I have a MARS 20 setup, receiving logs from 3 routers. When I ping between the routers I can see in the MARS reports that the ICMP packets are traversing as supposed. But when I run a Port Sweep / SYN attack, the MARS box doesn't see it, and of course does not create an incident.
Keep in mind that the MARS appliance functions by correlating information as received from reporting devices. Assuming you're using a basic IOS IP Cisco router, a port scan is not a logged event on a Cisco router. As mentioned above you need a device capable of detecting port scans and monitoring the router. The easiest solution is to run IOS IPS on your routers. This would add intrusion detection logic to your router and will report the events back to MARS. If I take the example of scanning our 3845s at HQ... the port scan is not reported by the 3845 in MARS, but rather our HQ IPS detects the scan and reports it. Rather, the 3845 is the destination of the attack and is reported as such in MARS. Hope this helped and ask if you have any more questions.
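An added example, not part of the original thread and not how MARS implements its rules: a collector can only raise a port-sweep incident from events a reporting device actually sends. The Python below assumes the router has an ACL with the `log` keyword, so it emits `%SEC-6-IPACCESSLOGP` deny messages, and correlates them per source; the sample lines, their timestamp and hostname prefix, the function name `detect_port_sweeps`, and the threshold and window values are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (assumption: ACL 101 denies with "log").
SAMPLE_LOGS = [
    f"2024-01-01T10:00:{i:02d} R1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    f"192.0.2.10(40000) -> 198.51.100.1({port}), 1 packet"
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443])
] + [
    "2024-01-01T10:00:30 R1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "192.0.2.77(51000) -> 198.51.100.1(23), 1 packet",
    "2024-01-01T10:00:31 R1 %SEC-6-IPACCESSLOGDP: list 101 permitted icmp "
    "192.0.2.77 -> 198.51.100.1 (8/0), 1 packet",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) %SEC-6-IPACCESSLOGP: list \S+ denied tcp "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def detect_port_sweeps(lines, min_ports=5, window=timedelta(seconds=60)):
    """Flag a source that is denied on >= min_ports distinct TCP ports of one
    destination within the window (hypothetical thresholds)."""
    events = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ICMP and other messages carry no TCP port to correlate
        ts = datetime.fromisoformat(m["ts"])
        events[(m["src"], m["dst"])].append((ts, int(m["dport"])))
    incidents = []
    for (src, dst), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                incidents.append({"source": src, "destination": dst,
                                  "ports": sorted(ports),
                                  "first_seen": hits[start][0]})
                break  # one incident per source/destination pair
    return incidents

if __name__ == "__main__":
    for incident in detect_port_sweeps(SAMPLE_LOGS):
        print(incident)
```

Without the ACL `log` keyword (or an IPS reporting to the collector), none of these lines exist and the function returns an empty list, which matches the behaviour described in the thread.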