Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
700
Views
0
Helpful
2
Replies

CS MARS and CSA

Go to solution
nora.taleb
Level 1
Level 1

‎10-23-2010 11:47 PM

If we have both CS MARS and CSA to monitor network devices, and we have all servers send logs to CSA only and then CSA send logs to CS MARS, is that going to affect the result of vulnerability scanning done by CS MARS on servers as in order for CS MARS to recognise that the incident is system determind false positive. therefore, will adding servers in CSA only not allow CS MARS to directly perform vulnerability scanning on servers or will it do it through CSA?

Thank you

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎10-27-2010 02:30 PM

Hello Nora

This would depend on your requirements. As you know MARS has a built-in Nessus Scanner that does 'dynamic vuln scanning' to know more about the OS/services running on hosts; this helps in reducing false positives. Adding the CSA MC to MARS can give similar information and you may optionally exclude the server subnets (with CSA) from the dynamic vuln. scanning range in MARS.

However there is another aspect to this, lets say you want to monitor all authentication attempts to Apache (and assuming these event types are supported in MARS). This information would come through raw syslogs which could be queried later. If you don't add the Apache server in MARS (as a monitored device), CSA might not send these message to you as it might not have any rules related to these events...I hope you get my point. So in some cases you would need both in others only adding the CSA-MC could suffice.


Regards

Farrukh

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎10-27-2010 02:30 PM

Hello Nora

This would depend on your requirements. As you know MARS has a built-in Nessus Scanner that does 'dynamic vuln scanning' to know more about the OS/services running on hosts; this helps in reducing false positives. Adding the CSA MC to MARS can give similar information and you may optionally exclude the server subnets (with CSA) from the dynamic vuln. scanning range in MARS.

However there is another aspect to this, lets say you want to monitor all authentication attempts to Apache (and assuming these event types are supported in MARS). This information would come through raw syslogs which could be queried later. If you don't add the Apache server in MARS (as a monitored device), CSA might not send these message to you as it might not have any rules related to these events...I hope you get my point. So in some cases you would need both in others only adding the CSA-MC could suffice.


Regards

Farrukh

0 Helpful

Go to solution
nora.taleb
Level 1
Level 1
In response to Farrukh Haroon

‎10-27-2010 09:25 PM

Thank you Farrukh,

So to be in the safe side ill add all hoests to both CSA and CS MARS, but in this case what additions value will i get of ading CSA as a reporting device in CS MARS?

Thank you

Regards,

Nora

0 Helpful
Customers Also Viewed These Support Documents