I'm getting a lot of these when attempting to view websites that users have visited. Is there a reason for this? I've read in the MARS documentation that in order to get the full URL you have to subscribe to Websense or SmartFilter. Is this true? What about the CSC-SSM?
This has nothing to do with websense etc. MARS just tries to do a reverse lookup for that IP address. If a PTR entry exists for that IP address, MARS goes on and displays the hostname. If MARS fails to give you a hostname, just run a whois query to give you some idea about the location of the attacker (assuming it's a public IP):
While I have no issues with running a whois, asking non-technical management staff to do the same is ridiculous.
As it stands now, any reports that I can create for management staff are virtually useless because they cannot tell the full URL of websites that users are visiting. Most of them say hostname could not be found.
I'm just wondering if there's something I'm doing wrong in the setup of MARS?
If it's resolving for 'some' and not for 'others', then it means MARS is most probably set up correctly. You can't blame Cisco if some websites don't have reverse lookup entries (this is done by many websites like warez, torrentz, rapidshare-type file storage servers) to increase their 'covert' operation.
You can double check this by putting that same IP address in nslookup. You can also do a 'ping -a
You can go for a full-blown URL filtering solution if this is a business need... after all, does MARS ever claim to provide reports for URL filtering?
The CSC should provide this information. CSC support was added in MARS 6.x only. Are you integrating CSC with MARS, or are you running a report built into CSC?
The CSC is integrated into my updated MARS and I'm getting reporting from MARS. The CSC is not reporting full URLs to it although it is reporting other things like spam & virii. Syslogs are set to debug.
Well it seems the MARS must be parsing the URLs (if any are sent), check the last figure on the link:
What is the raw message you are getting? Does it contain the URL?
Maybe the users are entering IP addresses directly? (I do it a lot)
I found this quote on bootstrapping the ASA that seems to contradict what you're saying:
"Full URLs, such as www.cisco.com/foo.html, are included in HTTP session logs and FTP command data is logged only if web filtering (N2H2\SecureComputing or WebSense) is enabled on the reporting device. If web filtering is not enabled, then the HTTP session log does not include the hostname (although the destination host's IP and the Request-URI are included, such as 192.168.1.1:/foo.htm) and FTP command data is not logged at all. Caveats exist with HTTP session logging, such as if the HTTP session request is broken across packets, then the hostname data might not be included in the log data."
While I'm not disputing the MARS ability to do a DNS lookup on IPs that it has, this seems to indicate that I can't get what I want out of the MARS unless I pay for Websense or SmartFilter.
What I said has nothing to do with the quote you presented. That quote is from the MARS 4.2.x user guide:
And it is obvious that CSC support was added in MARS 6.x. So there is no chance that this quote pertains to the CSC-SSM module. It talks about the 'regular' integration between ASA and websense for URL filtering like the following:
I hope it's clear now.
Actually the quote is from the 6.x Device Configuration Guide:
CSC support was indeed added for the 6.x release of MARS, but the CSC-SSM is not doing full on URL filtering. It will report IP addresses of URLs that it's blocked, but not all URLs.
At any rate, you're coming off as agitated in your responses, so I'll look elsewhere for help... Thanks anyway!
Nah not agitated at all, sorry if you took it that way (or I appear that way).
The point was, if it's in the 4.2.x guide, that paragraph can't be talking about the CSM module.
It will be there in the 6.x guide also because ASA URL filtering still has to be parsed.
If your raw event messages from the CSM are not showing URLs (as you see them in MARS) then you need to focus on fixing the CSM part. If the raw message is showing the URL but MARS is not, you need to play with some parsing yourself (or report this bug to Cisco).
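As an added illustration of the two checks this thread keeps coming back to (this is example code written for this page, not anything posted by the participants or shipped with MARS): split the hostname-less `<dst-ip>:<request-uri>` session-log form the quoted guide describes from a full-URL entry, attempt the same PTR lookup MARS does, and list the IPs that still need a manual whois. The sample events and the PTR table used in the test are constructed; the default resolver does a real DNS lookup.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample events in the two shapes the quoted guide describes:
# without web filtering the ASA logs "<dst-ip>:<request-uri>" and no hostname;
# with web filtering it logs the full URL. Not real MARS or ASA output.
SAMPLE_EVENTS = [
    "192.168.1.1:/foo.htm",
    "198.51.100.7:/index.html",
    "203.0.113.9:/downloads/file.zip",
    "www.cisco.com/foo.html",
]

# Matches the hostname-less form: dotted-quad, colon, Request-URI.
DST_URI = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(/\S*)$")


def split_session_log(event: str) -> Optional[tuple]:
    """Return (ip, request_uri) for the hostname-less form, else None."""
    m = DST_URI.match(event)
    return (m.group(1), m.group(2)) if m else None


def reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup, the same check MARS (or nslookup) performs."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def resolve_report(events: List[str],
                   resolver: Callable[[str], Optional[str]] = reverse_lookup) -> Dict[str, dict]:
    """Build a per-event view; a missing PTR record is flagged, not hidden."""
    report: Dict[str, dict] = {}
    for ev in events:
        parts = split_session_log(ev)
        if parts is None:  # full URL already carries the hostname
            host, _, path = ev.partition("/")
            report[ev] = {"kind": "full-url", "hostname": host, "uri": "/" + path}
            continue
        ip, uri = parts
        host = resolver(ip)
        report[ev] = {"kind": "ip-only", "ip": ip, "uri": uri,
                      "hostname": host or "hostname could not be found"}
    return report


def unresolved_ips(report: Dict[str, dict]) -> List[str]:
    """IPs with no PTR record: the ones the thread says to send to whois."""
    return sorted({r["ip"] for r in report.values()
                   if r["kind"] == "ip-only" and r["hostname"] == "hostname could not be found"})
```

Swapping in a dictionary-backed resolver (as the test does) lets you reproduce the "hostname could not be found" rows from a report without touching the network.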