<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-34995790</id><updated>2012-02-17T00:42:27.454Z</updated><category term='CS-MARS 4.3.2'/><category term='MARS FSCK'/><category term='NetWitness'/><category term='MARS Alternative Review'/><category term='SNARE'/><category term='Incident Escalation'/><category term='CS-MARS Case Management'/><category term='Netpro Package Sharing.'/><category term='Cisco Job'/><category term='Cisco MARS 4.3.2 / 5.3.2'/><category term='CS-MARS Vulnerabiltiy'/><category term='ReguLazy'/><category term='Cisco MARS 5.3.6'/><category term='CS-MARS Deployment Guide'/><category term='nProbe'/><category term='Traffic Anomalies'/><category term='CS-MARS Unlock'/><category term='CS-MARS 4.3.1'/><category term='Oracle Database'/><category term='CS-MARS Upgrade'/><category term='VPN3005'/><category term='CS-MARS Priveon Paper'/><category term='Cisco NAC'/><category term='MARS Analysis'/><category term='InMon Sflow Toolkit'/><category term='MARS Custom Parser'/><category term='MARS Troubleshooting'/><category term='Cisco MARS Custom Parser'/><category term='Cisco MARS 4.3'/><category term='CME'/><category term='Cisco Mars Netflow'/><category term='Netflow Performance Analysis'/><category term='AccelOps Review'/><category term='Cisco NAC Appliance Custom Parser'/><category term='MARS SNMP v3'/><category term='Rules'/><category term='Session'/><category term='Network Response Blog'/><category term='NSEL with MARS'/><category term='XP Firewall'/><category term='Snort Sensors'/><category term='CS-MARS Demos'/><category term='Ironport'/><category term='NFS'/><category term='Cisco MARS Implementation Service'/><category 
term='McAfee ePO'/><category term='MARS 25'/><category term='Cisco Routers for the Desperate'/><category term='Book Review Securing the Borderless Network'/><category term='Cisco SAFE'/><category term='Netflow'/><category term='Cisco MARS 5.3.3'/><category term='CS-MARS Gen2 Appliances'/><category term='PNOS Directory'/><category term='NAC'/><category term='GC and GCm.'/><category term='CS-MARS 5.3.2 Wireless Support'/><category term='Tipping Point and Cisco MARS'/><category term='Cisco MARS Blog'/><category term='Real Time Events'/><category term='Qualys'/><category term='Cisco Techwise TV'/><category term='Custom Parsing Gothcha'/><category term='SecureVue'/><category term='Priveon'/><category term='CS-MARS Ask the Expert'/><category term='CS-MARS Sizing'/><category term='Cisco MARS Training'/><category term='Cisco MARS IPS 6 Dynamic Updates'/><category term='6.0.3 Update'/><category term='Cisco MARS Netpro Parser Sharing'/><category term='Cisco MARS 6 Patch'/><category term='CS-MARS 4.2.7'/><category term='MARS 6.0.4'/><category term='Cisco MARS 5.3.4'/><category term='Cisco IPS with MARS Part 3'/><category term='Cisco MARS 6.0.2'/><category term='Network Flow Analysis Book Review'/><category term='CS-MARS 6.0'/><category term='Storage'/><category term='CS-MARS US DST Changes'/><category term='Demolabs'/><category term='200'/><category term='Cisco Press'/><category term='MARS 20R EOL'/><category term='CS-MARS Reporting'/><category term='Accelops'/><category term='Cisco MARS 6.0.1 Available Now'/><category term='Incident Views'/><category term='Cisco MARS 5.3.5'/><category term='CVE-2009-2977'/><category term='Cisco Book Review'/><category term='Ask the Expert CS-MARS'/><category term='CS-MARS 5.2.x'/><category term='642-544'/><category term='Foundstone'/><category term='Cisco MARS'/><category term='Tcpdump'/><category term='CS-MARS'/><category term='MARS Archive'/><category term='Satisnet'/><category term='802.1X'/><category term='MARS Training'/><category 
term='PCI Compliance'/><category term='Cisco Security Manager'/><category term='Cisco Book Review LAN Switch Security'/><category term='Cisco MARS Vulnerability'/><category term='Calence'/><category term='CS-MARS Book'/><category term='Custom IPS Signatures Editing'/><category term='Guest Post: Anton Chuvakin'/><category term='Fortinet Custom Parser'/><category term='CCO Checker'/><category term='25R and 55'/><category term='URL Filtering'/><category term='Cisco MARS 6.0.6'/><category term='CS-MARS 4.2.5'/><category term='Cisco MARS 4.3.3'/><category term='Cisco MARS Exam'/><category term='CS-MARS Raw Event Query Limits'/><category term='Archiving Remote Storage Capacity'/><category term='CS-MARS 4.2.6'/><category term='CS-MARS User Group'/><category term='CS-MARS Archiving'/><category term='CS-MARS Guard and Detector'/><category term='Exploring Cisco MARS'/><category term='pndbusage'/><category term='Cisco MARS 6.0.4'/><category term='SIEMLink'/><category term='Cisco VPN Concentrator'/><category term='MARS Blog'/><category term='CS-MARS 4.2.4'/><category term='Cisco MARS Tips'/><category term='Cisco Guard and Detector Custom Parser'/><category term='TechWise TV'/><category term='Cisco SIEM Deployment Guide'/><category term='MARS FIPS'/><category term='Cisco NAC Appliance Blog'/><category term='IDS/IPS'/><category term='Incident'/><category term='Cisco MARS 6.0.3'/><category term='Custom IPS Signatures with Cisco MARS'/><category term='CS-MARS Updates'/><category term='CS-MARS Custom Parser'/><category term='Trend Micro DCS integration with MARS'/><category term='CS-MARS Blogs'/><category term='Cisco ASA Secure Logging'/><category term='Cisco MARS 6.0'/><category term='Cisco MARS EoS'/><category term='Cisco IPS with MARS'/><category term='MAC Address Report'/><category term='Cisco ASA VPN Usage with MARS'/><category term='PCI Data Security Standard'/><category term='MARS 6.0.3'/><category term='Cisco Security MARS'/><category term='Mitigation'/><category 
term='CS-MARS Python Scripts'/><category term='Cisco Learning Network'/><category term='Cisco MARS 6.1.3'/><category term='Cisco Security Manager 3.2'/><category term='MARS EOL 100'/><category term='CS-MARS Host Logging'/><category term='EIQNetworks'/><category term='CS-MARS Rules'/><category term='MARS Models EOL'/><category term='Windows Services for UNIX'/><category term='NFS Archive Failure'/><category term='MARS Rules'/><category term='Cisco Emulation'/><category term='Cisco MARS Netpro Forum'/><category term='Finjan Custom Parser'/><category term='Raw Events'/><category term='Cisco MARS 6.0.8'/><category term='Cisco MARS 4.3.6'/><category term='IronPort Seminar'/><category term='Cisco MARS 6.1.2'/><category term='Security Threat Mitigation and Response'/><category term='CSM'/><category term='MARS'/><category term='Cisco MARS 4.2.8'/><category term='CS-MARS Checkpoint Reporting Device'/><category term='Cisco MARS 6.1.1'/><category term='Cisco MARS 4.3.5'/><category term='Cisco MARS Compliance Reports'/><category term='Custom Signatures'/><category term='100e'/><category term='Cisco IOS IPS'/><category term='Cisco MARS Sflow'/><category term='MARS InfoSecurity Magazine'/><category term='AccelOps 10 Reasons'/><category term='MARS 50 EOL'/><category term='CSMARS'/><category term='SAN Reading Room Paper'/><category term='Cisco ASA Botnet Traffic Filter'/><category term='Search'/><category term='MARS 20 EOL'/><category term='Events and Sessions'/><category term='CS-MARS Windows Events'/><category term='CS-MARS Training'/><category term='MARS Users and Groups'/><category term='CS-MARS Compliance Reporting'/><category term='Cisco MARS v6'/><category term='Cisco MARS 4.3.4'/><category term='CS-MARS AAA with Microsoft IAS Server'/><category term='Queries'/><category term='Netfarmers'/><category term='Self-Defending Networks'/><category term='Define Services'/><category term='Cisco MARS 6.0.7'/><category term='CS-MARS Incident Severity'/><category term='Cisco MARS User 
Group'/><title type='text'>The Unofficial MARS Blog</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default?start-index=101&amp;max-results=100'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>190</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-34995790.post-4463344749838288065</id><published>2012-01-06T23:36:00.000Z</published><updated>2012-01-06T23:36:28.374Z</updated><title type='text'>Cisco MARS 6.1.4 Released</title><summary type='text'>Cisco released MARS 6.1.4 late December.

The release notes can be viewed HERE

Signature updates as follows.....









In terms of disclosure, I am also pleased to announce that I have recently joined the AccelOps EMEA team as a Technical Consultant. A great product with a big future.
 
Happy New Year for 2012.

</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4463344749838288065/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4463344749838288065' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4463344749838288065'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4463344749838288065'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2012/01/cisco-mars-614-released.html' title='Cisco MARS 6.1.4 Released'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-Yhhm-X8FuGA/TweDucxBcNI/AAAAAAAABfg/lx0R7wK4qGE/s72-c/update1.PNG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8868437200824475475</id><published>2011-10-07T21:59:00.001Z</published><updated>2011-10-07T22:01:56.328Z</updated><title type='text'>Book Review: Practical Packet Analysis, 2nd Ed</title><summary type='text'>Book Review: Practical Packet Analysis, 2nd Edition
Author: Chris Sanders
Published By: no starch press
ISBN: 978-1-59327-266-1


Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems


"It's easy enough to install Wireshark and begin capturing packets off the wire--or from the air. But how do you interpret those packets once you've captured them? And how can those </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8868437200824475475/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8868437200824475475' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8868437200824475475'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8868437200824475475'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2011/10/book-review-practical-packet-analysis.html' title='Book Review: Practical Packet Analysis, 2nd Ed'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3265939367846601098</id><published>2011-09-04T21:20:00.000Z</published><updated>2011-09-04T21:20:17.117Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.1.3'/><title type='text'>Cisco MARS 6.1.3 Released</title><summary type='text'>If you are still using MARS, you will be pleased to hear Cisco released MARS version 6.1.3 a couple of weeks ago.

No new features, which is not surprising, being end of sale, but a few bugs have been fixed.

Some signature updates, as in the table below, but you may also notice some devices are now over a year out of date!



New Features
This release includes contains no new features. It is a </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3265939367846601098/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3265939367846601098' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3265939367846601098'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3265939367846601098'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2011/09/cisco-mars-613-released.html' title='Cisco MARS 6.1.3 Released'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-8CqL6PrWS_g/TmPq6EnJ8NI/AAAAAAAABfc/5FrC6KFn0Uk/s72-c/mars6_1_3_Sigs.JPG' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-6605449124494881409</id><published>2011-06-28T16:43:00.000Z</published><updated>2011-06-28T16:43:40.266Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS EoS'/><title type='text'>Beyond the Cisco MARS End of Sale Date.</title><summary type='text'>



I note, from the number of emails and blog visitors, that the search for Cisco MARS replacements is starting to hot up now that the End-of-Sale Date has officially passed.
That said, I have had a few emails recently telling me that their local partner is offering them a good deal on a new MARS appliance!
So have you started your replacement search?
</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/6605449124494881409/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=6605449124494881409' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6605449124494881409'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6605449124494881409'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2011/06/beyond-cisco-mars-end-of-sale-date.html' title='Beyond the Cisco MARS End of Sale Date.'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-OOx_raT-xXk/TgoBqdCDJsI/AAAAAAAABfY/h20vDK5kJLc/s72-c/cisco_eos_blog.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-713825787213086238</id><published>2011-04-13T17:31:00.000Z</published><updated>2011-04-13T17:31:39.998Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Guest Post: Anton Chuvakin'/><title type='text'>Guest Post: How to Replace a SIEM?</title><summary type='text'>How to Replace a SIEM
by Dr. Anton Chuvakin



Ouch! That “Venus” SIEM  appliance that  we got with routers has finally croaked. That piece of PHP brilliance that  pre-pre-previous security engineer wrote has been buried under the thick pile of  XML. That managed SIEM provider has annoyed us one last time.
What do the above situations have in common? The unfortunate time to  replace your SIEM has</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/713825787213086238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=713825787213086238' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/713825787213086238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/713825787213086238'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2011/04/guest-post-how-to-replace-siem.html' title='Guest Post: How to Replace a SIEM?'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-W8LEwWU5fvk/TaXX2A_HANI/AAAAAAAABfU/Pu78I7fyUiY/s72-c/chuvakin.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-23662117813142785</id><published>2011-03-06T21:54:00.001Z</published><updated>2011-03-07T07:41:28.115Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='AccelOps 10 Reasons'/><title type='text'>AD: 10 Reasons for Migrating from MARS to AccelOps</title><summary type='text'>Sponsor Advertisement 

AccelOps, the integrated datacenter and        cloud monitoring company, today announced a Competitive Upgrade Package with “10        Reasons for Migrating from CS-MARS to AccelOps” exclusively for Cisco CS-MARS security        appliance customers and resellers. This is in response to the market demand from the        current CS-MARS user community and resellers seeking a</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/23662117813142785/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=23662117813142785' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/23662117813142785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/23662117813142785'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2011/03/ad-10-reasons-for-migrating-from-mars.html' title='AD: 10 Reasons for Migrating from MARS to AccelOps'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='https://lh6.googleusercontent.com/-wWJXAMalSxY/TXFvhjC2ETI/AAAAAAAABfQ/tIV6g5Mz1as/s72-c/accelops_10_reasons.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8936135392267260643</id><published>2011-03-04T21:07:00.000Z</published><updated>2011-03-04T21:07:55.605Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.1.2'/><title type='text'>Cisco MARS 6.1.2 Released</title><summary type='text'>Looks like Cisco released MARS 6.1.2 towards the 
end of February.

Obviously no new features, but signature updates, and a couple of fixes.

New Features 
   This release contains no new features. It is a release dedicated to issue resolution. 
You can read the release notes HERE 

</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8936135392267260643/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8936135392267260643' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8936135392267260643'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8936135392267260643'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2011/03/cisco-mars-612-released.html' title='Cisco MARS 6.1.2 Released'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='https://lh3.googleusercontent.com/-aOy3dU0fZCs/TXFUTTTsQrI/AAAAAAAABfM/3weTbMVBBLg/s72-c/mars_6_1_2.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7775184899127286360</id><published>2011-02-21T11:10:00.000Z</published><updated>2011-02-21T11:10:06.868Z</updated><title type='text'>February Update</title><summary type='text'>WIth the Cisco MARS End of Life dates, being finally announced at the end of last year, I am starting to see more enquires to the blog around replacement products.

So I have lined up some new content for the blog, including some great guest articles, and I am still looking for more.</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7775184899127286360/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7775184899127286360' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7775184899127286360'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7775184899127286360'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2011/02/february-update.html' title='February Update'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-6632352136088089072</id><published>2010-12-04T17:15:00.000Z</published><updated>2010-12-04T17:15:45.205Z</updated><title type='text'>Cisco MARS End of Life - Official</title><summary type='text'>Well its official, Cisco have announced the End of Life for Cisco MARS.

"Cisco announces the end-of-sale and end-of life  dates for the Cisco Security Monitoring, Analysis, and Response System.  The last day to order the affected product(s) is June 3, 2011."

You can read the official End of Life/End of Sales notification HERE. 

The end of an Era, for probably the largest deployed SIEM tool out</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/6632352136088089072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=6632352136088089072' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6632352136088089072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6632352136088089072'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/12/cisco-mars-end-of-life-official.html' title='Cisco MARS End of Life - Official'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7276755621176200005</id><published>2010-11-29T15:45:00.000Z</published><updated>2010-11-29T15:45:36.284Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco SIEM Deployment Guide'/><title type='text'>Cisco SIEM Deployment Guide</title><summary type='text'>November updates, a mixture of old and new news. 
Cisco has made a few SIEM partner announcements in their efforts to bolster their Secure Borderless Network initiative as deftly referenced by Sean Martin in CIO Insight.

The new rather flashy SIEM Deployment Guide  also references how Cisco is working with some other SIEM vendors.
Also see how others are working with SIEMs such as NetWitness.

</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7276755621176200005/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7276755621176200005' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7276755621176200005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7276755621176200005'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/11/cisco-siem-deployment-guide.html' title='Cisco SIEM Deployment Guide'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_ohceiKUYGG8/TPPJhqdclTI/AAAAAAAABfA/YvXV0nQDiZM/s72-c/cisco_siem_deployment_guide.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3445631408637178781</id><published>2010-11-12T20:24:00.001Z</published><updated>2010-11-13T18:36:21.914Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS InfoSecurity Magazine'/><title type='text'>Where on Earth is MARS?</title><summary type='text'>Found this interesting article in a new infosecurity magazine, on the demise of Cisco MARS, entitled "Where on Earth is MARS?"
The article references MARS's past, speculates on the demise of Cisco MARS, and goes on to relay some of the negative sentiment from a handful of analysts in the past year.

I have to say that many people though appreciate and still utilize the many innovations and </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3445631408637178781/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3445631408637178781' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3445631408637178781'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3445631408637178781'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/11/where-on-earth-is-mars.html' title='Where on Earth is MARS?'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ohceiKUYGG8/TN7ZypI7YlI/AAAAAAAABe0/OZKWFBr0HgM/s72-c/where_mars.JPG' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-2890642311603469747</id><published>2010-10-28T13:37:00.001Z</published><updated>2010-10-28T13:38:12.922Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.1.1'/><title type='text'>Cisco MARS 6.1.1 Released</title><summary type='text'>Cisco have released MARS Version 6.1.1

You can view the release notes HEREChanges and Enhancements ASA 8.2.2 Botnet Traffic Filter  The ASA BTF feature was enhanced in ASA 8.2.2 to add blacklist actions  including blocking functionality to Dynamic Filter, as well as  additional attributes. MARS Release 6.1.1 supports these enhanced BTF  attributes: •Parses the new BTF-specific syslogs that </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/2890642311603469747/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=2890642311603469747' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2890642311603469747'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2890642311603469747'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/10/cisco-mars-611-released.html' title='Cisco MARS 6.1.1 Released'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1829023168691906199</id><published>2010-09-01T14:04:00.000Z</published><updated>2010-09-01T14:04:07.876Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.0.8'/><title type='text'>Cisco MARS 6.0.8 Now Available</title><summary type='text'>A couple of weeks, out of date due to my holidays, but Cisco have released MARS 6.0.8

You can review the release notes HERE

There are no new product enhancements, but this release has updated vendor signatures for Cisco (and non-Cisco) devices, as shown below....

New Vendor Signatures 
 The following table describes the most recent signatures supported for each product or technology:
    
</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1829023168691906199/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1829023168691906199' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1829023168691906199'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1829023168691906199'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/09/cisco-mars-608-now-available.html' title='Cisco MARS 6.0.8 Now Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-9081536731861894469</id><published>2010-08-12T08:11:00.000Z</published><updated>2010-08-12T08:11:31.031Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Flow Analysis Book Review'/><title type='text'>Book Review: Network Flow Analysis</title><summary type='text'>
Book Review: Network Flow Analysis
Author: Michael W.Lucas
Published By: no starch press
ISBN: 1593272030
"Stop asking your users to reproduce problems. Network Flow Analysis gives you the tools and real-world examples you need to effectively analyze your network flow data."
If you have ever read any of Michael W.Lucas' other books, you will know you are in for a humorous and entertaining read.
</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/9081536731861894469/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=9081536731861894469' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/9081536731861894469'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/9081536731861894469'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/08/book-review-network-flow-analysis.html' title='Book Review: Network Flow Analysis'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-4949949654771598502</id><published>2010-07-30T21:38:00.001Z</published><updated>2010-11-29T15:29:16.028Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='AccelOps Review'/><title type='text'>Review: AccelOps - Part 2</title><summary type='text'>In the first part of the AccelOps review, I gave a quick overview of its many features.

In Part 2, I'd like to dig a bit deeper, and cover information that serves both security and network teams – specifically dashboards, rules, logical business groups, virtual appliance and a quick and simple MARS comparison.

Dashboards
One of the items where AccelOps excels is dashboards, and there are plenty</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4949949654771598502/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4949949654771598502' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4949949654771598502'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4949949654771598502'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/07/review-accelops-part-2.html' title='Review: AccelOps - Part 2'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ohceiKUYGG8/TFM_o1vG4zI/AAAAAAAABdg/IKeeJXxLTvk/s72-c/1.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-6564267880653203530</id><published>2010-07-27T09:38:00.001Z</published><updated>2010-07-27T11:23:00.014Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco SIEM Deployment Guide'/><title type='text'>New Cisco SIEM Deployment Guide</title><summary type='text'>Cisco have released, the Security Information Event Management (SIEM) Deployment Guide, as part of the Smart Business Architecture, Borderless Networks for Enterprise Organizations.

Personally, this looks like a first step by Cisco towards working with other SIEM vendors to handle both Cisco and non-Cisco devices.
"This guide is for security operations personnel in enterprise organizations who want </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/6564267880653203530/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=6564267880653203530' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6564267880653203530'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6564267880653203530'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/07/new-cisco-siem-deployment-guide.html' title='New Cisco SIEM Deployment Guide'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ohceiKUYGG8/TE7BfUE0hjI/AAAAAAAABdY/rwocARIQOA4/s72-c/siem.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-9137805037557215165</id><published>2010-07-21T11:34:00.010Z</published><updated>2010-07-21T11:58:02.801Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='NetWitness'/><category scheme='http://www.blogger.com/atom/ns#' term='SIEMLink'/><title type='text'>SIEMLink with MARS</title><summary type='text'>Although not exactly new news, you may not know, that one of the complaints from the security community regarding MARS, and to be honest most SIEMS, is the lack of real session data, or raw packets, for incident response.



One of the hottest products around in this arena right now is NetWitness.
"NetWitness Investigator is the award-winning interactive threat analysis application of the NetWitness </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/9137805037557215165/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=9137805037557215165' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/9137805037557215165'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/9137805037557215165'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/07/siemlink-with-mars.html' title='SIEMLink with MARS'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_ohceiKUYGG8/TEbPsN7Y8oI/AAAAAAAABco/BqCt1uf6uMg/s72-c/siemlink_mars.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5631287465092460125</id><published>2010-07-09T16:26:00.001Z</published><updated>2010-08-31T19:09:00.770Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS Alternative Review'/><category scheme='http://www.blogger.com/atom/ns#' term='Accelops'/><title type='text'>Review: Accelops - Part One</title><summary type='text'>


What options have you got, if you are looking to replace or upgrade your MARS appliance or other SIEM/logging solution?

A lot has changed in the SIEM space, since Cisco released the Cisco Monitoring Analysis and Response System, around early 2005.

MARS was one of the first products to collect, normalize and correlate event logs from all the major security vendors, systems and netflow, and </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5631287465092460125/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5631287465092460125' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5631287465092460125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5631287465092460125'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/07/review-accelops-part-one.html' title='Review: Accelops - Part One'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_ohceiKUYGG8/TDc1QJKytaI/AAAAAAAABbY/WsIAxEaeUQI/s72-c/allinone-aointegratedarchitecture.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5809022159523303717</id><published>2010-07-08T20:47:00.003Z</published><updated>2010-07-09T08:32:27.910Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS Blog'/><title type='text'>MARS Blog Update</title><summary type='text'>You may of noticed that  Gartner left Cisco MARS out of the SIEM Magic Quadrant for 2010 this year. 
And although it was hard to find, Cisco did come out and say that MARS will in future concentrate on Cisco-only devices and critical host OS. (It then recently released 6.07 with support for Windows 2008.)
Cisco have also recently announced Cisco Security Agent has gone End of Sale, but there have been </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5809022159523303717/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5809022159523303717' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5809022159523303717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5809022159523303717'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/07/mars-blog-update.html' title='MARS Blog Update'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3840300502756286386</id><published>2010-06-02T16:29:00.001Z</published><updated>2010-06-02T21:41:01.123Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Book Review Securing the Borderless Network'/><title type='text'>Book Review: Securing the Borderless Network</title><summary type='text'>Book: Securing the Borderless Network
Published By: Cisco Press
Author: Tom Gillis

"Today’s new Web 2.0, virtualization, mobility, telepresence, and collaborative applications offer immense potential for enhancing productivity and competitive advantage. However, they also introduce daunting new security issues, many of which are already being exploited by cybercriminals. Securing the Borderless </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3840300502756286386/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3840300502756286386' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3840300502756286386'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3840300502756286386'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/06/book-review-securing-borderless-network.html' title='Book Review: Securing the Borderless Network'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-134811898751695271</id><published>2010-05-26T20:15:00.000Z</published><updated>2010-05-26T20:15:36.511Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.0.7'/><title type='text'>Cisco MARS 6.0.7 Now Available</title><summary type='text'>Cisco have released MARS version 6.0.7

You can read the release notes HERE


Changes and EnhancementsThe following enhancement exists in Cisco Security MARS, Release 6.0.7:•Support for Windows 2008—Cisco Security MARS provides agent based, native log support for Windows 2008 server hosts. Users can send syslog to CS-MARS by installing a Snare agent on their Windows 2008 server hosts.•Support for</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/134811898751695271/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=134811898751695271' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/134811898751695271'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/134811898751695271'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/05/cisco-mars-607-now-available.html' title='Cisco MARS 6.0.7 Now Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1776726143346947891</id><published>2010-05-11T16:39:00.000Z</published><updated>2010-05-11T16:39:37.146Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco ASA Secure Logging'/><title type='text'>Cisco ASA Secure Logging and MARS</title><summary type='text'>Doug McKillip, a Global Knowledge Instructor, has created a white paper, "Using Syslog Effectively for Security Troubleshooting".

Part of this whitepaper details using the Cisco ASA Secure Logging feature over TCP to Cisco MARS.


You can get access to this whitepaper HERE.

Further info on secure logging and the ASA, can be found here, in the  Cisco ASA 8.2 CLI Guide.</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1776726143346947891/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1776726143346947891' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1776726143346947891'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1776726143346947891'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/05/cisco-asa-secure-logging-and-mars.html' title='Cisco ASA Secure Logging and MARS'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_ohceiKUYGG8/S-mHp-etB3I/AAAAAAAABa8/WRKRrMjg210/s72-c/mars_secure_syslog.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8700880878947141973</id><published>2010-04-21T20:47:00.002Z</published><updated>2010-04-21T20:50:02.079Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS SNMP v3'/><title type='text'>MARS Support for SNMP V3</title><summary type='text'>Rather than re-invent the wheel, there is a good write up on the new SNMP v3 feature, in MARS 6.0.6 on the Global Knowledge Blog.</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8700880878947141973/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8700880878947141973' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8700880878947141973'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8700880878947141973'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/04/mars-support-for-snmp-v3.html' title='MARS Support for SNMP V3'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1858155415890320359</id><published>2010-03-24T16:04:00.003Z</published><updated>2010-03-24T16:14:51.292Z</updated><title type='text'>Fancy a new Job?</title><summary type='text'>I have been busy recently on a couple of new demos on making the most of MARS, by interfacing with some 3rd party products, unfortunately these are not finished yet.But in the meantime I thought i would let you know about some jobs that are going at the United Health Group.Recession -what recession? 
!!!Network  Manager – United Health Group    UHG has multiple network  operations positions open </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1858155415890320359/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1858155415890320359' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1858155415890320359'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1858155415890320359'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/03/fancy-new-job.html' title='Fancy a new Job?'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3499621948221058322</id><published>2010-01-26T09:07:00.002Z</published><updated>2010-01-26T09:13:24.155Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.0.6'/><title type='text'>Cisco MARS 6.0.6 Now Available</title><summary type='text'>Release Notes for 6.0.6 are available HEREMiscellaneous Changes and Enhancements   The following changes and enhancements exist in MARS, Release 6.0.6:   •SNMP v. 3.0 Support—Leveraging a secure communication protocol between MARS and Cisco security enforcement devices, customers can be assured that they are securely mitigating attacks and configuring and managing devices. 
SNMPv3 support enables </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3499621948221058322/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3499621948221058322' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3499621948221058322'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3499621948221058322'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2010/01/cisco-mars-606-now-available.html' title='Cisco MARS 6.0.6 Now Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7159110603165868716</id><published>2009-11-13T16:30:00.003Z</published><updated>2009-11-13T16:44:53.259Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='CVE-2009-2977'/><title type='text'>CVE-2009-2977</title><summary type='text'>Thanks to an eagle-eyed reader (though it is a couple of months old now): if you are running 6.0.4 and earlier, there is a vulnerability when MARS is configured to pull Windows Event Logs. "The Cisco Security Monitoring, Analysis and Response System (CS-MARS) 6.0.4 and earlier stores cleartext passwords in log/sysbacktrace.## files within error-logs.tar.gz archives, which allows </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7159110603165868716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7159110603165868716' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7159110603165868716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7159110603165868716'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/11/cve-2009-2977.html' title='CVE-2009-2977'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8301831164664157944</id><published>2009-11-05T21:12:00.002Z</published><updated>2009-11-05T21:23:29.298Z</updated><title type='text'>No Updates for Non Cisco Devices?</title><summary type='text'>There has been plenty of rumours recently regarding MARS, and its support for Non Cisco Devices,  more so,  over the last couple of days...Whether its Gartner a few days ago, or MARS competitors, like Nitro putting out releases yesterday,  (and I`d fully expect the others to follow)I noticed an official Business Unit response, in the Netpro Forums......"October 30, 2009 Cisco response to Gartner </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8301831164664157944/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8301831164664157944' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8301831164664157944'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/34995790/posts/default/8301831164664157944'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/11/no-updates-for-non-cisco-devices.html' title='No Updates for Non Cisco Devices?'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5120476175074624066</id><published>2009-11-05T20:52:00.002Z</published><updated>2009-11-05T21:01:14.485Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Routers for the Desperate'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Book Review'/><title type='text'>Book Review: Cisco Routers for the Desperate, 2nd Ed</title><summary type='text'>"Cisco Routers for the Desperate, 2nd Edition is designed to be read once and left alone until something breaks. When it does, you'll have everything you need to know in one easy-to-follow guidebook." Cisco Routers for the Desperate, 2nd Edition, by Michael W.Lucas, condenses all you need to know about Cisco routers, and some switching down to a mere 125 pages.  
Now your not going to pass your </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5120476175074624066/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5120476175074624066' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5120476175074624066'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5120476175074624066'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/11/book-review-cisco-routers-for-desperate.html' title='Book Review: Cisco Routers for the Desperate, 2nd Ed'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ohceiKUYGG8/SvM7U17hBmI/AAAAAAAABa0/8sj3MyKuQKU/s72-c/cisco_routers.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-180900306752061084</id><published>2009-11-02T14:06:00.002Z</published><updated>2009-11-02T14:08:21.514Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS FIPS'/><title type='text'>MARS 6.0.5 FIPS PCI Card Notes</title><summary type='text'>As you may of read in the release notes for MARS 6.0.5, a FIPS PCI Card is available for the MARS 110RYou can read details here</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/180900306752061084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=180900306752061084' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/180900306752061084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/180900306752061084'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/11/mars-605-fips-pci-card-notes.html' title='MARS 6.0.5 FIPS PCI Card Notes'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8343874278582303085</id><published>2009-10-20T13:14:00.001Z</published><updated>2009-10-20T13:15:18.795Z</updated><title type='text'>MARS 6.0.5 Released</title><summary type='text'>Release notes here: 6.0.5 Miscellaneous Changes and Enhancements   The following changes and enhancements exist in:   •FIPS 140-2 Level 2 Compliance for the MARS 110R—Some customers, especially those in the federal market, require secure appliance communications to use government approved encryption technologies and provide tamper protection. 
When used in conjunction with a Cisco FIPS 140-2 Level</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8343874278582303085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8343874278582303085' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8343874278582303085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8343874278582303085'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/10/mars-605-released.html' title='MARS 6.0.5 Released'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-698088336500562692</id><published>2009-08-05T09:53:00.003Z</published><updated>2009-08-05T09:58:15.480Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS 6.0.4'/><title type='text'>MARS 6.0.4 Revised Release Notes</title><summary type='text'>To clear any confusion!, although there has been no announcement, the release notes have been revised for MARS Version 6.0.4Upgrade to 6.0.4No important notes exist for the 6.0.4 upgrade.As you will see, no mention of the "last software release for the CS-MARS 100, 100e, 200, GC, and GCm appliances.":-)</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/698088336500562692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=698088336500562692' title='0 Comments'/><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/698088336500562692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/698088336500562692'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/08/mars-604-revised-release-notes.html' title='MARS 6.0.4 Revised Release Notes'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1396058166949556720</id><published>2009-08-04T15:34:00.004Z</published><updated>2009-08-04T15:45:12.025Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='GC and GCm.'/><category scheme='http://www.blogger.com/atom/ns#' term='100e'/><category scheme='http://www.blogger.com/atom/ns#' term='200'/><category scheme='http://www.blogger.com/atom/ns#' term='MARS EOL 100'/><title type='text'>MARS 6.0.4 Confusion, Explaination</title><summary type='text'>Earlier from the release notes, there was a notice regarding 6.0.4 and supported versions.Upgrade to 6.0.4   The 6.0.3 release, distributed in April 2009, was the last software release for the CS-MARS 100, 100e, 200, GC, and GCm appliances. Therefore, you cannot apply the 6.0.4 release to these appliance models. For a full list of supported appliance models, see Supported Hardware. 
BUT, if you </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1396058166949556720/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1396058166949556720' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1396058166949556720'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1396058166949556720'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/08/mars-604-confusion-explaination.html' title='MARS 6.0.4 Confusion, Explaination'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5354861656154697610</id><published>2009-08-04T12:16:00.004Z</published><updated>2009-08-04T12:28:47.923Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.0.4'/><title type='text'>Cisco MARS 6.0.4 Now Available</title><summary type='text'>Thanks to Csaba for pointing out to me, that Cisco have released MARS version 6.0.4Surprisingly with some of the rumours out there at the moment, there are some new features in this release, and not just signature updates for the supported products.You can check out the release notes HERE.So apart from some cosmetic changes, here is what is new... 
New Device Support   The 6.0.4 release of MARS </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5354861656154697610/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5354861656154697610' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5354861656154697610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5354861656154697610'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/08/cisco-mars-604-now-available.html' title='Cisco MARS 6.0.4 Now Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ohceiKUYGG8/SngnLFu_MtI/AAAAAAAABas/cKmcGPj4xms/s72-c/asa_mars_6_0_4.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5800954333617007928</id><published>2009-05-28T10:42:00.004Z</published><updated>2009-05-28T11:00:20.842Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco ASA Botnet Traffic Filter'/><category scheme='http://www.blogger.com/atom/ns#' term='Ironport'/><title type='text'>ASA Botnet  Traffic Filter Syslogs</title><summary type='text'>"The Cisco® ASA Botnet Traffic Filter complements existing endpoint security solutions by monitoring network ports for rogue activity and detecting infected internal endpoints sending command and control traffic back to a host on the Internet. 
The Botnet Traffic Filter database accurately and reliably identifies command and control traffic, as well as the domains or hosts receiving the </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5800954333617007928/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5800954333617007928' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5800954333617007928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5800954333617007928'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/05/asa-botnet-traffic-filter-syslogs.html' title='ASA Botnet  Traffic Filter Syslogs'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_ohceiKUYGG8/Sh5q-jjJnoI/AAAAAAAABac/S8yEmvt0cEg/s72-c/asa_botnet.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1755614416134656862</id><published>2009-05-15T09:05:00.001Z</published><updated>2009-05-15T09:07:53.202Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='6.0.3 Update'/><title type='text'>Update on 6.0.3 Patch</title><summary type='text'>Thanks to Bob Lin, for an update on the 6.0.3 patch I mentioned yesterday.Incidentally, the 6.0.3 patch and patch readme can both be downloaded from the MARS Miscellaneous CCO site:http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc. 
It is only required if you encounter one of those two bugs.Regards,Bob LinCS-MARS Release Manager and Escalation Engineer</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1755614416134656862/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1755614416134656862' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1755614416134656862'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1755614416134656862'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/05/update-on-603-patch.html' title='Update on 6.0.3 Patch'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-206997324341394269</id><published>2009-05-14T08:51:00.002Z</published><updated>2009-05-14T08:56:25.010Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS 6.0.3'/><title type='text'>6.0.3 Patch Available</title><summary type='text'>Thanks to Jeremy Wood in the MARS User Group for pointing out there is a patch available for MARS release 6.0.3"I was noticing that I had a bunch of Drop rules that were nottriggering correctly after upgrading to 6.0.3 and in my quest for asolution ran across a patch here:Looks like it fixes the following problems:CSCsz14701 - some drop rules do not drop packets after 602 to 603 upgradeCSCsz22056</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/206997324341394269/comments/default' title='Post 
Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=206997324341394269' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/206997324341394269'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/206997324341394269'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/05/603-patch-available.html' title='6.0.3 Patch Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-6513259256932658041</id><published>2009-05-04T21:22:00.002Z</published><updated>2009-05-04T21:24:13.582Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS Troubleshooting'/><title type='text'>MARS Troubleshooting Technotes</title><summary type='text'>I notice Cisco have added a new doc, under the MARS configuration examples section on Cisco.com, on Troubleshooting.Worth a read for any newbies.You can view this HERE.</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/6513259256932658041/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=6513259256932658041' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6513259256932658041'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6513259256932658041'/><link rel='alternate' type='text/html' 
href='http://ciscomars.blogspot.com/2009/05/mars-troubleshooting-technotes.html' title='MARS Troubleshooting Technotes'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-6858741024450613319</id><published>2009-04-27T12:27:00.003Z</published><updated>2009-04-27T12:35:37.206Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Satisnet'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Job'/><title type='text'>Cisco Security Specialist Required</title><summary type='text'>In today’s recession hit world, companies world wide are letting staff go, and making redundancies.At Satisnet, the UK’s leading Security Partner, we are actually hiring!I`m looking to add another member to our Security Consulting Practice, and that could well be you.If think you meet the following requirements....Have a Cisco CCSP or CCIE, or are at least working towards these qualificationsA </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/6858741024450613319/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=6858741024450613319' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6858741024450613319'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6858741024450613319'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/04/cisco-security-specialist-required.html' title='Cisco Security Specialist Required'/><author><name>Chris 
Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8396795344972426514</id><published>2009-04-24T12:58:00.003Z</published><updated>2009-04-24T13:01:19.421Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco SAFE'/><title type='text'>New Cisco SAFE Reference Guides</title><summary type='text'>A new set of Cisco SAFE Reference Guides has just been released. These were very successful a few years ago, and it looks like they have been brought up to date. You can view the MARS Safe Doc HERE, and the full set of documents HERE. Worth a read. :-)</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8396795344972426514/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8396795344972426514' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8396795344972426514'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8396795344972426514'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/04/new-cisco-safe-reference-guides.html' title='New Cisco SAFE Reference Guides'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/_ohceiKUYGG8/SfG3iPP2jpI/AAAAAAAABaU/EODUDbcut7M/s72-c/cisco_safe.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3529972809827396784</id><published>2009-04-07T09:53:00.002Z</published><updated>2009-04-07T09:55:15.469Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.0.3'/><title type='text'>Cisco MARS 6.0.3 Now Available</title><summary type='text'>Cisco have released MARS version 6.0.3 Miscellaneous Changes and Enhancements   The following changes and enhancements exist in :   •Credential Automation—Save administrative time by updating many Cisco device credentials in a single operation rather than touching each device definition in MARS. Using a seed file to re-import devices that are already defined in MARS, users can update some </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3529972809827396784/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3529972809827396784' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3529972809827396784'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3529972809827396784'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/04/cisco-mars-603-now-available.html' title='Cisco MARS 6.0.3 Now Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-869084375362544542</id><published>2009-04-03T10:22:00.002Z</published><updated>2009-04-03T10:23:07.932Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS'/><title type='text'>No News</title><summary type='text'>Sorry for the delay in posts recently, but since there has been no new updates to MARS since mid December, i aint got much to write about!Any ideas let me know......................</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/869084375362544542/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=869084375362544542' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/869084375362544542'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/869084375362544542'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/04/no-news.html' title='No News'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8615423886403645376</id><published>2009-02-26T21:59:00.003Z</published><updated>2009-02-26T22:03:27.083Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco IOS IPS'/><title type='text'>Cisco IOS IPS with MARS</title><summary type='text'>There is a demo on Cisco.com, on using IOS IPS configured with Cisco Configuration Professional and MARS.You can view this 
HERE.*************Want to advertise HERE? Make me an offer.......**************</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8615423886403645376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8615423886403645376' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8615423886403645376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8615423886403645376'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/02/cisco-ios-ips-with-mars.html' title='Cisco IOS IPS with MARS'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-417959342090922294</id><published>2009-02-24T12:20:00.005Z</published><updated>2009-02-24T12:29:01.190Z</updated><title type='text'>Cisco NAC Appliance 4.5 Parser Available</title><summary type='text'>It looks like a draft DSF package for NAC Appliance 4.5 has now been uploaded to the MARS Package Sharing Exchange. But my only grievance with this exchange is that there is nowhere to tell users what the import passwords are. Hence one reason I gave the Lancope Stealthwatch 5.7 Package an import password of: lancope. So if anyone knows the import pass for the NAC Appliance 4.5 parser, </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/417959342090922294/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=417959342090922294' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/417959342090922294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/417959342090922294'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/02/cisco-nac-appliance-45-parser-available.html' title='Cisco NAC Appliance 4.5 Parser Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ohceiKUYGG8/SaPmxnM-jeI/AAAAAAAABaE/dinFSzkPBZY/s72-c/nac4_5.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-6170263103845541330</id><published>2009-02-17T12:05:00.003Z</published><updated>2009-02-17T12:12:06.366Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Netpro Package Sharing.'/><title type='text'>Cisco Netpro MARS Package Sharing</title><summary type='text'>The Netpro Package Sharing facility on Cisco.com is now open to the public (previously it was hidden, and only truly available via your MARS appliance). Let's hope this will now encourage people to start sharing rules, reports and of course custom parsers. Apologies for the lack of postings recently; I've been concentrating on getting the Unofficial Cisco Security Agent Blog up and running. 
Hopefully i</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/6170263103845541330/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=6170263103845541330' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6170263103845541330'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6170263103845541330'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/02/cisco-netpro-mars-package-sharing.html' title='Cisco Netpro MARS Package Sharing'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ohceiKUYGG8/SZqoarLIasI/AAAAAAAABZw/aQRkCdqQb1I/s72-c/mars_parsers.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3078167689305302554</id><published>2009-01-28T09:58:00.001Z</published><updated>2009-01-28T10:00:23.128Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS Training'/><title type='text'>Global Knowledge MARS Training</title><summary type='text'>I see lots of visitors to the MARS blog, looking for training. Jim Thomas, MARS Course Director for Global Knowledge, gives us an insight into their offering below...."In a truly Self Defending Network, detection and mitigation occur automatically. 
Alerts come in after the fact for forensic purposes, but all in all, we rest assured that when we leave our business day behind us, the network is </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3078167689305302554/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3078167689305302554' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3078167689305302554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3078167689305302554'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/01/global-knowledge-mars-training.html' title='Global Knowledge MARS Training'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_ohceiKUYGG8/SYAsg75Kj2I/AAAAAAAABZg/jcMVfIx3HuY/s72-c/gk.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1679952462894395466</id><published>2009-01-05T16:38:00.003Z</published><updated>2009-01-05T16:45:42.166Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='NSEL with MARS'/><title type='text'>NetFlow Secure Event Logging (NSEL) with MARS</title><summary type='text'>Happy New Year! You may have heard that the newer ASA 5580s supported NetFlow Secure Event Logging. Now I've never seen this in action, but it may be of interest to see this is supported by MARS. Check out the links below... Configuring NSEL for MARS on the ASA 5580; Configuring and Using NetFlow Secure Event 
Logging (NSEL) Cisco ASA 5580 Implementation Note for NetFlow CollectorsOn a further note, i </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1679952462894395466/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1679952462894395466' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1679952462894395466'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1679952462894395466'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2009/01/netflow-secure-event-logging-nsel-with.html' title='NetFlow Secure Event Logging (NSEL) with MARS'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-9064808909914335886</id><published>2008-12-17T17:35:00.002Z</published><updated>2008-12-17T17:37:28.591Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.0.2'/><title type='text'>Cisco MARS 6.0.2 Now Available</title><summary type='text'>CS-MARS Upgrade Package for 6.0.2 (3102) Cisco MARS 6.0.2 has been released, with the obvious 3rd Party Signature updates, and a few bug fixes. 
A summary of the updated Cisco devices support is below... Miscellaneous Changes and Enhancements   The following changes and enhancements exist in 6.0.2:   •Cisco ASA 8.0.4 support   •Cisco ASA 8.1.2 support   •Cisco IPS 6.1 support   You can check out the </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/9064808909914335886/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=9064808909914335886' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/9064808909914335886'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/9064808909914335886'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/12/cisco-mars-602-now-available.html' title='Cisco MARS 6.0.2 Now Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5270440012173427831</id><published>2008-11-25T15:53:00.006Z</published><updated>2008-11-25T16:05:32.592Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS Rules'/><title type='text'>Email Alerts based on the Incident Severity</title><summary type='text'>I got asked the other day whether it was possible to receive an email only when Incidents were of the RED Severity. Now if you think about it, it's an option to get an email when an Incident is created, but you cannot be selective about whether this was RED, AMBER or GREEN. Now there is a noddy way to achieve this, if you want to go to the trouble, and this would be based on duplicating 
rules...Consider</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5270440012173427831/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5270440012173427831' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5270440012173427831'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5270440012173427831'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/11/email-alerts-based-on-incident-severity.html' title='Email Alerts based on the Incident Severity'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ohceiKUYGG8/SSwgWxPwSQI/AAAAAAAABUc/0tTB9_zcgmE/s72-c/rule.jpg' height='72' width='72'/><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3856514702366453675</id><published>2008-11-05T14:33:00.000Z</published><updated>2008-11-05T14:35:26.989Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6 Patch'/><title type='text'>Cisco MARS 6.01 Patch Available</title><summary type='text'>Cisco have released a patch, CS-MARS 6.0.1 3070, for users on MARS 6.0.1 release (3066).Who should apply the Patch1) Users who have the following devices reporting to MARS: Cisco Switch IOS, Cisco IPS- User has a Cisco Switch-IOS configured to send syslogs to the MARS (CSCsu94548)- User downloaded and installed MARS IPS packages S333, S351, or S354 from http://www.cisco.com/cgi-bin/tablebuild.pl/</summary><link 
rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3856514702366453675/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3856514702366453675' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3856514702366453675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3856514702366453675'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/11/cisco-mars-601-patch-available.html' title='Cisco MARS 6.01 Patch Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ohceiKUYGG8/SRGu_8BgnwI/AAAAAAAABUU/3Imr-61zN_Y/s72-c/mars6_patch.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-624350021814907450</id><published>2008-10-31T15:52:00.005Z</published><updated>2008-10-31T16:20:41.944Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS Netpro Parser Sharing'/><title type='text'>Netpro Package Sharing</title><summary type='text'>For those, that have not yet upgraded to the latest V6 code of MARS, (and i know thats quite a few!), here are some screenshots of the new Parser Sharing Forum.With V4/5 and below, there was the concept of the Custom Parser. 
Beginning with MARS 6.0, these new custom parsing features are referred to as the Device Support Framework (DSF).With DSF you can quickly add support for new device types, </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/624350021814907450/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=624350021814907450' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/624350021814907450'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/624350021814907450'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/10/netpro-package-sharing.html' title='Netpro Package Sharing'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ohceiKUYGG8/SQstoD_sm3I/AAAAAAAABUE/P04mivMcV8s/s72-c/package_sharing.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7879681989688841919</id><published>2008-09-18T08:36:00.003Z</published><updated>2008-09-18T08:44:37.816Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.0.1 Available Now'/><title type='text'>MARS 6.0.1 Now Available</title><summary type='text'>Cisco MARS 6.0.1 is now available to download from CCO.Documentation Links below....Device Configuration Guide for Cisco Security MARS, Release 6.x Cisco Security MARS Initial Configuration and Upgrade Guide, 6.X Cisco Security MARS Hardware Installation and Maintenance Guide 6.XUser Guide 
for Cisco Security MARS Local and Global Controllers, Release 6.xCisco Security MARS Command Reference, 6.</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7879681989688841919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7879681989688841919' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7879681989688841919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7879681989688841919'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/09/mars-601-now-available.html' title='MARS 6.0.1 Now Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_ohceiKUYGG8/SNIUDd7CCQI/AAAAAAAAA8s/MDpKu5pY6fo/s72-c/6_0_1_upgrade.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5924302197111074409</id><published>2008-09-17T09:00:00.002Z</published><updated>2008-09-17T09:04:26.803Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS v6'/><title type='text'>Cisco MARS 6.0.1 Release Notes</title><summary type='text'>Thanks to a post in the Cisco MARS User Group , the Release notes for MARS 6.0.1 are now available on Cisco.comA snippet below, shows the updated on box, vendor sigs....You can also find, a Migrating Data from Cisco Security MARS 4.x to 6.0.1, document HERE.</summary><link rel='replies' type='application/atom+xml' 
href='http://ciscomars.blogspot.com/feeds/5924302197111074409/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5924302197111074409' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5924302197111074409'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5924302197111074409'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/09/cisco-mars-601-release-notes.html' title='Cisco MARS 6.0.1 Release Notes'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ohceiKUYGG8/SNDHrBYUq1I/AAAAAAAAA8k/7ow8mB3GYwk/s72-c/6_0_1_supported_sigs.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8902450416995590743</id><published>2008-09-17T08:37:00.003Z</published><updated>2008-09-17T08:40:15.341Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Ask the Expert CS-MARS'/><title type='text'>ASK THE EXPERT - CS-MARS</title><summary type='text'>Not sure if anyone has seen this, but there is a current "Ask the Expert" series, running on the Netpro forums, on MARS.Looking at the discussions, it looks like MARS 6.0 will be out by the end of September.</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8902450416995590743/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8902450416995590743' title='3 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8902450416995590743'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8902450416995590743'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/09/ask-expert-cs-mars.html' title='ASK THE EXPERT - CS-MARS'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ohceiKUYGG8/SNDCI6PVgQI/AAAAAAAAA8c/2G_4wOmOMYk/s72-c/mars_netpri.bmp' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5840796702134751609</id><published>2008-09-11T08:50:00.003Z</published><updated>2008-09-11T09:01:15.333Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Fortinet Custom Parser'/><title type='text'>Fortinet Custom Parsing</title><summary type='text'>Sorry for the lack of posts recently, i`ve been busy....With work....Studying for the CCIE!I got marriedWent on Honeymoon to Mexico and the USA.And apart from the above, i`ve been patiently waiting for MARS v6 to be released!So whats new?Well thanks to everyone who has sent me the link to the article below... 
Sebastian from the Firewall Guru Blog has posted an article, on how to create a custom </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5840796702134751609/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5840796702134751609' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5840796702134751609'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5840796702134751609'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/09/fortinet-custom-parsing.html' title='Fortinet Custom Parsing'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_ohceiKUYGG8/SMjd2iF0Z8I/AAAAAAAAA8U/kqBblONmAVA/s72-c/fortinet.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-2686472709454762094</id><published>2008-08-22T08:25:00.003Z</published><updated>2008-08-22T08:35:05.920Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 5.3.6'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 4.3.6'/><title type='text'>Cisco MARS 4.3.6 and 5.3.6 released</title><summary type='text'>Cisco have yesterday released MARS 4.3.6 and 5.3.6.Theres no new features in this release, but a major fix.The following changes and enhancements exist in 4.3.6 and 5.3.6:   •Resolution of issue introduced in x.3.4 release. 
The driver for the x.3.6 release is to correct CSCsr47032, a defect introduced in x.3.4 that results in the database gradually filling up with unneeded audit logs. This defect</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/2686472709454762094/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=2686472709454762094' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2686472709454762094'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2686472709454762094'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/08/cisco-mars-436-and-536-released.html' title='Cisco MARS 4.3.6 and 5.3.6 released'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5298026271774572588</id><published>2008-07-24T14:31:00.004Z</published><updated>2008-07-24T14:34:53.615Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS Compliance Reports'/><title type='text'>MARS Canned Reports</title><summary type='text'>I know I have posted on this before, but newer readers may not have seen this document.On the Cisco Learning Network, there is a PDF Doc, that lists the various compliance requirements, and the reports in Cisco MARS that can help meet that objective.</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5298026271774572588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5298026271774572588' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5298026271774572588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5298026271774572588'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/07/mars-canned-reports.html' title='MARS Canned Reports'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/SIiSiR9-3OI/AAAAAAAAA8M/9hFYJQdlTTY/s72-c/canned_reports.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1925202280120496642</id><published>2008-07-14T08:45:00.003Z</published><updated>2008-07-14T08:49:48.647Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Emulation'/><title type='text'>Emulation Links Added</title><summary type='text'>I`ve added a new links section named "Cisco Emulation" to the blog.As you may know i`m currently studying for the CCIE Security. If your in the same boat as me, there are some great sites out there you should be aware of. 
Go check them out!</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1925202280120496642/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1925202280120496642' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1925202280120496642'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1925202280120496642'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/07/emulation-links-added.html' title='Emulation Links Added'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/SHsSM-Aeb0I/AAAAAAAAA78/zdn3wwUL08M/s72-c/emulation_links.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1311325611756740125</id><published>2008-06-24T15:40:00.004Z</published><updated>2008-06-24T16:04:00.621Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Learning Network'/><title type='text'>The Cisco Learning Network Launched</title><summary type='text'>Cisco has launched the new Cisco Learning Network. 
This is a great new online community of Cisco learning professionals, looking to gain training and support on the various Cisco Qualifications and Technologies. Sign up with an account, and you gain access to short CBT style training segments, PDF documents, discussions, career advice, certification information, plus much more. In relation to Cisco</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1311325611756740125/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1311325611756740125' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1311325611756740125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1311325611756740125'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/06/cisco-learning-network-launched.html' title='The Cisco Learning Network Launched'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/SGEY1cYTWBI/AAAAAAAAA7k/elHm_D9DekU/s72-c/learning_network.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8193688372200516734</id><published>2008-06-13T10:20:00.006Z</published><updated>2008-06-13T10:27:27.916Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 4.3.5'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 5.3.5'/><title type='text'>Cisco MARS 4.3.5 and 5.3.5 Out Now</title><summary type='text'>Apologies for the 
lack of posts recently, i`ve been overloaded with PIX/VPN3000 to ASA Migrations, and Cisco Security Manager jobs.Anyhow, Cisco have just released MARS 4.3.5 and 5.3.5,  so whats new? Miscellaneous Changes and Enhancements   The following changes and enhancements exist in 4.3.5: •Update to intrusion prevention, and intrusion detection, and vulnerability assessment signature sets</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8193688372200516734/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8193688372200516734' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8193688372200516734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8193688372200516734'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/06/cisco-mars-435-and-535-out-now.html' title='Cisco MARS 4.3.5 and 5.3.5 Out Now'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/SFJKnIt7ZPI/AAAAAAAAA7c/9Qdj0wCwbNs/s72-c/4_3_5_New_Sigs.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7275936586364627662</id><published>2008-05-16T08:02:00.002Z</published><updated>2008-05-16T08:05:28.257Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS Netpro Forum'/><title type='text'>New Cisco NetPro Forum</title><summary type='text'>Cisco have introduced a new section dedicated to MARS on the Netpro 
Forums on Cisco.com"Welcome to the Cisco Networking Professionals Cisco Security MARS Forum. This conversation will provide you the opportunity to discuss the product, solutions and issues surrounding Cisco Security MARS deployments, maintenance and integration. We encourage everyone to share their knowledge and start </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7275936586364627662/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7275936586364627662' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7275936586364627662'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7275936586364627662'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/05/new-cisco-netpro-forum.html' title='New Cisco NetPro Forum'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/SC1ADTu9OGI/AAAAAAAAA7U/xW8WBHTc7eA/s72-c/mars_netpro.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5528697553373437412</id><published>2008-05-07T08:41:00.001Z</published><updated>2008-05-07T08:43:14.204Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS 50 EOL'/><category scheme='http://www.blogger.com/atom/ns#' term='MARS 20R EOL'/><category scheme='http://www.blogger.com/atom/ns#' term='MARS 20 EOL'/><title type='text'>MARS 20,20R and 50 EOL Announced</title><summary type='text'>"Cisco® 
announces the end-of-sale and end-of life dates for the Cisco Security Monitoring, Analysis and Response System (MARS) 20R/20/50 Appliances. The last day to order the affected product(s) is July 31, 2008." Full details of this announcement can be found here</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5528697553373437412/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5528697553373437412' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5528697553373437412'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5528697553373437412'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/05/mars-2020r-and-50-eol-announced.html' title='MARS 20,20R and 50 EOL Announced'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-5536087371481812323</id><published>2008-04-17T15:18:00.003Z</published><updated>2008-04-17T15:51:11.581Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 5.3.4'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 4.3.4'/><title type='text'>Cisco MARS 4.3.4 and 5.3.4 Out Now</title><summary type='text'>Cisco MARS Versions 4.3.4 for Gen1 Appliances, and 5.3.4 for Gen2 Appliances have just been released. You can find here the release notes for 4.3.4 and 5.3.4. New Features: As mentioned in an earlier post, the CSM 3.2 Video I created on Demolabs was done with a 5.34 Beta Code; these features are now 
possible! Improved CSM-MARS Linkage. "With Security Manager 3.2 and MARS  4.3.4 and 5.3.4, you can </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/5536087371481812323/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=5536087371481812323' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5536087371481812323'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/5536087371481812323'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/04/cisco-mars-434-and-534-out-now.html' title='Cisco MARS 4.3.4 and 5.3.4 Out Now'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/SAdu_OxUG6I/AAAAAAAAA6k/VsrCxDTNhBA/s72-c/5_3_4_sigs.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7825564074939467569</id><published>2008-04-08T15:23:00.005Z</published><updated>2008-04-08T20:50:03.479Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='CS-MARS 6.0'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 6.0'/><title type='text'>Cisco MARS 6.0</title><summary type='text'>Cisco yesterday released a bulletin and datasheet for the forthcoming Cisco MARS version 6.0You can find the Bulletin HERE, and the Datasheet HERE.It looks like there are going to be some great new features, i`ll look forward to it!"Cisco Security MARS Release 6.0 will be included in all appliances 
purchased beginning approximately August 2008. Current Cisco Security MARS customers who have valid</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7825564074939467569/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7825564074939467569' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7825564074939467569'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7825564074939467569'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/04/cisco-mars-60.html' title='Cisco MARS 6.0'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/R_uOvHOoVvI/AAAAAAAAA6U/W2MKqvv61pA/s72-c/bulletin_6.jpg' height='72' width='72'/><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-4784988493036311915</id><published>2008-04-04T15:11:00.006Z</published><updated>2008-04-04T15:33:04.873Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Security Manager 3.2'/><title type='text'>New MARS and CSM 3.2 Linkages</title><summary type='text'>Some of you may have noticed Cisco Security Manager 3.2 was released at the end of March. Now I managed to wing a beta of this earlier in the year, as there are some great new MARS linkages. I also produced a Demo which can be seen HERE, for a Seminar in London. 
(I`ll add the version with sound next week).I`m not completely sure what will work today, as I created the demo using an early MARS 5.34 </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4784988493036311915/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4784988493036311915' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4784988493036311915'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4784988493036311915'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/04/new-mars-and-csm-32-linkages.html' title='New MARS and CSM 3.2 Linkages'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/R_ZHn3OoVpI/AAAAAAAAA5k/IYDVp7af_A8/s72-c/csm_demo.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-2958586786043959121</id><published>2008-03-28T11:32:00.010Z</published><updated>2008-03-28T12:17:01.738Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Custom IPS Signatures Editing'/><title type='text'>Custom IPS Signature Events</title><summary type='text'>In Part 3 of the Cisco IPS Custom Signatures Article, after discussion with someone i cant remember,I made the following statement...."An important note to remember is that once you define a Custom IPS sig, this cannot be deleted, but can be overwritten."Now this is not strictly true, as i have found, whilst doing 
some custom parser work. When defining event parsers i noticed that an event was in</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/2958586786043959121/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=2958586786043959121' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2958586786043959121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2958586786043959121'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/03/custom-ips-signature-events.html' title='Custom IPS Signature Events'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/R-zbo3OoViI/AAAAAAAAA4s/OnvT7NFEiG8/s72-c/one.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-2017786412844077011</id><published>2008-03-25T16:58:00.004Z</published><updated>2008-03-25T17:22:00.430Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Custom Parsing Gothcha'/><title type='text'>Custom Parsing Gotcha</title><summary type='text'>I`m in the process of finishing a custom parser, to share with the user group. Have a look at the image above, everything looks fine, the message has been successfully parsed.But on closer inspection the Matched Strings and Parsed Strings for the Source and Destination Addresses are different.Why is this? 
Well in this particular case, the device sending the syslog to MARS was "zero-padding" the </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/2017786412844077011/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=2017786412844077011' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2017786412844077011'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2017786412844077011'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/03/custom-parsing-gotcha.html' title='Custom Parsing Gotcha'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ohceiKUYGG8/R-kyKXOoVhI/AAAAAAAAA4k/wHUYb1Bv_8k/s72-c/parser_errors2.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-389458348532969840</id><published>2008-03-14T16:46:00.007Z</published><updated>2008-03-14T17:15:53.410Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='URL Filtering'/><title type='text'>Firewall Issues</title><summary type='text'>Sometimes i get asked, about the Rule "System Rule: Operational Issue: Firewall", and what kinds of events would trigger this."This rule detects operational errors (e.g. 
bad network connectivity, failover errors, internal software/hardware errors) reported by a firewall - this may indicate that the firewall is not functioning properly."Well one such event, is "URL Server not responding".In this </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/389458348532969840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=389458348532969840' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/389458348532969840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/389458348532969840'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/03/firewall-issues.html' title='Firewall Issues'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/R9qugdbiVJI/AAAAAAAAA4E/tLWq8baXGAA/s72-c/URL+Server.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7640472695160566221</id><published>2008-03-10T15:39:00.003Z</published><updated>2008-03-10T15:56:50.415Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='25R and 55'/><category scheme='http://www.blogger.com/atom/ns#' term='MARS 25'/><title type='text'>MARS 25, 25R and 55 on the Horizon</title><summary type='text'>I noticed on CDW that pricing for the new Cisco MARS 25, 25R and 55 models was available.•CS-MARS-25R-K9•CS-MARS-25-K9•CS-MARS-55-K9To my knowledge these new 1U, Gen2 based models are not yet 
released, but looking on Cisco.com, information on the models is starting to slip out...The information above, taken from the 5.3 install guide. Interesting to note that the 55 model, has a field replaceable</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7640472695160566221/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7640472695160566221' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7640472695160566221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7640472695160566221'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/03/mars-25-25r-and-55-on-horizon.html' title='MARS 25, 25R and 55 on the Horizon'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/R9VWkNbiVHI/AAAAAAAAA30/N2weGS_-TRg/s72-c/mars_25_55_specs.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1664199990117828597</id><published>2008-03-04T16:51:00.004Z</published><updated>2008-03-04T17:07:44.091Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Custom IPS Signatures with Cisco MARS'/><title type='text'>Custom IPS Signatures with Cisco MARS Demo</title><summary type='text'>Ok as promised the link to a new Demo i`ve created for Demolabs.co.uk now with sound! 
:-)This demo created for a seminar, shows creating a custom signature in Cisco IPS, and the process for MARS to understand the event, with a little scenario around remote users downloading confidential files.Note: The demo does not imply that custom signatures should be used wisely on the network for this </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1664199990117828597/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1664199990117828597' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1664199990117828597'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1664199990117828597'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/03/custom-ips-signatures-with-cisco-mars.html' title='Custom IPS Signatures with Cisco MARS Demo'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/R81-ZsOcUkI/AAAAAAAAA3s/jIdiHAlkYVI/s72-c/ips_custom_icon.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-146598074761119540</id><published>2008-03-03T15:30:00.009Z</published><updated>2008-03-03T16:11:53.349Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco ASA VPN Usage with MARS'/><title type='text'>SSL VPN Event Reporting</title><summary type='text'>A customer asked me the other day "I`ve no access to the firewall, and Person X claims they are working at home today. 
Can I check with MARS if they've actually used the VPN?" Not exactly a major security event, I know, but that data is in MARS. A quick look at the known WEBVPN events for the Cisco ASA shows over 66 that MARS understands. So I basically set up a RAW event query on the ASA device,</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/146598074761119540/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=146598074761119540' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/146598074761119540'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/146598074761119540'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/03/ssl-vpn-event-reporting.html' title='SSL VPN Event Reporting'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/R8weHIvc9RI/AAAAAAAAA2k/YXxNzMHuhPE/s72-c/vpn_usage_graph.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1040982627395885797</id><published>2008-02-21T10:25:00.017Z</published><updated>2008-02-21T11:41:00.790Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tipping Point and Cisco MARS'/><title type='text'>Tipping Point with MARS</title><summary type='text'>OK, MARS supports a number of different IDS/IPS vendors out of the box, including Netscreen, Symantec, ISS, Snort, Dragon and McAfee, and obviously the Cisco IPS range. Now if you were a 
member of the MARS User Group, you would know, its no secret, but you can also get Tipping Point IPS Sensors to work with MARS also.And here is the trick, Tipping Points Security Management System (SMS), can send </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1040982627395885797/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1040982627395885797' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1040982627395885797'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1040982627395885797'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/02/tipping-point-with-mars.html' title='Tipping Point with MARS'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/R71jIPSDCEI/AAAAAAAAA2Y/LP8rKnwks_U/s72-c/tipping_point.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7584814527353148728</id><published>2008-02-21T09:25:00.002Z</published><updated>2008-02-21T09:37:01.795Z</updated><title type='text'>Network World’s 20 Useful Sites for Cisco Networking Professionals</title><summary type='text'>This morning I was honoured to find out, that i am featured in Network World`s 20 useful sites for Cisco networking professionals.Quote "If you're studying for Cisco exams and just about to tear your hair out, don't fret, there are many others in the same position, and many of them are writing up 
their experiences in their blogs and passing along hints and tips. Even if you're a CCIE pro, there's</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7584814527353148728/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7584814527353148728' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7584814527353148728'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7584814527353148728'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/02/network-worlds-20-useful-sites-for.html' title='Network World’s 20 Useful Sites for Cisco Networking Professionals'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/R71FSPSDB1I/AAAAAAAAA0g/jHgqbx-7ELc/s72-c/cisco_subnet.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3753353151137774801</id><published>2008-02-11T16:28:00.000Z</published><updated>2008-02-11T16:31:13.989Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS FSCK'/><title type='text'>Upgrade Note</title><summary type='text'>This is taken straight out of the release notes, and it's definitely something you should be aware of at upgrade time: "The MARS Appliance performs a file system consistency check (fsck) on all disks when either of the following conditions is met: • If the system has not been rebooted during the past 180 days. • If the system has been 
rebooted 30 times.The fsck operation takes a long time to </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3753353151137774801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3753353151137774801' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3753353151137774801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3753353151137774801'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/02/upgrade-note.html' title='Upgrade Note'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-4388270838541629131</id><published>2008-02-08T10:04:00.001Z</published><updated>2008-02-08T10:22:54.971Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 4.3.3'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 5.3.3'/><title type='text'>4.3.3 and 5.3.3 Released</title><summary type='text'>Cisco have released Cisco MARS 4.3.3 for Gen1 appliances, and 5.3.3 code for Gen2 appliances.The release notes can be found here - 4.3.3 and 5.3.3I`m not sure why theres such a difference in the file sizes, seeing as the only difference is updated Wireless LAN Controller support in the 5.3.3 code.For both releases, enhanced device support is as follows...Enhanced Cisco Device Support:   –FWSM </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4388270838541629131/comments/default' title='Post 
Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4388270838541629131' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4388270838541629131'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4388270838541629131'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/02/433-and-533-released.html' title='4.3.3 and 5.3.3 Released'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/R6wpUhTNMOI/AAAAAAAAA0I/ryHAPI1wquw/s72-c/updates.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8941811152686968460</id><published>2008-02-04T11:30:00.001Z</published><updated>2008-02-04T11:42:04.093Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS Tips'/><title type='text'>Show Inventory</title><summary type='text'>Here a little tip, if you are using Gen 2 box, on a 5.x code.You need to get the serial number, for a license/TAC case etc, and its stuck in the rack, 3000 miles away.....There are 2 ways to get this, from the GUI, and from the CLI.From the CLI - If you SSH into the MARS box, and run a SHOW INVENTORY, you get the model number, whether its a local or global controller,  plus the Serial Number.[</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8941811152686968460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8941811152686968460' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8941811152686968460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8941811152686968460'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/02/show-inventory.html' title='Show Inventory'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/R6b5xhTNMNI/AAAAAAAAA0A/7MepjKy4WGc/s72-c/mars_serial.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1415114879039748</id><published>2008-01-18T11:51:00.000Z</published><updated>2008-01-18T12:14:44.104Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco IPS with MARS Part 3'/><title type='text'>Gen1 and 2 - Cisco IPS Part 3</title><summary type='text'>Okay Dokey, how do you add more than one Custom Signature at a time? This again is not documented, so I've experimented with a test box I have, and basically copied the format that the dynamic IPS updates use. Consider the example below: 2 Custom Sigs are in the XML file, one in RED and one in BLUE, with the remaining XML headers in bold. And this works fine. Troubleshooting: Now an important note to </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1415114879039748/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1415114879039748' 
title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1415114879039748'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1415114879039748'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/01/gen1-and-2-cisco-ips-part-3.html' title='Gen1 and 2 - Cisco IPS Part 3'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/R5CTaaC4uCI/AAAAAAAAAy4/JZzyXlnOqdw/s72-c/more_than_1.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3156030754077909700</id><published>2008-01-16T10:42:00.000Z</published><updated>2008-01-18T11:51:13.973Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Custom Signatures'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco IPS with MARS'/><title type='text'>Gen1 and 2 - Cisco IPS Part 2</title><summary type='text'>Following on from yesterdays article, i`m going to move onto adding Cisco IPS Custom Signatures into MARS.As you will probably already know, if you create a Custom IPS Sig, and this Signature is fired, with an alert to MARS, this will appear as an "Unknown Device Event Type"Why is this? 
Well simply put, MARS does not understand this Event, as its not defined in the MARS database, unlike all the </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3156030754077909700/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3156030754077909700' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3156030754077909700'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3156030754077909700'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/01/gen1-and-2-cisco-ips-part-2.html' title='Gen1 and 2 - Cisco IPS Part 2'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/R43fp6C4t3I/AAAAAAAAAxg/DZaoMj7e3jo/s72-c/unknown_event_type.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-2142576481938219665</id><published>2008-01-15T14:42:00.000Z</published><updated>2008-01-15T17:03:22.921Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco IPS with MARS'/><title type='text'>Gen2: Cisco IPS Features - Part 1</title><summary type='text'>One of the things i`m always asked is , what are the differences between then Gen1 and Gen2 appliances, as well as hardware changes?Well one difference, is the way that the MARS Box can integrate with Cisco IPS.If you are a Cisco IPS user, you will know, that you can Log IP packets associated with a Signature thats fired.You can view the 
trigger packets and IP log data associated with incidents </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/2142576481938219665/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=2142576481938219665' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2142576481938219665'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2142576481938219665'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/01/gen2-cisco-ips-features-part-1.html' title='Gen2: Cisco IPS Features - Part 1'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/R4zgZKC4tvI/AAAAAAAAAwk/As1OI1ysp5s/s72-c/rule.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7208375014621755208</id><published>2008-01-10T09:40:00.000Z</published><updated>2008-01-10T09:59:12.977Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='SAN Reading Room Paper'/><title type='text'>SANS Reading Room Paper</title><summary type='text'>I came across this paper below the other day, that`s worth a read to MARS newbies, in the SANS reading room.Entitled "Configuring and Tuning Cisco CS-MARS", this paper was produced by John Jarocki, for his GCIA Qualification.The paper is based on an older version of MARS, so note there have been some improvements like Dynamic IPS Updates since its creation.On another note, if you have something 
</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7208375014621755208/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7208375014621755208' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7208375014621755208'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7208375014621755208'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/01/sans-reading-room-paper.html' title='SANS Reading Room Paper'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/R4XqU6C4ttI/AAAAAAAAAwU/Tg-fLMjH9hk/s72-c/sans_rr.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-4918646893157479369</id><published>2008-01-06T20:29:00.000Z</published><updated>2008-01-06T21:12:21.200Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MARS Models EOL'/><title type='text'>End-of-Sale and End-of-Life</title><summary type='text'>Happy new year to you all.Some news that appeared mid Dec 07, if you have not seen this already..Cisco have announced the end-of-sale and end-of life dates for the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) models 100, 100e, 200, GCm, and GC.Full info available here.Ok following the trend of other blogs, my prediction for 2008! 
I predict Cisco MARS will get </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4918646893157479369/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4918646893157479369' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4918646893157479369'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4918646893157479369'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2008/01/end-of-sale-and-end-of-life.html' title='End-of-Sale and End-of-Life'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-233640908529424951</id><published>2007-12-12T22:17:00.000Z</published><updated>2007-12-12T22:26:43.845Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 4.3.2 / 5.3.2'/><title type='text'>4.3.2 / 5.3.2 Release</title><summary type='text'>As promised links to the release notes for MARS 4.3.2 for Gen1 and 5.3.2 for Gen2 appliances.Release Notes for Cisco Security MARS Appliance 4.3.2Release Notes for Cisco Security MARS Appliance 5.3.2 As mentioned the other day, the major difference between the 2 release codes, is Wireless Controller support in 5.3.2, but not 4.3.2."Cisco Secure MARS 5.3. 
x supports the collection, parsing, and </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/233640908529424951/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=233640908529424951' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/233640908529424951'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/233640908529424951'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/12/432-532-release.html' title='4.3.2 / 5.3.2 Release'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/R2Be10wiKfI/AAAAAAAAAwM/oVsrp9dM12I/s72-c/new_sigs.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7791413591008146541</id><published>2007-12-12T12:46:00.000Z</published><updated>2007-12-12T12:48:05.079Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='CS-MARS 4.3.2'/><title type='text'>MARS 4.3.2 and 5.3.2 Released</title><summary type='text'>CS-MARS Versions 4.3.2 and 5.3.2 have been released.More info on these, when the release notes are posted!</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7791413591008146541/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7791413591008146541' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7791413591008146541'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7791413591008146541'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/12/mars-432-and-532-released.html' title='MARS 4.3.2 and 5.3.2 Released'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/R1_YZkwiKeI/AAAAAAAAAwE/Zf0doKf5GnY/s72-c/4_3_2.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-4860766563517829150</id><published>2007-12-10T15:15:00.001Z</published><updated>2007-12-10T15:25:07.571Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='CS-MARS 5.3.2 Wireless Support'/><title type='text'>CS-MARS 5.3.2 Support for Wireless Controllers</title><summary type='text'>The ASK the expert forum has now finished, but you can still go over to the ASK the Expert Forums and read the posts. One that caught my eye was the question "will there be a native support for Cisco access-points in further releases?" And Gary Halleen's response: "Cisco access points will be supported through integration with the wireless controllers. 
This support comes in the 5.3.2 release, </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4860766563517829150/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4860766563517829150' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4860766563517829150'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4860766563517829150'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/12/cs-mars-532-support-for-wireless.html' title='CS-MARS 5.3.2 Support for Wireless Controllers'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/R11YKEwiKdI/AAAAAAAAAv8/hl-AFK2GBfo/s72-c/wireless_support.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-6836427111753384967</id><published>2007-11-29T11:13:00.000Z</published><updated>2007-11-29T11:19:50.229Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='CS-MARS Ask the Expert'/><title type='text'>New MARS Ask the Expert Discussion</title><summary type='text'>There is a new Net Pro, ask the Expert discussion, regarding the new features is MARS 4.3.1This is with Gary Halleen one of the authors of, the latest Cisco MARS Book.You can find this HERE.</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/6836427111753384967/comments/default' title='Post Comments'/><link rel='replies' 
type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=6836427111753384967' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6836427111753384967'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6836427111753384967'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/11/new-mars-ask-expert-discussion.html' title='New MARS Ask the Expert Discussion'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/R06fN5fSaBI/AAAAAAAAAv0/fuiDun_t0L0/s72-c/new_netpro_mars.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-4842430994649980135</id><published>2007-11-21T10:06:00.000Z</published><updated>2007-11-21T10:21:15.550Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='EIQNetworks'/><category scheme='http://www.blogger.com/atom/ns#' term='MARS Archive'/><category scheme='http://www.blogger.com/atom/ns#' term='SecureVue'/><title type='text'>Extending CS-MARS Forensics and Reporting</title><summary type='text'>You may have heard of products that can make use of the Cisco MARS Archive data. 
There are 3 I've heard of that can do this; one such product is SecureVue from EIQNetworks. eIQ SecureVue provides extended forensics and investigative search capabilities that allow Cisco Security MARS customers to quickly search volumes of archived log data collected across the enterprise. SecureVue processes Cisco </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4842430994649980135/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4842430994649980135' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4842430994649980135'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4842430994649980135'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/11/extending-cs-mars-forensics-and.html' title='Extending CS-MARS Forensics and Reporting'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/R0QGWpfSaAI/AAAAAAAAAvs/mE6Qvkh7Bb4/s72-c/eiq_integration.jpg' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7227741757264709633</id><published>2007-11-14T09:06:00.000Z</published><updated>2007-11-14T09:10:47.746Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Netflow Performance Analysis'/><title type='text'>Netflow Performance Analysis</title><summary type='text'>Thanks to Joe Harris' 6200 Networks Blog for a great link to Netflow Performance Analysis. "Although many Cisco 
customers want to deploy NetFlow services, they are naturally cautious about introducing new technology into their network without completely understanding the potential performance impact. This paper examines the CPU impact of enabling NetFlow services in various scenarios on several </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7227741757264709633/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7227741757264709633' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7227741757264709633'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7227741757264709633'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/11/netflow-performance-analysis.html' title='Netflow Performance Analysis'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7883083332180643379</id><published>2007-11-07T10:19:00.000Z</published><updated>2007-11-07T11:34:15.151Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS IPS 6 Dynamic Updates'/><title type='text'>MARS Cisco IPS 6 Dynamic Updates</title><summary type='text'>Beginning in 4.3.1 and 5.3.1, MARS can discover new Cisco IPS signatures and correctly process and categorize received events that match those signatures.Note, the Dynamic IPS Update feature is not enabled by default, and has to be configured as pictured above. Now there are two ways to get the updates. 
One is automatically (via a schedule) from Cisco, where a valid username and password is </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7883083332180643379/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7883083332180643379' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7883083332180643379'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7883083332180643379'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/11/mars-cisco-ips-6-dynamic-updates.html' title='MARS Cisco IPS 6 Dynamic Updates'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/RzGacXjbZrI/AAAAAAAAAts/5ghHVJ5bnB4/s72-c/ips_update_settings.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-3627038653071639892</id><published>2007-11-02T17:29:00.001Z</published><updated>2007-11-02T21:40:05.701Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Book Review LAN Switch Security'/><title type='text'>Book Review: LAN Switch Security</title><summary type='text'>Title: LAN Switch Security: What Hackers Know About Your SwitchesAuthors: Eric Vyncke and Christopher PaggenPublisher: Cisco PressQuote "Contrary to popular belief, Ethernet switches are not inherently secure. 
Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/3627038653071639892/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=3627038653071639892' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3627038653071639892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/3627038653071639892'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/11/book-review-lan-switch-security.html' title='Book Review: LAN Switch Security'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/RyuWtnjbZqI/AAAAAAAAAtk/tbnEKEZCXpM/s72-c/what_hackers.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1944129796872047099</id><published>2007-10-25T15:32:00.000Z</published><updated>2007-10-25T16:21:21.999Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='CS-MARS Unlock'/><title type='text'>Unlocking User Accounts via the CLI</title><summary type='text'>As promised, a short article on unlocking user accounts via the CLI. MARS 4.3.1 introduced the new AAA features. For both Local and AAA authentication methods, if enabled, GUI access is locked for an account upon login failure, which occurs when a specified number 
of incorrect password entries are made for a single login name.Now an important thing to note. The administrator GUI access can be locked</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1944129796872047099/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1944129796872047099' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1944129796872047099'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1944129796872047099'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/10/unlocking-user-accounts-via-cli.html' title='Unlocking User Accounts via the CLI'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ohceiKUYGG8/RyC_v3jbZjI/AAAAAAAAAss/Yj9B_IGIZ8A/s72-c/unlock_all.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-2723026638528701236</id><published>2007-10-09T14:33:00.000Z</published><updated>2007-10-09T16:35:25.104Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='CS-MARS AAA with Microsoft IAS Server'/><title type='text'>MARS AAA with Microsoft IAS</title><summary type='text'>I was going to do a write up on configuring the new MARS 4.3.1 AAA authentication feature with Cisco ACS.But to be honest, there is a great write up in the official MARS documentation on doing just that, so in this article i`ll show you how to configure AAA with Microsoft IAS Server, for those of 
you who dont own an ACS Box.We'll use Microsoft IAS, and if you dont know, this is the Microsoft </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/2723026638528701236/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=2723026638528701236' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2723026638528701236'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/2723026638528701236'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/10/mars-aaa-with-microsoft-ias.html' title='MARS AAA with Microsoft IAS'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/RwuTPLeJC_I/AAAAAAAAAo0/gIIEVXmtc60/s72-c/IAS.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-4408536431045956717</id><published>2007-10-02T08:43:00.000Z</published><updated>2007-10-02T21:20:29.604Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='642-544'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS Exam'/><title type='text'>642-544 cisco MARS Exam</title><summary type='text'>I get a lot of visitors to the Blog via the keyword 642-544, so I thought i`d give the new MARS exam another mention.The MARS exam is part of the Cisco CCSP Certification Track, and there are a couple of training courses available in the official Instructor Led Course or 3rd Party Hands On Real World Training 
Course by Priveon.There are also two books available, Security Threat Mitigation and </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4408536431045956717/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4408536431045956717' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4408536431045956717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4408536431045956717'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/10/642-544-cisco-mars-exam.html' title='642-544 cisco MARS Exam'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/RwIFBbeJC2I/AAAAAAAAAns/69COB2fMC40/s72-c/mars_exam.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7550227418863624538</id><published>2007-10-01T10:10:00.001Z</published><updated>2007-10-01T10:20:03.325Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='IronPort Seminar'/><title type='text'>UK Email and Web Security Seminars</title><summary type='text'>For readers in the UK, there are still some limited spaces available, this week and next, at a Cisco/Ironport Email and Web Security event."Satisnet in conjunction with Cisco invite you to a seminar aimed at educating you on the Ironport solutions and how they can save you time and money in terms of managing your messaging and web environment and enabling sophisticated secure 
business messaging </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7550227418863624538/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7550227418863624538' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7550227418863624538'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7550227418863624538'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/10/uk-email-and-web-security-seminars.html' title='UK Email and Web Security Seminars'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/RwDHtreJC1I/AAAAAAAAAnk/9-JGaWceSgk/s72-c/ironport.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-1630851848503963606</id><published>2007-09-27T10:08:00.000Z</published><updated>2007-09-27T10:18:49.521Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='CS-MARS 4.3.1'/><title type='text'>Cisco MARS 4.3.1 Now Available</title><summary type='text'>Cisco MARS 4.3.1 is now available (and 5.3.1 for Gen2).There are some great new features, briefly mentioned below...Data Migration Support   Beginning with this release, you can migrate configuration and event data from a MARS Appliance running 4.x to a newer model running 5.x.Centralized Password Management—External AAA Server Support   External Authentication, Authorization, and Auditing (AAA) </summary><link rel='replies' 
type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/1630851848503963606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=1630851848503963606' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1630851848503963606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/1630851848503963606'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/09/cisco-mars-431-now-available.html' title='Cisco MARS 4.3.1 Now Available'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_ohceiKUYGG8/RvuCfLeJC0I/AAAAAAAAAnc/axyoEgLGLa0/s72-c/4_3_1_sigs.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-7208431527364687020</id><published>2007-09-26T08:16:00.000Z</published><updated>2007-09-26T09:08:40.196Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Guard and Detector Custom Parser'/><title type='text'>Guard &amp; Detector Custom Parser</title><summary type='text'>As promised an example Custom Parser for the impressive Cisco Guard &amp; Detector.Like any Cisco device, these appliances or Catalyst 6500 Modules can produce syslog. 
And since these devices are not on the MARS supported Device list, a Custom Parser was needed for MARS to understand the incoming syslog and convert it to Events. I created a few Log Parser Templates for a section of Guard Events, </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/7208431527364687020/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=7208431527364687020' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7208431527364687020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/7208431527364687020'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/09/guard-detector-custom-parser.html' title='Guard &amp; Detector Custom Parser'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ohceiKUYGG8/RvoWS7eJCrI/AAAAAAAAAmU/A2HKiek4qMk/s72-c/New+Picture+%282%29.bmp' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8791868342766902830</id><published>2007-09-24T16:36:00.000Z</published><updated>2007-09-24T16:43:16.725Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='CS-MARS Guard and Detector'/><title type='text'>Cisco Guard and Detector</title><summary type='text'>Apologies for the lack of updates, I've been working away on a DDOS project utilizing the Cisco Guard and Detector. These appliances (or Cat 6500 Modules) are based upon the patented Multi-Verification Process (MVP) 
architecture.This MVP architecture enables the Cisco Guard and Cisco Traffic Anomaly Detector to leverage the latest analysis and attack recognition techniques to detect and remove </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8791868342766902830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8791868342766902830' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8791868342766902830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8791868342766902830'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/09/cisco-guard-and-detector.html' title='Cisco Guard and Detector'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ohceiKUYGG8/Rvfn4reJCmI/AAAAAAAAAls/l_qmYKM6teA/s72-c/DDOS_Graph.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-4168367846344492588</id><published>2007-09-02T20:58:00.000Z</published><updated>2007-09-02T21:10:03.807Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco MARS 4.2.8'/><title type='text'>MARS 4.2.8 Released</title><summary type='text'>Sorry for no new posts over the last 2 weeks, (and appologies if you have emailed, and had no reply)  i`ve been on Hols to Greece and Turkey.Old news now, but MARS 4.2.8 was released whilst I was away.Release notes for Cisco Security MARS Appliance 4.2.8 are available Here.</summary><link 
rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4168367846344492588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4168367846344492588' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4168367846344492588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4168367846344492588'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/09/mars-428-released.html' title='MARS 4.2.8 Released'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/RtslgLoIquI/AAAAAAAAAkk/-Ppxw-a3Pnk/s72-c/4_2_8_sigs.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-4091035959743362062</id><published>2007-08-16T16:02:00.000Z</published><updated>2007-08-16T16:59:35.607Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Trend Micro DCS integration with MARS'/><title type='text'>New Trend Micro DCS MARS Integration</title><summary type='text'>Trend Micro have come up with a new Integration for Cisco MARS, utilising their own Damage Cleanup Services. Quote "Trend Micro Damage Cleanup Service extends the capability of MARS not just to notify administrators of worm and spyware incidents but to also perform remediation action automatically within seconds after the incident has been identified by MARS. 
After DCS server completed its </summary><link rel='enclosure' type='video/mp4' href='http://www.blogger.com/video-play.mp4?contentId=ce4699b26afe1bb5&amp;type=video%2Fmp4' length='0'/><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/4091035959743362062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=4091035959743362062' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4091035959743362062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/4091035959743362062'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/08/new-trend-micro-dcs-mars-integration.html' title='New Trend Micro DCS MARS Integration'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/RsR1VboIqqI/AAAAAAAAAkE/Z9FnjF9PTnc/s72-c/DCS_Title.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-8233588221901455218</id><published>2007-08-07T15:39:00.000Z</published><updated>2007-08-07T15:48:42.984Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco NAC Appliance Custom Parser'/><title type='text'>NAC Appliance Custom Parser</title><summary type='text'>The NAC Appliance Custom Parser has been available in the User Group for a while now. I`ve finally found the time to set this up for myself (and not a customer!) 
in the test lab, so I can produce a demo. It's really simple to set up, but give yourself a couple of hours, as there are over 60 templates to define. Once done, MARS can then understand the raw event messages coming in from the Clean Access</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/8233588221901455218/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=8233588221901455218' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8233588221901455218'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/8233588221901455218'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/08/nac-appliance-custom-parser.html' title='NAC Appliance Custom Parser'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_ohceiKUYGG8/RriS2vxMFOI/AAAAAAAAAjM/PrNMekBhHZs/s72-c/nac_custom_parser.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-6675753028306608479</id><published>2007-08-05T20:41:00.000Z</published><updated>2007-08-05T21:23:58.274Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Security MARS'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco Book Review'/><title type='text'>Book Review: Cisco Security MARS</title><summary type='text'>Title: Security Monitoring with Cisco Security MARS. Authors: Gary Halleen and Greg Kellogg. Publisher: Cisco Press. Quote "Security Monitoring 
with Cisco Security MARS helps you plan a MARS deployment and learn the installation and administration tasks you can expect to face."Top marks from me, for this book, and not just because i try to beg/borrow content for the Blog from the Authors!You may think </summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/6675753028306608479/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=6675753028306608479' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6675753028306608479'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6675753028306608479'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/08/book-review-cisco-security-mars.html' title='Book Review: Cisco Security MARS'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_ohceiKUYGG8/RrY3N_xMFMI/AAAAAAAAAi8/Y_nFKi0_-4A/s72-c/new_mars_book.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-34995790.post-6783261041994986809</id><published>2007-08-02T21:36:00.000Z</published><updated>2007-08-02T21:38:48.752Z</updated><title type='text'>MARS Exam delayed</title><summary type='text'>Good job I didnt wait for the MARS exam for my recertification.This has been put back to the 15th August 2007.</summary><link rel='replies' type='application/atom+xml' href='http://ciscomars.blogspot.com/feeds/6783261041994986809/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=34995790&amp;postID=6783261041994986809' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6783261041994986809'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/34995790/posts/default/6783261041994986809'/><link rel='alternate' type='text/html' href='http://ciscomars.blogspot.com/2007/08/mars-exam-delayed.html' title='MARS Exam delayed'/><author><name>Chris Durkin</name><uri>http://www.blogger.com/profile/08997829845892677696</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://photos1.blogger.com/blogger/1832/3885/1600/blackhat.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_ohceiKUYGG8/RrJOdfxMFLI/AAAAAAAAAi0/iRVrbuazzoU/s72-c/mars_exam.jpg' height='72' width='72'/><thr:total>0</thr:total></entry></feed>
