARS was receiving messages from ACS 4.1. In real-time raw events we saw MARS receiving ACS 4.1 events as GENERIC EVENT. Is that correct? Or should we see an event type like AAA EVENT, or something like that?
If MARS receives events from ACS 4.1 in the correct way, does this mean there aren't any rules to handle this kind of event?
Thank you very much in advance. Best regards, Antonello Moneta.
CS-MARS will indicate an ACS event is a 'generic event' if there is not a parsing rule for the received event. If CS-MARS did not correctly parse the event you would see an event similar to 'unknown device event type'.
As a heads up, CS-MARS release 5.2 is quite old. Recent versions (6.0.7) support ACS 4.x natively without need for the pnlog agent, as well as containing substantial stability and performance improvements. You may want to consider upgrading to this release.
You should not need to create any custom parsers for ACS events. The development team for CS-MARS has included parsers for the messages which they feel are relevant to the operational aspects of the CS-MARS.
There is not a 'best practice' document for creating custom parsers, or making use of the information provided by the CS-MARS. The best place to start for information regarding CS-MARS is:
Upgrading the CS-MARS from a 5.2 release will be a time consuming process as you will need to install each upgrade in sequence. However, you should consider performing the upgrades as you will receive not only bug fixes, but new parsers and product version support.
I need to understand what the normal behaviour of MARS would be when it receives an auth-failure log from ACS. These kinds of events could be found in the report "Activity: AAA Based Access Failure - All Event", right?
Can you please explain to me better the difference between Generic Event and Unknown Device Event Type?
I hope I am not annoying you; thank you very much, I really appreciate your help. Antonello.
A "Generic Event" will be an event CS-MARS receives, parses, and determines is general in nature and cannot be better utilized for security reporting.
An "Unknown Device Event Type" will be an event CS-MARS receives but cannot successfully parse. These messages may be corrected in an upgrade to CS-MARS where development has added additional parsing rules to a specific device type.
To see the available event types parsed by CS-MARS in regard to ACS, you can navigate to:
In the drop-down above "Device Event ID" choose the appropriate entry for Cisco Secure ACS.
You will be presented with the CS-MARS event ID and description coupled with the specific device events that parse to the CS-MARS event. Again, there have been significant enhancements to ACS parsing in the more recent releases of CS-MARS.