Wednesday, December 17, 2008

Cisco MARS 6.0.2 Now Available

CS-MARS Upgrade Package for 6.0.2 (3102)

Cisco MARS 6.0.2 has been released, with the obvious 3rd-party signature updates and a few bug fixes. A summary of the updated Cisco device support is below...

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in 6.0.2:

Cisco ASA 8.0.4 support

Cisco ASA 8.1.2 support

Cisco IPS 6.1 support

You can check out the release notes for 6.0.2 HERE

Tuesday, November 25, 2008

Email Alerts based on the Incident Severity

I got asked the question the other day: is it possible to receive an email only when Incidents are of RED severity?

Now if you think about it, it's an option to get an email when an Incident is created, but you cannot be selective about whether this was RED, YELLOW or GREEN.

Now there is a noddy way to achieve this, if you want to go to the trouble, and this would be based on duplicating rules...

Consider this RULE below...

It fires based on events received in the Info/UncommonTraffic/Chat and Info/UncommonTraffic/Chat/Proxy groups, but for ANY severity. There is no "Action" defined for this rule.

If we duplicate the rule in question, then edit the Severity to be RED only, we can apply an Action of email.

If you leave the default rule at ANY, you will probably get two Incidents fired, but only one email.

So it may be worth changing the default rule, or duplicating it again, to cover GREEN or YELLOW severity events (you may want to create a second offset with an OR operation).

You would need to proceed with caution with this method, as the example chosen has only one condition to be met. If you select a more complex rule, you may get into hot water and render the rule useless!

Take care....

Wednesday, November 05, 2008

Cisco MARS 6.01 Patch Available

Cisco have released a patch, CS-MARS 6.0.1 3070, for users on the MARS 6.0.1 release (3066).

Who should apply the Patch

1) Users who have the following devices reporting to MARS: Cisco Switch IOS, Cisco IPS
- User has a Cisco Switch-IOS configured to send syslogs to the MARS (CSCsu94548)
- User downloaded and installed MARS IPS packages S333, S351, or S354 from, or configured the dynamic autoupdate utility to download these packages (CSCsu96311)

2) Users who attempt to download raw messages from the database in the GMT+ timezone (CSCsv01999)
3) Users who make use of source/destination port ranking queries (CSCsq48971)

This patch is being released to address four issues:

1) CSCsu94548 - None of the Cisco Switch-IOS syslog messages are parsed by MARS
2) CSCsu96311 - Need to fix missing/mis-mapped IPS events in database.
3) CSCsv01999 - Not able to retrieve raw message files using MARS GUI
4) CSCsq48971 - service filter for src/dest port ranking query displays all ports

I suggest you read the readme file before applying.

Friday, October 31, 2008

Netpro Package Sharing

For those that have not yet upgraded to the latest V6 code of MARS (and I know that's quite a few!), here are some screenshots of the new Parser Sharing Forum.

With V4/5 and below, there was the concept of the Custom Parser. Beginning with MARS 6.0, these new custom parsing features are referred to as the Device Support Framework (DSF).

With DSF you can quickly add support for new device types, improve support for existing device types, and replicate accomplished work from one CS-MARS appliance to another (not only device types, but rules and reports also).

Device support packages are posted to and downloaded from the Package Sharing page of the MARS forum at the Networking Professionals Connection (NetPro) forum on

These packages can also be protected with an import and unlock password, to prevent you giving the crown jewels away.

As can be seen above, I seem to be the only person to upload so far! :-) But the plan would be to have much more content.

Another cool feature is that you can also subscribe to the forum and get updated when new content is added.

I have created a test Microsoft IIS 6.0 FTP parser DSF file, which I will upload next week. You can test this out, then start adding your own content and get the community going.

There are a few other parsers also in development, but more on these soon.

Wednesday, September 17, 2008

Cisco MARS 6.0.1 Release Notes

Thanks to a post in the Cisco MARS User Group, the release notes for MARS 6.0.1 are now available on

The snippet below shows the updated on-box vendor signatures....

You can also find a "Migrating Data from Cisco Security MARS 4.x to 6.0.1" document HERE.

Not sure if anyone has seen this, but there is a current "Ask the Expert" series running on the NetPro forums on MARS.

Looking at the discussions, it looks like MARS 6.0 will be out by the end of September.

Thursday, September 11, 2008

Fortinet Custom Parsing

Sorry for the lack of posts recently, I've been busy....
  • With work....
  • Studying for the CCIE!
  • I got married
  • Went on Honeymoon to Mexico and the USA.
And apart from the above, I've been patiently waiting for MARS v6 to be released!

So what's new?

Well thanks to everyone who has sent me the link to the article below...

Sebastian from the Firewall Guru Blog has posted an article on how to create a custom parser to get MARS to understand some Fortinet events.

Go check it out...

Friday, August 22, 2008

Cisco MARS 4.3.6 and 5.3.6 released

Cisco yesterday released MARS 4.3.6 and 5.3.6.

There are no new features in this release, but there is a major fix.

The following changes and enhancements exist in 4.3.6 and 5.3.6:

Resolution of issue introduced in x.3.4 release. The driver for the x.3.6 release is to correct CSCsr47032, a defect introduced in x.3.4 that results in the database gradually filling up with unneeded audit logs. This defect can lead to a file system overflow when archiving is enabled or exporting is used for migration purposes.

Customers should upgrade to the x.3.6 release as soon as possible to avoid consuming all hard drive space on CS-MARS 20/20R, 25/25R, 50, and 55 models. High-end models are not in danger of disk overflow but may experience a malfunction of archiving and export depending on the quantity of accumulated audit logs.

To determine whether an appliance is affected by this defect, click ADMIN > System Maintenance > View the Audit Trail, and look for messages like "8/18/08 3:50:11 PM PDT Unknown User (unknown) Database insert: DbReportResult: DbReportResult:215178". If thousands of such messages appear from the previous hour, an upgrade to x.3.6 is strongly recommended.

Release notes for 4.3.6 are available HERE.

Release notes for 5.3.6 are available HERE.

Thursday, July 24, 2008

MARS Canned Reports

I know I have posted on this before, but newer readers may not have seen this document.

On the Cisco Learning Network there is a PDF document that lists the various compliance requirements and the reports in Cisco MARS that can help meet each objective.

Monday, July 14, 2008

Emulation Links Added

I've added a new links section named "Cisco Emulation" to the blog.

As you may know, I'm currently studying for the CCIE Security. If you're in the same boat as me, there are some great sites out there you should be aware of. Go check them out!

Tuesday, June 24, 2008

The Cisco Learning Network Launched

Cisco has launched the new Cisco Learning Network, a great new online community of Cisco learning professionals looking for training and support on the various Cisco qualifications and technologies.

Sign up for an account and you gain access to short CBT-style training segments, PDF documents, discussions, career advice, certification information, plus much more.

In relation to Cisco MARS, on the site you will find two or three great training segments, or Quick Learning Modules as Cisco calls them, as shown below...

In more detail...

I'd recommend you go check them out!

Friday, June 13, 2008

Cisco MARS 4.3.5 and 5.3.5 Out Now

Apologies for the lack of posts recently, I've been overloaded with PIX/VPN3000 to ASA migrations and Cisco Security Manager jobs.

Anyhow, Cisco have just released MARS 4.3.5 and 5.3.5, so what's new?

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in 4.3.5:

• Update to intrusion prevention, intrusion detection, and vulnerability assessment signature sets.

• Bug fixes. For the list of resolved issues, see Resolved Caveats - Release 4.3.5.

You can view the Release notes for 4.3.5 HERE, and 5.3.5 HERE.

Friday, May 16, 2008

New Cisco NetPro Forum

Cisco have introduced a new section dedicated to MARS on the Netpro Forums on

"Welcome to the Cisco Networking Professionals Cisco Security MARS Forum. This conversation will provide you the opportunity to discuss the product, solutions and issues surrounding Cisco Security MARS deployments, maintenance and integration. We encourage everyone to share their knowledge and start conversations about topics involving the Cisco Security MARS. Remember, just like in the workplace, be courteous to your fellow forum participants. Please refrain from using disparaging or obscene language or posting advertisements. We encourage you to tell your fellow networking professionals about the site. Dan Bruhn NetPro Community Manager"

You can link straight to the forum HERE.

Wednesday, May 07, 2008

MARS 20,20R and 50 EOL Announced

"Cisco® announces the end-of-sale and end-of life dates for the Cisco Security Monitoring, Analysis and Response System (MARS) 20R/20/50 Appliances. The last day to order the affected product(s) is July 31, 2008."

Full details of this announcement can be found here.

Thursday, April 17, 2008

Cisco MARS 4.3.4 and 5.3.4 Out Now

Cisco MARS versions 4.3.4 for Gen1 appliances and 5.3.4 for Gen2 appliances have just been released.

You can find the release notes for 4.3.4 and 5.3.4 here.

New Features

As mentioned in an earlier post, the CSM 3.2 video I created on Demolabs was done with 5.3.4 beta code; these features are now possible!

Improved CSM-MARS Linkage. "With Security Manager 3.2 and MARS 4.3.4 and 5.3.4, you can modify access rules generating the MARS event seamlessly from the read-only policy table popup window, which displays all rules associated with an event, by clicking the highlighted access rule number without starting Security Manager separately. Similarly, you can navigate to the signature summary table in Security Manager from MARS events associated with IPS sensors and IOS IPS devices and alter the signature properties. This feature enables you to map a syslog message to the policy that triggered that message and modify it simultaneously, thereby reducing time spent configuring and troubleshooting access rules in large or complex networks.

Additional improved support includes:

Support for MARS to launch CSM and authenticate using stored login credentials.

Improved support for firewall and IPS policy rule lookups.

From Policy Query, you can edit a signature on an event or define a filter on the CSM device to perform device-side tuning.

Edit IPS signatures that fired an inspection rule."

Improved Global Controller-Local Controller Group Synchronization. "In the x.3.4 releases, MARS changes how source and destination information found in Global Controller rules is shared with managed Local Controllers. (This change is in support of CSCse03237: Changes made to GC network groups are not propagated to active LC rules.) "

Update to intrusion prevention, and intrusion detection, and vulnerability assessment signature sets

And of course the usual bugfixes.

Tuesday, April 08, 2008

Cisco MARS 6.0

Cisco yesterday released a bulletin and datasheet for the forthcoming Cisco MARS version 6.0.

You can find the Bulletin HERE, and the Datasheet HERE.

It looks like there are going to be some great new features; I'll look forward to it!

"Cisco Security MARS Release 6.0 will be included in all appliances purchased beginning approximately August 2008. Current Cisco Security MARS customers who have valid Cisco SMARTnet® Service contracts when released can also download the release at the Cisco Software Center."

"New Features
Cisco Security MARS Release 6.0 enhancements make Cisco Security MARS more open, with the ability to use the greater Cisco Security MARS community to improve security device support. Some enhancements include:
Cisco Security MARS device support framework: Framework to add velocity and flexibility to the Cisco Security MARS system, allowing faster, more flexible, and more scalable security device log support for existing and new Cisco and third-party vendor devices.
Support for the ASA 5580: MARS becomes the first Security Threat Management appliance to be capable of accepting logs from high output devices such as the ASA 5580.
Cisco Security MARS forum on NetPro: Community enablement for Cisco Security MARS users, partners, and third-party vendors interested in discussing, sharing, and rating Cisco Security MARS device support packages.
Cisco IPS Sensor Software Version 6.0 rules and report enhancements: Native support of IPS risk rating, threat rating, and virtual sensor in Cisco Security MARS will competitively differentiate the Cisco IPS and Cisco Security MARS value proposition by enabling Cisco Security MARS to further refine IPS event data to more effectively define threat detection and attack fidelity of the incident. "

And a sneak of the new supported devices looks interesting.....

Friday, April 04, 2008

New MARS and CSM 3.2 Linkages

Some of you may have noticed Cisco Security Manager 3.2 was released at the end of March.

Now I managed to wing a beta of this earlier in the year, as there are some great new MARS linkages. I also produced a demo, which can be seen HERE, for a seminar in London. (I'll add the version with sound next week.)

I'm not completely sure what will work today, as I created the demo using an early MARS 5.3.4 beta, but the datasheets on for CSM, which I have quoted below, give further info.

So what's new?

IPS Configuration
"Cross-collaboration with Cisco Security MARS enables event/anomaly investigation with immediate insight into policy deployment changes. This collaboration enables policy launching of historic and real-time events, encouraging tighter collaboration between network operations and security operations teams while keeping Cisco Security Manager policies in band. Insight and cross-collaboration decreases event investigation and troubleshooting, thus speeding resolution time. Cisco Security Manager and Cisco Security MARS collaboration enables interactive IPS event action filter creation, thus reducing your network's vulnerability exposure." - Source CSM 3.2 Datasheet

Enhanced Cisco Security Manager and MARS integration
– Ability to select syslog messages collected by Cisco Security MARS and launch to that specific rule in the Cisco Security Manager that generated the syslog
– Ability to select a rule in Cisco Security Manager and view historic or real-time syslog messages in Cisco Security MARS
– Ability to select an IPS signature in Cisco Security Manager and view historical or real-time events processed by Cisco Security MARS
– Ability to view IPS events in Cisco Security MARS and launch to that specific IPS signature in Cisco Security Manager. - Source CSM3.2 Bulletin

Finally some screenshots from the Datasheet....

Friday, March 28, 2008

Custom IPS Signature Events

In Part 3 of the Cisco IPS Custom Signatures article, after a discussion with someone I can't remember, I made the following statement....

"An important note to remember is that once you define a Custom IPS sig, this cannot be deleted, but can be overwritten."

Now this is not strictly true, as I have found whilst doing some custom parser work. When defining event parsers I noticed that an event was in the list (Confidential File.....), from a Cisco IPS custom signature I imported a while back...

Now events here can be deleted, so I thought I'd try it...

Sure enough, the custom IPS signature event was listed, with the Cisco IPS custom sig ID of 60000/0, and the groups and inspection rules it belongs to. So I went ahead and deleted it.

Now I did a quick check on the Custom IPS Signature upload page, to see if anything untoward had happened here...

And I also checked whether or not the event had actually gone. A quick search of events for device Cisco IPS 6.x showed it had indeed been deleted.

Great stuff. To be sure, I uploaded a second custom parser event....

And sure enough, the event appeared under the Custom Parser Event Types, and thus can be edited slightly like any custom parser event (the description is edited below).

And these changes do stick, as a quick event query for Cisco IPS 6.x events shows.

NB: These are my own findings, and to my knowledge not in the MARS User Guide. So before you go deleting events as above, I'd check with TAC that you are not going to explode your MARS box or anything :-)

Tuesday, March 25, 2008

Custom Parsing Gotcha

I'm in the process of finishing a custom parser to share with the user group. Have a look at the image above: everything looks fine, and the message has been successfully parsed.

But on closer inspection, the Matched Strings and Parsed Strings for the source and destination addresses are different.

Why is this? Well, in this particular case the device sending the syslog to MARS was "zero-padding" the syslog messages, so an IP address would appear with leading zeros in each octet, and Cisco MARS then treated each zero-padded octet in the incoming syslog as an octal number.

"Octal numerals can be made from binary numerals by grouping consecutive digits into groups of three (starting from the right). For example, the binary representation for decimal 74 is 1001010, which groups into 001 001 010 — so the octal representation is 112."

All is not lost though, as it is possible to include a regex that eliminates the leading zeros. In my case the solution was a little simpler: luckily, the appliance I was creating the parser for had an option to disable zero-padded IP addresses in the syslog. :-)
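As an added example (not part of the original post, and not MARS code), the Python below makes the gotcha concrete on a constructed syslog line: it shows what a C-style converter such as inet_aton makes of 010.020.003.004 (8.16.3.4, because a leading zero selects octal), why an octet like 009 cannot be read as octal at all, and a capture pattern of the 0*(\d{1,3}) form that consumes the padding outside the capture group so the value is never interpreted as octal in the first place. The line format, hostname and addresses are made up for the example.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample syslog line for this example (not from the original post).
# The sending device zero-pads every IPv4 octet to three digits; the port is
# padded too, to show that only dotted quads are rewritten.
SAMPLE_LINE = (
    "<134>Mar 25 10:15:02 fw01 deny tcp "
    "src=010.020.003.004 dst=192.168.001.010 dport=00080"
)

# Capture pattern of the kind you would put in a parser: each octet is preceded
# by 0* so the padding is consumed outside the capture group. On "000" the
# greedy 0* backtracks one character and the group captures "0".
PADDED_QUAD = re.compile(
    r"\b0*(\d{1,3})\.0*(\d{1,3})\.0*(\d{1,3})\.0*(\d{1,3})\b"
)


def octal_misparse(addr: str) -> str:
    """What a C-style converter (inet_aton/strtol) makes of zero-padded octets:
    a leading 0 selects octal, so 010 becomes 8 and 020 becomes 16. An octet
    containing 8 or 9 is not valid octal at all, which surfaces as ValueError."""
    decoded = []
    for octet in addr.split("."):
        base = 8 if len(octet) > 1 and octet[0] == "0" else 10
        try:
            decoded.append(str(int(octet, base)))
        except ValueError:
            raise ValueError(f"octet {octet!r} is not a valid base-{base} number") from None
    return ".".join(decoded)


def _decimal_quad(match: "re.Match[str]") -> Optional[str]:
    """Rebuild the address from the captured, unpadded octets, always in
    decimal. Returns None when an octet is out of range (e.g. 300)."""
    addr = ".".join(str(int(octet, 10)) for octet in match.groups())
    try:
        ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return None
    return addr


def extract_addresses(line: str) -> List[str]:
    """Every valid IPv4 address on the line, with the zero-padding removed."""
    found = []
    for match in PADDED_QUAD.finditer(line):
        addr = _decimal_quad(match)
        if addr is not None:
            found.append(addr)
    return found


def strip_zero_padding(line: str) -> str:
    """Rewrite the line so that a downstream parser which treats a leading zero
    as octal never sees a padded octet. Out-of-range quads are left untouched."""
    def replace(match: "re.Match[str]") -> str:
        addr = _decimal_quad(match)
        return match.group(0) if addr is None else addr
    return PADDED_QUAD.sub(replace, line)


if __name__ == "__main__":
    print("misparsed :", octal_misparse("010.020.003.004"))  # 8.16.3.4
    print("extracted :", extract_addresses(SAMPLE_LINE))      # ['10.20.3.4', '192.168.1.10']
    print("rewritten :", strip_zero_padding(SAMPLE_LINE))
```

The point of the 0* prefix is that it sits outside the parentheses: the parser's capture group only ever sees the significant digits, so the "matched string" and the "parsed string" agree. The rewrite function is the alternative when you cannot change the pattern and would rather normalise the line before it reaches the parser.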

Friday, March 14, 2008

Firewall Issues

Sometimes I get asked about the rule "System Rule: Operational Issue: Firewall", and what kinds of events would trigger it.

"This rule detects operational errors (e.g. bad network connectivity, failover errors, internal software/hardware errors) reported by a firewall - this may indicate that the firewall is not functioning properly."

Well, one such event is "URL Server not responding".

In this example the customer was running Websense for their URL filtering, and the server basically died, hence the rule fired. The incident includes the IP of the filtering device, in this case an ASA, and the IP of the filtering server.

Now in that particular case, Internet access would cease to function for everyone configured to be assessed via the filtering service (the default action), so you would probably be aware something was amiss on the network.

But with the Cisco PIX/ASA there are some other options that can be configured in the event of the URL filtering solution failing.

We can configure "Allow outbound HTTP traffic when URL Server is down", great to keep Internet access going, but not so great that users can then access any malware-ridden site they please.

So another event to look out for is "URL Server not responding, ENTERING ALLOW mode".
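As an added example, not part of the original post and not MARS code: the Python below runs over a few constructed ASA-style syslog lines and separates the two failure modes the post describes, fail-closed (the plain "not responding", where users lose web access and will tell you) from fail-open ("ENTERING ALLOW mode", where nobody notices but every outbound HTTP request now goes out unfiltered). Real ASA messages carry a %ASA-severity-id prefix between the host and the text; it is deliberately left out rather than guessed, and the pattern does not depend on it. On the PIX/ASA the fail-open behaviour is the allow keyword on the filter url command. The hostnames, addresses and the mapping onto red/yellow severities are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed ASA-style syslog lines for this example (not from the original
# post). Real messages carry a %ASA-<severity>-<id> prefix between the host and
# the text; it is left out here rather than guessed, and the regex below does
# not depend on it.
SAMPLE_LINES = [
    "Mar 14 09:12:01 asa-edge URL Server 10.1.1.50 not responding",
    "Mar 14 09:12:31 asa-edge URL Server 10.1.1.50 not responding",
    "Mar 14 09:13:01 asa-dmz URL Server 10.1.1.50 not responding, ENTERING ALLOW mode",
    "Mar 14 09:13:05 asa-edge Built outbound TCP connection 12345 for "
    "outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.2.2.20/51234 (10.2.2.20/51234)",
]

# Syslog timestamp, reporting host (the filtering device), anything, then the
# message text the post quotes. The optional tail is what turns an outage into
# a fail-open condition.
URL_SERVER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) .*?"
    r"URL Server (?P<server>\d{1,3}(?:\.\d{1,3}){3}) not responding"
    r"(?P<allow>, ENTERING ALLOW mode)?"
)

# The two failure modes the firewall can report for a filtering server.
FAIL_CLOSED = "url-server-down-fail-closed"  # HTTP blocked: users notice and call
FAIL_OPEN = "url-server-down-fail-open"      # HTTP allowed unfiltered: nobody notices


def classify(line: str) -> Optional[dict]:
    """Return a normalised event for a URL-server failure line, else None."""
    match = URL_SERVER.match(line)
    if match is None:
        return None
    fail_open = match.group("allow") is not None
    return {
        "ts": match.group("ts"),
        "device": match.group("device"),  # filtering device, e.g. the ASA
        "server": match.group("server"),  # filtering server, e.g. Websense
        "state": FAIL_OPEN if fail_open else FAIL_CLOSED,
        # Assumed mapping onto MARS-style severities: the fail-open case is the
        # one to wake someone for, because the outage is invisible to users.
        "severity": "red" if fail_open else "yellow",
    }


def current_state(lines: List[str]) -> Dict[Tuple[str, str], dict]:
    """Latest reported state per (filtering device, filtering server) pair."""
    state: Dict[Tuple[str, str], dict] = {}
    for line in lines:
        event = classify(line)
        if event is not None:
            state[(event["device"], event["server"])] = event
    return state


def fail_open_devices(lines: List[str]) -> List[str]:
    """Devices whose most recent report says they are passing HTTP unfiltered."""
    return sorted(
        device
        for (device, _server), event in current_state(lines).items()
        if event["state"] == FAIL_OPEN
    )


if __name__ == "__main__":
    for (device, server), event in current_state(SAMPLE_LINES).items():
        print(f"{device} -> {server}: {event['state']} ({event['severity']})")
    print("fail-open:", fail_open_devices(SAMPLE_LINES))  # ['asa-dmz']
```

Keying the state on the (device, server) pair matters when several firewalls point at the same filtering server: one ASA may be failing closed while another, configured with allow, is failing open against the very same outage, and only the second deserves the red incident.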

Monday, March 10, 2008

MARS 25, 25R and 55 on the Horizon

I noticed on CDW that pricing for the new Cisco MARS 25, 25R and 55 models was available.

To my knowledge these new 1U Gen2-based models are not yet released, but looking on, information on the models is starting to slip out...

The information above is taken from the 5.3 install guide. Interesting to note that the 55 model has field-replaceable, hot-swappable drives.

More info on these models, soon.

So what else is new? Well, the Cisco MARS User Group now has over 700 members, which is great.

I also noticed a new voicemail feature that Google was pushing for Blogger, but it was only available to US members. So I've created my own via Skype. Any comments, requests for articles etc., leave me a voicemail!

Tuesday, March 04, 2008

Custom IPS Signatures with Cisco MARS Demo

OK, as promised, the link to a new demo I've created for, now with sound! :-)

This demo, created for a seminar, shows creating a custom signature in Cisco IPS and the process for MARS to understand the event, with a little scenario around remote users downloading confidential files.

Note: the demo does not imply that custom signatures should be used on the network for this purpose, as there are more relevant products, such as the Websense Data Security Suite, that could meet this objective.

Monday, March 03, 2008

SSL VPN Event Reporting

A customer asked me the other day: "I've no access to the firewall, and Person X claims they are working at home today. Can I check with MARS whether they've actually used the VPN?"

Not exactly a major security event, I know, but that data is in MARS. A quick look at the known WebVPN events for the Cisco ASA shows over 66 that MARS understands.

So I basically set up a raw event query on the ASA device, with a keyword of Webvpn, to see what events I could build a query from.

The event I chose to build the query on was "Webvpn User Authentication Successful".

The query was set to display event data for the last 7 days, and I selected "Reported User Ranking" as the results format. Once happy with the results being shown, I saved the query as a report.

We can schedule how often we require reports to be run; I selected every hour.

And one cool thing is that we can customise which reports we want to display under Summary/My Reports.

Now I didn't just leave it there with this particular customer. Seeing who has been using the VPN is good, but it's also important to see who has been failing to authenticate with the VPN...

And maybe some resource usage...

That completes this article, but look out tomorrow for a new demo I've created for, on using Custom IPS Signatures with MARS. This is from a Cisco Security Seminar that Satisnet has been giving in London over the last week.
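As an added example, not from the original post and not MARS code: a Python version of the two reports above, run over constructed ASA-style WebVPN lines. The "Authentication: successful/rejected, Session Type: WebVPN" wording, the ISO timestamps, the hostnames, users and addresses are all assumptions made for the example, and the numeric %ASA message IDs are left out rather than guessed. It ranks users by successful and by rejected authentications within a 7-day window (the "Reported User Ranking" format), and lists the sessions for one named user, which is the question the customer actually asked.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Iterator, List, Optional, Tuple

# Constructed ASA-style WebVPN lines for this example (not from the original
# post). The "Authentication: successful/rejected, Session Type: WebVPN" wording
# and the timestamps are assumptions; the numeric %ASA message IDs are left out
# rather than guessed. The last line is unrelated noise the parser must ignore.
SAMPLE_LINES = [
    "2008-03-03 08:01:12 asa-edge Group HomeWorkers User alice IP 203.0.113.10 Authentication: successful, Session Type: WebVPN",
    "2008-03-03 08:05:40 asa-edge Group HomeWorkers User bob IP 198.51.100.7 Authentication: rejected, Session Type: WebVPN",
    "2008-03-03 08:06:02 asa-edge Group HomeWorkers User bob IP 198.51.100.7 Authentication: rejected, Session Type: WebVPN",
    "2008-03-03 08:06:30 asa-edge Group HomeWorkers User bob IP 198.51.100.7 Authentication: successful, Session Type: WebVPN",
    "2008-03-02 19:22:05 asa-edge Group HomeWorkers User alice IP 203.0.113.10 Authentication: successful, Session Type: WebVPN",
    "2008-03-01 22:10:00 asa-edge Group HomeWorkers User mallory IP 198.51.100.200 Authentication: rejected, Session Type: WebVPN",
    "2008-02-20 07:00:00 asa-edge Group HomeWorkers User carol IP 192.0.2.44 Authentication: successful, Session Type: WebVPN",
    "2008-03-03 08:07:00 asa-edge Built outbound TCP connection 4242 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.2.2.20/51234 (10.2.2.20/51234)",
]

# "Now" is fixed so the 7-day window is reproducible; carol's login falls outside it.
EXAMPLE_NOW = datetime(2008, 3, 3, 12, 0, 0)

WEBVPN_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<device>\S+) .*?"
    r"User (?P<user>\S+) IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Authentication: (?P<result>successful|rejected), Session Type: WebVPN$"
)


def parse_event(line: str) -> Optional[dict]:
    """Parse one WebVPN authentication line; anything else yields None."""
    match = WEBVPN_AUTH.match(line)
    if match is None:
        return None
    return {
        "ts": datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "device": match.group("device"),
        "user": match.group("user"),
        "ip": match.group("ip"),
        "result": match.group("result"),
    }


def _in_window(lines: List[str], now: datetime, days: int) -> Iterator[dict]:
    """Parsed events whose timestamp lies in the last `days` days up to `now`."""
    cutoff = now - timedelta(days=days)
    for line in lines:
        event = parse_event(line)
        if event is not None and cutoff <= event["ts"] <= now:
            yield event


def user_ranking(lines: List[str], now: datetime = EXAMPLE_NOW, days: int = 7,
                 result: str = "successful") -> List[Tuple[str, int]]:
    """Reported-user ranking for one outcome: (user, count), busiest first,
    ties broken by name so the output is stable."""
    counts = Counter(e["user"] for e in _in_window(lines, now, days) if e["result"] == result)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def sessions_for(lines: List[str], user: str, now: datetime = EXAMPLE_NOW,
                 days: int = 7) -> List[Tuple[str, str]]:
    """Successful logins for one user as (timestamp, source IP), oldest first:
    the direct answer to "did Person X actually use the VPN this week?"."""
    hits = [
        (e["ts"].strftime("%Y-%m-%d %H:%M:%S"), e["ip"])
        for e in _in_window(lines, now, days)
        if e["user"] == user and e["result"] == "successful"
    ]
    return sorted(hits)


if __name__ == "__main__":
    print("successful:", user_ranking(SAMPLE_LINES))                    # [('alice', 2), ('bob', 1)]
    print("rejected  :", user_ranking(SAMPLE_LINES, result="rejected"))  # [('bob', 2), ('mallory', 1)]
    print("alice     :", sessions_for(SAMPLE_LINES, "alice"))
```

Running the rejected ranking next to the successful one is what surfaces the interesting cases: bob failed twice and then got in from the same address, which is a typo, whereas mallory only ever fails, which is worth a second look.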