Cisco Support Community

lkc
New Member

CS-MARS 4.1 lots of events, netflow and session but no incidents ?

Hi all,

I've just installed a demo MARS box and have configured it to work with 3 firewalls, 1 IPS and a couple of routers.

I have more than 100.000 events and sessions but it does not generate a single incident. All rules are active.

Does anyone have a hint as to what might be wrong? I've used nmap and nessus to generate traffic that should be captured by the IPS and denied by the firewalls, but it made no difference.

Any hints will be appreciated!

1 REPLY
Gold

Re: CS-MARS 4.1 lots of events, netflow and session but no incid

I've found that IPS events resulting from nmap port scans don't always bubble up to incidents in cs-mars. Oddly enough, the firewall denies usually do though.

Try this:

1) start an "all matching events" query in csmars with the "real time" option checked. Enter your source ip you will be scanning from in the "Source IP" query criteria. Click submit to get it running.

2) Do a TCP port 445 nmap SYN scan of an address space that you know will be routed to the firewall and denied. No ping, and make sure the destination is a /24 at least. (nmap -sS -P0 -p445 x.x.x.x/24)

3) You should see the events start popping up in your query in CSMARS. If you don't, that gives you somewhere to start troubleshooting.

4) If you see the events, and they are properly mapped, you should also see some incidents. If you don't, seems like your rules aren't working quite right.

You could also try tcp port 25. That should fire a different rule than port 445.

I *think* the rule that should fire for the port 445 scan is:

System Rule: Network Activity: Excessive Denies - Host Compromise Likely

The port 25 scan should fire the rule above and:

System Rule: Client Exploit - Mass Mailing Worm

105
Views
0
Helpful
1
Replies
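The reply's troubleshooting steps hinge on one distinction that is easy to miss when a SIEM shows thousands of events and zero incidents: events only become incidents after they are parsed, mapped to a known event type, and then matched by a correlation rule. The script below is an added illustration of that pipeline, not CS-MARS code; the log format, the device-to-type mapping, the threshold and window, and the rule name `excessive_denies_from_single_source` are all constructed stand-ins for whatever the real "Excessive Denies" system rule does internally. It shows why a firewall deny burst fires, why three denies do not, and why an event from an unmapped sensor is counted as received but never reaches the rule at all.

```python
"""Toy event-to-incident correlation (added example, not CS-MARS code).

Models the gap the thread describes: a SIEM receives many events but opens an
incident only when normalized events satisfy a correlation rule. Log format,
device mapping, thresholds and rule names are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed line format: "<epoch> <device> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<dev>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed device inventory; a device missing here is "not mapped", so its
# events are received but never normalized (the failure mode in the thread).
DEVICE_TYPES = {"fw1": "firewall", "fw2": "firewall"}


@dataclass
class Event:
    ts: int
    src: str
    dst: str
    dport: int
    kind: str  # normalized event type, e.g. "Deny" or "Permit"


def normalize(line):
    """Parse one raw line into a normalized Event, or None if it cannot be mapped."""
    m = LINE_RE.match(line)
    if not m:
        return None  # received, but unparseable
    if m["dev"] not in DEVICE_TYPES:
        return None  # parsed, but reporting device is not mapped to a type
    kind = "Deny" if m["action"] == "DENY" else "Permit"
    return Event(int(m["ts"]), m["src"], m["dst"], int(m["dport"]), kind)


def correlate(lines, window=60, threshold=20):
    """Assumed rule: one source denied to >= `threshold` distinct hosts within `window` seconds.

    Returns (incidents, stats). stats separates received / normalized / incidents
    so a reader can see at which stage events are being lost.
    """
    stats = {"received": 0, "normalized": 0, "incidents": 0}
    recent = defaultdict(deque)  # src -> deque of (ts, dst) for denies in the window
    fired = set()
    incidents = []
    for line in lines:
        stats["received"] += 1
        ev = normalize(line)
        if ev is None:
            continue
        stats["normalized"] += 1
        if ev.kind != "Deny":
            continue
        q = recent[ev.src]
        q.append((ev.ts, ev.dst))
        while q and ev.ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        unique_dsts = {d for _, d in q}
        if len(unique_dsts) >= threshold and ev.src not in fired:
            fired.add(ev.src)  # one incident per source, not one per event
            incidents.append({
                "rule": "excessive_denies_from_single_source",  # assumed name
                "src": ev.src, "unique_dsts": len(unique_dsts),
                "first_ts": q[0][0], "last_ts": ev.ts,
            })
            stats["incidents"] += 1
    return incidents, stats


def build_sample_logs():
    """Constructed sample input: a scanning-style source, a quiet source,
    one event from an unmapped IPS sensor, and one malformed line."""
    lines = [f"{1000 + i} fw1 DENY tcp 10.1.1.5:{40000 + i} -> 192.168.50.{i + 1}:445"
             for i in range(25)]
    lines += [f"{1100 + i} fw2 DENY tcp 10.1.1.9:50000 -> 192.168.50.{i + 1}:25"
              for i in range(3)]
    lines.append("1200 ips1 ALERT tcp 10.1.1.5:40100 -> 192.168.50.30:445")  # ips1 unmapped
    lines.append("garbage line that no parser accepts")
    return lines


if __name__ == "__main__":
    found, counters = correlate(build_sample_logs())
    print(counters)  # shows where events drop out of the pipeline
    for inc in found:
        print(inc)
```

Reading the counters is the point: if `received` climbs while `normalized` stays flat, the fix is parsing or device mapping; if `normalized` climbs but `incidents` stays at zero, the rule logic or its threshold is what needs attention. That is the same split the reply makes between "events start popping up in your query" and "you should also see some incidents".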