Thursday, March 29, 2007

nProbe with Cisco MARS

OK, following on from the previous post, this is another "probably not supported, but probably possible" article.

I'm not afraid to mix open source tools with commercial products, and this follows on from some testing on the NetFlow front.

Not everyone has a NetFlow-capable switch or router on the network. The following can be achieved just as easily with a Snort sensor, or a Cisco IPS or supported third-party IDS/IPS sensor (the better options), and is purely for reference.

There are open source tools available that will simply sniff the network via a tap or SPAN port and emit what they see as NetFlow.

One such tool is nProbe, an extensible NetFlow v5/v9/IPFIX GPL probe for IPv4/v6.

There are others too, for instance NDSAD, but for my testing I used nProbe.

Now we can simply send the NetFlow records to MARS, and MARS will process them.

Now remember from yesterday, it is not recommended to store NetFlow records, and I've not come across anyone who does, but for this testing I did enable this feature.

What happens now? Well, MARS starts to store this data and sessionize it too, so we can run queries, but they are of the unknown event type...

and similarly looking at an individual session

and an example raw event message

You will also probably find, in the output of the CLI pnlog show backend command, some errors like the following:

Mar 29 09:59:11.194 2007@localhost@1980@LM_ERROR@./pnparser|Thread 15376:Netflow device with IP '' is not configured in the GUI.

So how would we get MARS to recognise these events, when nProbe isn't listed in the supported device types? Well, this was down to trial and error, but I found that if I defined the nProbe box as an IOS device, it worked a treat.

You will get an obvious error when this is submitted, as there was no SNMP available from my nProbe box, but this can be ignored.

Now when any queries are run, you will find that MARS was able to sessionize the events forwarded by nProbe successfully (well, at least the traffic I captured),

and similarly the session and raw event information.

As a final note, remember this is a very inefficient use of the MARS box's resources, so it would not be recommended on a large production network!

So don't blame me if you ever try it out. :-)

Netflow from a HP Switch?

I was at a MARS meeting with a potential customer the other day. It was one of those meetings where everything is going great, the customer loves the idea of what MARS can do, and then we get onto what devices the customer has in their network.

OK: HP switches across the board, some third-party firewall in a DC that they are not allowed to touch, no IDS/IPS in place or any plans or skills for one, etc. If you've been there, you will know!

Coming home from the meeting got me thinking.

I know most high-end HP switches can export sFlow, as opposed to the NetFlow that MARS supports.

Now, what if there was a tool that could convert sFlow to NetFlow? At the very least we would be able to get some useful information into MARS for anomaly detection.

Remember, MARS does not store NetFlow by default, only the records that are part of an incident. You do get the option to store NetFlow, though this is not recommended! (This has the potential of slowing the system by drastically increasing the events per second that it must process.)

Now, I have not tried the following, nor do I recommend it (I don't even have an sFlow-capable HP switch), nor do I know whether it would be supported by MARS, but here is the theory!

There is a tool called the sFlow Toolkit, by a company called InMon.

This runs on Linux, Solaris or Windows, and will take sFlow and convert it to NetFlow, to forward on to a NetFlow collector such as MARS.

The following example shows sflowtool converting sFlow packets into NetFlow and sending the NetFlow packets to a NetFlow collector specified by a host and port.

sflowtool -c -d 9991 > /dev/null

If anyone has ever tried this, let me know.
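Both the nProbe set-up above and the sflowtool idea end up sending NetFlow v5 datagrams to MARS. As an added illustration (not code from this post, nProbe, sflowtool or MARS), the following Python builds a v5 datagram the way a probe would and parses it back the way a collector must, rejecting truncated or mis-versioned datagrams; the addresses and counters are constructed sample values.

```python
import socket
import struct

HEADER_FMT = "!HHIIIIBBH"                 # v5 header: version, count, uptime, secs, nsecs, seq, engine, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # one v5 flow record (48 bytes)
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

# Constructed sample flows (RFC 5737 documentation addresses), as a probe might export them.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "pkts": 12, "bytes": 1840,
     "sport": 50321, "dport": 443, "proto": 6, "flags": 0x1b},
    {"src": "192.0.2.11", "dst": "198.51.100.53", "pkts": 1, "bytes": 76,
     "sport": 41000, "dport": 53, "proto": 17, "flags": 0},
]

def build_v5(flows, seq=0):
    """Pack flows into a NetFlow v5 datagram, as nProbe or sflowtool would send to MARS."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 1000, 1175161151, 0, seq, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0" * 4,
                    0, 0, f["pkts"], f["bytes"], 0, 1000,            # ifaces, counters, first/last
                    f["sport"], f["dport"], 0, f["flags"], f["proto"], 0,
                    0, 0, 0, 0, 0)                                   # AS numbers, masks, padding
        for f in flows)
    return header + body

def parse_v5(data):
    """Unpack a v5 datagram as a collector must; reject wrong versions and length mismatches."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                      "flags": r[12], "proto": r[13]})
    return flows

if __name__ == "__main__":
    for flow in parse_v5(build_v5(SAMPLE_FLOWS)):
        print(flow)
```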

Thursday, March 22, 2007

Guest Article - CS-MARS Compliance Reporting

With compliance a hot topic for many organizations' IT security management at the moment, I am pleased to provide this great document by Dale Tesch, CS-MARS PSS US/Canada AT Security.

This document maps various compliance regulations from SOX, PCI Data Security Standard and GLBA, and the reports that can help meet those objectives in CS-MARS.

CS-MARS 4.2.5 Released

The following changes and enhancements exist in 4.2.5:

Support for Extended Daylight Savings Time. On March 11, 2007, the United States will adjust to Daylight Saving Time (DST) three weeks earlier than previous years and will end one week later on November 4, 2007. As per the Energy Policy Act of 2005, MARS supports this change in 4.2.4.

Bug fixes. For the list of resolved issues, see the release notes.

New Vendor Signatures......

Friday, March 16, 2007

Part 3 of the Custom Parser Demo is now Available

As I mentioned earlier in the week, Part 3 of the Custom Parser demo is now available.

This is a more advanced version of the Custom Parser demo, which is a whopping 15 minutes long.

Now, I must admit that when I first saw the Custom Parser and its regular expressions (PCRE, i.e. Perl-compatible regular expressions), I thought I'd never be able to work this out and that it must be for seasoned developers. But to be honest, once you have grasped the basics, it isn't that bad at all.

There are a couple of snippets in the Cisco documentation for MARS, which I have separated out below for easy reading:

Cisco MARS 4.2 - Configuring Custom Devices

Cisco MARS 4.2 - Regular Expression Reference

There are some tools to help you (if you can name any others, I'd be interested).

If I get stuck when I need to create a pattern, I try to use ReguLazy, pictured above.

ReguLazy is a visual designer for regular expressions, and requires little to no knowledge of regex syntax for most common and simple parsing activities.

This is a great little tool, but it hasn't been updated in a while.

I am also trying to get people to share their Custom Parsers in the User Group; if you are interested, join the Cisco MARS User Group.

Wednesday, March 14, 2007

New Custom Parser Demo Now Available

There's a new Cisco MARS Parser Flash demo available on Demolabs.

Now, to cut a long story short, I've decided to split the Parser template demo into two parts.

Part 2, which is available now, is what I would term the BASIC level demo. This doesn't go into too much detail on actually creating the parser patterns, but it is useful for getting a basic understanding of what the Custom Parser functionality is for.

Part 3, which should hopefully be ready by the end of the week, is what I would call the ADVANCED demo. A log template is created from start to finish.

Friday, March 09, 2007

Custom Parser Demo 2

I've been very busy this week working in London, so I haven't had much time to do any articles.

I will let you know, though, that the second Custom Parser demo should be available next week on

Here's a sneak peek of MARS picking up P2P traffic from a user behind a SonicWall device.