Host Discovery In MARS

I have a problem with my MARS. I cannot see or find any host discovered by MARS when I go to the IP Management page and search for a host.

I have added all the switches in MARS and they are discovered, and I configured SNMP and syslog on the switches.

Can you please help me solve this issue?

Accepted Solution

Jennifer Halim (Cisco Employee)

Are all the switches sending any syslog and/or SNMP messages to MARS? If you go to the switch and do "show log", on the logging traps, are you seeing the number of packets increase for traps?

You can use the Query/Report --> Query tab --> click on the Query type: "Event Types ranked by Sessions, 0h:10m" --> Result format: choose "All Matching Event Raw Messages".

That should give you everything that is received by the MARS.

Hope that helps.
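The "show log" check above can be made repeatable: take the output twice a few minutes apart and diff the trap counters for the collector address. The script below is an added example and not part of the original thread or of any Cisco tool; the two "show logging" excerpts are constructed, their counters are made up, and the line layout is assumed to follow IOS output. The collector address 10.1.11.29 is the MARS address the poster gives later in the thread.

```python
import re

# Two constructed "show logging" excerpts taken a few minutes apart (not from
# the poster's switch). The line layout is assumed to follow IOS output; the
# counters are made up.
SNAPSHOT_BEFORE = """\
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 71 messages logged
    Buffer logging: level debugging, 71 messages logged
    Trap logging: level debugging, 74 message lines logged
        Logging to 10.1.11.29, 74 message lines logged
"""

SNAPSHOT_AFTER = """\
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 80 messages logged
    Buffer logging: level debugging, 80 messages logged
    Trap logging: level debugging, 83 message lines logged
        Logging to 10.1.11.29, 83 message lines logged
"""

TRAP_RE = re.compile(r"Trap logging: level (\w+), (\d+) message lines logged")
HOST_RE = re.compile(r"Logging to (\d+\.\d+\.\d+\.\d+).*?(\d+) message lines logged")


def parse_show_logging(text):
    """Pull the trap level, the total trap counter and the per-collector counters."""
    level, total = None, 0
    m = TRAP_RE.search(text)
    if m:
        level, total = m.group(1), int(m.group(2))
    hosts = {ip: int(count) for ip, count in HOST_RE.findall(text)}
    return {"level": level, "total": total, "hosts": hosts}


def trap_delta(before, after, collector):
    """Lines sent to `collector` between the two snapshots, or None if it is not a logging host."""
    b = parse_show_logging(before)["hosts"].get(collector)
    a = parse_show_logging(after)["hosts"].get(collector)
    if a is None or b is None:
        return None
    return a - b


def collector_is_fed(before, after, collector):
    """True only when the switch actually sent something to the collector in the interval."""
    delta = trap_delta(before, after, collector)
    return delta is not None and delta > 0


if __name__ == "__main__":
    mars = "10.1.11.29"  # the MARS address the poster gives later in the thread
    print(parse_show_logging(SNAPSHOT_AFTER))
    print(f"lines sent to {mars} in the interval: {trap_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, mars)}")
    print("switch is feeding MARS:", collector_is_fed(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, mars))
```

A rising counter only proves the switch emitted the datagrams. Syslog over UDP is unacknowledged, so receipt still has to be confirmed on the MARS side with the raw-message query described above.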

Dear halijenn

I can see that the switches are sending to MARS when I do show log, and I can also see that MARS receives logs from all switches when I do a query.

But still there is not any host IP address or name (from the DNS server) discovered by MARS; it only discovers the networks.

Thank you

Not sure if I understand your question on "But still there is no any host ip address or name (from DNS server) discovered by MARS it is only discover the networks."

Do you mean you also added a "DNS server" to your MARS, and the DNS server is also sending syslogs/SNMP to MARS, and you are not seeing the logs from the DNS server? If that is a correct statement, what is the DNS server OS, and did you set up your DNS server to send logs to MARS as well?

No, I didn't add any DNS server, but as far as I know MARS should discover the hosts automatically instead of adding them one by one.

By the way, should MARS be on the management VLAN?

MARS will not discover hosts automatically. Only if there is an attack, based on the syslog and/or SNMP that has been sent from all your network devices, can MARS advise where the attack originated from and towards which host. It will not perform auto-discovery of all hosts in your network.

MARS is an event correlator, so it will only correlate events that are being sent from syslog/SNMP of network devices.

Whether MARS should be in the management VLAN or not depends on your company security/network policy. It is not a requirement for MARS to be in the management VLAN; however, if your company policy dictates that all management traffic should be on the management VLAN, then it makes sense for MARS to be in the management VLAN too.

The main problem is that in the attack graph it shows the source IP address as 0.0.0.0; this means it didn't understand the hosts' IP addresses.

My MARS IP address is 10.1.11.29.

SNMP configuration:

! read-only community; the host line sends SNMP traps to MARS
snmp-server community neverbefool ro
snmp-server host 10.1.11.29 neverbefool

syslog configuration:

! send all severities (debugging and above) to MARS, tagged facility local6,
! sourced from the Vlan1 address
logging on
logging trap debugging
logging facility local6
logging source-interface Vlan1
logging 10.1.11.29

And I can see the logs received by MARS from the query page.

By the way, only the access, distribution and core switches are connected to MARS.

It really depends on the syslog messages themselves. Because the attack graph depends on the syslog messages sent by the switches/network devices, if those syslog messages do not contain the IP address of the attacker, then it will not show up on MARS.

MARS will only show the attacker if it does receive the information about the attacker from the syslog messages sent.

Here is a bug (CSCpn02787) that explains the situation a little bit more:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCpn02787

Hope that helps.

So what do you think, how can I solve this issue? How can I make sure that the syslog messages contain the attacker IP address?

You would need to add all your network devices to MARS for MARS to be more accurate in providing you with the attack graph. Currently, as advised earlier, you have only added the access, distribution and core switches to MARS. I assume that if the attack originated from outside, you would need to add all devices in the path for the complete picture (that includes all network devices in the path up to just before your ISP router). That would include routers, firewalls, IPS, etc. which you have in your network where the attack path might take place. As advised earlier, MARS is an event correlator appliance; it can only correlate events which are being sent to it, and if the event which includes the attacker IP address is not in the syslog, MARS will not show it.

I am using MARS to monitor my local network and only the users in my building; there are no routers. I have switches, an IDS and an FWSM, but the IDS and the FWSM are not active yet; I will add them soon.

So right now I have added the switches only.

And if syslog is configured correctly, why will it not contain the attacker IP address?

Do the syslog messages from your switches contain the attacker IP address? If they don't, then MARS will also not show the attacker. Only if your switch syslog messages show the IP address will it show under MARS.

So how will I know if the syslog messages my switches send to MARS contain the attacker IP address?

I don't think syslog messages from switches normally contain connection build and teardown. I know that firewalls normally do generate syslog messages for connection build and teardown, which would contain the necessary IP addresses. But switch syslog messages normally do not include that information.
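The point above (an event is only useful to a correlator if the message itself names the endpoints) can be checked directly against the raw messages the query page returns. The script below is an added example, not code from the thread or from Cisco. The four sample lines are constructed: two are ordinary switch link-state messages, one is an IOS extended-ACL logging message, and one is an FWSM connection-built message; their layouts are assumed from the standard IOS and FWSM/ASA formats. The switch lines carry facility local6 (PRI = 22*8 + severity) to match the "logging facility local6" in the poster's configuration; the FWSM line uses the FWSM default of local4.

```python
import re
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Message families from which a source/destination pair can be taken. Layouts
# follow the standard IOS ACL-logging and FWSM/ASA connection messages as
# assumed here; they are not copied from the thread.
FW_CONN_RE = re.compile(
    r"%FWSM-6-30201[3-6]: (?:Built|Teardown) .*?"        # 302013-302016: TCP/UDP built/teardown
    r"(?P<src>" + IPV4 + r")/(?P<sport>\d+).*?"
    r" to \w+:(?P<dst>" + IPV4 + r")/(?P<dport>\d+)")
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>" + IPV4 + r")\((?P<sport>\d+)\) -> (?P<dst>" + IPV4 + r")\((?P<dport>\d+)\)")
PRI_RE = re.compile(r"^<(\d{1,3})>")

PATTERNS = [("fw_connection", FW_CONN_RE), ("acl_log", ACL_LOG_RE)]

# Constructed sample lines (not captured from the poster's network).
SAMPLE_LOGS = [
    "<179>123: *Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to down",
    "<181>124: *Mar  1 00:12:36.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down",
    "<182>125: *Mar  1 00:15:00.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.20.5(3456) -> 10.1.11.29(23), 1 packet",
    "<166>%FWSM-6-302013: Built inbound TCP connection 12345 for outside:10.1.20.5/3456 (10.1.20.5/3456) to inside:10.1.11.10/80 (10.1.11.10/80)",
]


def syslog_pri(msg):
    """Return (facility, severity) from the <PRI> header, or None if absent."""
    m = PRI_RE.match(msg)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def extract_endpoints(msg):
    """Classify one message and pull out (kind, src_ip, dst_ip).

    Link-state and other switch housekeeping messages carry no endpoints, so
    they come back as ("other", None, None): there is nothing for a correlator
    to place in an attack graph.
    """
    for kind, pat in PATTERNS:
        m = pat.search(msg)
        if m:
            return kind, m.group("src"), m.group("dst")
    return "other", None, None


def attack_graph_source(msg):
    """Source address a correlator could show for this event; 0.0.0.0 when unknown.

    This reproduces what the poster saw: an event with no source address is
    rendered with the placeholder 0.0.0.0 rather than a real host.
    """
    return extract_endpoints(msg)[1] or "0.0.0.0"


def summarize(msgs):
    """Count messages per family to see how much of the feed carries endpoints."""
    return Counter(extract_endpoints(m)[0] for m in msgs)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        kind, src, dst = extract_endpoints(line)
        print(f"{kind:14s} fac/sev={syslog_pri(line)} src={attack_graph_source(line)} dst={dst}")
    print(dict(summarize(SAMPLE_LOGS)))
```

Run it over the output of the "All Matching Event Raw Messages" query instead of the constructed lines: if nearly everything lands in the "other" bucket, the 0.0.0.0 source is expected, and the fix is a device (the FWSM, or ACL logging on the switches) that emits messages with addresses in them, not a change to the syslog transport settings.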

Thank you so much, Mr. halijenn, for these nice answers.
