CS-MARS Database Info
The CS-MARS appliance uses an Oracle 9.2i Enterprise database. The database is fully licensed for operation on the appliance and requires no administration whatsoever; therefore, it is completely self-sustaining.
CS-MARS Database Structure
You will not find much info about the database anywhere, as it looks like a Cisco secret, but searching blogs, and reading the Cisco Press book below, here is what we have come up with.
Each CS-MARS appliance has its own database storage requirements.
The CS-MARS appliance uses an Oracle 9.2i Enterprise database. The database is fully licensed for operation on the appliance and requires no administration whatsoever; therefore, it is completely self-sustaining.
CS-MARS Database Structure
You will not find much info about the database anywhere, as it looks like a Cisco secret, but searching blogs, and reading the Cisco Press book below, here is what we have come up with.
Each CS-MARS appliance has its own database storage requirements.
The actual event-data storage is alot smaller than the Total Storage available to each appliance. The remainder of the storage is used for other database on the box, that comprise configuration files, reports, vunerability data etc..
There were also a couple of vunerabilities in the Oracle database earlier this year, in how to modifiy the "expert" username and password to get root access to the appliance. Thank fully these have been fixed now, if you are running the later releases.
There were also a couple of vunerabilities in the Oracle database earlier this year, in how to modifiy the "expert" username and password to get root access to the appliance. Thank fully these have been fixed now, if you are running the later releases.
Mars Appliances Events Storage and Total Storage
(reference Cisco Security MARS - Cisco Press)
(reference Cisco Security MARS - Cisco Press)
When storing event data in its database, CS-MARS stores it in its raw format, uncompressed, using a first-in, first-out (FIFO) approach. When the 77 GB of storage is reached in a M20, it wipes out the oldest day (database) of event data. This data is lost if you are not archiving the data. This process allows CS-MARS to have room for event data in case a network infection or an attack happens.
How do we view the amount of storage being used on our MARS appliance?
How do we view the amount of storage being used on our MARS appliance?
SSH into the box and run the command "pndbusage" This will give a result similar to below...
[pnadmin]$ pndbusage
Current partition started on Tue Aug 8 00:41:54 BST 2006 and uses 30.7% of its available capacity.
Switching to next partition is estimated for Thu Mar 22 18:23:29 GMT 2007.
9 empty partitions are available for storage
[pnadmin]$ pndbusage
Current partition started on Tue Aug 8 00:41:54 BST 2006 and uses 30.7% of its available capacity.
Switching to next partition is estimated for Thu Mar 22 18:23:29 GMT 2007.
9 empty partitions are available for storage
This command displays the percentage used within the current partition, as well as specifies whether additional partitions are available. If no unused partitions exist, the command identifies which partition will be purged, provides an approximate schedule for when that purge will occur, and specifies the date range and total number of events scheduled to be purged.
If the database was full, then you would get an output similar to this...
Current partition started on and uses % of its available capacity.
Switching to next partition is estimated for events, received between and will be purged.
A word of warning if you are running CS-MARS 4.2.1, that there was an open caveat, for this, as detailed below...
Reference Number: CSCse54808
Issue: The time stamp shown by the pndbusage command is incorrect
Description: Two consecutive uses of the pndbusage command display a different current partition starting time.
Workaround: None.
So if you have a very busy network, please make sure you size your CS-MARS box accordingly (ask your Cisco Account Rep, to size the box), and also think about using the Archive Feature.
There is a new event since v4.2.1, CS-MARS DB partition filling up causing the next partition to be purged soon, notifies the administrators when the current partition is 75% full and switching to the next partition will result in data being purged from a previously used partition.
The system inspection rule and report allow you to monitor when this event fires. The inspection rule is System Rule: CS-MARS Database Partition Usage, and the report is Resource Utilization: CS-MARS-All Events.
If the database was full, then you would get an output similar to this...
Current partition started on
A word of warning if you are running CS-MARS 4.2.1, that there was an open caveat, for this, as detailed below...
Reference Number: CSCse54808
Issue: The time stamp shown by the pndbusage command is incorrect
Description: Two consecutive uses of the pndbusage command display a different current partition starting time.
Workaround: None.
So if you have a very busy network, please make sure you size your CS-MARS box accordingly (ask your Cisco Account Rep, to size the box), and also think about using the Archive Feature.
There is a new event since v4.2.1, CS-MARS DB partition filling up causing the next partition to be purged soon, notifies the administrators when the current partition is 75% full and switching to the next partition will result in data being purged from a previously used partition.
The system inspection rule and report allow you to monitor when this event fires. The inspection rule is System Rule: CS-MARS Database Partition Usage, and the report is Resource Utilization: CS-MARS-All Events.
Posts
No comments:
Post a Comment