Mike from New York has another great MARS blog on Blogger, entitled
"CS-MARS and All Things Security at Cisco".
Check it out...
http://cs-mars.blogspot.com/
Thursday, September 28, 2006
Tuesday, September 26, 2006
MARS Incident Views
MARS 4.2.2 Now Available
The following changes and enhancements exist in 4.2.2:
•Support for Firewall Services Module 3.1.
•Performance Improvements for Windows and Cisco IPS Log Processing.
•Enhanced Topology Synchronization between Global and Local Controllers.
•Enhanced Result Format Display for the Custom Column Query. A query with a Custom Columns result format can now display up to 100,000 results.
New Vendor Signatures
Monday, September 25, 2006
Cisco Marketing MARS Demo available on Cisco.com
If your boss is still unsure what MARS is...
http://www.cisco.com/cdc_content_elements/flash/security_mars/demo.htm
Viewing Raw Data in Real-Time
Another question I get asked is "How can I view the raw data coming into my MARS appliance for a certain device?"
Well, this is easy to configure via a Query.
1) First, select a device to monitor on the Query screen.
2) Next, edit the Query Type and select the Result Format: "All Matching Event Raw Messages".
3) Finally, select "Real Time": Raw Events.
Now, when we submit, we can watch in real time all the raw events arriving from the selected device or devices.
Quite a cool feature, I think!
1st Cisco MARS Book Available
Cisco Press are about to release the first book on the Cisco MARS product.
Entitled: Security Threat Mitigation and Response: Understanding Cisco Security MARS
This book is by Dale Tesch & Greg Abelar, and stuffed with 400 pages.
ISBN-10: 1-58705-260-1
An example chapter is available here...
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052601&rl=1
Cisco MARS Video Demos on the Web
This website has some useful Cisco MARS video demos, for those intrigued by what the MARS product is all about.
www.demolabs.co.uk/csmars.html
Thanks to the guys at UK MARS integrator Satisnet for this.
Importing 3rd Party Vulnerability Data into MARS
I have been asked quite a few times in my job as a Security Consultant, "Can MARS make use of my existing Qualys or Foundstone appliance?"
Well, yes: we can grab all the information that the 3rd party vulnerability scanner knows about your network and import it into the MARS database.
As you may already know, MARS has a built-in Nessus scanner, and will (optionally) use this for false positive analysis on incidents.
But using your existing VA will also add value, and save you time in manually configuring the OS and services running on your assets.
See below...
Cisco MARS Starts Here!
Welcome to my Blog for the superb Cisco MARS (Monitoring, Analysis and Response System) Appliance.
Be sure to visit often, for a whole range of information on the MARS product.
I hope to create a site full of real-world integrations, how-tos and demonstrations, to get the most out of your investment in MARS.
Any questions or ideas, please get in touch.