MARS Custom Rule creation

jim (Level 1)

I want to be able to create a rule on:

[Info/UncommonTraffic/Chat,]

[Info/UncommonTraffic/Chat/FileTransfer,]

[Info/UncommonTraffic/Chat/Proxy]

...but be able to use the "KEYWORD" field to trap on words like SSN / DOB and other keywords to trigger an email action. I'm guessing this is not how KEYWORD was intended to be used, but it sure looked like it when I set it up. But as you guessed, it's not working.

Can anyone tell me what I'm doing wrong or how I can accomplish this to trap for PHI in our organization.

I included a screenshot that might help explain what page I'm looking at.

http://razors-edge.org/dropbox/screenshot.jpg

Thanks in advance.

Accepted Solution

wiluszm (Level 1)

Jim,

Good question! You made the correct assumption that you are using the "keyword" option incorrectly. A MARS appliance is designed to parse and aggregate messages from reporting devices. In the example of "Info/UncommonTraffic/Chat," the typical reporting devices are firewalls and IDS/IPS solutions. These simply report on the presence of "chat" traffic, not the actual text-based conversation. Unfortunately the MARS appliance is not really designed to operate in the fashion you're thinking. Is it possible? Yes... you'd have to have some application that had the ability to decode chat conversations and forward the messages to MARS. In all honesty that's a lot of work to make the MARS appliance do something it's not designed to do. I hope this helps, and don't forget to check my blog below for examples on how to use "keyword" in a custom rule!

-Mike

http://cs-mars.blogspot.com


Replies


Thanks Mike! And I will check your blog

jim (Level 1)

So what field does the keyword filter off of? I thought it was the RAW data?

Is there any way to filter the raw data on MARS?

The "raw data" refers to the data received in a message from a reporting device. If the data you're looking for wasn't provided by the reporting device, then CSMARS can't search for it. For certain data received from reporting devices (like IPS sensor contextual and packet data), CSMARS still can't do a keyword search through it.

You might be able to use an IPS sensor to detect PHI leakage and fire an alarm, which can then be used by CSMARS to alert or whatever. The intelligent work will be done by the sensor though. CSMARS will just have a single inspection rule that looks for the custom signature id as a keyword.

We use Cisco IPS sensors. I'll have to dig more into setting up traps on those devices.

Thanks for the followup

Do you have any examples of a custom trap on a Cisco IPS 5.0 sensor for instant messenger? I'm trying to trap on words like patient, SSN, DOB... etc.

That's one of those things that's been on my to-do list for ages. I've never got around to it though. I've not done much IM packet analysis, but I imagine each IM client would require its own signature for each data type. False positives are likely to be a big problem in a busy network. I've used stand-alone solutions that use Bayesian techniques for this and even they produced lots of false positives.
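The two-tier design the replies above describe (the sensor decodes the conversation and fires a custom signature; the SIEM's keyword rule can only substring-match the raw alert text it receives), plus the false-positive concern raised in the last reply, as an added example. This is not code from the thread, from Cisco IPS or from CS-MARS: the alert line format, the signature number 60001, the firewall event and the chat messages are all constructed here for illustration, and the SSN/DOB patterns are ordinary regular expressions, not Cisco signature syntax.

```python
"""Two-tier PHI detection for IM traffic: content inspection on the sensor,
keyword correlation on the SIEM.

Added example.  The alert format, signature number, firewall event and chat
messages below are constructed; none of it is Cisco IPS, SDEE or CS-MARS syntax.
"""
import re

CUSTOM_SIG_ID = 60001  # hypothetical custom signature number on the sensor

# Tier 1 (sensor): patterns applied to the decoded IM payload.
# SSN: reject area 000/666/9xx, group 00 and serial 0000 (never issued) to cut
# false positives from ticket or invoice numbers that merely look like SSNs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# DOB: a label followed within 20 non-digit characters by a date.
DOB_RE = re.compile(r"\b(?:dob|date of birth)\b\D{0,20}(\d{1,2}[/-]\d{1,2}[/-]\d{2,4})", re.I)
# Bare keywords alone are too noisy to alert on; they only raise severity.
PHI_WORD_RE = re.compile(r"\b(?:patient|ssn|dob|mrn)\b", re.I)

# Constructed firewall event: it records that chat traffic happened and nothing
# about what was said, so a keyword rule for "SSN" can never match it.
FIREWALL_CHAT_EVENT = ("fw01 chat-policy: permitted AIM session "
                       "10.1.1.20:49152 -> 203.0.113.5:5190 (Info/UncommonTraffic/Chat)")


def inspect_payload(text):
    """Sensor side: list the PHI indicators present in one decoded IM message."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    if DOB_RE.search(text):
        findings.append("dob")
    words = sorted({m.group(0).lower() for m in PHI_WORD_RE.finditer(text)})
    if words:
        findings.append("keyword:" + ",".join(words))
    return findings


def build_alert(src, dst, text):
    """Sensor side: return one alert line (constructed format) if the message
    trips the custom signature, else None.

    Fires only on a structured identifier (SSN or DOB); a keyword on its own does
    not fire but raises severity when it accompanies one.  The payload itself is
    deliberately not copied into the alert, so the PHI is not re-leaked into the SIEM.
    """
    findings = inspect_payload(text)
    if not any(f in ("ssn", "dob") for f in findings):
        return None
    severity = "high" if any(f.startswith("keyword:") for f in findings) else "medium"
    return (f"evIdsAlert sigId={CUSTOM_SIG_ID} sev={severity} "
            f"src={src} dst={dst} indicators={'+'.join(findings)}")


def keyword_rule(raw_messages, keyword):
    """SIEM side: all a keyword rule can do is a case-insensitive substring
    match over the raw text each reporting device sent."""
    needle = keyword.lower()
    return [m for m in raw_messages if needle in m.lower()]


def demo():
    """Run the constructed traffic through both tiers; returns (raw, hits)."""
    chats = [
        ("10.1.1.20", "203.0.113.5", "hey are you coming to lunch?"),
        ("10.1.1.21", "203.0.113.5",
         "patient Smith, DOB 04/12/1975, SSN 123-45-6789, needs the referral"),
        ("10.1.1.22", "203.0.113.5", "ticket 666-12-3456 is the invalid one"),
    ]
    raw = [FIREWALL_CHAT_EVENT]
    for src, dst, text in chats:
        alert = build_alert(src, dst, text)
        if alert:
            raw.append(alert)
    # The rule the thread recommends: key on the custom signature id, not on PHI words.
    hits = keyword_rule(raw, f"sigId={CUSTOM_SIG_ID}")
    return raw, hits


if __name__ == "__main__":
    raw, hits = demo()
    print("raw messages the SIEM sees:")
    for m in raw:
        print("  ", m)
    print("rule hits:", hits)
```

Running it shows the two points the thread makes: a keyword rule for "SSN" over the firewall event alone returns nothing, because that event carries no conversation text, while the SIEM rule keyed on `sigId=60001` catches exactly the message the sensor flagged. The lookaheads in `SSN_RE` and the "structured identifier required" rule in `build_alert` are the cheap false-positive controls; a plain 9-digit number such as a phone number still matches, so in practice you would add per-client decoders and tune on real traffic as the last reply warns.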
