I`ve been asked on many occasions, where does MARS decide on what Severity an Incident is?
Well this is down to many factors, i`ll explain more….
When an Incident is created, its classified by one of the three colours above. For the System Firing Rules this cannot be altered.
MARS matches every raw message it receives into an Event Type.
And as can be seen above, many different reporting devices will report this same device event type. So MARS effectively knows that for MARS Event X, different vendors will report IDS/IPS Signature Y, Alert Z and so forth.
Now MARS will also group different Events it understands into Groups, which makes creating Rules a lot easier.
Selecting Management/Event Management gives you the ability to view what Events MARS understands out the box, and what Groups those events belong to.
Now you will find, vendors usually provide an event severity within the syslog, and as can be seen below, for the Particular MARS event: NetBIOS OOB DoS (WinNuke), multiple devices can report this to MARS. But MARS categorizes this event as a High (Red) Severity, but ISS Real Secure categorizes this event as Medium.
Hence when MARS sees this event, irrespective of who reported it, its RED.
So we know how MARS categories the Events, but how do Incidents get their Severity?
Well this is down to the RULE.
Consider the following Incident…
The RULE that fired was the
System Rule: Server Attack: Database – Attempt.
This Incident`s Severity is RED.
How was this decided? Well we need to inspect the RULE to discover this.
If we look closely we can see the RULE is built from 3 conditions. Condition 1 FOLLOWED-BY Condition 2, OR Condition 3.
Looking at the Incident data, we can see Offset 3 “fired”.
See a condensed version below…
So for Offset 3, the Event “Microsoft SQL Server Resolution Service Stack Overflow”, is part of the “Penetrate/BufferOverflow/DB” Event Type Group, from “ANY” device, and with a Severity of “ANY”.
Looking at the particular Event, that matched this RULE…
We see that this is a High Severity Event. (RED).
Therefore the Incident Created is RED.
Similarly, as a basic example the custom parser for the XP firewall that I created for the User Group. The Built/Teardown connections were set as severity “Green”.
When the System Rule: Client Exploit: Sysbug Trojan rule was fired, when client traffic on TCP Port 5555 was fired, you can see again, it was Offset 3 that matched the traffic, and the corresponding Event was a Green Event, and therefore the Incident Severity was set as “Green”. Hopefully your IPS sensor would have picked up this trojan, well before then!
So that’s an important factor to take into consideration when configuring Custom Parsers for your Events.
Now not all RULES are configured to match on ANY Severity. Some rules are more tightly configured, as to what Events to fire on.
Consider the RULE below…
This particular rule for Resource Issue: Network Device, only looks for RED or YELLOW severity Events reported by Devices.
Now what happens when a rule has multiple conditions, like the one below Password Attack: SNMP – Success Likely?
There are basically 4 Offsets, with a match on 1 FOLLOWED-BY 2, OR 3 FOLLOWED-BY 4.
Now what if the Event Severity of Offset 1 is Green, and the Event Severity of Offset 2 is Yellow?
MARS will basically create the Incident as “YELLOW”, as this is the “Highest” Event Severity.
Also important to note that if the reporting device attached no severity to the Event, then MARS will classify that as “GREEN”.
Similarly, if an Incident has correlated multiple reporting devices, with multiple Event types matched, then again the most “Severe” is selected for the Incident Severity.
As a further note, you can select the Severity when working with CASES.
I hope this gives you a better understanding of the severity of Incidents.
Quote from Cisco.com
Posts
