10-23-2010 11:47 PM
If we have both CS MARS and CSA to monitor network devices, and we have all servers send logs to CSA only and then CSA send logs to CS MARS, is that going to affect the result of vulnerability scanning done by CS MARS on servers as in order for CS MARS to recognise that the incident is system determind false positive. therefore, will adding servers in CSA only not allow CS MARS to directly perform vulnerability scanning on servers or will it do it through CSA?
Thank you
Solved! Go to Solution.
10-27-2010 02:30 PM
Hello Nora
This would depend on your requirements. As you know MARS has a built-in Nessus Scanner that does 'dynamic vuln scanning' to know more about the OS/services running on hosts; this helps in reducing false positives. Adding the CSA MC to MARS can give similar information and you may optionally exclude the server subnets (with CSA) from the dynamic vuln. scanning range in MARS.
However there is another aspect to this, lets say you want to monitor all authentication attempts to Apache (and assuming these event types are supported in MARS). This information would come through raw syslogs which could be queried later. If you don't add the Apache server in MARS (as a monitored device), CSA might not send these message to you as it might not have any rules related to these events...I hope you get my point. So in some cases you would need both in others only adding the CSA-MC could suffice.
Regards
Farrukh
10-27-2010 02:30 PM
Hello Nora
This would depend on your requirements. As you know MARS has a built-in Nessus Scanner that does 'dynamic vuln scanning' to know more about the OS/services running on hosts; this helps in reducing false positives. Adding the CSA MC to MARS can give similar information and you may optionally exclude the server subnets (with CSA) from the dynamic vuln. scanning range in MARS.
However there is another aspect to this, lets say you want to monitor all authentication attempts to Apache (and assuming these event types are supported in MARS). This information would come through raw syslogs which could be queried later. If you don't add the Apache server in MARS (as a monitored device), CSA might not send these message to you as it might not have any rules related to these events...I hope you get my point. So in some cases you would need both in others only adding the CSA-MC could suffice.
Regards
Farrukh
10-27-2010 09:25 PM
Thank you Farrukh,
So to be in the safe side ill add all hoests to both CSA and CS MARS, but in this case what additions value will i get of ading CSA as a reporting device in CS MARS?
Thank you
Regards,
Nora
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide