topic MARS Question in Network Security

MARS Question

andrew.burns — Sun, 10 Mar 2019 09:58:23 GMT

Hi all,

I'm in the process of setting up a mars device and have a query about the way it interprets rules. Basically everything seems to be set up fine and incidents seem to also be working ok, for example I'm getting the usual "inactive reporting device" incidents.

However when I peform some example probes I don't get the response I'm expecting - when I try an IIS Unicode Directory Traversal Vulnerability it catches it fine - but a normal nmap port scan doesn't create an incident. (Although it's definitely there as I can drag it up with a query).

So, how do I get mars to pay more attention to a port scan? I can see the rule, and the rule is active but there must be something I'm missing here.

This device is crying out for a good book...

thanks,

Andrew.

Re: MARS Question

globalnettech — Sun, 16 Apr 2006 06:31:36 GMT

Hello Andrew,

are you using a system inspection, or a custom inspection rule ? Can you post the parameters of your rule ?

Also, make sure that you use the latest signature update ( Admin > System Maintenance > Upgrade page).

Regards,

GNT

Re: MARS Question

mhellman — Tue, 18 Apr 2006 15:27:15 GMT

You'll find that the CSMARS rules are a good start, but not complete. There are more than a few IDS/IPS events that don't bubble up to incidents (i.e. don't trigger a rule match).

The default system rules are based on "event type group". For an IPS alarm to trigger a rule, the IPS alarm has to:

1) be mapped properly as a CSMARS event type.

2) the event type must be part of an "event type group" in an existing rule.

I don't believe it is possible to modify the default "event type"<=>"event type group" mappings in csmars. I also don't think it's possible to modify the event column of the default system rules.

So, if you want to trigger on this alarm...you have to create your own rule.

Re: MARS Question

pradeeku — Thu, 20 Apr 2006 01:00:39 GMT

Andrew

First of all, make sure you have enough interesting devices reporting to CS-MARS.

IDS, FW, Netflow events from the network should be a good subset to work with.

Port scan can be detected and therefore reported by the IDS, FW. If the port scan traffic is traversing a Router enabled with Netflow and pointing to CS-MARS, you will get enough data from these devices to fire relavent Rules on CS-MARS.

Thanks

Pradeep

Re: MARS Question

shanehenning — Thu, 27 Apr 2006 12:17:58 GMT

Are there any ref books available on tuning procedures other than the documentation that came with the appliance? Also, are most users creating their own rules and not using the default system rules? Thanks,

Re: MARS Question

andrew.burns — Mon, 15 May 2006 11:22:01 GMT

thanks mhellman - I think I follow that 😉

There are 3 system rules in the category of System: Reconnaissance (Scans: SCADA Modbus, Scans: Stealth and Scans: Targeted) and I mistakenly assumed that my nmap scans should have been picked up by the "Scans: Stealth" rule. However, looking more closely in the reports I found that my scans were being classified as "non-stealth" and hence didn't match any rule.

I created a new rule (called Scans: Non-Stealth) which collects any scans and this rule now gives me the behaviour I wanted (i.e. nmap scans creating incidents).

thanks,

Andrew.