The Unofficial MARS Blog (Chris Durkin, http://www.blogger.com/profile/08997829845892677696): comments feed, last updated 2023-06-29T07:31:14+00:00

2011-09-04 21:36 UTC, Anonymous:
Glad to see I'm still getting MARS updates, but I see your point on device support.

I think it's time to persuade management to look into a replacement ;-o

Chad, DC

2011-05-22 11:32 UTC, Anonymous:
How much is that device?

2011-01-16 21:39 UTC, Anonymous:
Great post, I had a demo from these guys, and it looks great.

2011-01-10 19:19 UTC, Andy Morris (http://www.loglogic.com):
In about an hour from now I'm training the Cisco sales team on how to position LogLogic 5 running on Cisco blades as a replacement for MARS. Should be fun...

2010-12-09 17:12 UTC, Anonymous:
I think SPLUNK might have most of the features required for a good SIEM platform. Extensible and scalable. There are SPLUNK Apps for Cisco products which increase the filtering and reporting capabilities around those products.

I used to maintain an RSA . . . I am with you . . . clunky.

Q1 is cool too . . . even when it's sold as Dragon by Enterasys.

2010-12-07 15:12 UTC, Anonymous:
Check out the all-in-one solution from AccelOps too. It has all the next gen functionality for a SIEM plus availability and performance monitoring... We were pretty impressed with that solution.

2010-12-06 12:53 UTC, Khorgol:
http://www.reddit.com/r/netsec/comments/8gxw7/here_is_a_propaganda_video_on_rsa_envision_i/

A great review on RSA above, I agree.

2010-12-06 11:48 UTC, Anonymous:
No surprises here then, Cisco told our company months ago, and tried to get us to go the CSM route.

But since we have lots of other vendors' kit, we have decided to test products like RSA, AccelOps and Q1.

RSA we have junked, it's worse than MARS! Now on to the other 3.

2010-11-29 15:34 UTC, Anonymous:
AccelOps supports SNMP v3, and not just related to Cisco devices...

2010-11-18 16:49 UTC, Joe (http://certificationchat.com):
I agree. It seems like every SIM solution Cisco releases gets abandoned after a while.

2010-11-01 04:43 UTC, MikeInSeoul (https://www.blogger.com/profile/11165119488565916276):
And that's a big *yaaawn*. Come on, there were more updates between 6.0.5 and 6.0.6, but THIS gets a minor release number (6.0 to 6.1)?

2010-09-03 04:09 UTC, MikeInSeoul (https://www.blogger.com/profile/11165119488565916276):
What was interesting about this release, to me, was that it was published twice. There was 6.0.8(3427), posted around August 10th. It was then pulled, apparently due to some nasty bug with CSA clients.

Then, about two weeks later, they released it as 6.0.8(3428), with the CSA bug fixed.

The updates for the Cisco IPS products have been available on an ongoing basis (

2010-09-01 16:42 UTC, Anonymous:
Where is part deux?

2010-08-12 17:42 UTC, Mars Phanboy:
The problem I am encountering is that NetWitness has no data, and SIEMLink doesn't do anything but put a query in its window; it doesn't pull anything. There is clearly something I am missing. From reading the documentation on NetWitness, perhaps I need to set up a new Remote Collection, which would require purchasing a license? Please forgive my ignorance - can't find a lot of

2010-08-10 08:35 UTC, Anonymous:
Hi, no, MARS does not syslog to NetWitness.

MARS is simply sending a query to NetWitness with the src and dst IP, and time, and displaying the results.

Remember, MARS is logs, and NetWitness is packets.

2010-08-09 19:36 UTC, Mars Phanboy:
Intriguing. So all the equipment syslogs to Mars, and I assume Mars would then have to syslog to the NetWitness box? And once NetWitness has the raw data on box, then SIEMLink can query against it on its own local box?

2010-08-05 07:33 UTC, MikeInSeoul (https://www.blogger.com/profile/11165119488565916276):
> AccelOps ... SNMP v1, v2 (v3 in next release)

I found this very disappointing. I mean, come on!! How are vendors STILL releasing products these days without supporting SNMPv3? How did v3 support not make it into their product roadmap 5+ years ago, if not in the initial design phase?

Anyway, it should be noted that the SNMPv3 support in MARS is limited to ONLY Cisco

2010-07-22 22:55 UTC, Anonymous:
Great review. Waiting for part 2! Regards

2010-06-28 17:01 UTC, Anonymous:
I tried setting up a global rule to match any Red severity and send an email alert, and it looks like I achieved creating a catch-all rule that superseded all of the other rules. So now all of the incidents I see are red that match the action rule. I would think alerting on a red alert (or email on yellow and page for red, etc.) would be absolutely critical for an effective security management

2010-02-17 07:58 UTC, Unknown (https://www.blogger.com/profile/10561011053207961241):
Think I found out what's wrong...
The alert-action fires when the event is RED, i.e. FTP Address Bounce Attack. But if that event is categorized as false positive, because the FW dropped the connection, the Incident is green...

So what I actually would like to have is an aggregation rule that fires on red incidents. It would be great if it was possible to aggregate several

2010-02-16 15:37 UTC, Unknown (https://www.blogger.com/profile/10561011053207961241):
Thanks for your reply! The original rule doesn't fire any action. This is due to too many (green) incidents on that particular rule. My intention was to send only RED incidents to my firewall admins so they can try to track down any errors and such... I.e. there are red and green 'FTP Address Bounce Attack' events. Although the Alert-Rule should only fire on the red ones (severity =

2010-02-16 14:26 UTC, Chris Durkin (https://www.blogger.com/profile/08997829845892677696):
Did you disable the alert for your original rule?

2010-02-16 14:23 UTC, Unknown (https://www.blogger.com/profile/10561011053207961241):
Going through the same process... Though I defined a second Rule matching only RED events (i.e. for DoS/FTPServer), it also reacts on green events, sending email alerts!
Considering the original post is from 2008, chances seem to be slim for Cisco making any changes to the system... Does anybody have some more information?

(running v6.0.6 on a Mars 110R)

2010-02-15 17:46 UTC, Anonymous:
I have this problem when I want to upgrade multiple patches.
Solution: upgrade to 6.0.1, then reboot.
Upgrade to 6.0.2, then reboot.
Upgrade to 6.0.3, then reboot, and continue in this way.

2010-01-25 20:37 UTC, Anonymous:
Does anyone know what port(s) data archiving uses?