Friday, September 29, 2006

CS-MARS Title Available at Cisco Press!

Hey again everyone! In keeping with trying to bring the most information about MARS that I have I thought I'd share a new resource. I own a slew of Cisco Press titles on everything from CCNA guides to MPLS network design titles. Now available at Cisco Press is a book on MARS... Security Threat Mitigation and Response: Understanding Cisco Security MARS. I'd highly recommend this text to anyone that uses a CS-MARS appliance. I do not own the title but can speak highly on the level of detail I've found in all Cisco Press titles. You can grab a copy here and make sure to sign up for Cisco Press... it's free and you can get all titles for the member price.

Tuesday, September 26, 2006

CS-MARS v4.2.2 Now Available!

Just as I was about to finish a new post I received notification that v4.2.2 of CS-MARS is now available from CCO. Go download it and make sure to check out the release notes.

Sunday, September 24, 2006

CS-MARS Rule: IOS Login Auditing

I'm back! Sorry for the short break... it's been rather busy around here. So now we've done an introduction about CS-MARS and seen how to get Windows servers logging events. Let's now take a look at creating a rule for our IOS network devices. This first rule we'll design (it actually can be customized into many rules) will allow us to generate incidents whenever a user succeeds or fails login to a monitored IOS device (switch, router, IOS AP, etc...). Start by reading this document at Cisco. Starting with IOS version 12.3(4)T we have the option of generating syslog messages when a user fails or succeeds login to the device. The important commands are:

login on-failure log
login on-success log
login block-for seconds attempts tries within seconds

Now let me briefly talk about the last command. This allows the IOS device to protect its vty ports by dynamically creating an ACL to block the source IP that has failed login tries times within seconds seconds, for the configurable block-for number of seconds. As an example we use login block-for 180 attempt 3 within 60 on all of our IOS devices. With this configured, when I now log in to a device a syslog message is generated and forwarded to our MARS server that looks like this:

Sep 25 13:48:58 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: marsguy] [Source: 10.27.1.11] [localport: 22] at 13:48:58 EDT Mon Sep 25 2006

And if I fail login (which surely never happens!) it would look like this:

Sep 25 13:52:29 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.27.1.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:29 EDT Mon Sep 25 2006


Now we have some pretty nifty messages... let's write a rule in MARS to generate incidents on successful and failed logins. Let's start with successful logins. I took a screenshot of this rule as we have it written. We have some customizations so we don't get notified whenever our CiscoWorks server logs in (it's a chatter box!). Obviously this can be tuned by just looking at how I have ours tuned and customizing it for your infrastructure.

And here's a look at our failed login attempt rule. Again... edit the customizations to fit your environment:
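The two rules above are shown in MARS screenshots, so to make their logic concrete here is an added example (my own code, not from the post or from Cisco) that parses the %SEC_LOGIN messages quoted earlier and applies the same two rules in Python: raise an incident on every successful login except from an excluded management host (the CiscoWorks case), and raise one on every failed login, plus a repeated-failure incident when one source fails the threshold number of times inside the window, which mirrors the login block-for counters. The source addresses 10.27.1.50 and 10.27.1.99, the user names cwadmin and admin, and the extra log lines are constructed sample data; the regex is written against the message format shown in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the %SEC_LOGIN-5-LOGIN_SUCCESS / %SEC_LOGIN-4-LOGIN_FAILED messages
# in the format quoted in the post (the [Reason: ...] field only appears on
# failures). The leading syslog timestamp is skipped by using re.search().
SEC_LOGIN_RE = re.compile(
    r"%SEC_LOGIN-(?P<severity>\d)-(?P<mnemonic>LOGIN_SUCCESS|LOGIN_FAILED): "
    r".*?\[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<localport>\d+)\] "
    r"(?:\[Reason: (?P<reason>[^\]]+)\] )?"
    r"at (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\w+) \w{3} "
    r"(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4})"
)


def parse_sec_login(line):
    """Return the fields of a %SEC_LOGIN message as a dict, or None for other syslog lines."""
    m = SEC_LOGIN_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    when = datetime.strptime(
        f"{f['mon']} {f['day']} {f['year']} {f['time']}", "%b %d %Y %H:%M:%S")
    return {
        "event": f["mnemonic"],
        "severity": int(f["severity"]),
        "user": f["user"].strip() or None,   # failures may carry an empty user
        "source": f["source"],
        "localport": int(f["localport"]),
        "reason": f["reason"],
        "time": when,
    }


def evaluate_rules(lines, excluded_sources=frozenset(), threshold=3, window_seconds=60):
    """Apply the two login-auditing rules and return the incidents they raise.

    Rule 1: LOGIN_SUCCESS from any source not in excluded_sources -> incident.
    Rule 2: LOGIN_FAILED -> incident; `threshold` failures from one source
            inside `window_seconds` -> an additional repeated-failure incident.
    """
    incidents = []
    recent_failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    for line in lines:
        ev = parse_sec_login(line)
        if ev is None:
            continue  # not a login audit message
        if ev["event"] == "LOGIN_SUCCESS":
            if ev["source"] in excluded_sources:
                continue  # e.g. the CiscoWorks server polling devices
            incidents.append(("login-success", ev["source"], ev["user"]))
        elif ev["event"] == "LOGIN_FAILED":
            incidents.append(("login-failed", ev["source"], ev["reason"]))
            q = recent_failures[ev["source"]]
            q.append(ev["time"])
            cutoff = ev["time"] - timedelta(seconds=window_seconds)
            while q and q[0] < cutoff:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                incidents.append(("repeated-login-failures", ev["source"], len(q)))
                q.clear()  # one incident per burst
    return incidents


# Constructed sample input: the two messages quoted in the post, a management
# server login to be excluded, a burst of three failures from one host, and an
# unrelated IOS message that the parser must ignore.
SAMPLE_SYSLOG = [
    "Sep 25 13:48:58 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: marsguy] [Source: 10.27.1.11] [localport: 22] at 13:48:58 EDT Mon Sep 25 2006",
    "Sep 25 13:52:29 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.27.1.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:29 EDT Mon Sep 25 2006",
    "Sep 25 13:55:00 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cwadmin] [Source: 10.27.1.50] [localport: 22] at 13:55:00 EDT Mon Sep 25 2006",
    "Sep 25 14:00:01 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.27.1.99] [localport: 22] [Reason: Login Authentication Failed] at 14:00:01 EDT Mon Sep 25 2006",
    "Sep 25 14:00:20 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.27.1.99] [localport: 22] [Reason: Login Authentication Failed] at 14:00:20 EDT Mon Sep 25 2006",
    "Sep 25 14:00:45 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.27.1.99] [localport: 22] [Reason: Login Authentication Failed] at 14:00:45 EDT Mon Sep 25 2006",
    "Sep 25 14:01:00 EDT: %SYS-5-CONFIG_I: Configured from console by marsguy on vty0 (10.27.1.11)",
]

if __name__ == "__main__":
    # 10.27.1.50 stands in for the chatty CiscoWorks server in the post
    for incident in evaluate_rules(SAMPLE_SYSLOG, excluded_sources={"10.27.1.50"}):
        print(incident)
```

The threshold and window default to the attempts 3 within 60 values the post uses for login block-for, so the repeated-failure incident fires at the same point the router itself would start blocking the source; in a real MARS rule the exclusion would be expressed as a device or IP group rather than a Python set.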

I hope this was a good example of some basic rule writing I've done with our MARS system. Any questions on how these rules are implemented please let me know and I can help.