Mars Rules

Hello Dears,
There are many unwanted incidents being generated in my MARS. How can I customize it to show only the important ones and avoid the unwanted ones?
Thanks,

Thanks Ganesh,
There are plenty of rules in MARS to trigger incidents. If I deactivate those I won't get any incident from that rule, but what are the most typical ones which are always kept active in view of attacks and service unavailability?
I have not worked on MARS; I will be installing it soon and am making things clear before implementation.
Thanks
Hi Thomas,
Check out the link below; hope that helps.
http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044
Ganesh.H

Similar Messages

  • Doubt about the creation of a MARS rule??

    Hello,
    My question is the following: I have a double authentication system (already created) to which a Juniper FW as well as a Cisco ASA 8.0 device are related (Secure Access). This is the process:
    a) From his PC, the user accesses an authentication website. It is on the Juniper FW (that information is verified in a Radiator).
    b) If the identity is correct, the second step would be on the Cisco ASA, in which, to validate, the user has to enter his LDAP user.
    My idea is to register those events (rule) in Cisco MARS in the best/clearest way possible. The devices are already configured to report to MARS, and they are already added.
    Thanks in advance.

    Please clarify what you intend to accomplish with this rule; the post is not clear.
    Regards
    Farrukh

  • MARS - rule scheduling

    Does anyone else think it would be helpful to be able to fire certain rules on a schedule? For example, if I want to be notified about attempts to connect to TCP 22 on a host during the hours of 22:00 - 02:00 but not at any other time of the day, I don't see a way to do that in MARS. I could, of course, use a time-range ACL for most things, but there are limitations. For example, I want to be notified during certain hours when a service stops on a Windows box. I don't see a way to do that. I am curious what others think.
    -mike

    No. Based on the definition of that control it should have no effect, but I'll try it. In the meantime my workaround is to issue pnstop and pnstart from the CLI. The rule changes always take effect immediately. TAC responded back with:
    Hi Mike,
    I'm still trying to recreate this with our developers.
    We had some success and failures.
    We are trying to find the reason for this behavior.
    I will let you know as soon as we find out.
    For the temporary workaround, please create a new report instead of modifying the existing report.
    Thank you for your patience.
    Edward
    I don't think he really gets the problem at all, because if the rule changes are not taking effect it doesn't matter how many times you run a new report on it. It still reports according to how it thinks it is set up.
    -mike

  • Tuning out a specific IP or user ID in MARS 50 v4.3

    I have a vendor that monitors some firewalls remotely, and with that, MARS is always firing the alert "System Rule: Modify Network Config" because of the "Firewall user entered a command other than show" rule. I'd like to tune either their IP or their user ID within MARS so that it does not send an alert when they perform their duties.
    Does anyone know how to do this just for their ID or IP? Thanks, Tony

    The problem with this MARS rule is that it will hardly ever report the source/destination IP fields or the username field. The username field is also always blank (especially with firewalls).
    So your only option is to disable this rule for the WHOLE device itself, i.e. by editing the "System Rule: Modify Network Config" in MARS. Then click on DEVICE (ANY) and select != (Not Equal To) after entering the firewall's reporting IP/hostname. But of course after doing this CS-MARS won't notify you about 'any' future management activity on the device.
    Or, if this vendor has their own dedicated virtual context on the firewall, you can disable syslog ID# 111007 for them as follows:
    no logging message 111007
    Regards
    Farrukh

  • MARS and TippingPoint

    I would like to know if we can customize CS-MARS to receive and understand logs from a TippingPoint IPS.
    I would like to create a drop rule or customized rule that says that anything followed by the event "dropped packet by IPS" is a system-determined false positive, or just drop it to reduce false positives. Is this possible? Please correct me if the idea is not correct: according to the link below, when Cisco IPS and CS-MARS integrate, it identifies all packets dropped by the IPS as false-positive incidents, and I think that will decrease the number of incidents considering the amount of traffic blocked by the TippingPoint IPS?!
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap11.html
    Thank you

    Nora;
      Through the use of the Device Support Framework, CS-MARS can be configured to parse events received from devices that are not natively supported and that send their events via syslog or SNMP trap. You can read more about creating custom devices here:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html
      System-determined false positives cannot be defined by you; CS-MARS makes this decision based on data it has accumulated in regard to a firing incident. You can create a drop rule, which would allow you to configure CS-MARS to not create an incident when certain criteria are met (source IP, destination IP, event, etc.) or to completely ignore the event and not log it to the CS-MARS database. You can read more about CS-MARS rules here:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html
    Scott
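    To show what a Device Support Framework custom parser amounts to (per-event-type patterns whose named groups become normalized MARS fields) and how "blocked by the IPS" events could then be separated out as drop-rule candidates, here is an added Python example written for this page; it is not Cisco DSF code. The `TP:` log layout, the sample lines, the pattern names and the `parse_custom`/`triage` functions are all hypothetical, made up for this example; the real TippingPoint syslog field order comes from the vendor's documentation and must replace them.

```python
"""Sketch of a custom-device parser in the spirit of the MARS Device Support
Framework. Added example, not Cisco code. The "TP:" syslog layout below is
hypothetical (invented for this example); substitute the real IPS format."""
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# One entry per event type. Named groups become the normalized fields that
# inspection and drop rules can match on (source, destination, action, ...).
PARSE_PATTERNS = [
    ("IPS Signature Alert", re.compile(
        r'TP: (?P<severity>\d) ALERT (?P<sig_id>\d+) "(?P<signature>[^"]+)" '
        rf'(?P<src>{IP}):(?P<sport>\d+) -> (?P<dst>{IP}):(?P<dport>\d+) '
        r'(?P<action>Block|Permit)\b')),
    ("IPS Device Status", re.compile(r'TP: STATUS (?P<status>\w+)\b')),
]

# Constructed sample lines in the hypothetical layout (syslog PRI + timestamp
# + host prefix, then the device's own text).
SAMPLE_LINES = [
    '<12>Mar  1 10:00:05 tpips01 TP: 3 ALERT 4012 "HTTP: Directory Traversal" 203.0.113.5:4444 -> 10.0.0.5:80 Block',
    '<12>Mar  1 10:00:09 tpips01 TP: 3 ALERT 4012 "HTTP: Directory Traversal" 203.0.113.5:4445 -> 10.0.0.5:80 Block',
    '<12>Mar  1 10:00:20 tpips01 TP: 2 ALERT 1187 "SMB: Share Enumeration" 10.0.0.9:1025 -> 10.0.0.5:445 Permit',
    '<14>Mar  1 10:01:00 tpips01 TP: STATUS ok',
    '<14>Mar  1 10:01:05 tpips01 TP: something the patterns do not know about',
]


def parse_custom(line):
    """Return normalized fields for the first pattern that matches, else None.
    A line no pattern matches would stay an unknown event type in MARS, so
    'None' here means 'you still need a pattern for this line'."""
    for event_type, pat in PARSE_PATTERNS:
        m = pat.search(line)
        if m:
            fields = m.groupdict()
            fields["event_type"] = event_type
            fields["raw"] = line
            return fields
    return None


def triage(lines):
    """Split a batch of raw lines into:
      actionable - signature alerts the IPS let through (need a human)
      blocked    - alerts the IPS already dropped (drop-rule candidates)
      other      - parsed non-alert events (status, heartbeats)
      unknown    - lines no pattern matched (parser coverage gap)"""
    out = {"actionable": [], "blocked": [], "other": [], "unknown": []}
    for line in lines:
        ev = parse_custom(line)
        if ev is None:
            out["unknown"].append(line)
        elif ev["event_type"] != "IPS Signature Alert":
            out["other"].append(ev)
        elif ev["action"] == "Block":
            out["blocked"].append(ev)
        else:
            out["actionable"].append(ev)
    return out


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LINES).items():
        print(f"{bucket}: {len(items)}")
```

    The `blocked` bucket is exactly the set you would hand to a drop rule (match on event type plus `action == Block`); the `unknown` bucket is the list of lines the parser still needs a pattern for, which is the part of custom-device work that never ends.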

  • Cisco firewall rate limited syslogs and MARS

    We're getting a ton of informational packets (TCP build/teardown) from the firewalls here. I can kill this at the source (drop to "notification" level, filter out the build/teardown events, etc.) but would rather not throw this stuff away (good clues in an investigation).
    I can filter this on the MARS side so rules don't fire, but that doesn't address the performance hit at the firewall, or the traffic on the network.
    I can rate-limit at the firewall. If I do, will MARS be able to parse this out properly? I.e., if there's a rule that fires on a count of 100, for example, and a firewall that's set to rate-limit a certain event to, say, every 200 instances of the event, and a single syslog shows up at MARS with rate-limited information in the packet, will the MARS rule fire?
    Hope this makes sense - thanks

    What kind of firewall are you running? ASA? FWSM? Something else?
    If you're running an ASA, the ideal solution would be to implement NetFlow Secure Event Logging (NSEL). This feature uses NetFlow v9 to handle security event logging along with traffic flow data. Using NSEL can provide performance improvements over syslog, both on the ASA and on your network.
    Part of the configuration process includes a command to disable the redundant syslog types already handled by NSEL. Many of those are the same types of logs you mentioned (buildups/teardowns, etc.). It's very simple to configure - you can read more about it here, in the ASA 8.2 CLI Configuration Guide:
    Configuring NetFlow Secure Event Logging (NSEL)
    If you're running an FWSM, the same option isn't available. Instead, you might want to reconsider disabling some of the log types that aren't really providing much benefit relative to the load. In fact, Cisco themselves recommend disabling some of the more unimportant (but frequent) log types.
    From the "Cisco SIEM Deployment Guide", one of the "Smart Business Architecture" design guides (emphasis mine):
    At logging level Informational, Cisco recommends disabling the following messages, as they are of little interest for SIEM analysis:
    305010: The address translation slot was deleted
    305011: A TCP, UDP, or ICMP address translation slot was created
    305012: The address translation slot was deleted
    To disable these messages, use the following configuration commands:
    no logging message 305010
    no logging message 305011
    no logging message 305012
    For more aggressive tuning, you may also consider disabling the following messages:
    302014: A TCP connection between two hosts was deleted
    302016: A UDP connection slot between two hosts was deleted
    If dynamic Network Address Translation (NAT) is not configured on the appliance, message 302013 (for TCP connection slot creation) can also be disabled.
    So, that's at least 6 possible log types that can be disabled with no impact: 302013, 302014, 302016, 305010, 305011, and 305012.  And that's straight from Cisco's own documentation.
    Now, to expand on that ...
    - if 302016 (UDP teardown) can be disabled, why not 302015 (UDP create)?
    - similarly, what about 302020 and 302021 (ICMP)? Disable those as well?
    Final list:
    302013
    302014
    302015
    302016
    302020
    302021
    305010
    305011
    305012
    In the end, though, only you can determine which options are acceptable for your environment.
    Note: all 3020xx log types listed are disabled automatically during the NSEL configuration process.

  • MARS Query 'Hit-Count' versus 'Total-Count'

    Hi, I have a question about MARS queries: I run queries using 'custom columns' and I continually hit over 5000 entries. I was wondering if there is a way to show the following:
    Custom Columns:
    - event type set
    - source IP address
    - destination IP address, port, and protocol
    - <NEW FIELD> 'Hit-count'
    The reason I posit the 'Hit-count' field is that this would help me see everything that happened in the first three columns and not limit me when MARS says 'only the first 5000 entries will be displayed'.
    If there is any way to count the number of times it happened in a hit-count field, versus counting the number of times it happened and then limiting the displayed results, I would think that would be tremendously useful.
    Please let me know if there is already a way to do this, or if there are any plans to add this! Thanks!

    Don't know about queries, but you define 'Count' in MARS rules, so you could clone the built-in rule and perhaps modify the count value to suit your needs. I know this is not exactly what you are looking for, but it might get you going in the right direction. You also have the following variables to play with to further suit your needs:
    ANY (default): Signifies that the IP address for each count is any IP address.
    SAME: Signifies that the IP address for each count is the same IP address. This variable is local to its offset.
    DISTINCT: Signifies that the IP address for each count is a unique IP address. This variable is local to its offset.
    $Target01 to $Target20: The same variable in another field or offset signifies that the IP address for each count is the same IP address.
    Have a look at:
    http://ciscosystems.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/5_3/uglc/rules.htm#wp1054961
    Also one strange idea, but it might work: in the "Maximum Number of Rows Returned" field, why don't you try to put 1000? Does MARS accept that? I seriously doubt it would work, but it's worth a try. I think they used to have an even lower limit in older versions (1000).
    Regards
    Farrukh
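    Two of the threads above lend themselves to one concrete script: the firewall syslog thread (which ASA message IDs to silence, and how much of the feed that removes) and this query thread (collapsing sessions into one row per tuple with a hit count). The Python below is an added example written for this page, not Cisco or MARS code: it parses ASA-format syslog lines, reports volume per message ID, estimates the effect of the `no logging message` list quoted above, and builds the hit-count aggregation. The log lines are constructed to follow the documented ASA message formats (they are not real traffic), and the function names `parse_asa`, `volume_by_msg_id`, `suppression_impact` and `hit_count` are this example's own.

```python
"""Volume and tuning helper for ASA syslog feeding CS-MARS.
Added example for this page, not Cisco code. SAMPLE_LOG is constructed."""
import re
from collections import Counter

# IDs the quoted Cisco guidance plus the answer above suggest disabling at
# logging level Informational (the 3020xx ones are also disabled by NSEL setup).
RECOMMENDED_SUPPRESS = {
    "302013", "302014", "302015", "302016", "302020", "302021",
    "305010", "305011", "305012",
}

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
# "iface:ip/port" tokens. Mapped addresses appear in parentheses without an
# "iface:" prefix, so they are skipped and only the real endpoints are kept.
ENDPOINT_RE = re.compile(r"\b\w+:(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
PROTO_RE = re.compile(r"\b(tcp|udp|icmp)\b", re.IGNORECASE)

SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:10.0.0.5/51234 duration 0:00:01 bytes 5120 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51235 (10.0.0.5/51235)
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.10/443 to inside:10.0.0.5/51235 duration 0:00:02 bytes 8192 TCP FINs
%ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/51234 to outside:198.51.100.1/1025
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.0.0.5/51234 to outside:198.51.100.1/1025 duration 0:00:01
%ASA-4-106023: Deny tcp src outside:203.0.113.99/4444 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.99/4445 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.99/4446 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
%ASA-5-111007: Begin configuration: 192.0.2.7 reading from terminal
"""


def parse_asa(line):
    """Return a dict for one ASA syslog line, or None if it is not one.
    The first endpoint in text order is recorded as src, the second as dst."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    endpoints = ENDPOINT_RE.findall(text)          # [(ip, port), ...]
    proto = PROTO_RE.search(text)
    src = endpoints[0] if endpoints else (None, None)
    dst = endpoints[1] if len(endpoints) > 1 else (None, None)
    return {
        "severity": int(m.group("sev")), "msg_id": m.group("id"),
        "proto": proto.group(1).lower() if proto else None,
        "src_ip": src[0], "src_port": src[1],
        "dst_ip": dst[0], "dst_port": dst[1],
        "text": text,
    }


def parse_log(log_text):
    return [ev for ev in (parse_asa(l) for l in log_text.splitlines()) if ev]


def volume_by_msg_id(events):
    """Message ID -> occurrences: the first thing to look at before tuning."""
    return Counter(ev["msg_id"] for ev in events)


def suppression_impact(events, suppress=RECOMMENDED_SUPPRESS):
    """(suppressed, total) line counts if the given IDs were disabled."""
    return sum(1 for ev in events if ev["msg_id"] in suppress), len(events)


def suppression_commands(suppress=RECOMMENDED_SUPPRESS):
    """ASA configuration lines implementing the suppression list."""
    return [f"no logging message {mid}" for mid in sorted(suppress)]


def hit_count(events, fields=("msg_id", "src_ip", "dst_ip", "dst_port", "proto")):
    """Collapse events to one row per distinct field tuple plus a hit count,
    most frequent first. This is the query-side aggregation the thread asks
    for: repeated tuples no longer consume the 5000-row display limit."""
    counts = Counter(tuple(ev[f] for f in fields) for ev in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], [str(x) for x in kv[0]]))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(volume_by_msg_id(evs))
    print("suppressed/total:", suppression_impact(evs))
    for key, n in hit_count(evs):
        print(n, key)
```

    Run it over a few minutes of real syslog before touching the firewall: `volume_by_msg_id` tells you which IDs actually dominate, `suppression_impact` what the recommended list buys you in that environment, and `hit_count` is the aggregation you would want from the query page, with the three port-scan-style denies from one source collapsing into a single row with a count of 3.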

  • Situation in Storage Location Determination

    Hi,
    I have a scenario where I have to determine a different storage location based on the sales document type. On searching the forum here I learnt that I should use a USER EXIT to achieve this.
    I want to know whether I can use situations to handle this scenario.
    I am able to define situations. But where can I assign these situations? In the SO or the delivery document?
    I will be thankful if anybody helps me out with this issue regarding the 'situation'.
    Regards,
    Maheshwaran. I

    Hi
    Storage locations are determined in the delivery document based on the priority rules MALA, RETA or MARE.
    Here the RETA rule is storage location determination based on shipping point + delivering plant + situation.
    The difference between MALA and RETA: the first two factors are the same (shipping point + delivering plant);
    MALA uses storage conditions as the third factor,
    RETA uses situation as the third factor.
    RETA is used in the trading scenario.
    But both of these are used or assigned to delivery types only, via T-code OVLQ.
    So using situation will not help you determine the storage location in the sales doc type.
    Storage location is normally not determined in the sales order;
    it is determined only in the delivery.
    If you want the storage location to be determined for the sales order then you have to use a user exit.
    If the storage location is specified manually in the sales order then it is copied into the delivery;
    otherwise it is determined using either the MALA, RETA or MARE rules which we specify in the delivery doc type.
    For the sales order you have to use a user exit in program MV45AFZZ.
    To determine the storage location in the sales order, there is no configuration available and it has to be achieved using exit USEREXIT_SOURCE_DETERMINATION in program MV45AFZB.
    Maintain a Z table with the values based on which you want the storage location determination to happen. In the exit, ask your ABAPer to write the code to pick up the relevant records based on the criterion and then fetch the storage location. This way the storage location will be automatically populated in the sales order.
    You can try the incompletion procedure option:
    put the storage location field in the sales order item incompletion procedure.
    Regards
    Raja

  • Shipment  and delivery

    SAPpers,
    Could anybody guide me on the above-mentioned topics by telling me what type of questions I will be expecting?
    Thanks

    Delivery:
    Shipping point determination, route determination, picking / storage location determination - MALA / MARE rules, route schedule, effects of PGI, cancelling PGI, what are the business data from the ship-to party?, POD, packaging materials and packing, handling units, etc.
    Shipment:
    I am not very familiar with shipments...
    Thanks
    Anand

  • Query regarding Rules in MARS

    Hello Friends,
    Please let me know what type of event these rules will trigger (REFER ATTACHED DOC SCREENSHOT).
    Specifically I want to know the meaning behind "Count". If I increase the count field to 2 or 3, what will it do?
    Also, the time I configured is 10 minutes. Is it that it will check the condition for a time period of 10 minutes? What is the significance of the time field here?

    Hi Rashid,
    The link below should give the description of each of the fields:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html#wp532081
    The field "Count" refers to the number of times the event in the "Event" field has to fire within the "Time Range" specified for this Rule for the condition to be met. Hope this helps!!
    Regards,
    Prapanch
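    To make the Count / Time Range semantics concrete, here is a small Python model of an inspection rule's counting window, written as an added example for this page rather than taken from MARS. It also models the drop-rule step that runs before inspection, including the "log to database only" action and the match-on-reporting-device workaround from the "Tuning out a specific IP or user ID" thread above, where the username and source fields of the config-change event are blank. The events, device names, rule names and the `apply_drop_rules`/`evaluate_rule` functions are constructed for this example; the ANY/SAME/DISTINCT behaviour follows the variable descriptions quoted in the query thread.

```python
"""Toy model of a CS-MARS inspection rule (Count within Time Range with the
ANY / SAME / DISTINCT source variables) preceded by drop-rule filtering.
Added example for this page; not MARS code. All events are constructed."""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts type src dst device")


def _ev(ts, type_, src, dst, device):
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), type_, src, dst, device)


# Three failed logins from one host inside 10 minutes, a fourth much later,
# two from other hosts, and two config changes (one from the vendor-managed
# firewall whose management activity we want to tune out).
EVENTS = [
    _ev("2009-03-01 10:00:05", "Failed Login", "10.1.1.7", "10.9.9.1", "asa-core"),
    _ev("2009-03-01 10:01:10", "Failed Login", "10.1.1.7", "10.9.9.1", "asa-core"),
    _ev("2009-03-01 10:03:40", "Failed Login", "10.1.1.7", "10.9.9.1", "asa-core"),
    _ev("2009-03-01 10:20:00", "Failed Login", "10.1.1.7", "10.9.9.1", "asa-core"),
    _ev("2009-03-01 10:02:00", "Failed Login", "10.1.1.8", "10.9.9.1", "asa-core"),
    _ev("2009-03-01 10:02:30", "Failed Login", "10.1.1.9", "10.9.9.1", "asa-core"),
    _ev("2009-03-01 10:05:00", "Modify Network Config", None, "10.9.9.1", "asa-vendor"),
    _ev("2009-03-01 10:06:00", "Modify Network Config", None, "10.9.9.1", "asa-core"),
]

# Drop rules run before inspection rules. 'drop' discards the event outright;
# 'log_only' stores it but hides it from inspection. Matching on the
# reporting device is the only handle available when src/user are blank.
DROP_RULES = [
    {"match": {"type": "Modify Network Config", "device": "asa-vendor"}, "action": "log_only"},
]


def apply_drop_rules(events, drop_rules):
    """Return (events_for_inspection, events_stored_in_db)."""
    inspect, stored = [], []
    for ev in events:
        action = next((r["action"] for r in drop_rules
                       if all(getattr(ev, f) == v for f, v in r["match"].items())), None)
        if action == "drop":
            continue
        stored.append(ev)
        if action != "log_only":
            inspect.append(ev)
    return inspect, stored


def evaluate_rule(events, event_type, count=1, window=timedelta(minutes=10), src_var="ANY"):
    """Fire when `count` matching events fall inside `window` (sliding).
    src_var: ANY      - count every matching event together (default, count=1
                        means every single event becomes an incident)
             SAME     - separate window per source address
             DISTINCT - count how many different sources appear in the window
    Returns [(fire_time, key, n)]. The window resets after each fire so one
    burst yields one incident instead of one per additional event."""
    matching = sorted((e for e in events if e.type == event_type), key=lambda e: e.ts)
    buffers, fired = {}, []
    for ev in matching:
        key = ev.src if src_var == "SAME" else "ANY"
        buf = buffers.setdefault(key, [])
        buf.append(ev)
        cutoff = ev.ts - window
        buf[:] = [e for e in buf if e.ts >= cutoff]        # slide the window
        n = len({e.src for e in buf}) if src_var == "DISTINCT" else len(buf)
        if n >= count:
            fired.append((ev.ts, key, n))
            buf.clear()
    return fired


if __name__ == "__main__":
    inspect, stored = apply_drop_rules(EVENTS, DROP_RULES)
    for var in ("ANY", "SAME", "DISTINCT"):
        print(var, evaluate_rule(inspect, "Failed Login", count=3, src_var=var))
    print("config changes:", evaluate_rule(inspect, "Modify Network Config"))
```

    With count=3 and a 10-minute window the same six login failures fire at three different moments depending on the variable: SAME fires only for 10.1.1.7 when its third attempt arrives, ANY fires as soon as any three have been seen, and DISTINCT fires when a third different source shows up. The late attempt at 10:20 never fires anything because nothing else is left in the window, which is the "significance of the time field" the question asks about.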

  • MARS - "Sudden increase of traffic to a port" rule

    Hello. I duplicated the system rule "Sudden increase of traffic to a port" in MARS and it blew out the original system rule, which now shows up as a user rule. It doesn't appear to be working either. It is active. Not sure what to make of this, and neither is TAC. Anybody ever mess up a system rule like this? Any way to recover it? Thanks!

    I upgraded to 4.2.2 and the rule seems to have been restored as a system rule. I noticed that it is showing up in our morning report (Event Types Ranked by Sessions), but we are not receiving an email or page for this rule firing (email/SMS notification works for all other rules). I ran a query for this event for the time period of the report it showed up on and no results were returned. Any thoughts would be appreciated. Thanks.
    Christine

  • MARS DROP RULE QUESTION

    When you configure a drop rule, let's say you configure several. If something happens to the software, is there a way to back up the drop rules that you have created?

    Hi,
    You can configure archiving, and if the MARS fails you can restore the OS, configurations, events, reports and rules from the archive.
    Check the archiving configuration for MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/bckRstrSby.html
    regards
    Gabor
    /vote if it helps/

  • How many rules in MARS by default? How/where to upgrade?

    I am taking over management of a MARS running 3.4 code. There are 102 system inspection rules, no user inspection rules, and no drop rules. How many are there by default? This doesn't seem like very many, at least compared to another vendor's system I've used in the past. Is there a site that has predefined rules (outside of having SmartNet), as I'd prefer not to have to generate them (or at least many of them) manually?
    Thank you.

    Didn't you have to create/configure the rules with ACID/Snort? It's no different with CS-MARS. It ships with some, yes... but you have to configure it to your needs. Hell, the thing is, how many signatures are there back on the Cisco IPS? Every one of those signatures it doesn't understand requires your own custom rule if you plan to do anything with the alarms.

  • CS-MARS - Drop rule keyword based

    Hi all,
    I need to create a new rule based on a keyword. I'm able to add an inspection rule but not a drop rule. The problem is that Cisco MARS is showing lots of events from a reporting IPS which is blocking those events. In this manner, the IPS tags all blocked traffic, and when it gets to MARS I have to open the event to see if it's a real threat or just an event blocked by the IPS.
    Now, all tagged traffic matches my inspection rule, but I don't want to see any more events from that rule, just log them into the database; I mean the alternative action to "drop" in a drop rule.
    Any idea?
    Thanks a lot.

    Hi Beth,
    Excuse me, but I don't understand what you mean with that string. What I'm saying is there's no way to create a drop rule using a keyword. E.g. I want to drop all events matching the rule called "Password scan" where the keyword "Administrator" is used. You can only apply an action in drop rules, and use a keyword in inspection rules.
    Sorry again if I don't understand what you mean or where to apply the regex string you're talking about.
    Thanks a lot.

  • MARS General FP Drop Rule vs. Listed Unconf. FPs

    I have a gazillion (really!) Unconfirmed False Positive events listed on that tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a drop rule for ANY of these events, with source and destination from my inside networks. I know all of my systems are patched against it.
    It appears my drop rule is working, since viewing the sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the drop rule.
    But I still have all of these events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:
    1. It will take a long time.
    2. I will also wind up with a gazillion drop rules, which the system will either have to process OR I'll have to go through THEM and inactivate them.
    Any ideas?
    Paul Trivino

    Try this to prevent System Determined False Positives from displaying as incidents?
    If you confirm what was previously an unconfirmed false positive, then a drop rule is created. That drop rule should prevent any further incidents of that type. So, this shouldn't be happening. Please make sure you've clicked `Activate'.
    Check the related bug ID: CSCsc74104
