12-21-2008 04:22 PM
Hi all, I've been doing my first implementation for past week and I've come across a few questions that I haven't found the answers to (yet). While scouring the user guides and Google, I figured I might as well ask the forums to expedite my research.
1) I created a new security device, but canceled creation during the process. Now when I try to re-add the device with the same name, it complains that it already exists, however it's not in the device list. Where can I find it?
2) I added my Foundstone device to MARS and configured it to do topology updates. Is there any method for confirming MARS is pulling vulnerability information from Foundstone?
3) When I create a custom rule (keyword specific) to be notified on, a similar built-in rule fires, but mine does not. If I disable the built-in rule, mine will fire and alert me. Does MARS match only the first, or the best rule to fire on?
4) Is it possible to customize the main Dashboard, or only the "My Reports" section.
Thanks in advance for any replies,
TBC
12-22-2008 08:07 AM
Hi Carl,
I can help you some.
1. If a device needs to be deleted it must be done in two places:
1st from the Device List. Admin->Security+ Monitoring Devices
2nd from IP Management. Management->IP Management
4. On the Main Dashboard you can only configure the "My Reports" section. This is a frequently asked question and one Cisco has received many requests about. People usually want to get rid of the pseudo network diagrams at the top of the Dashboard because they can't be configured like CiscoWorks.
Hope this helps.
12-23-2008 05:01 AM
For NO. 2 (Foundstone) have a look at:
Regards
Farrukh
12-23-2008 07:05 AM
Thanks for the replies. I was able to add the device and schedule the topology updates, but short of watching the Foundstone database for incoming requests from MARS, I'm unable to verify that MARS is actually querying and using vulnerability information from Foundstone.
Thanks again
*Edit*
Progressing through this issue. I found that if I go to Management > IP Management > "Device_Name" > Edit > Vulnerability Assessment that I should be able to see the detected OS and services running on the machines. I do not see that information.
Upon review of the logs, I found the following:
pn va VulnerabilityDiscovererFActory PN-1100: Java message: Unsupported device type: Microsoft,Windows,Generic, use Dummy VulnerabilityDiscoverer
pn va foundstone FoundstoneVulnDiscoverer PN-1100: Java message: Exception caught in getting JDBC connection: Db server closed connection.
pn va ThirdPartyVulnDiscoverer PN-1100: Java message: Foundstone: Can not get JDBC connection.
So it appears to be a configuration issue or at least a database communication issue. I will continue to pursue it.
Thanks
12-23-2008 07:11 AM
Another question to tack on to this thread, I hope nobody minds:
5) Our MARS is collecting data from multiple sites on our MPLS cloud, however the topology within MARS is not aware of the connection between each of the sites. The cloud is not managed by us and therefore, we cannot add the necessary devices to mars to link the devices. Is it possible to create a "generic router" device and add manual routes to this device so that we can simulate the cloud routing and complete the topology and attack paths? We tried this with a generic linux machine with multiple interfaces, but MARS did not understand that this device could route traffic. Also, we've tried a few other devices, but MARS always wants to pull routing information via SNMP, which a fake device will not have.
I hope it's clear what I'm trying to accomplish. Please let me know if I can provide more information.
Thanks
12-24-2008 12:03 AM
This is not possible. If you need to see the MPLS endpoints as next-hops you need to run Layer 2 MPLS VPNs. In Layer 3 VPNs the provider is never really going to open SNMP etc. for you. Even if he does, the ISP usually hides the underlying MPLS network from you. If you do a traceroute to a remote location you will find that it shows only a few hops, even tough in reality the traffic traverses many more hops than what is seen in the Traceroute output.
Regards
Farrukh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide