CS-MARS Sizing Script

Appologies for the delay in posting an recent material, i`ve been very busy passing an exam to recertify my CCSP.

Back to the Blog, I have a python script that didnt quite make it in the new Cisco MARS Book.


This script can help with Sizing Cisco MARS boxes, you simply run the python script against syslog, to get an idea of min and max events per second.

This is very much a work in progress, and it is open source has been released under the BSD license.

I have put this script in the MARS User Group downloads section.


Please feel free to modify/update this to your needs, and share your results with the group.

There are some internationalization issues with it at the present time, so you may need to tweak the code, to get your timestamps correct.

Thanks to Greg Kellogg for this.


For those of you new to Python, here are some links......



Python Website - www.python.org

Python is a dynamic object-oriented programming language that can be used for many kinds of software development. It offers strong support for integration with other languages and tools, comes with extensive standard libraries, and can be learned in a few days.

Python on Windows FAQ - www.python.org/doc/faq/windows

Python Videos - showmedo.com

Ian Ozsvald has produced some videos to get you up and running with Python on Windows XP, these can be found here.

Lastly, i hope to announce the winner of the MARS Book shortly, thanks for all your entries.

Cisco MARS Training

Good news for MARS users in UK/Europe.

Satisnet have partnered with US Company Priveon, to bring the Cisco MARS Admin and Expert Hands On Courses to the UK.

"Real Training for Real People

Since the beginning of the Technical Certification Revolution that began many years ago in the IT industry, too many people have been forced to sit through classes that attempted to prepare them for multiple choice tests rather than preparing them for real world implementations. Priveon is revolutionizing the training industry by providing Real Training for Real People! Priveon developed training covers scenario based real world situations that will prepare you to architect, implement, support and maintain your products efficiently and effectively. No more boring lectures, just the knowledge you need and the experience to back it up!"

The two courses will be held 10th -13th September, at Cisco, Bedfont Lakes, UK.

Satisnet/Priveon Real-World MARS - Admin Training
This 2 day class covers the information you will require in order to become proficient in installing, supporting, and troubleshooting the Cisco Security Monitoring, Analysis, and Reporting [CS-MARS] product in your environment.
This class uses the Priveon Real-World Training System to ensure you come away with practical and memorable techniques and information. Real-World training involves instruction by individuals who have actual field experience with the CS-MARS product and is delivered via a series of scenario based hands on labs. This class emphasizes skill application where you will learn by doing in challenging scenarios that have all occurred in actual customer environments.


Satisnet/Priveon Real-World MARS - Expert Training
This 2 day expert level class starts at an advanced level and pace that will take advanced MARS users to the next stage. This class uses the Priveon Real-World Training System to ensure you come away with practical and memorable techniques and information. Real-World training involves instruction by individuals who have actual field experience with the MARS product and is delivered via a series of scenario based hands-on labs. There is no review of the basic concepts delivered in the Priveon Admin course and participants are expected to step into the scenario-based challenge labs with minimal supervision.


For information and pricing on these courses in the UK, please email enquiries@satisnet.co.uk

CS-MARS 4.2.7 Released

Cisco MARS 4.2.7 has been released.

New vendor signatures....

The release notes for 4.2.7 can be found here.

Book Review: Self-Defending Networks

Book: Self-Defending Networks: The Next Generation of Network Security
Author: Duane De Capite
Publisher: Cisco Press

Quote: "This security primer provides unique insight into the entire range of Cisco security solutions, showing what each element is capable of doing and how all of the pieces work together to form an end-to-end Self-Defending Network. While other books tend to focus on individual security components, providing in-depth configuration guidelines for various devices and technologies, Self-Defending Networks instead presents a high-level overview of the entire range of technologies and techniques that comprise the latest thinking in proactive network security defenses."

Well i must admit i agree with the above quote. I read this book over the weekend, its quite slim for a CiscoPress book, only 250 pages.

Its definitely not a deep technical read, and you wouldn't beable to maintain all the products listed with this book alone. If that is what you are looking for, then you would be best buying the individual Cisco Press books for ASA, NAC, MARS etc...

But it does give an overview of a variety of Cisco security technologies, including the Cisco Guard DDoS mitigation appliances (which i haven't found in any Book so far, but i`m starting to get involved with), the ASA, including the IPS and Content Security and Control Security Modules, ICS (Incident Control Service), CSA, NAC Appliance, MARS, Cisco Security Manager and a small section on 802.1x/NAC Framework.

The book ideal for someone at CCNA or Management Level, or somebody new to Cisco Security Technologies who is looking for an overview of the Technologies on offer, without going too technical in any one area.

Custom Inspection Rules

Mars has the capability to fire Incidents based on keywords, received from Reporting Devices.

In the example below, i`ll show how we can create a rule based on a keyword, and then use logic to further Tune the particular rule, to your needs.

Consider this poor, but effective example. Company A has some Catalyst switches reporting to MARS. Security is poorly configured, in that they are not using AAA services in Cisco ACS, or restricting access to the administration interfaces.

When anybody, via Console or Telnet accesses Configuration mode, a generic Syslog entry is sent to MARS. Seen here via a RAW Event Query....

Now as can be seen, the Key text in the syslog is "Configured from console". Also note the Syslog will contain the remote access IP, if via a Telnet Session.

Now if wanted to create a rule, that fired, when anybody except the administrators workstation entered Configuration mode on that particular switch, We could create an Custom Inspection Rule, to look for this......

And specify some logic in the RAW Message...

ie, Fire the Incident, if we see "configured by console", but not the ip 192.168.2.58, which would be everyone except the Admin Workstation.

Now as can be seen below, this works fine, except for one small problem! If the admin, goes into configuration mode via the Console itself, the Rule still fires.

So we can add further logic, to the Rule. This time adding an extra NOT statement....

And now, we only get the Incidents we are interested in..

And running a RAW Event Query over time, proves this. Note, that any "Console" event, not created by the IP 192.168.2.58, has created a Incident. (Noted by the "I" and Incident Number/Symbol)

And we can thus, create reports on this Particular Rule, here shown over the last 10 minutes...

Obviously, i hope your Internal Security isn`t as bad as the above! But it does show how you can be creative when creating keyword based rules.

Lastly, remember the closing date for the Blog Header competition is the 16th July, to win the new Cisco MARS book.