Cisco Support Community
New Member

CS-MARS using snmp RW

I'd like to know how I can implement the feature of shutting down a switch port using the SNMP RW string, and also whether there is another action that MARS can take regarding an attack.


Thank You

6 REPLIES

Re: CS-MARS using snmp RW

Hi Andres,

All of the information regarding the mitigation functionality of the MARS can be found in the user guide here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/invest.html#wp800609

Note that a prerequisite for performing mitigation is that you've configured the mitigation device with an SNMP RW string. This is done on the device information page (Admin -> System Setup -> Security and Monitor Devices, and Edit the particular switch device). The field labeled "SNMP RO Community" on this page can actually be populated with the RW string for this purpose.

Best Regards,

JT

Re: CS-MARS using snmp RW

Incidentally, there is a cosmetic defect opened for the "SNMP RO Community" to change the label to indicate that the field is also used for the RW string.  Documented under ID CSCsd05614

-JT

New Member

Re: CS-MARS using snmp RW

Thank you Juteixei, this has been very helpful.

New Member

Re: CS-MARS using snmp RW

Hi Juteixei,

I have a doubt regarding the mitigation feature on MARS: is it possible to automate the shutdown command?
I am asking this because the documentation says that you can mitigate the attack only once it has occurred.

Thank you!

Cisco Employee

Re: CS-MARS using snmp RW

That is correct - CS-MARS cannot automatically take mitigative action.  The incident needs to be manually reviewed, and then mitigation action can be taken from that specific incident as available (correct layer-2/layer-3 device access in the incident path).

Scott

New Member

Re: CS-MARS using snmp RW

I appreciate it.

Thank you Scott!
