When I delete devices on the MARS, they are also removed in real time from the Hotspot Graph, but in the Attack Diagram it takes time, say an hour, before they are removed. Can somebody give me a tuning method for removing them from the Attack Diagram in real time, please?
Thanks and regards
The Attack Diagram is based on the 'historical' firing of incidents. Deleting those devices on the graph/topology won't immediately delete them from the Attack Diagram. I don't even see why that would be required. Please let me know your specific requirement.
Thanks for the reply.
It happens that we need to know the real-time attacks on a certain device. Anyway, I just configured my MARS device and added devices such as routers and switches as well as firewalls. Also, I configured NetFlow. However, I have a question on mitigation: it seems that my MARS does not recommend a command that could be used. Also, I cannot push a command necessary to stop the attack. Could someone give me some other configuration parameters?
Please try to add all network devices in the transit path into MARS, e.g. L2 switches.
MARS can only do mitigation on 'L2' devices (switches). For Layer 3 it can only 'suggest' configuration. But to be honest, it does not always work.
Thanks for the reply. I already added all the devices; say you have 4 devices, 1 firewall and 3 IOS devices with a minimum IOS version of 12.2, but still I can't mitigate on a device to stop an attack on a device (router). For example, I want to stop a certain host from accessing a router. Anyway, aside from adding devices, what could be the next step to tune the MARS?
Thanks and best regards
The most important thing is to filter out the false positives etc. from MARS. The preferred option is to do it at the reporting device itself (e.g. Event Action Filters in IPS), and as a last resort make 'Drop Rules' in MARS itself.
For the mitigation, did you add SNMP write access to these devices?
Thanks for the reply. I used this command on my devices:
snmp-server community ABCD rw
So that means I should be able to mitigate the device?
The RW string will take care of it from the device perspective (however, as a security best practice I would recommend adding an ACL to that command to restrict SNMP traffic to only the MARS box).
From the MARS side:
> You have to configure this string in MARS
> Make sure all L2 switches are added in MARS
Is MARS showing it as a mitigation device in incidents?
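As an added illustration of the ACL advice above (this is not configuration from the original posters; the MARS address 192.0.2.10 and the ACL name SNMP-MARS-ONLY are assumed placeholders, and ABCD is the community string from the thread), here is the open RW community beside a version restricted to the MARS appliance:

```cisco
! Weak (as posted): the RW community answers SNMP from any source address,
! so anyone who learns the string can reconfigure the device.
snmp-server community ABCD rw

! Hardened (added example): only the MARS appliance may use the RW community.
! 192.0.2.10 is an assumed placeholder for the MARS box; replace it with yours.
ip access-list standard SNMP-MARS-ONLY
 permit host 192.0.2.10
 deny any log
!
no snmp-server community ABCD rw
snmp-server community ABCD rw SNMP-MARS-ONLY

! Verification: confirm the ACL is bound to the community and watch for
! denied hits, which indicate SNMP attempts from non-MARS sources.
! show snmp community
! show access-lists SNMP-MARS-ONLY
```

Two caveats: the community string is the only credential in SNMPv1/v2c, so it should be a long non-guessable value rather than a short token like ABCD, and the ACL filters by source IP only, so it is a meaningful reduction of exposure but not a substitute for a strong string or, where the platform and MARS version support it, SNMPv3.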
Hi, thanks for the reply and the advice. In my CS-MARS implementation I used the telnet, SSH, and SNMP access types, but still there is no mitigation. I have read that you can mitigate a device if you are using the SNMP access type; is that right?
Thanks, I am able to see the mitigation. Now I will just drill down and add all the remaining layer two devices. Thanks, your advice has all been very helpful.