MARS and Qualys vulnerability scanning integration

What does adding Qualys vulnerability scan data to MARS allow or help MARS to do?
Does it help MARS identify an alert as a false positive in the context of a host which Qualys says isn't vulnerable, OR does it do something else, like simply listing each vulnerability as an incident when the Qualys data is retrieved?

My understanding was that Qualys would inform MARS whether a system was really vulnerable or not, based on its (the Qualys box's) information about the situation.
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgVulAs.html
Erric

Similar Messages

  • Configuring NetFlow and Dynamic Vulnerability Scanning

    Hi All,
    Configuration of NetFlow and Vulnerability Scanning is done. Where and how do I check the NetFlow and Vulnerability scanning?
    Thanks.

    After enabling network scanning, you can view individual scan reports from Device Management > Clean Access > Network Scanner > Reports. The report shown here is the full administrator report (Figure 13-13). The report shown to end users contains only the vulnerability results for the enabled plugins. (Users can access their version of the scan report by clicking the Scan Report link in their Logout page.)
    for more information follow up on this link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/418/cam/m_netsca.html#wp1050604

  • MARS 6.1 and vulnerability scans

    Hey guys,
    I'm looking at getting the MARS 55 k9 6.1 and was wondering about the vulnerability scan tools in MARS.
    1. Are there any?
    2. What are they?
    3. What are the scheduling options?
    If MARS 6.1 doesn't have anything native can it work with something else?
    Thanks,
    Brent

    The following three security suites are supported in MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/compatibility/local_controller/dtlc60x.html#wp75289
    MARS has a built-in Nessus scanner, but it's only meant for internal use (reducing false alarms by having more meaningful information about the attacker/victim, like OS/services etc.). You cannot invoke this scanner yourself.
    Regards
    Farrukh

  • List of Rules vs Severity and Vulnerability Scanning

    G'day Gurus,
    Environment: CS-MARS 6.0.6 (3368)
    I can find the list of rules defined in CS-MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/appMars.html
    Can I generate a report where I can see the list of rules and the severity defined for each rule when it is triggered?
    Also how can I run a vulnerability scan on a host from CS-MARS?
    Cheers,
    Ahmed.

    Hi Aetius,
    Yeah, they're the two methods I'm familiar with in the portal to do something like what you're saying automatically: either do it in the sync from source to MV or apply a workflow in the Portal.
    The general idea with the workflow method would be to have a set called something like "Users With Address" and scope it to only users with the address attribute. Have a transition-in MPR that looks at that set and fires off a workflow when a user enters that set. There are a lot of options when it comes to how to implement the workflow. You can write your own custom workflow/s. There are some good tutorials by Ross Currie around that http://www.fimspecialist.com/fim-portal/custom-workflow-examples/ and there are some that have already been built by Soren Grandfeldt http://fimactivitylibrary.codeplex.com/.
    So if you leave the workflows for a sec, all the associated data about what will be populated if the address is x can be loaded into the portal by creating a custom object type and then adding them all in one by one. You can probably script the part of actually adding the data. Or even the custom object type creation if you want. So then you have a central place where that information is all together.
    With the workflow, when it's triggered, using the workflows that are floating around the internet you should be able to read the attribute off the user, then look up the value in the list of custom objects, and then update the other attributes of the user (City, Post Code, Country) using the lookup value. You kind of chain the custom workflows together and pass data from one to the other.
    You do need to be careful when you do this sort of thing though. The FIM event queue can get pretty clogged up if you have a huge amount of users in the set and it's trying to process all of these users at once. When you're testing it's probably better to apply the MPR to a manual set and add users one or a few at a time and see how it handles it.

  • MARS 4.2 and CSAgent 5.1 Integration

    Two questions regarding CSA 5.1 and MARS 4.2.2:
    1. Anybody have any experiences with the integration of MARS and CSA MC? In particular, what types of CSA events did you find were most useful to have trigger an alert to MARS?
    2. Am I correct that there is currently no way to customize the types of alerts in CSA which can trigger an email message or an SNMP trap to a MARS box? I don't see any way to do this under the Alerts section of the Events pull-down menu.
    Thank you in advance!

    To answer my own first question:
    We have added CSA MC to MARS and have CSA MC forward SNMP events to MARS. MARS then discovered all the devices that were reporting to CSA MC automatically. This is a very cool feature when you have version 4.x of MARS and 5.x of CSA.
    I believe the answer to my second question involves using Event Sets to customize the types of alerts in CSA which can trigger an email message or an SNMP trap to MARS.
    I'll post again after testing it. Though if I am mistaken somebody please set me straight.
    Thanks in advance!

  • CS MARS and CSA

    If we have both CS MARS and CSA to monitor network devices, and we have all servers send logs to CSA only and then CSA send logs to CS MARS, is that going to affect the result of the vulnerability scanning done by CS MARS on servers, which CS MARS needs in order to recognise that an incident is a system-determined false positive? Therefore, will adding servers in CSA only prevent CS MARS from directly performing vulnerability scanning on servers, or will it do it through CSA?
    Thank you

    Hello Nora
    This would depend on your requirements. As you know MARS has a built-in Nessus Scanner that does 'dynamic vuln scanning' to know more about the OS/services running on hosts; this helps in reducing false positives. Adding the CSA MC to MARS can give similar information and you may optionally exclude the server subnets (with CSA) from the dynamic vuln. scanning range in MARS.
    However there is another aspect to this. Let's say you want to monitor all authentication attempts to Apache (and assuming these event types are supported in MARS). This information would come through raw syslogs which could be queried later. If you don't add the Apache server in MARS (as a monitored device), CSA might not send these messages to you as it might not have any rules related to these events... I hope you get my point. So in some cases you would need both; in others, only adding the CSA-MC could suffice.
    Regards
    Farrukh

  • MARS and Check Point Firewall Logging

    Hi,
    I have added my Check Point CMA object to MARS, but am not seeing any log information. My CLM is a separate server (child enforcement module), which is discovered OK when the initial CMA discovery takes place in MARS. I have configured the Log Info settings for the CLM entry in MARS with the SIC details for the Check Point MARS and CLM objects.
    I've created a simple query to gather outbound ftp data (for which there is lots) and I am seeing nothing when running this query in MARS.  The associated CLM log shows plenty of entries.  I am keen to be able to get some historical logging data via MARS, so any help to resolve this issue would be appreciated.
    Many thanks
    Liam

    Liam;
    CS-MARS<>Check Point integration can be very tricky and is very dependent on the versions of software involved. You may be able to find some additional insight into the process by raising the CS-MARS logging level for Check Point and monitoring the output. This is accomplished from the CS-MARS CLI:
    [pnadmin]$ pnlog setlevel cpdebug
    You can then view the messages via the CLI as well:
    [pnadmin]$ pnlog show cpdebug
    If this does not shed any light on the communication between CS-MARS and the Check Point devices, it would be best to open a service request with TAC so that further troubleshooting can be performed.
    Scott

  • MARS and CiscoWorks

    Is there any way to integrate MARS and CiscoWorks? I would like to have the CiscoWorks Common Syslog Collector to forward all syslog messages to MARS. Is this possible? Thanks for any help in advance.

    I don't believe that Ciscoworks does syslog forwarding, but the latest version of MARS supports being 'fed' syslog messages via a true syslog forwarder (e.g. Kiwi Syslog). I think Kiwi is free or otherwise inexpensive (compared to MARS!). Have the devices forward to the Kiwi server, and then forward to LMS and MARS respectively.
    There's not much integration between Ciscoworks LMS and MARS since it was developed as an independent product and then acquired by Cisco a little over a year ago. Based on conversations I've had with the MARS TME and my Cisco reps I think they've heard the message that we want better integration, but they're probably going to focus on security features first, and integration second (and rightly so.) Still, it certainly would be nice to tie into the DCR instead of the kludgy way you add devices to MARS now.

  • How do I fix Oracle Apache Trace and Track vulnerability?

    Hi All,
    After a vulnerability scan of our Oracle 10g (10.1.2.0.2) OID & Portal environments and Oracle 6i (9.0.2.2) Forms & Reports machines, I found a vulnerability with Trace & Track (http://www.kb.cert.org/vuls/id/867593) on these machines. The proposed fix for Apache is as follows:
    Apache HTTP Server
    To disable HTTP TRACE support, set TraceEnable Off.
    Alternatively, use the Apache mod_rewrite module to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy. TRACE requests can be disabled with the following mod_rewrite syntax:
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    However, this did not resolve the vulnerability. I realize that Oracle has modified Apache and so a non-standard approach may be required. Does anyone know of a fix for either version of Oracle (10g or 6i)?
    Thanks in advance!
    Sunil

    You need to put this in the Virtual host tag for it to work.
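    One way to confirm from the outside that the TraceEnable Off or mod_rewrite fix actually took effect, as an added example that is not from the thread: a small Python checker that sends a TRACE request carrying its own marker header and reports whether the server echoes it back. It is exercised against two constructed local stand-ins (one still echoing TRACE, one refusing it the way Apache does after the fix); the handler names, marker header and loopback ports are assumptions for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER = "X-Trace-Probe"  # our own marker; echoed back only if TRACE is live


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still honours TRACE: it echoes
    the request line and headers back as a message/http body."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass


class TraceRefusedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the fixed server: TraceEnable Off answers 405,
    the mod_rewrite [F] rule answers 403; either way nothing is echoed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler_cls):
    """Bind a local test server on an ephemeral port and serve in the background."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def trace_enabled(host, port, path="/"):
    """Return True when the target echoes TRACE (status 200 and our probe header
    present in the body), False for 403/405/501 or any non-echoing reply."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER: "check"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status == 200 and PROBE_HEADER in body
    finally:
        conn.close()


if __name__ == "__main__":
    for name, handler in (("unfixed", TraceEchoHandler), ("fixed", TraceRefusedHandler)):
        srv = start_server(handler)
        print(name, "TRACE enabled:", trace_enabled(*srv.server_address))
        srv.shutdown()
```

    Point trace_enabled() at the real Oracle HTTP Server host and port after applying the fix inside the VirtualHost block; a True result means TRACE is still being echoed.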

  • HT4235 ipod will not sync after mcafee vulnerability scan installs itunes update?

    ipod will not sync after mcafee vulnerability scan installs itunes update?

    When I tried the first time it asked me if I wanted it to stop syncing and to restore. It gave the choices of yes and cancel; I didn't click either because the option box went away and it just stopped restoring on its own. I did the restore again and now it is asking if I want to set up as a new iPod or to restore to Andrea's iPod. Should I set up as new?
    Thank you Espeon for the article

  • Is it recommended to have a vulnerability scan for a Cisco ASA device?

    Dear everyone. 
    I have a doubt on vulnerability scanning for a Cisco ASA device. Currently we have a vulnerability scan for network devices, including the firewall. But after running the vulnerability scan for the Cisco ASA, nothing showed in the scan report.
    Is it recommended to have a vulnerability scan for a Cisco ASA, and will it defeat the purpose of the firewall?

    Do I understand correctly that you are asking whether you can configure the ASA to allow an external user to run a scan against the internal network?
    If so, the answer is generally no. The ASA will, by default, not allow any inbound connections (or attempted connections) that are not explicitly allowed in an inbound access-list (applied to the outside interface). In most cases there would also need to be network address translation (NAT) rules configured.
    If you had a remote access VPN, you could allow the external scanner to log in via that. They would then have the necessary access to scan the internal systems (assuming the VPN granted access to all the internal networks).

  • Repeated ASA 5510 failed vulnerability scan (OpenSSL error)

    We are getting vulnerability scanned by a PCI company and keep getting failures that state "OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG".  I've opened two TAC cases and TAC said that this vulnerability was addressed several versions back (we're currently running version 8.2.2 on our 5510 ASA).  TAC made several small changes to attempt to address this issue but we keep failing with the same message.  Has anyone ever failed their scan with this error and if so, what did you do to address this error?
    Here is the detailed error:
    OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    Ciphersuite Change Issue
    Synopsis :
    The remote host allows resuming SSL sessions.
    Description :
    The version of OpenSSL on the remote host has been shown to allow
    resuming session with a different cipher than was used when the
    session was initiated. This means that an attacker that sees (e.g.
    by sniffing) the start of an SSL connection can manipulate the OpenSSL
    session cache to cause subsequent resumes of that session to use a
    cipher chosen by the attacker.
    See also :
    http://openssl.org/news/secadv_20101202.txt
    Solution :
    Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later.
    Risk factor :
    Medium / CVSS Base Score : 4.3
    (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
    Plugin output :
    Session ID :
    4e4c1b0b13d5e48b5421479419da1c95f8ca01da3f83eed7494f2d254389c9ec
    Initial Cipher : TLS1_CK_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Resumed Cipher : TLS1_CK_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    CVE : CVE-2010-4180
    BID : 45164
    Other references : OSVDB:69565
    Thanks,
    John

    Hi John,
    The Cisco bug ID filed to track this vulnerability is CSCtk61443. You can read the details here:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk61443
    The vulnerability will be fixed in an upcoming release of 8.2.4.8. Please open up a TAC case to request this image for your ASA.
    Hope that helps.
    -Mike

  • Ports (vulnerability scan)

    I ran a vulnerability scan on a 2960 switch and some "ports" (I don't even know if this is the right way to call them) showed being open or that needed to be reviewed. I really need to know what they are and if I need to keep them or need to get rid of them. How do you disable "ports" (I am not talking about the actual ports on the switch ex. gig1/0/1) on a cisco switch? The ports are 4786 tcp, 67 udp, 161 udp, 162 udp, 1975 udp, 2228 udp, and 49688 udp.

    udp/67 is bootp (used by DHCP). The switch listens on that port if it is either a DHCP server itself or is set up to provide the "ip helper" service, which is used to translate local-segment end users' broadcasts into unicast packets that are then forwarded to your DHCP server elsewhere.
    udp 161 and 162 are used by SNMP. Best practice has SNMP restricted to SNMP v3 (with authentication and privacy, i.e. encryption) and an access-list applied to define your permitted SNMP servers.
    The high-numbered ports are usually a sign that the device (or a user session on it) is logged into something remotely, and that's a random port selected from the >1024 range (sometimes known as "ephemeral" ports since they come and go somewhat at random) to use as its source port. As long as the session is open, the device will be "listening" on that port for replies.
    Good link for port number reference.

  • Qualys vulnerability Scanner caused JMS Server to reset connection

    Hi
    Our customer is doing vulnerability scanning for our product. We are using Oracle AS 10.1.2.0.2.
    When customer ran Qualys vulnerability scanner, our application stopped working. While debugging we found that Oracle JMS server closed its connections.
    We got the following error in jms.log under OC4J:
    java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:173)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:183)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:201)
    at java.io.DataInputStream.readInt(DataInputStream.java:443)
    at com.evermind.server.jms.JMSRequestHandler.readCheck(JMSRequestHandler.java:269)
    at com.evermind.server.jms.JMSRequestHandler.protocol(JMSRequestHandler.java:282)
    at com.evermind.server.jms.JMSRequestHandler.run(JMSRequestHandler.java:124)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
    at java.lang.Thread.run(Thread.java:534)
    09/09/08 02:08:16 protocol
    javax.jms.JMSException: [PROTOCOL ERROR] JMSRequestHandler[2:10.129.246.48:33729]: "JMS protocol" error, expected "-559,038,735", got "1,735,489,335".
    at com.evermind.server.jms.JMSUtils.toJMSException(JMSUtils.java:1854)
    at com.evermind.server.jms.JMSRequestHandler.readCheck(JMSRequestHandler.java:272)
    at com.evermind.server.jms.JMSRequestHandler.protocol(JMSRequestHandler.java:282)
    at com.evermind.server.jms.JMSRequestHandler.run(JMSRequestHandler.java:124)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
    This shows that the JMS server is prone to a denial-of-service problem. Does anyone have any idea whether this is a known issue, or how to debug it?

    HI,
    Have a look into SAP Notes – 804124, 807000
    Check whether the JMS drivers are installed or not.
    Thnx
    Chirag Gohil

  • Cm1312nfi mfp on 32bit windows 7 - upgraded with full solution sw and can't scan from printer

    I have had a cm1312nfi mfp since 2009 that works fine, but my HP Solution Centre stopped giving me ink levels.
    I uninstalled the printer software and downloaded the current full solution sw for 32-bit Windows 7 from HP. The printer works but I did not 'get' HP Solution Centre back and so cannot scan from the printer.
    [I did download HP Toolbox so I can see ink levels and can test the scan function, which does work. However it does not have the OCR capability which I had before and also it doesn't allow me to operate the scanner from the printer.]
    Can you help me either get HP solution Centre back and functioning on my computer or else suggest some other solution to my problem?

    Hi,
    The HP Solution Center is software for inkjet printers such as the HP Officejet product line, not for LaserJet printers such as the CM1312.
    You may find the Supplies status within the HP ToolboxFX software by selecting Supplies:
    http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/learnUseDisplay/?sp4ts.oid=35589...
    Hope that helps,
    Shlomi
