Tuesday, June 24, 2008

The Cisco Learning Network Launched


Cisco has launched the new Cisco Learning Network, a new online community for Cisco learning professionals looking for training and support on the various Cisco qualifications and technologies.

Sign up for an account and you gain access to short CBT-style training segments, PDF documents, discussions, career advice, certification information, plus much more.

In relation to Cisco MARS, on the site you will find two or three great training segments, or Quick Learning Modules as Cisco calls them, as shown below...


In more detail...


I'd recommend you go and check them out!


Friday, June 13, 2008

Cisco MARS 4.3.5 and 5.3.5 Out Now

Apologies for the lack of posts recently; I've been overloaded with PIX/VPN3000 to ASA migrations and Cisco Security Manager jobs.

Anyhow, Cisco have just released MARS 4.3.5 and 5.3.5, so what's new?

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in 4.3.5:

• Update to intrusion prevention, intrusion detection, and vulnerability assessment signature sets.

• Bug fixes. For the list of resolved issues, see Resolved Caveats - Release 4.3.5.

You can view the Release notes for 4.3.5 HERE, and 5.3.5 HERE.

Friday, May 16, 2008

New Cisco NetPro Forum

Cisco have introduced a new section dedicated to MARS on the NetPro Forums on Cisco.com.



"Welcome to the Cisco Networking Professionals Cisco Security MARS Forum. This conversation will provide you the opportunity to discuss the product, solutions and issues surrounding Cisco Security MARS deployments, maintenance and integration. We encourage everyone to share their knowledge and start conversations about topics involving the Cisco Security MARS. Remember, just like in the workplace, be courteous to your fellow forum participants. Please refrain from using disparaging or obscene language or posting advertisements. We encourage you to tell your fellow networking professionals about the site. Dan Bruhn NetPro Community Manager"

You can link straight to the forum HERE.


Wednesday, May 07, 2008

MARS 20, 20R and 50 EOL Announced

"Cisco® announces the end-of-sale and end-of life dates for the Cisco Security Monitoring, Analysis and Response System (MARS) 20R/20/50 Appliances. The last day to order the affected product(s) is July 31, 2008."

Full details of this announcement can be found here.

Thursday, April 17, 2008

Cisco MARS 4.3.4 and 5.3.4 Out Now

Cisco MARS versions 4.3.4 for Gen1 appliances and 5.3.4 for Gen2 appliances have just been released.

You can find the release notes for 4.3.4 and 5.3.4 here.

New Features

As mentioned in an earlier post, the CSM 3.2 video I created on Demolabs was done with 5.3.4 beta code; these features are now possible!

Improved CSM-MARS Linkage. "With Security Manager 3.2 and MARS 4.3.4 and 5.3.4, you can modify access rules generating the MARS event seamlessly from the read-only policy table popup window, which displays all rules associated with an event, by clicking the highlighted access rule number without starting Security Manager separately. Similarly, you can navigate to the signature summary table in Security Manager from MARS events associated with IPS sensors and IOS IPS devices and alter the signature properties. This feature enables you to map a syslog message to the policy that triggered that message and modify it simultaneously, thereby reducing time spent configuring and troubleshooting access rules in large or complex networks.

Additional improved support includes:

Support for MARS to launch CSM and authenticate using stored login credentials.

Improved support for firewall and IPS policy rule lookups.

From Policy Query, you can edit a signature on an event or define a filter on the CSM device to perform device-side tuning.

Edit IPS signatures that fired an inspection rule."

Improved Global Controller-Local Controller Group Synchronization. "In the x.3.4 releases, MARS changes how source and destination information found in Global Controller rules is shared with managed Local Controllers. (This change is in support of CSCse03237: Changes made to GC network groups are not propagated to active LC rules.) "

Update to intrusion prevention, intrusion detection, and vulnerability assessment signature sets.

And of course the usual bug fixes.

Tuesday, April 08, 2008

Cisco MARS 6.0

Cisco yesterday released a bulletin and datasheet for the forthcoming Cisco MARS version 6.0.

You can find the Bulletin HERE, and the Datasheet HERE.

It looks like there are going to be some great new features; I'll look forward to it!

"Cisco Security MARS Release 6.0 will be included in all appliances purchased beginning approximately August 2008. Current Cisco Security MARS customers who have valid Cisco SMARTnet® Service contracts when released can also download the release at the Cisco Software Center."

"New Features
Cisco Security MARS Release 6.0 enhancements make Cisco Security MARS more open, with the ability to use the greater Cisco Security MARS community to improve security device support. Some enhancements include:
Cisco Security MARS device support framework: Framework to add velocity and flexibility to the Cisco Security MARS system, allowing faster, more flexible, and more scalable security device log support for existing and new Cisco and third-party vendor devices.
Support for the ASA 5580: MARS becomes the first Security Threat Management appliance to be capable of accepting logs from high output devices such as the ASA 5580.
Cisco Security MARS forum on NetPro: Community enablement for Cisco Security MARS users, partners, and third-party vendors interested in discussing, sharing, and rating Cisco Security MARS device support packages.
Cisco IPS Sensor Software Version 6.0 rules and report enhancements: Native support of IPS risk rating, threat rating, and virtual sensor in Cisco Security MARS will competitively differentiate the Cisco IPS and Cisco Security MARS value proposition by enabling Cisco Security MARS to further refine IPS event data to more effectively define threat detection and attack fidelity of the incident. "

And a sneak peek at the new supported devices looks interesting...

Friday, April 04, 2008

New MARS and CSM 3.2 Linkages

Some of you may have noticed Cisco Security Manager 3.2 was released at the end of March.

Now I managed to get hold of a beta of this earlier in the year, as there are some great new MARS linkages. I also produced a demo, which can be seen HERE, for a seminar in London. (I'll add the version with sound next week.)


I'm not completely sure what will work today, as I created the demo using an early MARS 5.3.4 beta, but the datasheets on Cisco.com for CSM, which I have quoted below, give further info.

So what's new?

IPS Configuration
"Cross-collaboration with Cisco Security MARS enables event/anomaly investigation with immediate insight into policy deployment changes. This collaboration enables policy launching of historic and real-time events, encouraging tighter collaboration between network operations and security operations teams while keeping Cisco Security Manager policies in band. Insight and cross-collaboration decreases event investigation and troubleshooting, thus speeding resolution time. Cisco Security Manager and Cisco Security MARS collaboration enables interactive IPS event action filter creation, thus reducing your network's vulnerability exposure." - Source CSM 3.2 Datasheet


Enhanced Cisco Security Manager and MARS integration
– Ability to select syslog messages collected by Cisco Security MARS and launch to that specific rule in the Cisco Security Manager that generated the syslog
– Ability to select a rule in Cisco Security Manager and view historic or real-time syslog messages in Cisco Security MARS
– Ability to select an IPS signature in Cisco Security Manager and view historical or real-time events processed by Cisco Security MARS
– Ability to view IPS events in Cisco Security MARS and launch to that specific IPS signature in Cisco Security Manager. - Source CSM3.2 Bulletin

Finally, some screenshots from the datasheet...


Friday, March 28, 2008

Custom IPS Signature Events

In Part 3 of the Cisco IPS Custom Signatures article, after a discussion with someone I can't remember, I made the following statement...

"An important note to remember is that once you define a Custom IPS sig, this cannot be deleted, but can be overwritten."

Now this is not strictly true, as I have found whilst doing some custom parser work. When defining event parsers I noticed that an event was in the list (Confidential File.....), from a Cisco IPS custom signature I imported a while back...

Now events here can be deleted, so I thought I'd try it...


Sure enough, the custom IPS signature event was listed, with the Cisco IPS custom sig ID of 60000/0, and the groups and inspection rules it belongs to. So I went ahead and deleted it.

Now I did a quick check on the Custom IPS Signature upload page, to see if anything untoward had happened here...


And I also checked whether or not the event had actually gone. A quick search of events for device Cisco IPS 6.x showed it had indeed been deleted.

Great stuff. So, to be sure, I uploaded a second custom parser event...

And sure enough, the event appeared under the Custom Parser Event Types, and thus can be edited slightly like any custom parser event (the description is edited below).
And these changes do stick, as a quick event query for Cisco IPS 6.x events shows.


NB: These are my own findings, and to my knowledge this is not in the MARS User Guide. So before you go deleting events as above, I'd check with TAC that you are not going to explode your MARS box or anything :-)

Tuesday, March 25, 2008

Custom Parsing Gotcha


I'm in the process of finishing a custom parser to share with the user group. Have a look at the image above: everything looks fine, the message has been successfully parsed.

But on closer inspection, the matched strings and parsed strings for the source and destination addresses are different.

Why is this? Well, in this particular case, the device sending the syslog to MARS was zero-padding the IP addresses in its syslog messages, so an address of 10.10.10.10 would appear as 010.010.010.010. Cisco MARS then treated the leading-zero octets as octal numbers (so 010 is read as 8, not 10), which is why the parsed address differs from the matched string.

"Octal numerals can be made from binary numerals by grouping consecutive digits into groups of three (starting from the right). For example, the binary representation for decimal 74 is 1001010, which groups into 001 001 010 — so the octal representation is 112." - http://en.wikipedia.org/wiki/Octal

All is not lost though, as it is possible to include a regex to eliminate the leading zeros. In my case the solution was a little simpler: luckily the appliance I was creating the parser for had an option to disable zero-padded IP addresses in its syslog. :-)
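To make the gotcha concrete, here is an added Python example (my own code, not MARS's parser and not from the original post). It runs a constructed, zero-padded syslog line through two decoders: one that mimics the C-style "leading zero means octal" reading the post describes, reproducing the matched-vs-parsed mismatch, and one that applies the regex fix to strip the padding before the address is interpreted. The log line, hostname, field names and addresses are all made up for the example.

```python
import re

# Constructed sample syslog line, not taken from the original post. The
# sending device zero-pads every octet to three digits, as described above.
SAMPLE_LINE = ("<134>Mar 25 10:15:02 fw01 CONN: src=010.010.010.010 "
               "dst=192.168.001.020 action=allow")

# One regex field for a zero-padded or plain dotted-quad address.
DOTTED_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
KV_RE = re.compile(rf"src=(?P<src>{DOTTED_QUAD}) dst=(?P<dst>{DOTTED_QUAD})")


def octal_style_octet(text):
    """Read one octet the way a C strtol(base 0)/inet_aton-style parser does:
    a leading '0' switches the octet to octal, so '010' becomes 8.
    This models the behaviour the post reports in MARS; it is not MARS code.
    Returns None for an octet that is not valid in the selected base
    (for example '008', which has no octal meaning)."""
    try:
        if len(text) > 1 and text.startswith("0"):
            return int(text, 8)
        return int(text, 10)
    except ValueError:
        return None


def parse_ip_octal_style(dotted):
    """Decode a dotted quad octal-style; None if any octet is invalid."""
    octets = [octal_style_octet(o) for o in dotted.split(".")]
    if any(o is None or o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def strip_leading_zeros(dotted):
    """The regex fix: drop zero-padding from each octet so the downstream
    parser only ever sees plain decimal. The lookahead keeps a lone '0'."""
    return re.sub(r"\b0+(?=\d)", "", dotted)


def extract_addresses(line, normalise=True):
    """Pull src/dst out of a CONN line. With normalise=True the addresses are
    de-padded first (the fix); with normalise=False they are decoded
    octal-style, reproducing the mismatch seen in the MARS parser test."""
    m = KV_RE.search(line)
    if not m:
        return None
    fix = strip_leading_zeros if normalise else parse_ip_octal_style
    return {name: fix(value) for name, value in m.groupdict().items()}


if __name__ == "__main__":
    print("matched strings :", KV_RE.search(SAMPLE_LINE).groupdict())
    print("octal-style read:", extract_addresses(SAMPLE_LINE, normalise=False))
    print("after regex fix :", extract_addresses(SAMPLE_LINE))
```

The octal-style reading turns 010.010.010.010 into 8.8.8.8 and 192.168.001.020 into 192.168.1.16, which is exactly the kind of silent address mismatch that would make incidents point at the wrong hosts; stripping the padding before interpretation gives 10.10.10.10 and 192.168.1.20.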




Friday, March 14, 2008

Firewall Issues

Sometimes I get asked about the rule "System Rule: Operational Issue: Firewall", and what kinds of events would trigger it.

"This rule detects operational errors (e.g. bad network connectivity, failover errors, internal software/hardware errors) reported by a firewall - this may indicate that the firewall is not functioning properly."


Well, one such event is "URL Server not responding".


In this example the customer was running Websense for their URL filtering, and basically the server died, hence the following rule fired. The incident includes the IP of the filtering device, in this case an ASA, and the filtering server IP.


Now in that particular case, Internet access would cease to function for everyone configured to be assessed via the filtering service (the default action), so you would probably be aware something was amiss on the network.

But with the Cisco PIX/ASA, there are some other options that can be configured in the event of the URL filtering solution failing.

We can configure "Allow outbound HTTP traffic when URL Server is down", which is great for keeping Internet access going, but not so great in that users can then access any malware-ridden site they please.

So another event to look out for is "URL Server not responding, ENTERING ALLOW mode".
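As an added example (my own code, not from the original post or from Cisco), here is a small Python detector that runs over constructed ASA-style syslog lines, separates a plain "URL Server not responding" operational issue from the fail-open "ENTERING ALLOW mode" transition, and measures how long the firewall stayed in allow mode. The hostname, server IP and timestamps are made up, and the six-digit message IDs in the sample are placeholders I chose; the matching keys on the message text quoted above rather than on those IDs.

```python
import re
from datetime import datetime

# Constructed ASA-style syslog lines (not from the original post). The numeric
# message IDs are placeholders chosen for this example; detection below keys
# on the message text, not on the IDs.
SAMPLE_LOG = """\
<163>Mar 14 09:01:12 asa-edge %ASA-3-304006: URL Server 10.1.1.5 not responding
<163>Mar 14 09:01:13 asa-edge %ASA-3-304006: URL Server 10.1.1.5 not responding
<162>Mar 14 09:01:45 asa-edge %ASA-2-304007: URL Server 10.1.1.5 not responding, ENTERING ALLOW mode.
<166>Mar 14 09:02:00 asa-edge %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/80 to inside:10.10.20.7/51234
<165>Mar 14 09:07:30 asa-edge %ASA-5-304008: LEAVING ALLOW mode, URL Server is up.
"""

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?:ASA|PIX)-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$")

# Order matters: the ALLOW-mode message also contains "not responding",
# so the more specific (and more serious) pattern is tried first.
PATTERNS = [
    ("url_filter_fail_open",
     re.compile(r"URL Server (?P<server>\S+) not responding, ENTERING ALLOW mode")),
    ("url_server_down",
     re.compile(r"URL Server (?P<server>\S+) not responding")),
    ("url_filter_recovered",
     re.compile(r"LEAVING ALLOW mode, URL Server is up")),
]


def parse_syslog_line(line):
    """Split one ASA/PIX syslog line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # No year in the timestamp; strptime defaults it, which is fine for deltas.
    fields["time"] = datetime.strptime(fields.pop("ts"), "%b %d %H:%M:%S")
    return fields


def classify(event):
    """Return (finding name, URL server IP) or (None, None) for other messages."""
    for name, pattern in PATTERNS:
        m = pattern.search(event["msg"])
        if m:
            return name, m.groupdict().get("server")
    return None, None


def analyse(log_text):
    """Run the classifier over a block of log text and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        event = parse_syslog_line(raw)
        if event is None:
            continue
        kind, server = classify(event)
        if kind:
            findings.append({"time": event["time"], "host": event["host"],
                             "kind": kind, "server": server})
    return findings


def fail_open_seconds(findings):
    """Total seconds spent in ALLOW mode and whether the firewall is still
    open at the end of the log (an open-ended window is the worst case)."""
    total, start = 0.0, None
    for f in findings:
        if f["kind"] == "url_filter_fail_open":
            start = f["time"]
        elif f["kind"] == "url_filter_recovered" and start is not None:
            total += (f["time"] - start).total_seconds()
            start = None
    return total, start is not None


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f["time"].strftime("%H:%M:%S"), f["host"], f["kind"], f["server"])
    print("seconds unfiltered, still open:", fail_open_seconds(found))
```

The point of splitting the two findings is that "URL Server not responding" on its own means an outage users will report, while "ENTERING ALLOW mode" means the firewall is silently passing unfiltered HTTP, which nobody will report and which deserves a higher-priority alert. On the PIX/ASA CLI the ASDM checkbox quoted above corresponds to the `allow` keyword on the `filter url` command, so the hardened alternative is simply to leave that keyword off and accept the outage.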