CS-MARS Operational Questions

alexander.jason
Level 1

Hello, I have a few questions on the CS-MARS. We just purchased a model 100 and are in the process of setting it up. Currently we have NetFlow from our borders flowing to it, along with some data from Snort sensors. In the future we will be sending data from our core routers and a number of Juniper firewall and IDP devices.

My questions are:

1. The default rules seem to be working and I understand how to build rules from event groups, but what I'm missing is how to add new events. For example, I have a number of custom Snort rules for my environment. How do I add those to MARS?

2. We have a number of people that will be watching over the MARS system. We currently see events coming out but don't see any way to either sign off or mark an incident as read. Currently we're not doing mitigation from the MARS as we learn what it can do. How do we mark incidents as viewed?

3. Drop rules. We've been playing around with false positives. We marked a couple of things as false to see the process. Now we would like to remove those. But what I'm noticing is that there is no way to delete something once it's been created. This applies to cases, drop rules, and a few other things.

Thanks

Jason Alexander

4 Replies

cyee
Level 1

Your Q1 - We had some "custom" rules (not on Snort) and found the best way to deal with them is to make the query for "raw data" and use the tools to parse on the stuff we wanted. Somewhat limited, but it does work.

Q2 - I have no answer.

Q3 - I would like to hear from you if you make progress on this. We have been careful in making rules because they cannot be deleted.

I created a test rule and modified it (sometimes drastically) to suit what I'm testing. This way, I only have one "immortal stray" that I have to deal with.

As far as cases go, I have to set the "all statuses" filter to "assigned" each time. It would be nice if MARS would remember login settings.

Thanks for the response. I've done the queries and found that the data is in fact getting onto the MARS box, and when I take the lines I want and run them through the parser they test OK. So I don't know what's wrong. So I put in a TAC case.

Thanks

Jason

Q1) You can't modify the event column in the default rules, nor can you modify the default event groups. So you're pretty much SOL from that angle. The only way I know would be to create a rule that triggers on keywords in the custom Snort alarm. You might also be able to create a custom parser template for the alarm, but that shouldn't be necessary.

Q2) This is a problem. We decided to deal with this by creating a "reviewer" and an "investigator" role. The reviewer is actually responsible for making sure incidents get the proper priority and nothing gets missed, or worked on twice ;-). IOW, we have to do it manually.

Q3) I've talked to them about this as well. Pretty basic design requirement... don't allow users to easily do things that can't be easily undone. You can mark drop rules as inactive, though, which solves your problem, right? It's more of an annoyance than anything else.
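The keyword-triggered approach from the reply above (and cyee's "query the raw data and parse it" workaround), as an added Python example that is not from this thread and not CS-MARS code: it parses constructed Snort syslog alert lines, keeps only alerts from locally numbered rules (SID 1,000,000 and above, which is Snort's convention for local rules), and matches a chosen keyword in the alert message.

```python
import re
from dataclasses import dataclass

# Layout of a Snort "alert_syslog" line: [GID:SID:REV] message
# [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)
# Snort's convention: SIDs below 1,000,000 belong to distributed rule sets,
# locally written rules start at 1,000,000 (assumed here to mean "custom").
LOCAL_SID_START = 1_000_000

@dataclass
class SnortAlert:
    gid: int
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str
    @property
    def is_local_rule(self) -> bool:
        return self.gid == 1 and self.sid >= LOCAL_SID_START

def parse_alert(line):
    """Return a SnortAlert for a syslog alert line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return SnortAlert(int(m["gid"]), int(m["sid"]), m["msg"], int(m["prio"]),
                      m["proto"], m["src"], m["dst"])

def match_local_alerts(lines, keywords):
    """Keep alerts from local rules whose message contains any keyword
    (case-insensitive); the keyword-triggered rule expressed in code."""
    kws = [k.lower() for k in keywords]
    return [a for a in map(parse_alert, lines)
            if a and a.is_local_rule and any(k in a.msg.lower() for k in kws)]

SAMPLE_LINES = [  # constructed sample input, not real sensor output
    "Jan 12 10:01:03 sensor1 snort[2231]: [1:1000001:2] LOCAL badhost outbound beacon [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.15:51234 -> 198.51.100.7:443",
    "Jan 12 10:01:09 sensor1 snort[2231]: [1:2003:8] SQL Injection attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40211 -> 10.0.0.80:80",
    "Jan 12 10:02:41 sensor1 snort[2231]: [1:1000042:1] LOCAL finance subnet scan [Classification: Attempted Recon] [Priority: 2] {UDP} 10.0.1.4:5353 -> 10.0.2.9:161",
    "Jan 12 10:03:00 sensor1 snort[2231]: Spooler processing completed",
]
if __name__ == "__main__":
    for a in match_local_alerts(SAMPLE_LINES, ["LOCAL"]):
        print(f"sid={a.sid} prio={a.priority} {a.src} -> {a.dst}: {a.msg}")
```

Non-alert syslog lines and alerts from the distributed rule set are dropped, so only the custom rules' alerts reach the keyword check.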

a.kiprawih
Level 7

Hi Jason,

I just met the CS-MARS developer (the lady who developed/designed this box) today at the Cisco Security Summit in Kuala Lumpur.

The answer to your Question 3 is that the feature you're looking for will be available in the next v4.2.1 release, which is scheduled in 2 months' time.

Like you, I am also facing the same issue. Looking forward to trying v4.2.1.

Rgds,

AK