Monday, July 09, 2007

Custom Inspection Rules

MARS can fire Incidents based on keywords found in the syslog messages received from Reporting Devices.

In the example below, I'll show how to create a rule based on a keyword, and then use logic to further tune that rule to your needs.

Consider this poor but effective example. Company A has some Catalyst switches reporting to MARS. Security is poorly configured: they are not using AAA services in Cisco ACS, nor restricting access to the administration interfaces.

When anybody accesses Configuration mode, via Console or Telnet, a generic Syslog entry is sent to MARS, seen here via a RAW Event Query....

As can be seen, the key text in the syslog is "Configured from console". Also note that the syslog will contain the remote access IP if the session was via Telnet.

Now, if we wanted to create a rule that fired when anybody except the administrator's workstation entered Configuration mode on that particular switch, we could create a Custom Inspection Rule to look for this......

And specify some logic in the RAW Message...

i.e. fire the Incident if we see "Configured from console" but NOT the admin workstation's IP, which matches everyone except the Admin Workstation.

As can be seen below, this works fine, except for one small problem! If the admin goes into configuration mode via the Console itself, the Rule still fires, because that syslog carries no IP address for the NOT condition to exclude.

So we can add further logic to the Rule, this time adding an extra NOT statement....

And now we only get the Incidents we are interested in..

And running a RAW Event Query over time proves this. Note that any "Console" event not created by the admin IP has created an Incident (noted by the "I" and the Incident Number/Symbol).
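To make the tuning steps above concrete, here is an added example (not from the original post, and not MARS code) that models a raw-message keyword rule as "every CONTAINS term must match and no NOT term may match", and runs the three versions of the rule from the post over a handful of constructed syslog lines in the shape of the IOS "Configured from console" message. The admin workstation address 10.0.0.10, the other addresses and the rule names are all assumptions invented for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed admin workstation address; placeholder, not taken from the post.
ADMIN_WORKSTATION = "10.0.0.10"

# Constructed sample events. The %SYS-5-CONFIG_I lines follow the shape described
# in the post: the remote IP appears only when the session came in over Telnet.
SAMPLE_EVENTS = [
    "%SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.10)",    # admin via Telnet
    "%SYS-5-CONFIG_I: Configured from console by vty1 (10.0.0.55)",    # someone else via Telnet
    "%SYS-5-CONFIG_I: Configured from console by console",             # admin on the physical console
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.55(4123) -> 10.0.0.1(23), 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by vty2 (10.0.0.100)",   # different host, similar prefix
]


@dataclass
class RawMessageRule:
    """Keyword rule over the raw syslog text: all 'contains' terms must be present
    and none of the 'not_contains' terms may be (plain, case-insensitive substrings)."""
    name: str
    contains: List[str]
    not_contains: List[str] = field(default_factory=list)

    def matches(self, raw: str) -> bool:
        text = raw.lower()
        return (all(term.lower() in text for term in self.contains)
                and not any(term.lower() in text for term in self.not_contains))


@dataclass
class Incident:
    number: int          # the "I" number MARS would show beside the event
    rule: str
    raw: str
    source_ip: Optional[str]


# The IOS message puts the Telnet source address in parentheses after the vty line.
IP_IN_PARENS = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def source_ip(raw: str) -> Optional[str]:
    """Return the remote IP from a CONFIG_I line, or None for a console session."""
    m = IP_IN_PARENS.search(raw)
    return m.group(1) if m else None


def run_rule(rule: RawMessageRule, events: List[str], start: int = 1) -> List[Incident]:
    """Evaluate the rule over the event stream and number each firing as an Incident."""
    incidents = []
    number = start
    for raw in events:
        if rule.matches(raw):
            incidents.append(Incident(number, rule.name, raw, source_ip(raw)))
            number += 1
    return incidents


KEYWORD = "Configured from console"

# Step 1 from the post: keyword only.
RULE_KEYWORD_ONLY = RawMessageRule("config-mode", contains=[KEYWORD])

# Step 2: keyword AND NOT the admin workstation IP. The parentheses are kept in the
# NOT term so "10.0.0.10" does not also suppress "10.0.0.100".
RULE_NOT_ADMIN_IP = RawMessageRule(
    "config-mode-not-admin",
    contains=[KEYWORD],
    not_contains=["(" + ADMIN_WORKSTATION + ")"],
)

# Step 3: the extra NOT that drops the admin's own physical-console sessions.
RULE_TUNED = RawMessageRule(
    "config-mode-tuned",
    contains=[KEYWORD],
    not_contains=["(" + ADMIN_WORKSTATION + ")", "by console"],
)

# Same as step 3 but with the bare IP as the NOT term, to show the substring pitfall.
RULE_BARE_IP = RawMessageRule(
    "config-mode-bare-ip",
    contains=[KEYWORD],
    not_contains=[ADMIN_WORKSTATION, "by console"],
)


if __name__ == "__main__":
    for rule in (RULE_KEYWORD_ONLY, RULE_NOT_ADMIN_IP, RULE_TUNED, RULE_BARE_IP):
        print(rule.name)
        for inc in run_rule(rule, SAMPLE_EVENTS):
            print(f"  I{inc.number}: {inc.raw}  (src={inc.source_ip})")
```

The first rule fires on every config-mode event including the admin's, the second still fires on the admin's console session (no IP to exclude), and the tuned rule fires only on the two foreign Telnet sessions. The bare-IP variant shows why a NOT on a plain substring needs care: "10.0.0.10" is also a substring of "10.0.0.100", so that event is silently suppressed, which is exactly the kind of gap a raw-message rule should be checked for before it is trusted.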

And we can thus create reports on this particular Rule, here shown over the last 10 minutes...

Obviously, I hope your internal security isn't as bad as the above! But it does show how you can be creative when creating keyword-based rules.

Lastly, remember that the closing date for the Blog Header competition is the 16th July, to win the new Cisco MARS book.


Anonymous said...

Your blog is very interesting!
Please send me the photo of your PC desk and the link to your blog.
I'll publish it on my blog!
Thanks, Frank

Anonymous said...

Great post. While it makes a lot of sense, my rules mirror the ones you have set up (except the IP) and I can't get it to work. The expected result is to alert by e-mail, which is working for other rules.
Either way, very interesting; I look forward to future posts.

Justin said...

How do I set up my switch to send these events? I have done `logging monitor 6` and `logging trap 6`. I don't see those messages hitting MARS. I see other messages, though, like people being blocked by ACLs.