MARS: Hello I am working on tuning the MARS 25 Series

ericohermoso
Level 1

When I delete the devices on the MARS, in real time they are also removed from the Hotspot graph, but in the attack diagram it takes time, say an hour, before they are removed. Can somebody give me a tuning method on how to remove them in real time from the attack diagram, please?

thanks and regards

9 Replies

Farrukh Haroon
VIP Alumni

The attack diagram is based on the 'historical' firing of incidents. Deleting those devices on the graph/topology won't immediately delete them from the attack diagram. I don't even see why that would be required? Please let me know your specific requirement.

Regards

Farrukh

thanks for the reply.

It happens that we need to know the real-time attacks on a certain device. Anyway, I just configured my MARS device and added devices such as routers and switches as well as firewalls. Also, I configured NetFlow. However, I have a question on mitigation: it seems that my MARS does not recommend a command that could be used. Also, I cannot push a command necessary to stop the attack. Could someone give me some other configuration parameters?

thanks

Please try to add all network devices in the transit path into MARS, e.g. L2 switches.

MARS can only do mitigation on 'L2' devices (switches). For Layer 3, it can only 'suggest' configuration. But to be honest it does not always work.

Regards

Farrukh

thanks for the reply. I already added all the devices; say you have 4 devices, 1 firewall and 3 IOS devices with minimum IOS version 12.2, but still I can't mitigate a device to stop an attack on a device (router). For example, I want to stop a certain host from accessing a router. Anyway, aside from adding devices, what could be the next step to tune the MARS?

thanks and best regards

The most important thing is to filter out the false positives etc. from MARS. The preferred option is to do it at the reporting device itself (e.g. Event Action Filters in IPS), and as a last resort make 'Drop Rules' in MARS itself.

For the mitigation, did you add SNMP write access to these devices?

Regards

Farrukh

thanks for the reply. I used this command on my devices

snmp-server community ABCD rw

so that means I should be able to mitigate the device?

The RW string will take care of it from the device perspective (however, as a security best practice I would recommend adding an ACL to that command to restrict SNMP traffic to only the MARS box).

From the MARS side:

> You have to configure this string in MARS

> Make sure all L2 switches are added in MARS

Is MARS showing it as a mitigation device in incidents?

Regards

Farrukh
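The ACL restriction recommended above, shown as an added IOS configuration example (constructed for this thread, not taken from the original posts). The community string `MARS_RW_STRING` and the MARS appliance address `10.0.0.5` are placeholders; the ACL number is arbitrary.

```cisco
! Weak: any host that learns the community string gets full write access
snmp-server community MARS_RW_STRING RW

! Hardened: bind the RW community to a standard ACL so only the MARS
! appliance (placeholder address 10.0.0.5) can use it; log anything else
no snmp-server community MARS_RW_STRING RW
access-list 10 remark SNMP RW access restricted to CS-MARS
access-list 10 permit host 10.0.0.5
access-list 10 deny any log
snmp-server community MARS_RW_STRING RW 10

! Verify the community is present and tied to the ACL
show snmp community
```

A denied SNMP attempt from any other source now produces an ACL log entry, which gives a simple detection point for misuse of the write community.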

Hi, thanks for the reply and advice. In my CS-MARS implementation I used the telnet, ssh, and snmp access types, but still there is no mitigation. I have read that you can mitigate a device if you are using the snmp access type, is that right?

thanks again

Thanks, I am able to see the mitigation. Now I will just drill down and add all the remaining layer two devices. Thanks, your advice is all very helpful.
