Hello, I have a few questions on the CS-MARS. We just purchased a model 100 and are in the process of setting it up. Currently we have NetFlow from our borders flowing to it along with some data from Snort sensors. In the future we will be sending data from our core routers and a number of Juniper firewall and IDP devices.
My questions are:
1. The default rules seem to be working and I understand how to build rules from event groups, but what I'm missing is how to add new events. For example, I have a number of custom Snort rules for my environment. How do I add those to MARS?
2. We have a number of people that will be watching over the MARS system. We currently see events coming out but don't see any way to either sign off or mark an incident as read. Currently we're not doing mitigation from the MARS as we learn what it can do. How do we mark incidents as viewed?
3. Drop rules. We've been playing around with false positives. We marked a couple of things as false to see the process. Now we would like to remove those. But what I'm noticing is that there is no way to delete something once it's been created. This applies to cases, drop rules, and a few other things.
Your Q1 - We had some "custom" rules (not on snort) and found the best way to deal with them is to make the query for "raw data" and use the tools to parse on the stuff we wanted. Somewhat limited, but it does work.
Q2 - I have no answer.
Q3 - I would like to hear from you if you make progress on this. We have been careful in making rules because they cannot be deleted.
I created a test rule and I modify it (sometimes drastically) to suit what I'm testing. This way, I only have one "immortal stray" that I have to deal with.
As far as cases, I have to set the "all statuses" (filter) to "assigned" each time. It would be nice if Mars would remember login settings.
Thanks for the response. I've done the queries and found that the data is in fact getting onto the MARS box, and when I take the lines I want and run them through the parser it tests OK. So I don't know what's wrong. So I put in a TAC case.
Q1) You can't modify the event column in the default rules, nor can you modify the default event groups. So you're pretty much SOL from that angle. The only way I know would be to create a rule that triggers on keywords in the custom Snort alarm. You might also be able to create a custom parser template for the alarm, but that shouldn't be necessary.
Q2) This is a problem. We decided to deal with this by creating a "reviewer" and an "investigator" role. The reviewer is actually responsible for making sure incidents get the proper priority and nothing gets missed, or worked on twice ;-). IOW, we have to do it manually.
Q3) I've talked to them about this as well. Pretty basic design requirement... don't allow users to easily do things that can't be easily undone. You can mark drop rules as inactive though, which solves your problem, right? It's more of an annoyance than anything else.