Tipping Point with MARS

Ok, MARS supports a number of different IDS/IPS vendors, out the box, including Netscreen, Symantec, ISS, Snort,Dragon and McAfee and obviously the Cisco IPS Range.

Now if you were a member of the MARS User Group, you would know, its no secret, but you can also get Tipping Point IPS Sensors to work with MARS also.

And here is the trick, Tipping Points Security Management System (SMS), can send syslog in Snort format.

Now your not going to get zero-day updates to the known signatures (or Digital Vaccines in Tipping Point Terminology), as you would with Cisco IPS, as MARS 5.3.3 (latest) only knows about snort signatures upto Dec 2007.

But it can be done. As i just briefly mentioned, you configure the Tipping Points Security Management System (SMS), to send syslog in Snort format. This is documented in the SMS User Guide...

And add the Tipping Point box to MARS as a Snort Device...

And as we would expect, we can then get alerts that appear in the SMS console, to be (mostly) recognised in the MARS GUI.

As we can see from a Raw Message Query, Tipping Point Events, are being recognised by MARS.

And Incidents are created..

And looking at the Tipping Point Raw Message, funny enough its in Snort format!

But, as i mentioned earlier, it will not recognise "newer" Digital Vaccines, or snort alerts beyond Dec 2007, in the current MARS release.

So a Session query, shows some "Unknown Device Event Type"

And a Raw Message Query, shows that its down to a PHP Exploit, that MARS did not understand from the Tipping Point/Snort syslog.

Network World’s 20 Useful Sites for Cisco Networking Professionals

This morning I was honoured to find out, that i am featured in Network World`s 20 useful sites for Cisco networking professionals.

Quote "If you're studying for Cisco exams and just about to tear your hair out, don't fret, there are many others in the same position, and many of them are writing up their experiences in their blogs and passing along hints and tips. Even if you're a CCIE pro, there's always room for personal improvement and expansion. With that in mind we've scoured the Web to bring you our top 20 most useful Web resources for Cisco networking professionals. Of course, we don't want you to forget the resources and blogs of Cisco Subnet and our own bloggers, so we'll give a recap of our own Cisco resources and bloggers at the end of our top 20 list. Compiled by Jim Duffy and Linda Leung"


Let me say a big thank you to the folks at network world for mentioning the blog, and a big welcome to any new readers.

Upgrade Note

This is taken straight out of the release notes, and its definately something you should be aware of, at upgrade time.....

"The MARS Appliance performs a file system consistency check (fsck) on all disks when either of the following conditions is met:

•If the system has not been rebooted during the past 180 days.

•If the system has been rebooted 30 times.

The fsck operation takes a long time to complete, which can result in significant unplanned downtime when rebooting the system after meeting a condition above.

For example, a MARS 50 appliance can take up to 90 minutes to perform the operation. "

4.3.3 and 5.3.3 Released

Cisco have released Cisco MARS 4.3.3 for Gen1 appliances, and 5.3.3 code for Gen2 appliances.

The release notes can be found here - 4.3.3 and 5.3.3

I`m not sure why theres such a difference in the file sizes, seeing as the only difference is updated Wireless LAN Controller support in the 5.3.3 code.

For both releases, enhanced device support is as follows...

Enhanced Cisco Device Support:

–FWSM 3.1.7 (as 3.1)

Enhanced 3rd-Party Device Support:

–Oracle 11g (as Oracle Database Server Generic)

–Snort 2.7 and 2.8 (as 2.0)

–QualysGuard 5.1 (as QualysGuard ANY)

The new updated Vendor Signatures are shown below, i have pictured both releases for reference, but they seem to be the same.

Release 4.3.3

Release 5.3.3

I have successfully updated a Gen2 model this morning...

############################################# 100.0%
Upgrading ... - Stopping CS-MARS applications : #
- Updating database schema : #
- Updating MARS applications : #
- Importing data : #
- Signature upgrade ...
- Signature upgrade success
- Rebooting ...
1
1
succeed!

And a handy tip is after an upgrade is to run a pnupgrade log, to check that you have the "Upgrade from 5.3.2 2765 to 5.3.3 2774 finished." statement at the end.

[pnadmin]$ pnupgrade log
--------------------------------------
5.3.2 2765 --> 5.3.3 2774
--------------------------------------
1 Preparing upgrade start
1.1 Load the step table start
1.1 Load the step table end
1.2 Stop pnmonitor start
1.2 Stop pnmonitor end
1.3 Stop jboss start
1.3 Stop jboss end
1.4 Stop other applications start
1.4 Stop other applications end
1 Preparing upgrade end
2 Upgrade OS start
2.1 Patch OS start
2.1 Patch OS end
2 Upgrade OS end
3 Upgrade schema start
3.1 Run upgrade schema script start
3.1 Run upgrade schema script end
3.2 Backup schema script start
3.2 Backup schema script end
3 Upgrade schema end
4 Upgrade MARS applications start
4.1 Untar MARS executable binary start
4.2 Untar MARS executable binary end
4.3 Modify janus.conf start
4.3 Modify janus.conf end
4.4 Swap MARS executable binary start
4.4 Swap MARS executable binary end
4.5 Run post-unpack-deployment start
4.5 Run post-unpack-deployment end
4 Upgrade MARS applications end
5 Upgrade data start
5.1 Start jboss start
5.1 Start jboss end
5.2 Importing signature data start
5.2 Importing signature data end
5.3 Missing-id fix start
5.3 Missing-id fix end
5 Upgrade data end
6 reboot ...
Upgrade from 5.3.2 2765 to 5.3.3 2774 finished.

Show Inventory

Here a little tip, if you are using Gen 2 box, on a 5.x code.

You need to get the serial number, for a license/TAC case etc, and its stuck in the rack, 3000 miles away.....

There are 2 ways to get this, from the GUI, and from the CLI.

From the CLI - If you SSH into the MARS box, and run a SHOW INVENTORY, you get the model number, whether its a local or global controller, plus the Serial Number.

[pnadmin]$
[pnadmin]$ show inventory
NAME: "Chassis", DESCR: "CS-MARS-XXX Local Controller"
PID: CS-MARS-XXX, VID: V01, SN: MXXXXXXXXXXX

From the GUI - If you browse to Admin/System Maintenance/Set License/ and click on the existing License file...



You will find the Serial number in the text.