Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Incidents & Sessions

I have a question about the MARS device. I'm viewing quite a few sessions that are not included in an incident that I know of. Is there any way to find out if a session is included in an incident? Thank you

5 REPLIES
Cisco Employee

Re: Incidents & Sessions

Kerry;

  When viewing a session, if it is included in an incident, there should be an identifier of the format I:1179025693 in the "Event/Session/Incident" column.  This ID will be a link to the associated incident.

Scott

New Member

Re: Incidents & Sessions

Hi Scott,

Thanks for the reply. So if there is no incident ID already associated with a session, is there a way to do this? I have a server that keeps getting hammered by random ip's and I would like this to come up as an incident in MARS, if that is possible.

Thanks,
Kerry

Cisco Employee

Re: Incidents & Sessions

Kerry;

  There is no method to manually assign a session to an incident.  You should be able to create a custom inspection rule that matches on specifics of the behavior for which you want to generate an incident.  For example, you could have an inspection rule that matches when the specific server IP address is seen as the destination along with specific CS-MARS events and this match occurs a certain number of times in a specific time range.

  You can learn more about CS-MARS rules here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html

Scott

New Member

Re: Incidents & Sessions

Hi Scott,

I created a rule so the events and sessions would now be put into an incident, but nothing is showing up. When I view the rule, it is not showing up as active, like the rest of the rules that came with the system. How do I make it active?

Thanks,

Kerry

Cisco Employee

Re: Incidents & Sessions

Kerry;

  If the rule is listed as Inactive, you should only need to select the rule (check the box next "Rule Name:" and click the "Change Status" button).  You should be prompted as to whether you do wish to change the status of the selected rule.

  If you do not see the rule in the list at all, ensure you have selected "Inactive" in the "View:" drop-down box.

Scott

351
Views
0
Helpful
5
Replies