1. I'm quite confused about adding Symantec AV 10.x alerts to CS-MARS. I selected the Symantec server as the computer that sends the SNMP trap, but the trap didn't arrive at MARS. Can someone help me discover what's wrong with it?
2. I also want to add a Linux e-mail server's syslog messages to CS-MARS. Has someone tried it, and what kind of alerts/events appear in MARS?
I attached an Ethereal file that shows the failed communication messages between the Symantec server and MARS. Hopefully it may help.
Concerning SNMP traps, have you configured SNARE on the servers? Anyway, you'll have to be sure SNMP is up and working to get that information from the CS-MARS device. To check that, try an SNMP query of the server from another platform or tool (from a laptop, for example).
Also, you'll have to add the AV server in CS-MARS and configure the SNMP community, and if you want to get information from a Windows server, you'll have to select which method you will use, pull or push.
Check this out and just tell me if I can help you. We've added over 10 Windows domain controllers and there's no problem with them.
1) It sounds like you've configured Symantec to send the traps. Did you also configure the device in CSMARS? Even if you didn't, Symantec will still send SNMP traps to CSMARS if it's configured correctly (they'll show up as unknown events). Use tcpdump on csmars to see if the SNMP traps are getting to CSMARS. Something like:
[pnadmin]$ tcpdump -ieth0 udp and port 162
You'll need to be able to force messages from Symantec.
2) The same kind of [or similar] events you get from any host: failed logins, etc.
3) There are no UDP SNMP traps in that trace. The trace appears to show a failed attempt by CSMARS to collect the Windows event logs from 192.168.0.39. Look at the security event log on that server to determine the cause. Unless you've specifically configured for least privilege, full administrator access is typically required to remotely pull Windows event logs.
I believe the ICMP port unreachables are the result of normal Symantec discovery (do a search on Symantec and UDP port 328293).
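An added example, not code from the thread: once tcpdump shows datagrams on UDP 162, the next thing to confirm is that the trap's version, community and sender match what was configured for the device in CS-MARS, since a mismatch is why a trap lands as an unknown event or is dropped. The decoder below reads the raw UDP payload of an SNMPv1 trap (exportable from the Ethereal capture) with a minimal BER parser; it assumes SNMPv1, and the sample bytes, community "public" and enterprise OID 1.3.6.1.4.1.12345 are constructed placeholders.

```python
# Added example, not from the thread: minimal BER decoder for SNMPv1 traps (RFC 1157).

def _read_tlv(buf, pos):
    """Read one BER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode a BER OBJECT IDENTIFIER into dotted notation."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                    # base-128, high bit set = more bytes follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def decode_v1_trap(payload):
    """Return version, community, enterprise OID and agent of an SNMPv1 trap; ValueError otherwise."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    version = int.from_bytes(ver, "big")
    if version != 0 or tag != 0xA4:        # 0xA4 = Trap-PDU; v2c/v3 traps use other tags
        raise ValueError("not an SNMPv1 Trap-PDU (version %d, tag 0x%02X)" % (version, tag))
    _, oid, pos = _read_tlv(pdu, 0)
    _, addr, _ = _read_tlv(pdu, pos)       # NetworkAddress: 4-byte IPv4
    return {"version": version,
            "community": community.decode("ascii", "replace"),
            "enterprise": _decode_oid(oid),
            "agent": ".".join(str(b) for b in addr)}

def community_matches(payload, configured):
    """True when the trap's community equals the one configured for the device in CS-MARS."""
    return decode_v1_trap(payload)["community"] == configured

# Constructed sample: v1 trap, community "public", enterprise 1.3.6.1.4.1.12345
# (placeholder OID), agent 192.168.0.39, enterpriseSpecific(6)/1, no varbinds.
SAMPLE_TRAP = bytes.fromhex(
    "3027 020100 0406 7075626C6963 A41A 0607 2B060104 01E039"
    "4004 C0A80027 020106 020101 430100 3000")
```

Feed it the UDP payload of each port-162 packet from the capture; a community that differs from the CS-MARS device entry, or a version other than 1, explains a trap that arrives on the wire but never becomes a MARS event.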