I have a question about the MARS device. I'm viewing quite a few sessions that are not included in an incident that I know of. Is there any way to find out if a session is included in an incident? Thank you
When viewing a session, if it is included in an incident, there should be an identifier of the format I:1179025693 in the "Event/Session/Incident" column. This ID will be a link to the associated incident.
Thanks for the reply. So if there is no incident ID already associated with a session, is there a way to do this? I have a server that keeps getting hammered by random IPs and I would like this to come up as an incident in MARS, if that is possible.
There is no method to manually assign a session to an incident. You should be able to create a custom inspection rule that matches on specifics of the behavior for which you want to generate an incident. For example, you could have an inspection rule that matches when the specific server IP address is seen as the destination along with specific CS-MARS events and this match occurs a certain number of times in a specific time range.
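As an added example (not CS-MARS rule syntax or any code from the thread), the following Python models the count-based inspection rule described in the reply above: sessions whose destination is the protected server and whose event type is in the rule's event set are counted over a sliding time window, and an incident is raised once the count reaches the threshold. The server address, event names and session records are constructed sample data.

```python
from collections import deque
from datetime import datetime

# Constructed sample sessions with the fields such a rule matches on:
# (timestamp, source IP, destination IP, event type).
SAMPLE_SESSIONS = [
    ("2024-01-01T10:00:00", "203.0.113.5",  "192.0.2.10", "Deny TCP"),
    ("2024-01-01T10:00:20", "203.0.113.9",  "192.0.2.10", "Deny TCP"),
    ("2024-01-01T10:00:45", "198.51.100.3", "192.0.2.10", "Deny TCP"),
    ("2024-01-01T10:01:10", "203.0.113.5",  "192.0.2.10", "Deny TCP"),
    ("2024-01-01T10:01:30", "203.0.113.77", "192.0.2.10", "Deny TCP"),
    ("2024-01-01T10:02:00", "203.0.113.5",  "192.0.2.20", "Deny TCP"),   # other server: not matched
    ("2024-01-01T10:20:00", "203.0.113.5",  "192.0.2.10", "Built TCP"),  # event type not in rule
    ("2024-01-01T10:30:00", "203.0.113.5",  "192.0.2.10", "Deny TCP"),   # alone, outside any window
]

def correlate(sessions, server_ip, event_types, threshold, window_seconds):
    """Model of a count-based inspection rule (hypothetical, not the MARS engine).
    A session matches when its destination is server_ip and its event type is in
    event_types.  An incident fires when `threshold` matching sessions fall within
    any sliding window of window_seconds.  Returns [(fire_time, [session indexes])].
    """
    recent = deque()   # (time, index) of matching sessions still inside the window
    incidents = []
    for idx, (ts, _src, dst, event) in enumerate(sessions):
        if dst != server_ip or event not in event_types:
            continue   # the rule does not match this session at all
        t = datetime.fromisoformat(ts)
        recent.append((t, idx))
        # Expire matches that have fallen out of the sliding window.
        while recent and (t - recent[0][0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            incidents.append((ts, [i for _, i in recent]))
            recent.clear()   # those sessions now belong to an incident; start counting afresh
    return incidents

if __name__ == "__main__":
    # Five "Deny TCP" sessions against the server within five minutes raise one incident.
    for fire_time, ids in correlate(SAMPLE_SESSIONS, "192.0.2.10", {"Deny TCP"}, 5, 300):
        print(f"incident at {fire_time}: sessions {ids}")
```

Once the rule fires, sessions 0 through 4 would carry the incident link the earlier reply describes, while the lone session at 10:30 stays unassociated because nothing else falls inside its window.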
I created a rule so the events and sessions would now be put into an incident, but nothing is showing up. When I view the rule, it is not showing up as active, like the rest of the rules that came with the system. How do I make it active?
If the rule is listed as Inactive, you should only need to select the rule (check the box next to "Rule Name:" and click the "Change Status" button). You should be prompted as to whether you do wish to change the status of the selected rule.
If you do not see the rule in the list at all, ensure you have selected "Inactive" in the "View:" drop-down box.