CS-Mars Events/Incidents History

Hello all,
I have a running CS-MARS that is configured for a daily backup using the NFS protocol.
On the backup server, a new folder named by the day's date is created daily, with some sub-folders inside it (cf, es, in, rr, st).
1. My question is: in the backup folder, does the folder for October 22 (for example) contain ONLY the logs/events/incidents of October 22, or does it include all previous logs from the day MARS was installed? I ask because I am noticing that the sizes of the folders created daily are close to each other.
2. I want to know the size of the current MARS database containing events/incidents, to identify how much this database is increasing daily, and to know how many old events/incidents CS-MARS can keep. Can CS-MARS retain events/incidents for a year back? More? Less? Sure, it is based on the log size, but approximately how much?
3. In addition, I know that once the MARS database is full, it will automatically delete old events/incidents. My question is: can I go back to the archive and restore something (maybe a folder, maybe something else) in order to read the old data deleted from the current CS-MARS database, without affecting any current config or the normal work of MARS? And when restoring, will it restore other things, or will it restore based on certain criteria such as a query or rule?
And most important: if I want to have a second copy of the archived data containing my CS-MARS logs, is it enough to take a copy of the last folder created (for example October 22), or do I have to copy all the daily folders created in the Archive folder?
4. Finally, I would like to know whether I can configure CS-MARS to send an e-mail notification to a specified recipient when a High Risk incident/event fires on CS-MARS, from whatever reporting device the event was collected.
Best regards,

Thank you Matthew for your reply.
What I could conclude from the file is that for CS-MARS there is something called "System Log Message EPS", which I guess is a constant value related to the MARS model specification, and there is the SDEE EPS that can be calculated through IME statistics. I am not sure if by IME statistics they mean the connection of CS-MARS with a syslog server or something else.
I also found that the IPS/IDS Event Size is 500 bytes/event.
But I am not able to find out the current size of the CS-MARS hard disk, or the current size of the CS-MARS DB.
My CS-MARS type is CS-MARS-25.
I may have noticed that this type has no RAID, but could it be without a hard drive?
The show health info indicates a memory size of 2GB, which I think is the RAM size.
Note: it is mentioned that CS-MARS will store up to 1.5MB including any captured packets (ref. cs_mars_sizing_estimate file, page 7/8). What could that mean?
About creating a rule with certain criteria and adding a recipient address: while trying to add a rule I faced a
System error
Please contact technical support.
Could it be a memory leak, or anything else related to available memory space? It took a long time, around 15 minutes, to generate this issue, and when connecting on the console via SSH2 I am also facing some slowness.

Similar Messages

  • How to convert Cisco IPS signatures to a MARS events - no keyword search

    I am trying to run a scheduled report looking for the new Microsoft exploit under the IPS S411 release, SIGID 19339.0 and I am trying to form the query looking for the event this falls under without using a keyword search on the SIGID. Does anyone know how to correlate an IPS signature to a MARS event?
    Thanks,
    Mike

    With the help of on-box local event correlation technology you can correlate. On-box local event correlation technology not only enables detection, but actually blocks multi-event attacks and malware in real time, complementing security incident management software such as the Cisco Security Monitoring, Analysis, and Reporting System (Cisco Security MARS), which correlates events across multiple devices.
    It integrates with the Cisco Security Manager to correlate security events with the configured firewall rules and intrusion prevention system (IPS) signatures that can affect the security event.

  • CS-MARS Event ID

    Hi,
    Is there a place for me to check/follow up on the CS-MARS event ID, so that I would be able to verify what is happening?

    I think, for example, to check Windows events you can go to Management -> Event Management, then change the drop-down to
    Microsoft Windows X (choose your version). This will filter to the events that the Windows events are parsed into. The Microsoft event number is actually given there, so you can take that number and thus retrieve the CS-MARS event that it gets normalized to. The following link may help you:
    http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a0080546c0a.html

  • List of MARS events

    Hello,
    I am new to Cisco MARS because we are about to deploy this device. I would like to know if there is a list of events (event examples) generated by MARS.
    Thanks
    M.

    I assume you're actually talking about incidents, which are the result of an inspection rules match. Below are links for the inspection rules.
    for 5.3.x:
    http://cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/local_controller/appmars.html
    for 4.3.x:
    http://cisco.com/en/US/docs/security/security_management/cs-mars/4.3/user/guide/local_controller/appmars.html

  • CS MARS dashboard incidence and incidents graph summary not tally

    Hi All,
    Any idea whether the 1 day Incidents must tally with the Incidents graph?
    Hope someone can help, and thanks in advance.
    Thanks

    Drop rules allow false positive tuning on a MARS, and are defined only on the Local Controller Drop Rules page. They allow you to refine the inspected event stream by specifying events and streams to be ignored and whether those data should be stored in the database or discarded entirely. Drop rules are applied to events as they come in from a reporting device, after they have been parsed and before they have been sessionized. Events that match active drop rules are not used to construct incidents. Because the Global Controller does not receive events from reporting devices, rather it receives them from Local Controllers, you cannot define drop rules for the Global Controller.
    To display incidents that occur from the firing of rules in a specific rule group:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html#wp533079

  • MARS - events per second

    How can I tell how many events per second our MARS 100 is receiving?

    You can go into Admin->System Maintenance->View log files. Change the level to "info" and look for pnparser entries that look like this:
    Thread 4101:PN-2016:message rate: 1416.305176 msgs/sec, total: 11200000 msgs, total avg rate: 723.042933 msgs/sec
    Now, the last time I worked with Cisco TAC on a performance-related issue, I was told these numbers weren't quite right (they were low), but they didn't tell me why. That was a long time ago though. We process over 90 million events/day on this MARS. That averages to over 1000 events/sec. At 7:30am on a weekday (even on a Friday morning before a holiday weekend), I would expect numbers HIGHER than the average, not lower. So, I don't know what to think.
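    As an added example (not code from this thread or from Cisco), the script below parses the pnparser "message rate" lines described in the answer above and turns the measured EPS into a daily storage estimate using the 500 bytes/event figure quoted earlier in the thread. The sample log lines are constructed, and the 500 GB database capacity used at the end is a hypothetical value, since the thread does not state the real DB size.

```python
import re

# Matches the pnparser rate line quoted in the post, e.g.
# "Thread 4101:PN-2016:message rate: 1416.305176 msgs/sec, total: 11200000 msgs, total avg rate: 723.042933 msgs/sec"
RATE_RE = re.compile(
    r"message rate:\s*(?P<rate>[\d.]+)\s*msgs/sec,\s*"
    r"total:\s*(?P<total>\d+)\s*msgs,\s*"
    r"total avg rate:\s*(?P<avg>[\d.]+)\s*msgs/sec"
)

def parse_rate_line(line):
    """Return (current_eps, total_msgs, avg_eps) for a pnparser rate line, else None."""
    m = RATE_RE.search(line)
    if not m:
        return None
    return float(m.group("rate")), int(m.group("total")), float(m.group("avg"))

def summarize_rates(lines):
    """Peak instantaneous EPS and the last reported running average across a log excerpt."""
    peak, avg = 0.0, None
    for line in lines:
        parsed = parse_rate_line(line)
        if parsed is None:
            continue  # other pnparser messages are skipped
        rate, _, avg = parsed
        peak = max(peak, rate)
    return {"peak_eps": peak, "avg_eps": avg}

def eps_from_daily(events_per_day):
    """Convert a per-day event count (e.g. the 90 million quoted above) to events per second."""
    return events_per_day / 86400.0

def daily_growth_bytes(eps, bytes_per_event=500):
    """Raw event storage added per day at a sustained EPS (500 bytes/event per the sizing guide quoted)."""
    return int(eps * 86400 * bytes_per_event)

def retention_days(db_capacity_bytes, eps, bytes_per_event=500):
    """Rough number of days the event store lasts before the oldest data is purged."""
    growth = daily_growth_bytes(eps, bytes_per_event)
    return db_capacity_bytes / growth if growth else float("inf")

# Constructed sample: the line quoted in the post plus two made-up earlier entries.
SAMPLE_LOG = [
    "Thread 4101:PN-2016:message rate: 980.250000 msgs/sec, total: 11100000 msgs, total avg rate: 722.900000 msgs/sec",
    "Thread 4101:PN-2016:parser heartbeat ok",
    "Thread 4101:PN-2016:message rate: 1416.305176 msgs/sec, total: 11200000 msgs, total avg rate: 723.042933 msgs/sec",
]

if __name__ == "__main__":
    s = summarize_rates(SAMPLE_LOG)
    print("peak EPS %.1f, running average EPS %.1f" % (s["peak_eps"], s["avg_eps"]))
    print("90M events/day corresponds to %.1f EPS" % eps_from_daily(90_000_000))
    print("at the average rate, ~%.1f GB of raw events per day" % (daily_growth_bytes(s["avg_eps"]) / 1e9))
    # Hypothetical 500 GB capacity, for illustration only.
    print("a 500 GB event store would hold ~%.0f days" % retention_days(500e9, s["avg_eps"]))
```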

  • SSM MODULES and Mars events and local?

    Is it possible to set up an AIP-SSM module to log event alerts to its local cache as well as to the MARS appliance? I ask because I ran some tests for alerts and never see them on the IPS module itself, but I do see them on the MARS appliance correctly! I don't know what setting would need to be changed to make sure that the event alerts are logged on the local IPS itself. Or is this even possible?
    Does anyone know how to make it log locally and to the MARS appliance?
    Thanks,

    Make sure Bypass mode is not enabled on the IPS module. Another workaround for this issue is to reload the Advanced Inspection and Prevention Security Services Module (AIP-SSM) IPS module with the hw-module module 1 reload command, and tune any noisy signatures in order to lighten the sensor load.

  • IPhoto update to 9.4.1 and lost all albums and photo event history

    I made the suggested updates on the 8th Oct. 2012 and then today, first opening after the upgrade and much to my surprise, all my photo albums and event/import history are gone. Please tell me this is recoverable.

    If you're truly opening your main library after following leonieDF's suggestion, do the following: make a temporary backup copy of your library if you don't already have one (Control-click on the library and select Duplicate from the contextual menu) and apply the two fixes below in order as needed:
    Fix #1
    Launch iPhoto with the Command+Option keys held down and rebuild the library.
    Since only one option can be run at a time start with Option #1, followed by #3 and then #4 as needed.
    Fix #2
    Using iPhoto Library Manager to Rebuild Your iPhoto Library
    Download iPhoto Library Manager and launch.
    Click on the Add Library button, navigate to your Home/Pictures folder and select your iPhoto Library folder.
    Now that the library is listed in the left hand pane of iPLM, click on your library and go to the File ➙ Rebuild Library menu option
    In the next window name the new library and select the location you want it to be placed.
    Click on the Create button.
    Note: This creates a new library based on the LIbraryData.xml file in the library and will recover Events, Albums, keywords, titles and comments but not books, calendars or slideshows. The original library will be left untouched for further attempts at fixing the problem or in case the rebuilt library is not satisfactory.
    OT

  • CS-MARS, data archiving issue.

    Hello at all.
    I'm using CS-MARS-20.
    Reimaged, restored and upgraded to software version 6.1.8, I'm not able to start data archiving successfully.
    I have configured data archiving using a remote SFTP server, click Apply, Start and Activate: data archiving status is running, service is enabled and remote server is available.
    But MARS doesn't archive anything!
    Using another SFTP client with the same account used by the appliance, I can create folders and files and remove them.
    Any ideas?
    Thanks.
    Regards.
    Andrea

    Now we are moving to a NFS solution.
    Data archiving status is running, archiving service is enabled and remote server is available but events, incidents and configuration are not exported.
    I can use CLI (pnexp command) to export configuration successfully.
    Any ideas?
    Why data archiving doesn't work?
    Thanks.
    Andrea

  • Cisco MARS Syslog messages

    Hi,
    I've recently noticed that ALL the syslog messages that are sent to our Cisco MARS device are then being sent to our syslog server. Besides the messages from our MARS device, the syslog server also gets the original syslog messages from our ASA and PIX firewalls (which, of course, also send to our MARS device). I would like to have MARS send syslog messages to the syslog server that pertain only to changes/events happening directly to the MARS device. Can anyone help me with this?
    Thanks in advance!

    Kerry;
      To have CS-MARS specific incidents forwarded to your syslog server, you will most likely want to add an action to generate a syslog for the CS-MARS-specific inspection rules. These rules can be found by navigating to:
    RULES>Inspection Rules
    from the Group: drop-down choose "System: CS-MARS Issues"
      You can then edit the Action: section for the specific rules (one at a time) to add a syslog action. Specifics are outlined here:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/alerts.html
    Scott

  • Inactive CS-MARS reporting device (again)

    I created a drop rule, dest and src IPs are "ANY", and the hostnames as seen in MARS. I chose "drop" as the action, not "log to db only". The event is "Inactive CS-MARS reporting device", device is "ANY", severity is "ANY", time range is "ANY". I clicked apply, submit and activate.
    How come on my Summary | dashboard screen I still see these incidents? I was hoping this would stop. Is this expected behavior, or have I done something incorrectly?
    Thanks,
    Bob

    I've solved that problem by including "ANY" and "0.0.0.0" in the source address. CS-MARS doesn't understand that ANY must include 0.0.0.0.
    Concerning the dashboard, you'll see the events for a time, and previous incidents will be saved in the incident list. Once you add "0.0.0.0" in the source address, you won't see any inactive CS-MARS event. The most important issue with filtering that event is that it is a very high amount of events, and all reports must be created using "!=Inactive CS-MARS reporting device".
    As I told you, from now on you won't see that event any more.
    Good luck!!
    ps: Please, rate the post.

  • EEM problem with "event timer absolute time"

    Hi
    I wanted to execute an EEM script at a certain time, 2015-05-04 03:00:00 GMT+2:00. So I used the "event timer absolute time" command.
    But the switch executed the script immediately. Is there something wrong with the script? Is there another way to execute a few commands at a certain time like this?
    Script:
    event manager applet CHANGE_TO_RAPID-PVST_v2
    event timer absolute time 1430701200
    action 1.0 cli command "enable"
    action 1.1 cli command "config t"
    action 2.0 cli command "spanning-tree mode rapid-pvst"
    action 2.1 cli command "end"
    action 3.0 syslog msg "Changed to Rapid-PVST by EEM script CHANGE_TO_RAPID-PVST_v2"
    Switch: WS-C3560X-24T-S
    IOS: 15.0(2)SE4
    EEM version 3.2
    #show event manager history events
    No. Job Id Proc Status Time of Event Event Type Name
    2 2 Actv success Thu Apr30 09:25:02 2015 timer absolute applet: CHANGE_TO_RAPID-PVST_v2
    I used this link to calculate the timer value: http://www.epochconverter.com/

    I honestly have never seen anyone use this timer. You'd be better off using cron and removing the applet when it's done.
    That said, this does look like a bug. Given the little use we've seen of this timer, it's likely a new one. I recommend opening a TAC case so it can be tracked.

  • Event: NULL TCP PACKET

    Hello all,
    We are incrementally receiving a lot of MARS events that come from Cisco IDS. All those events are "NULL TCP PACKET", and the destination is always the same, an SMTP IronPort machine through port 25, from different public IPs.
    Does anybody have a similar scenario? What can we do?
    Thanks

    Hi,
    The signature version is 364 and the IPS version is 6.1(1)E2.
    It is supposed to be a single TCP packet with none of the SYN, ACK, FIN or RST flags.
    It comes from different public IPs that belong to different ISPs.
    Regards
    Izaskun

  • MARS and windows log timestamps

    MARS 4.3.3 (2636) pulling logs off a windows 2003 server at 1 hour intervals. The MARS events seem to get timestamped in "clumps" at about 2-hour intervals e.g. 3000 events all timestamped within about a minute of 2:00, then nothing for a couple hours, then another 3 or 4000 events all timestamped within a minute or 2 of 4:00, etc. etc.
    The logs on the Windows box are all spread out across these "dead intervals" as expected, so it appears MARS is pulling the log and screwing up all the timestamps on the individual events as it parses them.
    Any help appreciated. Thanks.
    -randy

    The reply from Cisco indicates that the log pull should be parsing the Windows event timestamp info and applying it to MARS events as they're generated.
    I replied that this isn't the observed behavior here.
    The only other scenario (suggested) is that the MARS box is busy (from other work, Windows pulls, etc.) and possibly has intermittent problems logging into this Windows box at certain intervals, somehow screwing up the events on MARS. But I don't see any 'winpull' type errors in the backend log at all. Another suggestion is related to the time sync on the boxes; apparently if they're off then log data can get fubar'd. But none of this seems to apply here or correlate (pardon the pun) with what's going on. Still confused.
    Anyway, I'm going to try to migrate to the push agent ASAP. Meanwhile any other hints or suggestions are appreciated; I will see if TAC comes back with anything more.

  • How to use event parameters?

    Hi
    I've made a simple EEM applet to shut down the port which triggered a storm-control event.
    It looks like this:
    event manager applet shut-storm
      event storm-control
      action 1.0 cli local python bootflash:shut-storm.py
    and the script is
    from cisco import CLI
    from cisco import cli
    import sys
    import datetime
    import time
    import re
    whitelist = [
    "Ethernet1/1",
    "Ethernet1/2"]
    shlog = CLI('sh logg last 100 | i ETHPORT-5-STORM_CONTROL_ABOVE_THRESHOLD | last 3',False).get_output()
    pat = re.compile(r'(\d{4} \w{3} \d{2} \d\d:\d\d:\d\d) \S+ \%ETHPORT-5-STORM_CONTROL_ABOVE_THRESHOLD: Traffic in port (Eth\S+|[Pp]o\S+)')
    now = datetime.datetime.now()
    delta = datetime.timedelta(seconds=180)
    for l in shlog:
      mobj = pat.match(l)
      if mobj:
        port       = mobj.group(2)
        logTimeStr = mobj.group(1)
        logTimeObj = time.strptime(logTimeStr, "%Y %b %d %H:%M:%S")
        logTime    = datetime.datetime(*logTimeObj[:6])
        if now-logTime < delta:
          if port not in whitelist:
            cli("conf t")
            cli("interface %s" % port)
            cli("shutdown")
    But the Python script is a bit complex because it should find the triggered interface in the log.
    Is it possible to use event parameters? And how?
    I know that they are:
    sw1# sh event manager history events det
    Event ID Time of Event        Event Type                   Slot       Policies
    32       09/30/2013 15:40:51  storm_control                active(1)  shut-storm
        interface = "Ethernet1/16", cause = "storm-control"

    Thank you Joseph.
    It works.
    Now the applet looks like:
    event manager applet shut-storm2
      event storm-control
      action 1.0 cli local python bootflash:shut-storm2.py $interface
    And the script:
    from cisco import cli
    from syslog import syslog
    import sys
    whitelist = [
    "Ethernet1/1",
    "Ethernet1/2"]
    port = sys.argv[1]
    if port not in whitelist:
      cli("conf t")
      cli("interface %s" % port)
      cli("shutdown")
      syslog(2, "Interface %s was shutdown due to storm conditions" % port)
