Cisco Cisco Security Monitoring, Analysis and Response System 3.3 Guide D’Information
All contents are Copyright © 1992–2006 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 3 of 8
Q.
Can Cisco Security MARS receive events from devices not officially supported?
A.
Yes. This can be done in two ways:
●
Use the “custom parser” to create a specific parser to allow Cisco Security MARS to understand syslog for devices not officially supported.
●
All the events that Cisco Security MARS is unable to understand are stored in the database as “unknown.” You can run queries on
those events using the keywords option. In this case, “unknown” events are also searched and if the string matches the keyword,
these events will be reported in the result.
For information on defining a custom parser, visit:
http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008074f1e2.html
.
Q.
How do I export a list of all the added devices?
A.
To get the full list of security and monitoring devices, click Admin > Security and Monitoring Devices. Go to the bottom of the page
and select a range that displays all of the devices. Select all the text on the page (Ctrl+A), and copy (Ctrl+Insert) and paste
(Shift+Insert) that selection to a textfile editor for manual cleanup.
Q.
How does Cisco Security MARS collect logs and events?
A.
It can collect events by either pushing or pulling, depending on the specifics of the device itself.
Most of the devices are able to send events or syslog messages, while few of them, such as Cisco Secure Access Control Server (ACS)
or host servers, need to let the Cisco Security MARS obtain the log files directly from the server.
Q.
On which devices can Cisco Security MARS perform mitigation?
A.
Cisco Security MARS generates the mitigation command for Cisco, NetScreen, and CheckPoint devices. Layer 2 mitigation can be
done for any device that has SNMP MIB II support. However, only Cisco devices have been tested.
For Layer 3 devices, the Cisco Security MARS recommends a command and the device that should enforce that command. The user
must copy and paste the command in the command-line interface (CLI) of the recommended device.
Q.
Can specific hosts be flagged as more vulnerable than others (for example, if they do not have the latest patches installed)? If
so, how is this accomplished?
A.
No. Cisco Security MARS is not a vulnerability assessment tool. However, you can use Cisco Security MARS to access the
information collected by the supported vulnerability assessment tools to get information such as the OS, the service pack, patch level,
and other data.
Q.
What is the preferred method of discovering devices: Telnet, Secure Shell (SSH) Protocol, or SNMP?
A.
SNMP is the preferred method for discovering many devices quickly. However, Telnet or SSH must be used with routers with
Network Address Translation (NAT) or access control list (ACL) information.
Q.
How is network topology information used on Cisco Security MARS?
A.
Cisco Security MARS uses network topology in a variety of ways:
●
To identify various events and flows for the same session—Such events may be generated by network devices across NAT
boundaries and hence have different source or destination addresses and ports. Cisco Security MARS uses patent-pending
algorithms that use the knowledge of topology and device-configuration information to correlate these diverse events into one
session. This reduces the amount of event data and creates the full context of an attack.
●
To reduce false positives—By identifying events for the same session and by analyzing the topological path taken by an attack from
the source to the destination, Cisco Security MARS can identify whether an attack actually reached the intended destination or was
dropped by an intermediate device such as a firewall or an intrusion prevention system (IPS).