MARS Question

andrew.burns
Level 7

Hi all,

I'm in the process of setting up a MARS device and have a query about the way it interprets rules. Basically everything seems to be set up fine and incidents also seem to be working OK; for example, I'm getting the usual "inactive reporting device" incidents.

However, when I perform some example probes I don't get the response I'm expecting. When I try an IIS Unicode Directory Traversal Vulnerability it catches it fine, but a normal nmap port scan doesn't create an incident (although it's definitely there, as I can drag it up with a query).

So, how do I get MARS to pay more attention to a port scan? I can see the rule, and the rule is active, but there must be something I'm missing here.

This device is crying out for a good book...

thanks,

Andrew.

5 Replies

globalnettech
Level 5

Hello Andrew,

Are you using a system inspection rule or a custom inspection rule? Can you post the parameters of your rule?

Also, make sure that you are using the latest signature update (Admin > System Maintenance > Upgrade page).

Regards,

GNT

mhellman
Level 7

You'll find that the CSMARS rules are a good start, but not complete. There are more than a few IDS/IPS events that don't bubble up to incidents (i.e. don't trigger a rule match).

The default system rules are based on "event type group". For an IPS alarm to trigger a rule, the IPS alarm has to:

1) be mapped properly as a CSMARS event type.

2) the event type must be part of an "event type group" in an existing rule.

I don't believe it is possible to modify the default "event type" <=> "event type group" mappings in CS-MARS. I also don't think it's possible to modify the event column of the default system rules.

So, if you want to trigger on this alarm...you have to create your own rule.

thanks mhellman - I think I follow that ;-)

There are 3 system rules in the category of System: Reconnaissance (Scans: SCADA Modbus, Scans: Stealth and Scans: Targeted) and I mistakenly assumed that my nmap scans should have been picked up by the "Scans: Stealth" rule. However, looking more closely in the reports I found that my scans were being classified as "non-stealth" and hence didn't match any rule.

I created a new rule (called Scans: Non-Stealth) which collects any scans and this rule now gives me the behaviour I wanted (i.e. nmap scans creating incidents).

thanks,

Andrew.
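The matching chain mhellman describes (device alarm to MARS event type, event type to event type group, group to rule), and the reason Andrew's nmap scans slipped past "Scans: Stealth" until he added a rule of his own, as a constructed Python model. This is added illustration, not CS-MARS code; the event type, group and rule names are assumptions, not real MARS identifiers.

```python
# Constructed model of the matching chain described in this thread:
# device alarm -> MARS event type -> event type group -> rule -> incident.
# Event type, group and rule names are illustrative, not MARS identifiers.

# 1) Signature-to-event-type mapping for the reporting device. An alarm
#    with no entry here never reaches any rule (mhellman's point 1).
SIGNATURE_TO_EVENT_TYPE = {
    "nmap-syn-scan": "Scan: TCP Non-Stealth",   # how Andrew's scans were classified
    "nmap-fin-scan": "Scan: TCP Stealth",
    "iis-unicode-traversal": "IIS Unicode Directory Traversal",
}

# 2) Built-in event type groups, treated as read-only as the thread says.
EVENT_TYPE_GROUPS = {
    "Scans: Stealth": {"Scan: TCP Stealth", "Scan: TCP Null"},
    "Web Attacks": {"IIS Unicode Directory Traversal"},
}

def rule_from_groups(name, group_names):
    """A system rule whose event column is one or more event type groups."""
    event_types = set().union(*(EVENT_TYPE_GROUPS[g] for g in group_names))
    return {"name": name, "event_types": event_types}

def unmapped_alarms(alarms):
    """Alarms dropped before rule evaluation because they have no event type."""
    return [sig for sig in alarms if sig not in SIGNATURE_TO_EVENT_TYPE]

def incidents(alarms, rules):
    """Return (rule name, event type) for every alarm some rule matches."""
    fired = []
    for sig in alarms:
        event_type = SIGNATURE_TO_EVENT_TYPE.get(sig)
        if event_type is None:
            continue
        for rule in rules:
            if event_type in rule["event_types"]:
                fired.append((rule["name"], event_type))
    return fired

# 3) The custom rule Andrew added: its event column lists every scan
#    event type, stealth or not, instead of one fixed group.
ALL_SCAN_TYPES = {et for et in SIGNATURE_TO_EVENT_TYPE.values() if et.startswith("Scan:")}
SCANS_NON_STEALTH = {"name": "Scans: Non-Stealth", "event_types": ALL_SCAN_TYPES}

SYSTEM_RULES = [rule_from_groups("Scans: Stealth", ["Scans: Stealth"]),
                rule_from_groups("Web Attack", ["Web Attacks"])]

# Constructed probe sequence: an nmap SYN scan, the IIS traversal probe,
# and an alarm the device sends but MARS has no mapping for.
PROBES = ["nmap-syn-scan", "iis-unicode-traversal", "vendor-custom-sig"]

if __name__ == "__main__":
    print(incidents(PROBES, SYSTEM_RULES))                        # only the IIS probe fires
    print(incidents(PROBES, SYSTEM_RULES + [SCANS_NON_STEALTH]))  # the scan now fires too
    print(unmapped_alarms(PROBES))                                # ['vendor-custom-sig']
```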

pradeeku
Level 1

Andrew

First of all, make sure you have enough interesting devices reporting to CS-MARS.

IDS, FW, Netflow events from the network should be a good subset to work with.

A port scan can be detected and therefore reported by the IDS or FW. If the port scan traffic is traversing a router with Netflow enabled and pointing to CS-MARS, you will get enough data from these devices to fire the relevant rules on CS-MARS.

Thanks

Pradeep

Are there any ref books available on tuning procedures other than the documentation that came with the appliance? Also, are most users creating their own rules and not using the default system rules? Thanks,
