Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CS MARS and CSA

If we have both CS MARS and CSA to monitor network devices, and we have all servers send logs to CSA only and then CSA send logs to CS MARS, is that going to affect the result of vulnerability scanning done by CS MARS on servers as in order for CS MARS to recognise that the incident is system determind false positive. therefore, will adding servers in CSA only not allow CS MARS to directly perform vulnerability scanning on servers or will it do it through CSA?

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions

Re: CS MARS and CSA

Hello Nora

This would depend on your requirements. As you know MARS has a built-in Nessus Scanner that does 'dynamic vuln scanning' to know more about the OS/services running on hosts; this helps in reducing false positives. Adding the CSA MC to MARS can give similar information and you may optionally exclude the server subnets (with CSA) from the dynamic vuln. scanning range in MARS.

However there is another aspect to this, lets say you want to monitor all authentication attempts to Apache (and assuming these event types are supported in MARS). This information would come through raw syslogs which could be queried later. If you don't add the Apache server in MARS (as a monitored device), CSA might not send these message to you as it might not have any rules related to these events...I hope you get my point. So in some cases you would need both in others only adding the CSA-MC could suffice.


Regards

Farrukh

2 REPLIES

Re: CS MARS and CSA

Hello Nora

This would depend on your requirements. As you know MARS has a built-in Nessus Scanner that does 'dynamic vuln scanning' to know more about the OS/services running on hosts; this helps in reducing false positives. Adding the CSA MC to MARS can give similar information and you may optionally exclude the server subnets (with CSA) from the dynamic vuln. scanning range in MARS.

However there is another aspect to this, lets say you want to monitor all authentication attempts to Apache (and assuming these event types are supported in MARS). This information would come through raw syslogs which could be queried later. If you don't add the Apache server in MARS (as a monitored device), CSA might not send these message to you as it might not have any rules related to these events...I hope you get my point. So in some cases you would need both in others only adding the CSA-MC could suffice.


Regards

Farrukh

New Member

Re: CS MARS and CSA

Thank you Farrukh,

So to be in the safe side ill add all hoests to both CSA and CS MARS, but in this case what additions value will i get of ading CSA as a reporting device in CS MARS?

Thank you

Regards,

Nora

354
Views
0
Helpful
2
Replies
CreatePlease to create content