CS-MARS using snmp RW

aescudero
Level 1

I'd like to know how I can implement the feature of shutting down a switch port using an SNMP RW string, and also whether there is another action that MARS can take regarding an attack.


Thank You


Justin Teixeira
Level 1

Hi Andres,

All of the information regarding the mitigation functionality of the MARS can be found in the user guide here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/invest.html#wp800609

Note that a prerequisite for performing mitigation is that you've configured the mitigation device with an SNMP RW string.  This is done on the device information page (Admin -> System Setup -> Security and Monitor Devices, and Edit the particular switch device).  The field labeled "SNMP RO Community" on this page can actually be populated with the RW string for this purpose.

Best Regards,

JT

Incidentally, there is a cosmetic defect opened for the "SNMP RO Community" to change the label to indicate that the field is also used for the RW string.  Documented under ID CSCsd05614.

-JT

Thank you Juteixei, it has been very helpful.

Hi Juteixei,

I have a doubt regarding the mitigation feature on MARS: is it possible to automate the shutdown command?
I'm asking this because the documentation says that you can mitigate the attack only once it has occurred.

Thank you!

That is correct - CS-MARS cannot automatically take mitigative action.  The incident needs to be manually reviewed, and then mitigation action can be taken from that specific incident as available (correct layer-2/layer-3 device access in the incident path).

Scott

I appreciate it.

Thank you Scott!
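
What the SNMP RW string from the first answer authorizes on the wire, as an added example that is not part of the thread or of Cisco's code: it BER-encodes (and never sends) an SNMPv2c SetRequest and shows that the community string sits unencrypted inside the message. Assumptions: the thread does not say which object MARS writes, so the standard IF-MIB `ifAdminStatus` object is used, and the community `EXAMPLE-RW` and ifIndex 3 are constructed placeholders.

```python
# Added example, not from the thread. Builds (never sends) an SNMPv2c SetRequest.
IF_ADMIN_STATUS = (1, 3, 6, 1, 2, 1, 2, 2, 1, 7)  # IF-MIB::ifAdminStatus (assumed target)
ADMIN_DOWN = 2                                     # ifAdminStatus value down(2)

def ber_len(n):
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):
    """INTEGER for non-negative n, with a leading zero byte when the top bit is set."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def set_if_admin_down(community, if_index, request_id=1):
    """Encode SetRequest(ifAdminStatus.<if_index> = down) as an SNMPv2c message."""
    varbind = tlv(0x30, ber_oid(IF_ADMIN_STATUS + (if_index,)) + ber_int(ADMIN_DOWN))
    pdu = tlv(0xA3,  # context tag [3] = SetRequest-PDU
              ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    # version 1 means SNMPv2c; the community is a plain OCTET STRING
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

if __name__ == "__main__":
    msg = set_if_admin_down("EXAMPLE-RW", if_index=3)  # constructed placeholder values
    print(msg.hex())
    print("community readable in packet:", b"EXAMPLE-RW" in msg)
```

Because the string is readable by anything on the path, the switch side normally pairs an RW community with an ACL that admits only the management station.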