Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
506
Views
5
Helpful
4
Replies

Your experience w/ MARS use/implementation

js88888888
Level 1
Level 1

‎08-26-2008 02:47 PM

Just wanted to see what other people have going on with their MARS set up.

What do you have set up for mitigation? How long did you have MARS setup "passively" before configuring rules to actively mitigate?

Has MARS saved the day in response to a threat?

Do you have 'everythign but the kitchen sink' monitored by MARS like database servers, web servers, etc or just network/firewall devices?

thanks, just trying to get some feedback from more experienced MARS users.

Labels:
0 Helpful
4 Replies 4

jeff_groesbeck
Level 1
Level 1

‎08-27-2008 06:49 AM

Hello.

I typically let MARS run 'passively' for at least 2 weeks, but preferably for about a month. I do this so that MARS can attempt to learn about network patterns, etc. Most of the implementations I have done are centered around the networking equipment, firewalls, IDS/IPS, VPN, etc... but I have done a few with Windows servers/desktops. I have had pretty good success with basic Windows server/desktop logging using Snare. I haven't had much success at all with database servers. Oracle database servers, for example, are only supported currently with one database instance per server. In every instance except one that I have run into, the Oracle servers have more than one database instance running on them. In that case, you can only get logs from the first instance you create on that server (in MARS). Currently there is no SQL database support in MARS at all. This is rather frustrating in my opinion. I'm not sure the real reasoning behind this, but it's not there. All of that being said, I have had several instances where MARS was able to detect malicious activity going on and let me know exactly where it was coming from and how. One instance was a desktop that was running RDP. A user was attempting to log into servers repeatedly with user accounts. MARS flagged this and alerted us it was going on. This happened within about 30 minutes of MARS being installed. The security team went to that workstation and they fired that guy that day. I have also had great success tracking down devices with viruses. I am a believer in MARS, but still think it has some shortcomings when it comes to applications and databases. Hopefully 6.0 will open this up for us with the parser import/export ability.

Thank you and good luck,

Jeff

js88888888
Level 1
Level 1
In response to jeff_groesbeck

‎08-28-2008 07:13 AM

Thanks for the feedback Jeff. Great info. Are you sending any Netflows to MARS?

0 Helpful

jeff_groesbeck
Level 1
Level 1
In response to js88888888

‎08-28-2008 07:36 AM

Hello.

Yes, I completely forgot to mention that. I do send netflow to MARS as it does help greatly with the correlation of events that MARS receives. It give MARS that 'snapshot' of the traffic at that moment. That way you are also seeing the traffic pattern through routers/switches that normally wouldn't log that traffic.

Jeff

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to jeff_groesbeck

‎08-29-2008 05:51 AM

If you have a FWSM etc. sending level 7 messages to the MARS, you can (sometimes) skip the netflow part.

We have not enabled Netflow on one of our customers and the MARS is able to generate alarms for all sorts of traffic anomalies. However we might not be able to know about any DOS attacks on our perimeter router tough!

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents