11-14-2008 09:52 AM
I'm getting a lot of these when attempting to view websites that users have visited. Is there a reason for this? I've read in the MARS documentation that in order to get the full URL you have to subscribe to Websense or SmartFilter. Is this true? What about the CSC-SSM?
11-14-2008 11:50 PM
This has nothing to do with websense etc. MARS just tries to do a reverse lookup for that IP address. If a PTR entry exists for that IP address, MARS goes on and displays the hostname. If MARS fails to give you a hostname, just run a whois query to give you some idea about the location of the attacker (assuming it's a public IP):
http://geektools.com/whois.php
Regards
Farrukh
11-15-2008 07:09 AM
While I have no issues with running a whois, asking non-technical management staff to do the same is ridiculous.
As it stands now, any reports that I can create for management staff are virtually useless because they cannot tell the full URL of websites that users are visiting. Most of them say hostname could not be found.
I'm just wondering if there's something I'm doing wrong in the setup of MARS?
11-15-2008 07:16 PM
If it's resolving for 'some' and not for 'others' then it means MARS is most probably set up correctly. You can't blame Cisco if some websites don't have reverse lookup entries (this is done by many websites like warez, torrentz, rapidshare-type file storage servers) to increase their 'covert' operation.
You can double check this by putting that same IP address in nslookup. You can also do a 'ping -a
You can go for a full-blown URL filtering solution if this is a business need...after all does MARS ever claim to provide reports for URL filtering?
Regards
Farrukh
11-15-2008 08:25 PM
Isn't the CSC-SSM a full blown URL filtering solution? I'm wondering why it's not providing the URLs of websites.
11-15-2008 09:20 PM
The CSC should provide this information. CSC support was added in 6.x only (MARS). Are you integrating CSC with MARS, or are you running a report built into CSC?
Regards
Farrukh
11-15-2008 09:29 PM
The CSC is integrated into my updated MARS and I'm getting reporting from MARS. The CSC is not reporting full URLs to it although it is reporting other things like spam & virii. Syslogs are set to debug.
11-15-2008 11:27 PM
Well it seems the MARS must be parsing the URLs (if any are sent), check the last figure on the link:
http://safari.oreilly.com/9781587052705/ch11lev1sec7
What is the raw message you are getting? Does it contain the URL?
Maybe the users are entering IP addresses directly? (I do it a lot)
Regards
Farrukh
11-17-2008 09:35 AM
I found this quote on bootstrapping the ASA that seems to contradict what you're saying,
"Full URLs, such as www.cisco.com/foo.html, are included in HTTP session logs and FTP command data is logged only if web filtering (N2H2\SecureComputing or WebSense) is enabled on the reporting device. If web filtering is not enabled, then the HTTP session log does not include the hostname (although the destination host's IP and the Request-URI are included, such as 192.168.1.1:/foo.htm) and FTP command data is not logged at all. Caveats exist with HTTP session logging, such as if the HTTP session request is broken across packets, then the hostname data might not be included in the log data."
While I'm not disputing the MARS ability to do a DNS lookup on IPs that it has, this seems to indicate that I can't get what I want out of the MARS unless I pay for Websense or SmartFilter.
11-17-2008 11:26 AM
I'm sorry but I don't understand which part of my post conflicts with that quote?
Regards
Farrukh
11-17-2008 11:27 AM
The part where you said it had nothing to do with Websense.
11-17-2008 09:51 PM
What I said has nothing to do with the quote you presented. That quote is from the MARS 4.2.x user guide:
http://www.ciscosystems.com/en/US/products/ps6241/products_user_guide_chapter09186a008074ec7d.html
And it is obvious that CSC support was added in MARS 6.x. So there is no chance that this quote pertains to the CSC-SSM module. It talks about the 'regular' integration b/w ASA and websense for url filtering like the following:
I hope it's clear now.
Regards
Farrukh
11-18-2008 11:13 AM
Actually the quote is from the 6.x Device Configuration Guide:
CSC support was indeed added for the 6.x release of MARS, but the CSC-SSM is not doing full on URL filtering. It will report IP addresses of URLs that it's blocked, but not all URLs.
At any rate, you're coming off as agitated in your responses, so I'll look elsewhere for help...Thanks anyway!
11-18-2008 12:46 PM
Nah not agitated at all, sorry if you took it that way (or I appear that way).
The point was, if it's in the 4.2.x guide, that paragraph can't be talking about the CSM module.
It will be there in the 6.x guide also because ASA url filtering still has to be parsed.
If your raw event messages from the CSM are not showing URLs (as you see them in MARS) then you need to focus on fixing the CSM part. If the raw message is showing the URL but MARS is not, you need to play with some parsing yourself (or notify this bug to Cisco).
Regards
Farrukh
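As an added illustration (not code from this thread, from MARS or from Cisco), the script below tells apart the two HTTP session log shapes from the quoted guide (a full URL when web filtering is on, `IP:/Request-URI` when it is off) and, for the IP-only shape, attempts the same PTR lookup MARS does, falling back to the report's "hostname could not be found". The sample log lines and the PTR table are constructed so the demo runs offline; `socket.gethostbyaddr` is the live-DNS path.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Assumed (simplified) field shapes from the quoted guide:
#   web filtering on : www.cisco.com/foo.html
#   web filtering off: 192.168.1.1:/foo.htm   (destination IP + Request-URI, no hostname)
_URL = re.compile(r"^([^/:\s]+):?(/\S*)$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NOT_FOUND = "hostname could not be found"

def reverse_lookup(ip: str) -> Optional[str]:
    """Live PTR lookup, the same thing MARS attempts; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror / socket.gaierror
        return None

def enrich(raw: str, resolver: Callable[[str], Optional[str]] = reverse_lookup) -> Dict[str, Optional[str]]:
    """Classify one logged URL field and fill in the hostname where possible."""
    m = _URL.match(raw)
    if not m:
        return {"ip": None, "uri": None, "host": NOT_FOUND, "source": "unparsed"}
    name, uri = m.groups()
    if _IPV4.match(name):  # IP-only shape: hostname can only come from a PTR record
        host = resolver(name)
        return {"ip": name, "uri": uri, "host": host or NOT_FOUND,
                "source": "ptr" if host else "none"}
    return {"ip": None, "uri": uri, "host": name, "source": "log"}  # hostname was logged

def report(fields: List[str], resolver: Callable[[str], Optional[str]] = reverse_lookup) -> Tuple[List[dict], int, int]:
    """Return enriched rows plus how many of them carry a real hostname."""
    rows = [enrich(f.strip(), resolver) for f in fields if f.strip()]
    resolved = sum(1 for r in rows if r["host"] != NOT_FOUND)
    return rows, resolved, len(rows)

# Constructed sample URL fields and a constructed PTR table (stand-in for live DNS).
SAMPLE_FIELDS = ["www.cisco.com/foo.html", "192.168.1.1:/foo.htm", "203.0.113.7:/dl/file.rar"]
SAMPLE_PTR = {"192.168.1.1": "intranet.example.net"}  # 203.0.113.7 deliberately has no PTR

if __name__ == "__main__":
    rows, ok, total = report(SAMPLE_FIELDS, SAMPLE_PTR.get)
    for r in rows:
        print(f"{r['host']:<30} {r['uri'] or '-':<20} via {r['source']}")
    print(f"{ok}/{total} entries would show a hostname in a management report")
```

Entries tagged `none` are the ones the thread is about: the device logged no hostname and the IP has no PTR record, so only a web filtering feed can supply it.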