The Unofficial MARS Blog
Chris Durkin

InfoSecurity London (19 April 2013)
I will be on the AccelOps stand at InfoSecurity London, 23rd-25th April, at Earls Court in London.
I have helped out many people over the last few years; if you're attending, come by for a chat!
To see why AccelOps is a leader in the Security space, check out the demo on demosondemand.
CS-MARS 6.1.7 and 6.1.8 (19 April 2013)
For completeness: if you are still maintaining your old Cisco MARS box and entering your last year of updates, you should be aware of these two releases.
6.1.7 was released in December 2012: http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.1/release/notes/rnote_617.html
6.1.8 was released in late March 2013: http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.1/

CS-MARS 6.1.5 and 6.1.6 (29 November 2012)
Old news, but for completeness: if you are still maintaining a Cisco MARS box, there are two updates available, the latest from September 2012.
Release notes for CS-MARS 6.1.5: http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.1/release/notes/Release_Notes_for_Cisco_Security_MARS_Local_Controller_6.1.html
Release notes for CS-MARS 6.1.6: http://www.cisco.com/en/US/docs/security/

Another CS-MARS Milestone Fast Approaching (23 April 2012)
Did you delay that decision to look at second-generation SIEM options to replace your aging Cisco MARS appliance?
Just to note that we are now around six weeks away from another milestone in the end-of-sale and end-of-life schedule for the Cisco Security Monitoring, Analysis, and Response System.
From June 2, 2012, Cisco will no longer develop, repair, maintain or test the product software.
Cisco MARS 6.1.4 Released (6 January 2012)
Cisco released MARS 6.1.4 in late December 2011.
The release notes can be viewed HERE
Signature updates as follows.....
In terms of disclosure, I am also pleased to announce that I have recently joined the AccelOps EMEA team as a Technical Consultant. A great product with a big future.
Happy New Year for 2012.
Book Review: Practical Packet Analysis, 2nd Edition (7 October 2011)
Author: Chris Sanders
Published By: no starch press
ISBN: 978-1-59327-266-1
Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
"It's easy enough to install Wireshark and begin capturing packets off the wire--or from the air. But how do you interpret those packets once you've captured them? And how can those

Cisco MARS 6.1.3 Released (4 September 2011)
If you are still using MARS, you will be pleased to hear that Cisco released MARS version 6.1.3 a couple of weeks ago.
No new features, which is not surprising for a product that is end-of-sale, but a few bugs have been fixed.
Some signature updates, as in the table below, but you may also notice that some devices are now over a year out of date!
New Features
This release contains no new features. It is a

Beyond the Cisco MARS End of Sale Date (28 June 2011)
I note, via the number of emails and blog visitors, that the search for Cisco MARS replacements is starting to hot up now that the End-of-Sale date has officially passed.
That's not to say I have had a few emails recently telling me that their local partner is offering them a good deal on a new MARS appliance!
So have you started your replacement search?
Guest Post: How to Replace a SIEM? (13 April 2011)
How to Replace a SIEM
by Dr. Anton Chuvakin
Ouch! That “Venus” SIEM appliance that we got with routers has finally croaked. That piece of PHP brilliance that pre-pre-previous security engineer wrote has been buried under the thick pile of XML. That managed SIEM provider has annoyed us one last time.
What do the above situations have in common? The unfortunate time to replace your SIEM has

AD: 10 Reasons for Migrating from MARS to AccelOps (6 March 2011)
Sponsor Advertisement
AccelOps, the integrated datacenter and cloud monitoring company, today announced a Competitive Upgrade Package with "10 Reasons for Migrating from CS-MARS to AccelOps" exclusively for Cisco CS-MARS security appliance customers and resellers. This is in response to the market demand from the current CS-MARS user community and resellers seeking a

Cisco MARS 6.1.2 Released (4 March 2011)
It looks like Cisco released MARS 6.1.2 towards the end of February.
Obviously no new features, but there are signature updates and a couple of fixes.
New Features
This release contains no new features. It is a release dedicated to issue resolution.
You can read the release notes HERE
February Update (21 February 2011)
With the Cisco MARS End of Life dates finally announced at the end of last year, I am starting to see more enquiries to the blog around replacement products.
So I have lined up some new content for the blog, including some great guest articles, and I am still looking for more.

Cisco MARS End of Life - Official (4 December 2010)
Well, it's official: Cisco have announced the End of Life for Cisco MARS.
"Cisco announces the end-of-sale and end-of life dates for the Cisco Security Monitoring, Analysis, and Response System. The last day to order the affected product(s) is June 3, 2011."
You can read the official End of Life/End of Sales notification HERE.
The end of an era for probably the largest deployed SIEM tool out

Cisco SIEM Deployment Guide (29 November 2010)
November updates, a mixture of old and new news.
Cisco has made a few SIEM partner announcements in their efforts to bolster their Secure Borderless Network initiative as deftly referenced by Sean Martin in CIO Insight.
The new rather flashy SIEM Deployment Guide also references how Cisco is working with some other SIEM vendors.
Also see how others are working with SIEMs such as

Where on Earth is MARS? (12 November 2010)
I found this interesting article in a new infosecurity magazine on the demise of Cisco MARS, entitled "Where on Earth is MARS?"
The article looks back at MARS' past, speculates on the demise of Cisco MARS, and relays some of the negative sentiment from a handful of analysts over the past year.
I have to say, though, that many people appreciate and still utilize the many innovations and

Cisco MARS 6.1.1 Released (28 October 2010)
Cisco have released MARS version 6.1.1.
You can view the release notes HERE.

Changes and Enhancements
ASA 8.2.2 Botnet Traffic Filter
The ASA BTF feature was enhanced in ASA 8.2.2 to add blacklist actions, including blocking functionality, to Dynamic Filter, as well as additional attributes. MARS Release 6.1.1 supports these enhanced BTF attributes:
• Parses the new BTF-specific syslogs that

Cisco MARS 6.0.8 Now Available (1 September 2010)
A couple of weeks out of date due to my holidays, but Cisco have released MARS 6.0.8.
You can review the release notes HERE
There are no new product enhancements, but this release has updated vendor signatures for Cisco (and non-Cisco) devices, as shown below.
New Vendor Signatures
The following table describes the most recent signatures supported for each product or technology:
Book Review: Network Flow Analysis (12 August 2010)
Author: Michael W. Lucas
Published By: no starch press
ISBN: 1593272030
"Stop asking your users to reproduce problems. Network Flow Analysis gives you the tools and real-world examples you need to effectively analyze your network flow data."
If you have ever read any of Michael W. Lucas' other books, you will know you are in for a humorous and entertaining read.
Review: AccelOps - Part 2 (30 July 2010)
In the first part of the AccelOps review, I gave a quick overview of its many features.
In Part 2, I'd like to dig a bit deeper, and cover information that serves both security and network teams – specifically dashboards, rules, logical business groups, virtual appliance and a quick and simple MARS comparison.
Dashboards
One of the areas where AccelOps excels is dashboards, and there are plenty

New Cisco SIEM Deployment Guide (27 July 2010)
Cisco have released the Security Information Event Management (SIEM) Deployment Guide as part of the Smart Business Architecture, Borderless Networks for Enterprise Organizations.
Personally, this looks like a first step by Cisco towards working with other SIEM vendors to handle both Cisco and non-Cisco devices.
"This guide is for security operations personnel in enterprise organizations who want

SIEMLink with MARS (21 July 2010)
Although not exactly new news, you may not know that one of the complaints from the security community regarding MARS, and to be honest most SIEMs, is the lack of real session data, or raw packets, for incident response.
Now, one of the hottest products around in this arena is NetWitness.
"NetWitness Investigator is the award-winning interactive threat analysis application of the NetWitness

Review: AccelOps - Part One (9 July 2010)
What options have you got, if you are looking to replace or upgrade your MARS appliance or other SIEM/logging solution?
A lot has changed in the SIEM space since Cisco released the Cisco Security Monitoring, Analysis, and Response System around early 2005.
MARS was one of the first products to collect, normalize and correlate event logs from all the major security vendors, systems and NetFlow, and

MARS Blog Update (8 July 2010)
You may have noticed that Gartner left Cisco MARS out of the SIEM Magic Quadrant for 2010.
And although it was hard to find, Cisco did come out and say that MARS will in future concentrate on Cisco-only devices and critical host OSes. (And then recently released 6.0.7 with support for Windows 2008.)
Cisco have also recently announced that Cisco Security Agent has gone End of Sale, but there

Book Review: Securing the Borderless Network (2 June 2010)
Book: Securing the Borderless Network
Published By: Cisco Press
Author: Tom Gillis
"Today’s new Web 2.0, virtualization, mobility, telepresence, and collaborative applications offer immense potential for enhancing productivity and competitive advantage. However, they also introduce daunting new security issues, many of which are already being exploited by cybercriminals. Securing the Borderless

Cisco MARS 6.0.7 Now Available (26 May 2010)
Cisco have released MARS version 6.0.7.
You can read the release notes HERE
Changes and Enhancements
The following enhancement exists in Cisco Security MARS, Release 6.0.7:
• Support for Windows 2008—Cisco Security MARS provides agent based, native log support for Windows 2008 server hosts. Users can send syslog to CS-MARS by installing a Snare agent on their Windows 2008 server hosts.
• Support for