User Guide for Cisco Security MARS Local Controller, Release 4.2.x - Configuring Network-based IDS and IPS Devices [Cisco Security Monitoring, Analysis and Response System]

Table Of Contents

Configuring Network-based IDS and IPS Devices

Cisco IDS 3.1 Sensors

Configure Sensors Running IDS 3.1

Add and Configure a Cisco IDS 3.1 Device in MARS

Cisco IDS 4.0 and IPS 5.x Sensors

Bootstrap the Sensor

Enable the Access Protocol on the Sensor

Enable the Correct Signatures and Actions

Add and Configure a Cisco IDS or IPS Device in MARS

Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File

View Detailed Event Data for Cisco IPS Devices

Verify that MARS Pulls Events from a Cisco IPS Device

Cisco IPS Modules

Enable DTM Support

Enable SDEE on the Cisco IOS Device with an IPS Module

Add an IPS Module to a Cisco Switch or Cisco ASA

ISS Site Protector

ISS RealSecure 6.5 and 7.0

Configure ISS RealSecure to Send SNMP Traps to MARS

Add an ISS RealSecure Device as a NIDS

Add an ISS RealSecure Device as a HIDS

IntruVert IntruShield

Extracting Intruvert Sensor Information from the IntruShield Manager

Configure IntruShield Version 1.5 to Send SNMP traps to MARS

Configure IntruShield Version 1.8 to Send SNMP Traps to MARS

Add and Configure an IntruShield Manager and its Sensors in MARS

Add the IntruShield Manager Host to MARS

Add IntruShield Sensors Manually

Add IntruShield Sensors Using a Seed File

Snort 2.0

Configure Snort to Send Syslogs to MARS

Add the Snort Device to MARS

Symantec ManHunt

Symantec ManHunt Side Configuration

MARS Side Configuration

Add Configuration Information for Symantec ManHunt 3.x

NetScreen IDP 2.1

IDP-side Configuration

MARS-side Configuration

Add Configuration Information for the IDP

Add NetScreen IDP 2.1 Sensors Manually

Enterasys Dragon 6.x

DPM/EFP Configuration

Configure the DPM or EFP

Host-side Configuration

Configure the syslog on the UNIX host

MARS-side Configuration

Add Configuration Information for the Enterasys Dragon

Add a Dragon NIDS Device

Configuring Network-based IDS and IPS Devices

Revised: February 26, 2007

Network intrusion detection and intrusion preventions systems are a critical source for identifying active attacks to MARS.

This chapter explains how to bootstrap and add the following network-based IDS and IPS devices to MARS:

•Cisco IDS 3.1 Sensors

•Cisco IDS 4.0 and IPS 5.x Sensors

•Cisco IPS Modules

•ISS Site Protector

•ISS RealSecure 6.5 and 7.0

•IntruVert IntruShield

•Snort 2.0

•Symantec ManHunt

•NetScreen IDP 2.1

•Enterasys Dragon 6.x

Cisco IDS 3.1 Sensors

Before you add the Cisco IDS 3.1 device, make sure that you have configured the Cisco IDS device for the MARS to retrieve the device configuration. The device configuration would be used for mapping of the logs received by MARS.

When configuring the IDS device to send logs to the MARS, you must use the exact name of the MARS Appliance. To determine the name of the appliance, select Admin > System Setup > Configuration Information and review the value in the Name field.

Configure Sensors Running IDS 3.1

Step 1 Log in to the Cisco IDS device.

Step 2 Change to directory that has all the configurations files that need to be edited:
cd /usr/nr/etc
Step 3 You need to edit 4 files (organizations, hosts, routes and destinations) that are in this directory.

In the organizations file add a line indicating your organization name or grouping;
e.g., 1 protego
where 1 is the item number followed by the organization name protego. If there is already item in this file, simply increase the item number (has to be unique).

Figure 6-1 Add MARS Information to Cisco IDS 3.1 Organizations File

In the hosts file add a line indicating your MARS appliances' name associated to the organization that was previously added in the organizations file;
	    e.g., 2001.1 pnmars.protego
where 2001.1 is a unique item number followed by the MARS appliances' name and organization name protego. If there is already items in this file, simply increase the item number (has to be unique).

Figure 6-2 Add MARS Information to Cisco IDS 3.1 Hosts File

In the routes file add a line indicating your MARS appliances' name and its IP address;
e.g., pnmars.protego 1 10.1.1.10 45000 1 5
where pnmars.protego is the MARS's name (with organizations' name) followed by 1 then the MARS appliances' IP address.

The 45000 is the port number that the IDS will use to send its logs to MARS. Add a 1 follows by a 5 at the end of this line (these numbers are not used by MARS).

Figure 6-3 Add MARS Information to Cisco IDS 3.1 Routes File

In the destinations file add a line indicating your MARS appliances' name (as defined in the routes file) the client process that the appliance is using to listen for events from the sensor (in this case smid), and the list of log types you want sent to the appliance as a comma separated list:
e.g., 	 pnmars.protego smid ERRORS, EVENTS, COMMANDS
where pnmars.protego is the MARS's name (with organizations' name) followed by smid and the list of log types that the loggerd daemon will publish to the appliance.

Figure 6-4 Add MARS Information to Cisco IDS 3.1 Destinations File

Step 4 Once you've edited these four files (organizations, hosts, routes, and destinations), reboot the sensor using the following commands:

a. nrstop

b. nstart

Add and Configure a Cisco IDS 3.1 Device in MARS

To add and configure a Cisco IDS device in MARS, follow these steps:

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 Select Cisco IDS 3.1 from the Device Type list.

Step 3 Enter the hostname of the sensor in the Device Name field.

The Device Name value must be identical to the configured sensor name.

Step 4 Enter the administrative IP address in the Access IP field.

Step 5 Enter the administrative IP address in the Reporting IP field.

The Reporting IP address is the same address as the administrative IP address.

Step 6 Select either SSH or TELNET.

Step 7 Enter "netrangr" as the Login and its Password.

When adding a Cisco IDS 3.1 device, use the netrangr username or some other username that is not the root login for the sensor. Using the root login causes MARS to fail to parse the login prompt correctly, which in turn, cause the Test Connectivity to fail.

Figure 6-5 Configure Cisco IDS 3.1

Step 8 For attack path calculation and mitigation, add networks into the Monitored Networks field.

a. Click the Select a Network or Define a Network radio button.

•In the Select a Network list, click a network.

•In the Define a Network field, enter its network IP and network mask information.

b. Click Add to move the selected networks into the Monitored Networks field.

Step 9 (Optional) To discover the device settings, click Discover.

Step 10 Click Submit.

Cisco IDS 4.0 and IPS 5.x Sensors

Adding a Cisco IDS or IPS network sensor to MARS involves two parts:

1. Bootstrap the Sensor

2. Add and Configure a Cisco IDS or IPS Device in MARS

3. Verify that MARS Pulls Events from a Cisco IPS Device

The following topic supports Cisco IDS and IPS devices:

•View Detailed Event Data for Cisco IPS Devices

Note If you've imported your sensor definitions using the seed file format, as specified in Load Devices From the Seed File, page 2-24, you must define the networks monitored by the sensor.

Bootstrap the Sensor

Preparing a sensor to be monitored by MARS involves two steps:

•Enable the Access Protocol on the Sensor

•Enable the Correct Signatures and Actions

Enable the Access Protocol on the Sensor

The configuration of the sensor depends on the version of the software that is running on the sensor. The following topics identify the requirements of each version:

•Cisco IDS 4.x Software

•Cisco IPS 5.x Software

Cisco IDS 4.x Software

For Cisco IDS 4.x devices, MARS pulls the logs using RDEP over SSL. Therefore, MARS must have HTTPS access to the sensor. To prepare the sensor, you must enable the HTTP server on the sensor, enable TLS to allow HTTPS access, and make sure that the IP address of MARS is defined as an allowed host, one that can access the sensor and pull events. If the sensors have been configured to allow access from limited hosts or subnets on the network, you can use the accessList ipAddress ip_address netmask command to enable this access.

Cisco IPS 5.x Software

For Cisco IPS 5.x devices, MARS pulls the logs using SDEE over SSL. Therefore, MARS must have HTTPS access to the sensor. To prepare the sensor, you must enable the HTTP server on the sensor, enable TLS to allow HTTPS access, and make sure that the IP address of MARS is defined as an allowed host, one that can access the sensor and pull events. If the sensors have been configured to allow access from limited hosts or subnets on the network, you can use the access-list ip_address/netmask command to enable this access.

Enable the Correct Signatures and Actions

If the signature actions are correctly configured, MARS can display the trigger packet information for the first event that fires a signature on a Cisco IDS or IPS device. MARS is also able to pull the IP log data from Cisco IDS and IPS devices, however, this operation is system intensive. Therefore, you should select the set of signatures that generate IP log data carefully.

When configuring the active signatures on a Cisco IDS or IPS device, you must specify the alert action and the action that generates the desired data:

•To view trigger packets, you must enable the "produce-verbose-alert" action.

•To view IP logs, you must enable the alert or "produce-verbose-alert" action and the "log-pair-packets" action.

Caution Configuring IP logging and verbose alerts on the sensor is system intensive and does affect the performance of your sensor. In addition, it affects the performance of your MARS Appliance. Because of these effects, you be cautious in configuring signatures to generate IP logs.

Add and Configure a Cisco IDS or IPS Device in MARS

To add and configure a Cisco IDS or IPS device in MARS, follow these steps:

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 Do one of the following:

•Select Cisco IDS 4.0 from the Device Type list.

Figure 6-6 Configure Cisco IDS 4.0

•Select Cisco IPS 5.x from the Device Type list.

Figure 6-7 Configure Cisco IPS 5.x

Step 3 Enter the hostname of the sensor in the Device Name field.

The Device Name value must be identical to the configured sensor name.

Step 4 Enter the administrative IP address in the Access IP field.

Step 5 Enter the administrative IP address in the Reporting IP field.

The Reporting IP address is the same address as the administrative IP address.

Step 6 In the Login field, enter the username associated with the administrative account that will be used to access the reporting device.

Step 7 In the Password field, enter the password associated with the username specified in the Login field.

Step 8 In the Port field, enter the TCP port on which the webserver running on the sensor listens. The default HTTPS port is 443.

Note While it is possible to configure HTTP only, MARS requires HTTPS.

Step 9 To pull the IP logs from the sensor, select Yes in the Pull IP Logs box.

Step 10 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 11 To verify the configuration, click Test Connectivity.

Step 12 Click Submit.

Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File

After you import a Cisco IPS or IDS device into MARS using a seed file, you must define the networks that are monitored by that sensor.

To define the networks monitored by a sensor, follow these steps:

Step 1 Click Admin > System Setup > Security and Monitor Devices.

Step 2 Select the check box next to the Cisco IPS or IDS device that was imported using a seed file. and click Edit.

Step 3 To specify the networks being monitored by the sensor, do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 4 To save your changes, click Submit.

Step 5 To enable MARS to start sessionizing events from this module, click Activate.

View Detailed Event Data for Cisco IPS Devices

You can view the trigger packets and IP log data associated with incidents reported by Cisco IDS 4.x and Cisco IPS 5.x devices, whether they are sensor appliances or modules. This information is useful when an in-depth understanding of the attack method is desired. MARS includes two event types that focus on the these two data types:

•Trigger packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. The trigger packet provides a single data packet—the data packet that caused the alarm to fire.

•Packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. Although the amount of data contained in an IP log varies based on sensor configuration, by default an IP log contains 30 seconds of packet data. To view this data, you must enable the Pull IP Logs option on the Cisco IPS device under Admin > System Setup > Security and Monitor Devices.

Note MARS does not collect this data for Cisco IDS 3.x devices.

For the correct signature settings required to generate this data, see Enable the Correct Signatures and Actions.

If the IP log feature is enable for the reporting Cisco IPS device, these event types are combined as part of the incident data. You can view this data by drilling down in an incident, expanding the desired event type (either Packet Data or Trigger Packet Data), selecting an event, and clicking on the RAW Events for this Session icon under the Reporting Device column of that event. The source, destination, and other data displayed for these events matches that of the original alert. In addition, this data appears hexadecimal and binary format.

Note The trigger packet and IP log data is stored using a base64-encoded format in the MARS database. Therefore, keyword search does not work on it if you just provide the search string.

Verify that MARS Pulls Events from a Cisco IPS Device

Note If the Test Connectivity operation does not fail when configuring a Cisco IPS device in the MARS web interface, then communications are enabled. This task allows you to further verify the alerts are generated and pulled correctly.

It is common to create benign events on the network to verify the data flow. To verify the data flow between a Cisco IPS device and MARS, perform the following tasks:

1. On the Cisco IPS device, enable and alert on the signatures 2000 and 2004. The signatures monitor ICMP messages (pings).

2. Ping a device on the subnet on which the Cisco IPS device is listening. The events are generated and pulled by MARS.

3. Verify that the events appear in the MARS web interface. You can perform a query using the Cisco IPS device.

4. Once the dataflow is verified, you can disable the 2000 and 2004 signatures on the Cisco IPS device.

Cisco IPS Modules

MARS can monitor Cisco IPS modules installed in Cisco switches and Cisco ASA appliances. To prepare these modules, you must perform the following tasks:

•Define the base module, either the router, switch, or Cisco ASA, as defined in Cisco Router Devices, page 3-1, Cisco Switch Devices, page 3-9, and Cisco Firewall Devices (PIX, ASA, and FWSM), page 4-1.

•Bootstrap the base module to enable SDEE traffic on the Cisco IPS module, to forward events to the MARS Appliance, and to enable MARS to access the SDEE events stored on the modules. Module access enables MARS to retrieve trigger packets and IP log information.

•Add the IPS feature set t the base module previously defined in the web interface.

This section contains the following topics:

•Enable DTM Support

•Enable SDEE on the Cisco IOS Device with an IPS Module

•Add an IPS Module to a Cisco Switch or Cisco ASA

The following topic also supports the configuration of the Cisco IPS modules:

•Verify that MARS Pulls Events from a Cisco IPS Device

Enable DTM Support

To support DTM, you must configure your IPS module as follows:

•Purchase or enable the IOS IPS feature set.

•Enable HTTPS for SDEE.

•Enable SSH to discover settings, which is the method recommended over Telnet.

Enable SDEE on the Cisco IOS Device with an IPS Module

In addition to enabling either Telnet or SSH for configuration discovery on a Cisco IOS device, you must also enable SDEE on the device that supports IPS module. SDEE is used to publish events to MARS about signatures that have fired.

To enable SDEE protocol on the Cisco IOS device that supports IPS module, perform the following steps:

Step 1 Log in to the Cisco IOS device using the enable password.

Step 2 Enter the following commands to enable MARS to retrieve the events from the IPS module:
Router(config)#ip http secure-server
Router(config)#ip ips notify sdee
Router(config)#ip sdee subscriptions 3
Router(config)#ip sdee events 1000
Router(config)#no ip ips notify log
Note The "no ips notify log" causes the IPS modules to stop sending IPS events over syslog.

Add an IPS Module to a Cisco Switch or Cisco ASA

You can enable in-line IPS functionality and signature detection in multi-purpose Cisco platforms. You can identify an IDS-M2 running in a Cisco Switch or an ASA-SSM running in a Cisco ASA. To represent either of these modules, you must define the settings for the module as part of the base platform, which must be previously defined under Admin > System Setup > Security and Monitor Devices.

To add an IPS module to a Cisco Switch of Cisco ASA, follow these steps:

Step 1 Click Admin > System Setup > Security and Monitor Devices.

Step 2 From the list of devices, select the Cisco switch or Cisco ASA to which you want to add the IPS module and click Edit.

Step 3 Click Add Module.

Step 4 Select Cisco IPS 5.x in the Device Type list.

For Cisco switches, you can also add a Cisco IPS 4.0 module or an IDS 3.1 module. You configure these modules just as you would a standalone sensor. For instructions on configuring these modules, refer to Cisco IDS 3.1 Sensors and Cisco IDS 4.0 and IPS 5.x Sensors.

Figure 6-8 Configure Cisco IPS 5.x

Step 5 Enter the hostname of the sensor in the Device Name field.

Step 6 Enter the administrative IP address in the Reporting IP field.

Step 7 The Reporting IP address is the same address as the administrative IP address.

Step 8 In the Login field, enter the username associated with the administrative account that will be used to access the reporting device.

Step 9 In the Password field, enter the password associated with the username specified in the Login field.

Step 10 In the Port field, enter the TCP port on which the webserver running on the sensor listens.

The default HTTPS port is 443.

Note While it is possible to configure HTTP only, MARS requires HTTPS.

Step 11 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 12 Click Test Connectivity to verify the configuration.

Step 13 To save your changes, click Submit.

Step 14 To enable MARS to start sessionizing events from this module, click Activate.

ISS Site Protector

Note This topic describes how to use Site Protector to configure the ISS NIDS and HIDS; Site Protector is not a device type that can be monitored or used as an aggregation point for ISS event data from the perspective of MARS. MARS cannot parse event data from Site Protector, unless you develop a custom event parser for each event type as described in Adding User Defined Log Parser Templates, page 16-1.

MARS supports ISS NIDS and HIDS event retrieval via SNMP. However, when configuring ISS RealSecure sensors (NIDS) and hosts (HIDS), you must configure each active signature to send an alert to the MARS Appliance. This task can be very tedious as it must be done for each sensor and after each signature upgrade, as it resets the redirect configuration. One approach to simplifying this task is to use the ISS Site Protector management console to define these changes globally and apply them to each sensor.

ISS Site Protector 2.0 allows you to centrally manage SNMP alert destinations, such as the MARS Appliance, for group policies. You can then push these group policies to all desired host and network sensors. For each ISS signature update, you must specify the MARS Appliance as an SNMP alert destination before you apply the downloaded signatures to sensors using Site Protector.

Note By default, the group policy response configuration is supported only on Proventia G400 and G2000 models. For all other models, including the G100 mentioned, a firmware upgrade is required. See the documentation that came with ISS Site Protector for more information.

To perform the major configuration steps required to use Site Protector to forward the SNMP alerts generated by sensors to MARS Appliance, follow these steps:

Step 1 Using the Add Sensor Wizard, register the sensor to Site Protector Console.

Other methods exist for registering sensors in Site Protector. For more information on using the Wizard as well as these other methods, see Chapter 9, Registering Software Managed by SiteProtector, on page 105 at the following URL:

http://documents.iss.net/literature/SiteProtector/SPUserGuideforSecurityManagers20SP52.pdf

Step 2 Right-click the sensor to edit, and click Edit Settings on the shortcut menu.

The Edit Settings dialog appears.

Step 3 Create a new SNMP response that sends messages to the IP address of the MARS Appliance:

a. Select Response Objects from the settings tree.

b. Select the SNMP tab.

c. Click Add to create a new SNMP response object using the IP address of the MARS Appliance.

Step 4 Select the Security Events to configure new SNMP destination.

a. Select Security Events under the sensor folder.

b. Select the required security events from the Security Events tab.

The Group By button allows you to group policies using any number of parameters.

Note You can also select policies and edit them at the group level.

c. Click Edit to configure SNMP response of all the selected policies.

Step 5 Select the MARS Appliance on SNMP tab.

a. Enable all the security events by selecting the Enabled checkbox located at the top of the Edit Security Events dialog box.

a. Select the SNMP tab under Responses, and then select the Enabled checkbox next to the name of MARS Appliance created in Step 3.

a. Click OK.

The security events and updated response target are applied to the selected sensor during the next synchronization.

ISS RealSecure 6.5 and 7.0

To configure ISS RealSecure, you must perform the following four tasks:

1. Prepare each ISS sensor as follows:

•Edit the common.policy files to point to the MARS Appliance as an SNMP target.

•Modify the current.policy files to configure each signature so that the SNMP notification is a default response when triggered.

•Edit the response.policy files to specify the IP of the SNMP manager (MARS Appliance) and the community string.

•Restart the ISS daemon for the changes to take effect.

For more information, see Configure ISS RealSecure to Send SNMP Traps to MARS.

2. Add the ISS sensor to MARS as a network-based IDS device. For more information, see Add an ISS RealSecure Device as a NIDS.

3. Click Activate to enable proper processing of received events.

Configure ISS RealSecure to Send SNMP Traps to MARS

To configure an ISS RealSecure sensor, follow these steps:

Step 1 Log into the sensor.

Step 2 Locate the common.policy files in these directories:
Microsoft Windows
Program Files\ISS\issSensors\server_sensor_1
Program Files\ISS\issSensors\network_sensor_1
Linux
/opt/ISS/issSensors/server_sensor_1
/opt/ISS/issSensors/network_sensor_1
Step 3 Open the common.policy files in a text editor.

Step 4 Change the line that reads:
Manager =S
to:
Manager =S <MARS's IP address>
If MARS Appliance's IP address is NATed, you may need to use the NATed address. If you use the MARS Appliance's IP address as the destination IP address, make sure the SNMP trap can reach MARS Appliance.

Step 5 Save these edited files and exit the editor.

Step 6 Locate the current.policy files in these directories:
Microsoft Windows
Program Files\ISS\issSensors\server_sensor_1
Program Files\ISS\issSensors\network_sensor_1
Linux
/opt/ISS/issSensors/server_sensor_1
/opt/ISS/issSensors/network_sensor_1
Step 7 Open the current.policy files in a text editor.

Edit each signature to have SNMP as one of its responses, and set the choice for SNMP trap as default. For example, in this original signature:
[\template\features\AOLIM_File_Xfer\Response\];
[\template\features\AOLIM_File_Xfer\Response\DISPLAY\];
Choice =S Default;
[\template\features\AOLIM_File_Xfer\Response\LOGDB\];
Choice =S LogWithoutRaw;
Insert the following bolded lines to make it look similar to the following:
[\template\features\AOLIM_File_Xfer\Response\];
[\template\features\AOLIM_File_Xfer\Response\DISPLAY\];
Choice =S Default;
[\template\features\AOLIM_File_Xfer\Response\SNMP\];
Choice =S Default;
[\template\features\AOLIM_File_Xfer\Response\LOGDB\];
Choice =S LogWithoutRaw;
Step 8 Save these edited files and exit the editor.

Step 9 Locate the response.policy files in these directories:
Microsoft Windows
Program Files\ISS\RealSecure SiteProtector\Console
Linux
/opt/ISS/RealSecure SiteProtector/Console
Step 10 Edit the response.policy files to specify the IP of the SNMP manager (MARS Appliance) and the community string:
SMTP_HOST			=S	;
addr_1			=S	;
[\Response\SNMP\];
[\Response\SNMP\Default\];
Manager			=S	;
Community			=S			public;
to:
Manager =S <MARS's IP address> ;
Community = S <string> public;
If MARS Appliance's IP address is NATed, you may need to use the NATed address. If you use the MARS Appliance's IP address as the destination IP address, make sure the SNMP trap can reach MARS Appliance.

Step 11 Save these edited files and exit the editor.

Step 12 Restart the ISS daemon.

•For sensors installed on Microsoft Windows, restart it in the Services menu.

•For sensors installed on Linux, run:
/etc/init.d/RealSecure stop
/etc/init.d/RealSecure start
Add an ISS RealSecure Device as a NIDS

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.

Step 3 Enter the Device Name.

Step 4 Click Apply.

Step 5 Click on Reporting Applications tab.

Step 6 From the Select Application list, select RealSecure (6.5 or 7.0).

Step 7 Click Add.

Step 8 Click the NIDS radio button, if it is not already selected.

Figure 6-9 Configure ISS Real Secure NIDS

Step 9 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 10 To save your changes, click Submit.

Step 11 To enable MARS to start sessionizing events from this module, click Activate.

Add an ISS RealSecure Device as a HIDS

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.

Step 3 Enter the Device Name.

Step 4 Click Apply.

Step 5 Click on Reporting Applications tab.

Step 6 From the Select Application list, select RealSecure (6.5 or 7.0).

Step 7 Click Add.

Step 8 Click the HIDS radio button.

Figure 6-10 Configure ISS Real Secure HIDS

Step 9 Click Submit.

Step 10 For multiple interfaces, click on General Tab, and add the new interfaces' name, IP address, and network mask.

Figure 6-11 Adding Multiple Interfaces

Step 11 Click Apply.

IntruVert IntruShield

To configure IntruVert IntruShield in MARS, you must perform the following tasks:

1. Generate CSV file that identifies each of the IntruShield senor hosts by logging into the database to which IntruShield Manager writes and performing and saving a database query.

2. Configure the IntruShield Manager to send SNMP traps to the MARS Appliance

3. Define a host that represents the management console (IntruVert Manger) in MARS web interface.

4. From that host in the MARS web interface, import the IntruShield sensor seed file to identify the IntruVert sensors running on other hosts.

The following sections provide details on performing each of these tasks:

•Extracting Intruvert Sensor Information from the IntruShield Manager

•Configure IntruShield Version 1.5 to Send SNMP traps to MARS

•Configure IntruShield Version 1.8 to Send SNMP Traps to MARS

•Add and Configure an IntruShield Manager and its Sensors in MARS

Extracting Intruvert Sensor Information from the IntruShield Manager

IntruVert sensor information is saved in a database on the IntruShield Manager host. When you configure the MARS to add Intruvert sensors, you can manually add the mapping of each Intruvert sensor name or you can extract them as a seed file from the database on the Intruvert Manager.

Note The instructions apply for Intruvert IntruShield version 1.5. IntruVert supports both MySQL and Oracle.

To create a CSV file for IntruVert IntruShield 1.5, follow these steps:

Step 1 Log in to the database.

Step 2 Perform the query:

use lf; select name, ip_address from iv_sensor where ip_address is not NULL;

Step 3 Store the query result into a file, remove the header, trailer, and separator lines, and edit the result to a CSV format.
For example, the query result could be:
	+------------+------------+
	| name       | ip_address |
	+------------+------------+
	| intruvert  | 0A010134   |
	| intruvert1 | 0A010135   |
	+------------+------------+
	2 row in set (0.00 sec)
You would then edit the above file to appear as:
	intruvert,0A010134
	intruvert1,0A010135
Step 4 Save the edited CSV file, move the file to an FTP server from which you can load the seed file using the MARS web interface.

Configure IntruShield Version 1.5 to Send SNMP traps to MARS

Step 1 Log in to the IntruShield Manager version 1.5.

Step 2 Click Configure.

Step 3 In the Resource Tree, click My Company.

Step 4 Click the Forwarding tab.

Step 5 In the Add SNMP Server field, enter:

a. Target Server IP Address: Enter MARS's IP address as it appears to IntruShield.

b. Target Server Port Number: Enter MARS's port number 162.

c. SNMP Version: 1

d. Check the Forward Alerts box.

e. Select the For this and child admin domains radio button.

f. Select the severity from the list. Cisco recommends selecting High and Medium severity.

g. Check the Forward Faults box.

h. Select the severity from the list. Cisco recommends selecting Error and above severity.

Step 6 Click Save and exit the program.

Configure IntruShield Version 1.8 to Send SNMP Traps to MARS

Step 1 Log in to the IntruShield Manager version 1.8.

Step 2 Click Configure.

Step 3 In the Resource Tree, click My Company.

Step 4 Click the Alert Notification tab.

Step 5 Click the SNMP Forwarder sub-tab.

Figure 6-12 IntruShield SNMP Forwarder Configuration

Step 6 Click the Add button.

Figure 6-13 IntruShield Target SNMP Server

Step 7 On the SNMP Forwarder page, enter:

a. Enable SNMP Forwarder: Select the Yes radio button.

b. Target Server (IP Address): Enter MARS's IP address as it appears to IntruShield.

c. Target Server Port Number: Enter MARS's port number 162.

d. SNMP Version: 1

e. Forward Alerts

f. Select the severity from the list. Cisco recommends selecting Informational and above severity.

g. Customize Community: Enter the community string that you want to use.

Step 8 Click Apply and exit the program.

Add and Configure an IntruShield Manager and its Sensors in MARS

Adding an IntruVert device has two distinct steps. First, you add configuration information for the for the IntruShield Manager host. Second, you add the sensors managed by that host.

•Add the IntruShield Manager Host to MARS

•Add IntruShield Sensors Manually

•Add IntruShield Sensors Using a Seed File

Add the IntruShield Manager Host to MARS

To define the host and represent the management console for IntruShield, follow these steps:

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.

Step 3 Enter the Device Name and IP addresses if adding a new host.

Step 4 Click Apply.

Step 5 Click Reporting Applications tab.

Step 6 Select IntruVert IntruShield 1.5 from the Select Application list.

Step 7 To complete the definition of this console, click Add.

Figure 6-14 Add IntruShield Sensors

Step 8 Continue defining the sensors that the console manages using one of two methods:

•Add IntruShield Sensors Manually

•Add IntruShield Sensors Using a Seed File

Add IntruShield Sensors Manually

To add sensors manually, follow these steps:

Step 1 Click Add Sensor.

Step 2 Enter the Device Name, Sensor Name, and its Reporting IP address.

•Device Name - the DNS entry for this device

•Sensor Name - the name as it appears in the console

•Reporting IP - the IP address that the agent uses to send logs to the console

Step 3 Add the interface information.

Step 4 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 5 To save your changes, click Submit.

Step 6 To enable MARS to start sessionizing events from this module, click Activate.

Add IntruShield Sensors Using a Seed File

To add sensors using a seed file, follow these steps:

Step 1 Click Load From CSV.

Step 2 Enter the FTP server information and location of the CSV (comma separated values) file.

•If you need to generate the IntruShield sensors CSV file, Extracting Intruvert Sensor Information from the IntruShield Manager.

Step 3 Click Submit.

The list of sensors appears on the management console page.

Step 4 For each sensor that appears in the management console page, select the check box next to the sensor and click Edit Sensor.

Step 5 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 6 To save your changes, click Submit.

Step 7 To save the changes made to this management console and the sensors it manages, click Submit.

Step 8 To enable MARS to start sessionizing events from this module, click Activate.

Snort 2.0

Configure Snort to Send Syslogs to MARS

For Snort, use the syslog as your output plugin. Configure your syslogd to send copies to another host. On most older-style systems (Solaris/Linux), you need to edit /etc/syslog.conf. (Assuming that the system is based on syslogd, and not any of the newer system logging facilities. The newer logging facilities are not supported by Snort.)

To configure Snort to send syslog messages to the MARS Appliance, follow these steps:

Step 1 Make Snort's output go to syslog with log facility local4 in snort.conf (you can pick any local facility that's unused.)
	  output alert_syslog: LOG_LOCAL4 LOG_ALERT
snort.conf is normally in /etc/snort.

Step 2 Add a redirector in your /etc/syslog.conf on your Snort box to send syslog to MARS.
	 local4.alert @IPAddrOffMarsbox
Step 3 Restart the Snort daemon and the syslogd daemon on your Snort box.

Add the Snort Device to MARS

To add the Snort device to MARS, follow these steps:

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host

Step 3 Enter the Device Name and IP addresses if adding a new host.

Step 4 Click Apply

Step 5 Click Reporting Applications tab

Step 6 From the Select Application list, select Snort Snort 2.0

Step 7 Click Add

Step 8 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 9 To save your changes, click Submit.

Step 10 To enable MARS to start sessionizing events from this module, click Activate.

Symantec ManHunt

Symantec ManHunt Side Configuration

Step 1 Login to the Symantec ManHunt with appropriate username and password.

Step 2 In the main screen, click Setup > Policy > Response Rules, then Response Rules window will appear.

Figure 6-15 ManHunt Configuration

Step 3 In the Response Rules window, click Action > Add response Rules.

Step 4 Click in the field of Response Action

Figure 6-16 ManHunt Response Rule Config

Step 5 In the left menu, click SNMP Notification and enter the following information:

a. SNMP Manager IP address: Reporting IP address of MARS

b. Maximum number of SNMP notification: (Example: 100000).

c. Delay between SNMP notification (mins): (Example: 1 min)

Step 6 Click OK to return to main screen.

MARS Side Configuration

Add Configuration Information for Symantec ManHunt 3.x

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host

Step 3 Enter the Device Name and IP addresses if adding a new host.

Step 4 Click Apply

Step 5 Click Reporting Applications tab

Step 6 From the Select Application list, select Symantec ManHunt 3.x

Step 7 Click Add

Step 8 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 9 To save your changes, click Submit.

Step 10 To enable MARS to start sessionizing events from this module, click Activate.

NetScreen IDP 2.1

IDP-side Configuration

Step 1 Click NetScreen-Global Pro > IDP Manager > IDP.

Step 2 Log in to the IDP Manager.

Step 3 From the main menu, click Tools > Preferences.

Step 4 In the tree on the left, click Management Server, enter the Local Controller's address in the Syslog host field, and click OK.

Step 5 Click Security Policies, and the name of your policy.

Step 6 In the Notification column, right-click anywhere in the cell in the field and select Configure.

Step 7 Check enable logging and syslog for each policy, and click OK. Repeat for all of your policies.

Step 8 From the main menu, click Policy > Install.

MARS-side Configuration

Add Configuration Information for the IDP

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.

Step 3 Enter the Device Name and IP Addresses if adding a new host.

Step 4 Click Apply.

Step 5 Click Reporting Applications tab.

Step 6 From the Select Application list, select NetScreen IDP 2.1.

Step 7 Click Add.

Figure 6-17 Add NetScreen IDP 2.1 Sensors

Add NetScreen IDP 2.1 Sensors Manually

Step 1 Click Add Sensor.

Step 2 Select existing device or Add New device.

Step 3 Enter the Device Name, Sensor Name, and its Reporting IP address.

•Device Name - the DNS entry for this device

•Sensor Name - the name as it appears in the console

•Reporting IP - the IP address that the agent uses to send logs to the console

Step 4 Add the interfaces, which important information for attack path calculation.

•For multiple interfaces, click Add Interface, and add the new interfaces's name, IP address and mask.

Step 5 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 6 To save your changes, click Submit.

Step 7 To enable MARS to start sessionizing events from this module, click Activate.

Enterasys Dragon 6.x

To configure the Enterasys Dragon devices, you must:

•Configure the Dragon Policy Manager (DPM) or Event Flow Processor (EFP).

•Configure the syslog daemon running on the same system as the DPM or EFP.

•Configure the MARS.

DPM/EFP Configuration

Before you configure the DPM or EFP, you must install and enable the Alarmtool.

Configure the DPM or EFP

Step 1 Log into the DPM or EFP.

Step 2 Click Alarmtool.

Step 3 In the left menu, click Notification Rules.

Step 4 In the right window, select syslog if it exists. If not, you need to create it:

a. Click New Notification Rules and select syslog.

b. Facility - Make sure the localn you select is not in use by the syslog daemon

c. Level - Select Debug

d. Message - Make sure its in such format:
%TIME% %DATE% SigName=%NAME% from Sensor=%SENSOR%
SrcIP=%SIP% DstIP=%DIP% SrcPort=%SPORT% DstPort=%DPORT% 
Protocol=%PROTO%
Step 5 Click Save.

Step 6 In the left menu, click Alarm.

Step 7 Set the Type to Real-time and the Notification Rule to syslog.

Step 8 Click Save.

Step 9 In the left menu, click Deployment.

Step 10 In the main screen, click View Configuration. Make sure the localn set in both notify syslog and alarm syslog match.

Step 11 In the main screen, click Deploy and Reset to confirm the configuration change.

Host-side Configuration

Configure the syslog on the UNIX host

Step 1 Log into the host as the root user.

Step 2 On the same system running the DPM or EFP, edit the file /etc/syslog.conf.

Step 3 Make sure n in localn matches the syslog entry you used on the DPM or EFP.

Step 4 Add the line
localn.*           @<mars ip address>
Replacing n with the value used in Step 3 and replacing <mars ip address> with the IP address of the MARS Appliance.

Step 5 Restart the syslog daemon by entering:
/etc/rc.d/rc.syslog restart
MARS-side Configuration

Add Configuration Information for the Enterasys Dragon

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host

Step 3 Enter the Device Name and IP Addresses if adding a new host.

Step 4 Click Apply

Step 5 Click Reporting Applications tab

Step 6 From the Select Application list, select Enterasys Dragon 6.x

Step 7 Click Add.

Add a Dragon NIDS Device

Step 1 Click Add Sensor.

Step 2 Select existing device or Add New device.

Step 3 Enter the Device Name, Sensor Name, and its Reporting IP address.

•Device Name - the DNS entry for this device

•Sensor Name - the name as it appears in the console

•Reporting IP - the IP address that the agent uses to send logs to the console

Step 4 Add the interfaces, which important information for attack path calculation.

•For multiple interfaces, click Add Interface, and add the new interfaces's name, IP address and mask.

Step 5 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the selected network into the Monitored Networks field.

c. Repeat as needed.

Step 6 To save your changes, click Submit.

Step 7 Click Done when you are done adding the sensor.

Step 8 To enable MARS to start sessionizing events from this module, click Activate.

	User Guide for Cisco Security MARS Local Controller, Release 4.2.x
	Configuring Network-based IDS and IPS Devices
User Guide for Cisco Security MARS Local Controller, Release 4.2.x Preface STM Task Flow Overview Reporting and Mitigation Devices Overview Configuring Router and Switch Devices Configuring Firewall Devices Configuring VPN Devices Configuring Network-based IDS and IPS Devices Configuring Host-Based IDS and IPS Devices Configuring Antivirus Devices Configuring Vulnerability Assessment Devices Configuring Generic, Solaris, Linux, and Windows Application Hosts Configuring Database Applications Configuring Web Server Devices Configuring Web Proxy Devices Configuring AAA Devices Configuring Custom Devices Policy Table Lookup on Cisco Security Manager Network Summary Case Management Incident Investigation and Mitigation Queries and Reports Rules Sending Alerts Management Tab Overview System Maintenance Cisco Security MARS XML API Reference Regular Expression Reference Date/Time Format Specfication System Rules and Reports Glossary Index	Download this chapter Configuring Network-based IDS and IPS Devices Download the complete book uglc42x.pdf (PDF - 7 MB) Table Of Contents Configuring Network-based IDS and IPS Devices Cisco IDS 3.1 Sensors Configure Sensors Running IDS 3.1 Add and Configure a Cisco IDS 3.1 Device in MARS Cisco IDS 4.0 and IPS 5.x Sensors Bootstrap the Sensor Enable the Access Protocol on the Sensor Enable the Correct Signatures and Actions Add and Configure a Cisco IDS or IPS Device in MARS Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File View Detailed Event Data for Cisco IPS Devices Verify that MARS Pulls Events from a Cisco IPS Device Cisco IPS Modules Enable DTM Support Enable SDEE on the Cisco IOS Device with an IPS Module Add an IPS Module to a Cisco Switch or Cisco ASA ISS Site Protector ISS RealSecure 6.5 and 7.0 Configure ISS RealSecure to Send SNMP Traps to MARS Add an ISS RealSecure Device as a NIDS Add an ISS RealSecure Device as a HIDS IntruVert IntruShield Extracting Intruvert Sensor Information from the IntruShield Manager Configure IntruShield Version 1.5 to Send SNMP traps to MARS Configure IntruShield Version 1.8 to Send SNMP Traps to MARS Add and Configure an IntruShield Manager and its Sensors in MARS Add the IntruShield Manager Host to MARS Add IntruShield Sensors Manually Add IntruShield Sensors Using a Seed File Snort 2.0 Configure Snort to Send Syslogs to MARS Add the Snort Device to MARS Symantec ManHunt Symantec ManHunt Side Configuration MARS Side Configuration Add Configuration Information for Symantec ManHunt 3.x NetScreen IDP 2.1 IDP-side Configuration MARS-side Configuration Add Configuration Information for the IDP Add NetScreen IDP 2.1 Sensors Manually Enterasys Dragon 6.x DPM/EFP Configuration Configure the DPM or EFP Host-side Configuration Configure the syslog on the UNIX host MARS-side Configuration Add Configuration Information for the Enterasys Dragon Add a Dragon NIDS Device Configuring Network-based IDS and IPS Devices Revised: February 26, 2007 Network intrusion detection and intrusion preventions systems are a critical source for identifying active attacks to MARS. This chapter explains how to bootstrap and add the following network-based IDS and IPS devices to MARS: •Cisco IDS 3.1 Sensors •Cisco IDS 4.0 and IPS 5.x Sensors •Cisco IPS Modules •ISS Site Protector •ISS RealSecure 6.5 and 7.0 •IntruVert IntruShield •Snort 2.0 •Symantec ManHunt •NetScreen IDP 2.1 •Enterasys Dragon 6.x Cisco IDS 3.1 Sensors Before you add the Cisco IDS 3.1 device, make sure that you have configured the Cisco IDS device for the MARS to retrieve the device configuration. The device configuration would be used for mapping of the logs received by MARS. When configuring the IDS device to send logs to the MARS, you must use the exact name of the MARS Appliance. To determine the name of the appliance, select Admin > System Setup > Configuration Information and review the value in the Name field. Configure Sensors Running IDS 3.1 Step 1 Log in to the Cisco IDS device. Step 2 Change to directory that has all the configurations files that need to be edited: cd /usr/nr/etc Step 3 You need to edit 4 files (organizations, hosts, routes and destinations) that are in this directory. In the organizations file add a line indicating your organization name or grouping; e.g., 1 protego where 1 is the item number followed by the organization name protego. If there is already item in this file, simply increase the item number (has to be unique). Figure 6-1 Add MARS Information to Cisco IDS 3.1 Organizations File In the hosts file add a line indicating your MARS appliances' name associated to the organization that was previously added in the organizations file; e.g., 2001.1 pnmars.protego where 2001.1 is a unique item number followed by the MARS appliances' name and organization name protego. If there is already items in this file, simply increase the item number (has to be unique). Figure 6-2 Add MARS Information to Cisco IDS 3.1 Hosts File In the routes file add a line indicating your MARS appliances' name and its IP address; e.g., pnmars.protego 1 10.1.1.10 45000 1 5 where pnmars.protego is the MARS's name (with organizations' name) followed by 1 then the MARS appliances' IP address. The 45000 is the port number that the IDS will use to send its logs to MARS. Add a 1 follows by a 5 at the end of this line (these numbers are not used by MARS). Figure 6-3 Add MARS Information to Cisco IDS 3.1 Routes File In the destinations file add a line indicating your MARS appliances' name (as defined in the routes file) the client process that the appliance is using to listen for events from the sensor (in this case smid), and the list of log types you want sent to the appliance as a comma separated list: e.g., pnmars.protego smid ERRORS, EVENTS, COMMANDS where pnmars.protego is the MARS's name (with organizations' name) followed by smid and the list of log types that the loggerd daemon will publish to the appliance. Figure 6-4 Add MARS Information to Cisco IDS 3.1 Destinations File Step 4 Once you've edited these four files (organizations, hosts, routes, and destinations), reboot the sensor using the following commands: a. nrstop b. nstart Add and Configure a Cisco IDS 3.1 Device in MARS To add and configure a Cisco IDS device in MARS, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Cisco IDS 3.1 from the Device Type list. Step 3 Enter the hostname of the sensor in the Device Name field. The Device Name value must be identical to the configured sensor name. Step 4 Enter the administrative IP address in the Access IP field. Step 5 Enter the administrative IP address in the Reporting IP field. The Reporting IP address is the same address as the administrative IP address. Step 6 Select either SSH or TELNET. Step 7 Enter "netrangr" as the Login and its Password. When adding a Cisco IDS 3.1 device, use the netrangr username or some other username that is not the root login for the sensor. Using the root login causes MARS to fail to parse the login prompt correctly, which in turn, cause the Test Connectivity to fail. Figure 6-5 Configure Cisco IDS 3.1 Step 8 For attack path calculation and mitigation, add networks into the Monitored Networks field. a. Click the Select a Network or Define a Network radio button. •In the Select a Network list, click a network. •In the Define a Network field, enter its network IP and network mask information. b. Click Add to move the selected networks into the Monitored Networks field. Step 9 (Optional) To discover the device settings, click Discover. Step 10 Click Submit. Cisco IDS 4.0 and IPS 5.x Sensors Adding a Cisco IDS or IPS network sensor to MARS involves two parts: 1. Bootstrap the Sensor 2. Add and Configure a Cisco IDS or IPS Device in MARS 3. Verify that MARS Pulls Events from a Cisco IPS Device The following topic supports Cisco IDS and IPS devices: •View Detailed Event Data for Cisco IPS Devices Note If you've imported your sensor definitions using the seed file format, as specified in Load Devices From the Seed File, page 2-24, you must define the networks monitored by the sensor. Bootstrap the Sensor Preparing a sensor to be monitored by MARS involves two steps: •Enable the Access Protocol on the Sensor •Enable the Correct Signatures and Actions Enable the Access Protocol on the Sensor The configuration of the sensor depends on the version of the software that is running on the sensor. The following topics identify the requirements of each version: •Cisco IDS 4.x Software •Cisco IPS 5.x Software Cisco IDS 4.x Software For Cisco IDS 4.x devices, MARS pulls the logs using RDEP over SSL. Therefore, MARS must have HTTPS access to the sensor. To prepare the sensor, you must enable the HTTP server on the sensor, enable TLS to allow HTTPS access, and make sure that the IP address of MARS is defined as an allowed host, one that can access the sensor and pull events. If the sensors have been configured to allow access from limited hosts or subnets on the network, you can use the accessList ipAddress ip_address netmask command to enable this access. Cisco IPS 5.x Software For Cisco IPS 5.x devices, MARS pulls the logs using SDEE over SSL. Therefore, MARS must have HTTPS access to the sensor. To prepare the sensor, you must enable the HTTP server on the sensor, enable TLS to allow HTTPS access, and make sure that the IP address of MARS is defined as an allowed host, one that can access the sensor and pull events. If the sensors have been configured to allow access from limited hosts or subnets on the network, you can use the access-list ip_address/netmask command to enable this access. Enable the Correct Signatures and Actions If the signature actions are correctly configured, MARS can display the trigger packet information for the first event that fires a signature on a Cisco IDS or IPS device. MARS is also able to pull the IP log data from Cisco IDS and IPS devices, however, this operation is system intensive. Therefore, you should select the set of signatures that generate IP log data carefully. When configuring the active signatures on a Cisco IDS or IPS device, you must specify the alert action and the action that generates the desired data: •To view trigger packets, you must enable the "produce-verbose-alert" action. •To view IP logs, you must enable the alert or "produce-verbose-alert" action and the "log-pair-packets" action. Caution Configuring IP logging and verbose alerts on the sensor is system intensive and does affect the performance of your sensor. In addition, it affects the performance of your MARS Appliance. Because of these effects, you be cautious in configuring signatures to generate IP logs. Add and Configure a Cisco IDS or IPS Device in MARS To add and configure a Cisco IDS or IPS device in MARS, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 Do one of the following: •Select Cisco IDS 4.0 from the Device Type list. Figure 6-6 Configure Cisco IDS 4.0 •Select Cisco IPS 5.x from the Device Type list. Figure 6-7 Configure Cisco IPS 5.x Step 3 Enter the hostname of the sensor in the Device Name field. The Device Name value must be identical to the configured sensor name. Step 4 Enter the administrative IP address in the Access IP field. Step 5 Enter the administrative IP address in the Reporting IP field. The Reporting IP address is the same address as the administrative IP address. Step 6 In the Login field, enter the username associated with the administrative account that will be used to access the reporting device. Step 7 In the Password field, enter the password associated with the username specified in the Login field. Step 8 In the Port field, enter the TCP port on which the webserver running on the sensor listens. The default HTTPS port is 443. Note While it is possible to configure HTTP only, MARS requires HTTPS. Step 9 To pull the IP logs from the sensor, select Yes in the Pull IP Logs box. Step 10 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 11 To verify the configuration, click Test Connectivity. Step 12 Click Submit. Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File After you import a Cisco IPS or IDS device into MARS using a seed file, you must define the networks that are monitored by that sensor. To define the networks monitored by a sensor, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices. Step 2 Select the check box next to the Cisco IPS or IDS device that was imported using a seed file. and click Edit. Step 3 To specify the networks being monitored by the sensor, do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 4 To save your changes, click Submit. Step 5 To enable MARS to start sessionizing events from this module, click Activate. View Detailed Event Data for Cisco IPS Devices You can view the trigger packets and IP log data associated with incidents reported by Cisco IDS 4.x and Cisco IPS 5.x devices, whether they are sensor appliances or modules. This information is useful when an in-depth understanding of the attack method is desired. MARS includes two event types that focus on the these two data types: •Trigger packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. The trigger packet provides a single data packet—the data packet that caused the alarm to fire. •Packet data. Identifies the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. Although the amount of data contained in an IP log varies based on sensor configuration, by default an IP log contains 30 seconds of packet data. To view this data, you must enable the Pull IP Logs option on the Cisco IPS device under Admin > System Setup > Security and Monitor Devices. Note MARS does not collect this data for Cisco IDS 3.x devices. For the correct signature settings required to generate this data, see Enable the Correct Signatures and Actions. If the IP log feature is enable for the reporting Cisco IPS device, these event types are combined as part of the incident data. You can view this data by drilling down in an incident, expanding the desired event type (either Packet Data or Trigger Packet Data), selecting an event, and clicking on the RAW Events for this Session icon under the Reporting Device column of that event. The source, destination, and other data displayed for these events matches that of the original alert. In addition, this data appears hexadecimal and binary format. Note The trigger packet and IP log data is stored using a base64-encoded format in the MARS database. Therefore, keyword search does not work on it if you just provide the search string. Verify that MARS Pulls Events from a Cisco IPS Device Note If the Test Connectivity operation does not fail when configuring a Cisco IPS device in the MARS web interface, then communications are enabled. This task allows you to further verify the alerts are generated and pulled correctly. It is common to create benign events on the network to verify the data flow. To verify the data flow between a Cisco IPS device and MARS, perform the following tasks: 1. On the Cisco IPS device, enable and alert on the signatures 2000 and 2004. The signatures monitor ICMP messages (pings). 2. Ping a device on the subnet on which the Cisco IPS device is listening. The events are generated and pulled by MARS. 3. Verify that the events appear in the MARS web interface. You can perform a query using the Cisco IPS device. 4. Once the dataflow is verified, you can disable the 2000 and 2004 signatures on the Cisco IPS device. Cisco IPS Modules MARS can monitor Cisco IPS modules installed in Cisco switches and Cisco ASA appliances. To prepare these modules, you must perform the following tasks: •Define the base module, either the router, switch, or Cisco ASA, as defined in Cisco Router Devices, page 3-1, Cisco Switch Devices, page 3-9, and Cisco Firewall Devices (PIX, ASA, and FWSM), page 4-1. •Bootstrap the base module to enable SDEE traffic on the Cisco IPS module, to forward events to the MARS Appliance, and to enable MARS to access the SDEE events stored on the modules. Module access enables MARS to retrieve trigger packets and IP log information. •Add the IPS feature set t the base module previously defined in the web interface. This section contains the following topics: •Enable DTM Support •Enable SDEE on the Cisco IOS Device with an IPS Module •Add an IPS Module to a Cisco Switch or Cisco ASA The following topic also supports the configuration of the Cisco IPS modules: •Verify that MARS Pulls Events from a Cisco IPS Device Enable DTM Support To support DTM, you must configure your IPS module as follows: •Purchase or enable the IOS IPS feature set. •Enable HTTPS for SDEE. •Enable SSH to discover settings, which is the method recommended over Telnet. Enable SDEE on the Cisco IOS Device with an IPS Module In addition to enabling either Telnet or SSH for configuration discovery on a Cisco IOS device, you must also enable SDEE on the device that supports IPS module. SDEE is used to publish events to MARS about signatures that have fired. To enable SDEE protocol on the Cisco IOS device that supports IPS module, perform the following steps: Step 1 Log in to the Cisco IOS device using the enable password. Step 2 Enter the following commands to enable MARS to retrieve the events from the IPS module: Router(config)#ip http secure-server Router(config)#ip ips notify sdee Router(config)#ip sdee subscriptions 3 Router(config)#ip sdee events 1000 Router(config)#no ip ips notify log Note The "no ips notify log" causes the IPS modules to stop sending IPS events over syslog. Add an IPS Module to a Cisco Switch or Cisco ASA You can enable in-line IPS functionality and signature detection in multi-purpose Cisco platforms. You can identify an IDS-M2 running in a Cisco Switch or an ASA-SSM running in a Cisco ASA. To represent either of these modules, you must define the settings for the module as part of the base platform, which must be previously defined under Admin > System Setup > Security and Monitor Devices. To add an IPS module to a Cisco Switch of Cisco ASA, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices. Step 2 From the list of devices, select the Cisco switch or Cisco ASA to which you want to add the IPS module and click Edit. Step 3 Click Add Module. Step 4 Select Cisco IPS 5.x in the Device Type list. For Cisco switches, you can also add a Cisco IPS 4.0 module or an IDS 3.1 module. You configure these modules just as you would a standalone sensor. For instructions on configuring these modules, refer to Cisco IDS 3.1 Sensors and Cisco IDS 4.0 and IPS 5.x Sensors. Figure 6-8 Configure Cisco IPS 5.x Step 5 Enter the hostname of the sensor in the Device Name field. Step 6 Enter the administrative IP address in the Reporting IP field. Step 7 The Reporting IP address is the same address as the administrative IP address. Step 8 In the Login field, enter the username associated with the administrative account that will be used to access the reporting device. Step 9 In the Password field, enter the password associated with the username specified in the Login field. Step 10 In the Port field, enter the TCP port on which the webserver running on the sensor listens. The default HTTPS port is 443. Note While it is possible to configure HTTP only, MARS requires HTTPS. Step 11 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 12 Click Test Connectivity to verify the configuration. Step 13 To save your changes, click Submit. Step 14 To enable MARS to start sessionizing events from this module, click Activate. ISS Site Protector Note This topic describes how to use Site Protector to configure the ISS NIDS and HIDS; Site Protector is not a device type that can be monitored or used as an aggregation point for ISS event data from the perspective of MARS. MARS cannot parse event data from Site Protector, unless you develop a custom event parser for each event type as described in Adding User Defined Log Parser Templates, page 16-1. MARS supports ISS NIDS and HIDS event retrieval via SNMP. However, when configuring ISS RealSecure sensors (NIDS) and hosts (HIDS), you must configure each active signature to send an alert to the MARS Appliance. This task can be very tedious as it must be done for each sensor and after each signature upgrade, as it resets the redirect configuration. One approach to simplifying this task is to use the ISS Site Protector management console to define these changes globally and apply them to each sensor. ISS Site Protector 2.0 allows you to centrally manage SNMP alert destinations, such as the MARS Appliance, for group policies. You can then push these group policies to all desired host and network sensors. For each ISS signature update, you must specify the MARS Appliance as an SNMP alert destination before you apply the downloaded signatures to sensors using Site Protector. Note By default, the group policy response configuration is supported only on Proventia G400 and G2000 models. For all other models, including the G100 mentioned, a firmware upgrade is required. See the documentation that came with ISS Site Protector for more information. To perform the major configuration steps required to use Site Protector to forward the SNMP alerts generated by sensors to MARS Appliance, follow these steps: Step 1 Using the Add Sensor Wizard, register the sensor to Site Protector Console. Other methods exist for registering sensors in Site Protector. For more information on using the Wizard as well as these other methods, see Chapter 9, Registering Software Managed by SiteProtector, on page 105 at the following URL: http://documents.iss.net/literature/SiteProtector/SPUserGuideforSecurityManagers20SP52.pdf Step 2 Right-click the sensor to edit, and click Edit Settings on the shortcut menu. The Edit Settings dialog appears. Step 3 Create a new SNMP response that sends messages to the IP address of the MARS Appliance: a. Select Response Objects from the settings tree. b. Select the SNMP tab. c. Click Add to create a new SNMP response object using the IP address of the MARS Appliance. Step 4 Select the Security Events to configure new SNMP destination. a. Select Security Events under the sensor folder. b. Select the required security events from the Security Events tab. The Group By button allows you to group policies using any number of parameters. Note You can also select policies and edit them at the group level. c. Click Edit to configure SNMP response of all the selected policies. Step 5 Select the MARS Appliance on SNMP tab. a. Enable all the security events by selecting the Enabled checkbox located at the top of the Edit Security Events dialog box. a. Select the SNMP tab under Responses, and then select the Enabled checkbox next to the name of MARS Appliance created in Step 3. a. Click OK. The security events and updated response target are applied to the selected sensor during the next synchronization. ISS RealSecure 6.5 and 7.0 To configure ISS RealSecure, you must perform the following four tasks: 1. Prepare each ISS sensor as follows: •Edit the common.policy files to point to the MARS Appliance as an SNMP target. •Modify the current.policy files to configure each signature so that the SNMP notification is a default response when triggered. •Edit the response.policy files to specify the IP of the SNMP manager (MARS Appliance) and the community string. •Restart the ISS daemon for the changes to take effect. For more information, see Configure ISS RealSecure to Send SNMP Traps to MARS. 2. Add the ISS sensor to MARS as a network-based IDS device. For more information, see Add an ISS RealSecure Device as a NIDS. 3. Click Activate to enable proper processing of received events. Configure ISS RealSecure to Send SNMP Traps to MARS To configure an ISS RealSecure sensor, follow these steps: Step 1 Log into the sensor. Step 2 Locate the common.policy files in these directories: Microsoft Windows Program Files\ISS\issSensors\server_sensor_1 Program Files\ISS\issSensors\network_sensor_1 Linux /opt/ISS/issSensors/server_sensor_1 /opt/ISS/issSensors/network_sensor_1 Step 3 Open the common.policy files in a text editor. Step 4 Change the line that reads: Manager =S to: Manager =S <MARS's IP address> If MARS Appliance's IP address is NATed, you may need to use the NATed address. If you use the MARS Appliance's IP address as the destination IP address, make sure the SNMP trap can reach MARS Appliance. Step 5 Save these edited files and exit the editor. Step 6 Locate the current.policy files in these directories: Microsoft Windows Program Files\ISS\issSensors\server_sensor_1 Program Files\ISS\issSensors\network_sensor_1 Linux /opt/ISS/issSensors/server_sensor_1 /opt/ISS/issSensors/network_sensor_1 Step 7 Open the current.policy files in a text editor. Edit each signature to have SNMP as one of its responses, and set the choice for SNMP trap as default. For example, in this original signature: [\template\features\AOLIM_File_Xfer\Response\]; [\template\features\AOLIM_File_Xfer\Response\DISPLAY\]; Choice =S Default; [\template\features\AOLIM_File_Xfer\Response\LOGDB\]; Choice =S LogWithoutRaw; Insert the following bolded lines to make it look similar to the following: [\template\features\AOLIM_File_Xfer\Response\]; [\template\features\AOLIM_File_Xfer\Response\DISPLAY\]; Choice =S Default; [\template\features\AOLIM_File_Xfer\Response\SNMP\]; Choice =S Default; [\template\features\AOLIM_File_Xfer\Response\LOGDB\]; Choice =S LogWithoutRaw; Step 8 Save these edited files and exit the editor. Step 9 Locate the response.policy files in these directories: Microsoft Windows Program Files\ISS\RealSecure SiteProtector\Console Linux /opt/ISS/RealSecure SiteProtector/Console Step 10 Edit the response.policy files to specify the IP of the SNMP manager (MARS Appliance) and the community string: SMTP_HOST =S ; addr_1 =S ; [\Response\SNMP\]; [\Response\SNMP\Default\]; Manager =S ; Community =S public; to: Manager =S <MARS's IP address> ; Community = S <string> public; If MARS Appliance's IP address is NATed, you may need to use the NATed address. If you use the MARS Appliance's IP address as the destination IP address, make sure the SNMP trap can reach MARS Appliance. Step 11 Save these edited files and exit the editor. Step 12 Restart the ISS daemon. •For sensors installed on Microsoft Windows, restart it in the Services menu. •For sensors installed on Linux, run: /etc/init.d/RealSecure stop /etc/init.d/RealSecure start Add an ISS RealSecure Device as a NIDS Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name. Step 4 Click Apply. Step 5 Click on Reporting Applications tab. Step 6 From the Select Application list, select RealSecure (6.5 or 7.0). Step 7 Click Add. Step 8 Click the NIDS radio button, if it is not already selected. Figure 6-9 Configure ISS Real Secure NIDS Step 9 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 10 To save your changes, click Submit. Step 11 To enable MARS to start sessionizing events from this module, click Activate. Add an ISS RealSecure Device as a HIDS Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name. Step 4 Click Apply. Step 5 Click on Reporting Applications tab. Step 6 From the Select Application list, select RealSecure (6.5 or 7.0). Step 7 Click Add. Step 8 Click the HIDS radio button. Figure 6-10 Configure ISS Real Secure HIDS Step 9 Click Submit. Step 10 For multiple interfaces, click on General Tab, and add the new interfaces' name, IP address, and network mask. Figure 6-11 Adding Multiple Interfaces Step 11 Click Apply. IntruVert IntruShield To configure IntruVert IntruShield in MARS, you must perform the following tasks: 1. Generate CSV file that identifies each of the IntruShield senor hosts by logging into the database to which IntruShield Manager writes and performing and saving a database query. 2. Configure the IntruShield Manager to send SNMP traps to the MARS Appliance 3. Define a host that represents the management console (IntruVert Manger) in MARS web interface. 4. From that host in the MARS web interface, import the IntruShield sensor seed file to identify the IntruVert sensors running on other hosts. The following sections provide details on performing each of these tasks: •Extracting Intruvert Sensor Information from the IntruShield Manager •Configure IntruShield Version 1.5 to Send SNMP traps to MARS •Configure IntruShield Version 1.8 to Send SNMP Traps to MARS •Add and Configure an IntruShield Manager and its Sensors in MARS Extracting Intruvert Sensor Information from the IntruShield Manager IntruVert sensor information is saved in a database on the IntruShield Manager host. When you configure the MARS to add Intruvert sensors, you can manually add the mapping of each Intruvert sensor name or you can extract them as a seed file from the database on the Intruvert Manager. Note The instructions apply for Intruvert IntruShield version 1.5. IntruVert supports both MySQL and Oracle. To create a CSV file for IntruVert IntruShield 1.5, follow these steps: Step 1 Log in to the database. Step 2 Perform the query: use lf; select name, ip_address from iv_sensor where ip_address is not NULL; Step 3 Store the query result into a file, remove the header, trailer, and separator lines, and edit the result to a CSV format. For example, the query result could be: +------------+------------+ \| name \| ip_address \| +------------+------------+ \| intruvert \| 0A010134 \| \| intruvert1 \| 0A010135 \| +------------+------------+ 2 row in set (0.00 sec) You would then edit the above file to appear as: intruvert,0A010134 intruvert1,0A010135 Step 4 Save the edited CSV file, move the file to an FTP server from which you can load the seed file using the MARS web interface. Configure IntruShield Version 1.5 to Send SNMP traps to MARS Step 1 Log in to the IntruShield Manager version 1.5. Step 2 Click Configure. Step 3 In the Resource Tree, click My Company. Step 4 Click the Forwarding tab. Step 5 In the Add SNMP Server field, enter: a. Target Server IP Address: Enter MARS's IP address as it appears to IntruShield. b. Target Server Port Number: Enter MARS's port number 162. c. SNMP Version: 1 d. Check the Forward Alerts box. e. Select the For this and child admin domains radio button. f. Select the severity from the list. Cisco recommends selecting High and Medium severity. g. Check the Forward Faults box. h. Select the severity from the list. Cisco recommends selecting Error and above severity. Step 6 Click Save and exit the program. Configure IntruShield Version 1.8 to Send SNMP Traps to MARS Step 1 Log in to the IntruShield Manager version 1.8. Step 2 Click Configure. Step 3 In the Resource Tree, click My Company. Step 4 Click the Alert Notification tab. Step 5 Click the SNMP Forwarder sub-tab. Figure 6-12 IntruShield SNMP Forwarder Configuration Step 6 Click the Add button. Figure 6-13 IntruShield Target SNMP Server Step 7 On the SNMP Forwarder page, enter: a. Enable SNMP Forwarder: Select the Yes radio button. b. Target Server (IP Address): Enter MARS's IP address as it appears to IntruShield. c. Target Server Port Number: Enter MARS's port number 162. d. SNMP Version: 1 e. Forward Alerts f. Select the severity from the list. Cisco recommends selecting Informational and above severity. g. Customize Community: Enter the community string that you want to use. Step 8 Click Apply and exit the program. Add and Configure an IntruShield Manager and its Sensors in MARS Adding an IntruVert device has two distinct steps. First, you add configuration information for the for the IntruShield Manager host. Second, you add the sensors managed by that host. •Add the IntruShield Manager Host to MARS •Add IntruShield Sensors Manually •Add IntruShield Sensors Using a Seed File Add the IntruShield Manager Host to MARS To define the host and represent the management console for IntruShield, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 Click Reporting Applications tab. Step 6 Select IntruVert IntruShield 1.5 from the Select Application list. Step 7 To complete the definition of this console, click Add. Figure 6-14 Add IntruShield Sensors Step 8 Continue defining the sensors that the console manages using one of two methods: •Add IntruShield Sensors Manually •Add IntruShield Sensors Using a Seed File Add IntruShield Sensors Manually To add sensors manually, follow these steps: Step 1 Click Add Sensor. Step 2 Enter the Device Name, Sensor Name, and its Reporting IP address. •Device Name - the DNS entry for this device •Sensor Name - the name as it appears in the console •Reporting IP - the IP address that the agent uses to send logs to the console Step 3 Add the interface information. Step 4 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 5 To save your changes, click Submit. Step 6 To enable MARS to start sessionizing events from this module, click Activate. Add IntruShield Sensors Using a Seed File To add sensors using a seed file, follow these steps: Step 1 Click Load From CSV. Step 2 Enter the FTP server information and location of the CSV (comma separated values) file. •If you need to generate the IntruShield sensors CSV file, Extracting Intruvert Sensor Information from the IntruShield Manager. Step 3 Click Submit. The list of sensors appears on the management console page. Step 4 For each sensor that appears in the management console page, select the check box next to the sensor and click Edit Sensor. Step 5 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 6 To save your changes, click Submit. Step 7 To save the changes made to this management console and the sensors it manages, click Submit. Step 8 To enable MARS to start sessionizing events from this module, click Activate. Snort 2.0 Configure Snort to Send Syslogs to MARS For Snort, use the syslog as your output plugin. Configure your syslogd to send copies to another host. On most older-style systems (Solaris/Linux), you need to edit /etc/syslog.conf. (Assuming that the system is based on syslogd, and not any of the newer system logging facilities. The newer logging facilities are not supported by Snort.) To configure Snort to send syslog messages to the MARS Appliance, follow these steps: Step 1 Make Snort's output go to syslog with log facility local4 in snort.conf (you can pick any local facility that's unused.) output alert_syslog: LOG_LOCAL4 LOG_ALERT snort.conf is normally in /etc/snort. Step 2 Add a redirector in your /etc/syslog.conf on your Snort box to send syslog to MARS. local4.alert @IPAddrOffMarsbox Step 3 Restart the Snort daemon and the syslogd daemon on your Snort box. Add the Snort Device to MARS To add the Snort device to MARS, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices > Add Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host Step 3 Enter the Device Name and IP addresses if adding a new host. Step 4 Click Apply Step 5 Click Reporting Applications tab Step 6 From the Select Application list, select Snort Snort 2.0 Step 7 Click Add Step 8 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 9 To save your changes, click Submit. Step 10 To enable MARS to start sessionizing events from this module, click Activate. Symantec ManHunt Symantec ManHunt Side Configuration Step 1 Login to the Symantec ManHunt with appropriate username and password. Step 2 In the main screen, click Setup > Policy > Response Rules, then Response Rules window will appear. Figure 6-15 ManHunt Configuration Step 3 In the Response Rules window, click Action > Add response Rules. Step 4 Click in the field of Response Action Figure 6-16 ManHunt Response Rule Config Step 5 In the left menu, click SNMP Notification and enter the following information: a. SNMP Manager IP address: Reporting IP address of MARS b. Maximum number of SNMP notification: (Example: 100000). c. Delay between SNMP notification (mins): (Example: 1 min) Step 6 Click OK to return to main screen. MARS Side Configuration Add Configuration Information for Symantec ManHunt 3.x Step 1 Click Admin > System Setup > Security and Monitor Devices > Add Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host Step 3 Enter the Device Name and IP addresses if adding a new host. Step 4 Click Apply Step 5 Click Reporting Applications tab Step 6 From the Select Application list, select Symantec ManHunt 3.x Step 7 Click Add Step 8 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 9 To save your changes, click Submit. Step 10 To enable MARS to start sessionizing events from this module, click Activate. NetScreen IDP 2.1 IDP-side Configuration Step 1 Click NetScreen-Global Pro > IDP Manager > IDP. Step 2 Log in to the IDP Manager. Step 3 From the main menu, click Tools > Preferences. Step 4 In the tree on the left, click Management Server, enter the Local Controller's address in the Syslog host field, and click OK. Step 5 Click Security Policies, and the name of your policy. Step 6 In the Notification column, right-click anywhere in the cell in the field and select Configure. Step 7 Check enable logging and syslog for each policy, and click OK. Repeat for all of your policies. Step 8 From the main menu, click Policy > Install. MARS-side Configuration Add Configuration Information for the IDP Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name and IP Addresses if adding a new host. Step 4 Click Apply. Step 5 Click Reporting Applications tab. Step 6 From the Select Application list, select NetScreen IDP 2.1. Step 7 Click Add. Figure 6-17 Add NetScreen IDP 2.1 Sensors Add NetScreen IDP 2.1 Sensors Manually Step 1 Click Add Sensor. Step 2 Select existing device or Add New device. Step 3 Enter the Device Name, Sensor Name, and its Reporting IP address. •Device Name - the DNS entry for this device •Sensor Name - the name as it appears in the console •Reporting IP - the IP address that the agent uses to send logs to the console Step 4 Add the interfaces, which important information for attack path calculation. •For multiple interfaces, click Add Interface, and add the new interfaces's name, IP address and mask. Step 5 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 6 To save your changes, click Submit. Step 7 To enable MARS to start sessionizing events from this module, click Activate. Enterasys Dragon 6.x To configure the Enterasys Dragon devices, you must: •Configure the Dragon Policy Manager (DPM) or Event Flow Processor (EFP). •Configure the syslog daemon running on the same system as the DPM or EFP. •Configure the MARS. DPM/EFP Configuration Before you configure the DPM or EFP, you must install and enable the Alarmtool. Configure the DPM or EFP Step 1 Log into the DPM or EFP. Step 2 Click Alarmtool. Step 3 In the left menu, click Notification Rules. Step 4 In the right window, select syslog if it exists. If not, you need to create it: a. Click New Notification Rules and select syslog. b. Facility - Make sure the localn you select is not in use by the syslog daemon c. Level - Select Debug d. Message - Make sure its in such format: %TIME% %DATE% SigName=%NAME% from Sensor=%SENSOR% SrcIP=%SIP% DstIP=%DIP% SrcPort=%SPORT% DstPort=%DPORT% Protocol=%PROTO% Step 5 Click Save. Step 6 In the left menu, click Alarm. Step 7 Set the Type to Real-time and the Notification Rule to syslog. Step 8 Click Save. Step 9 In the left menu, click Deployment. Step 10 In the main screen, click View Configuration. Make sure the localn set in both notify syslog and alarm syslog match. Step 11 In the main screen, click Deploy and Reset to confirm the configuration change. Host-side Configuration Configure the syslog on the UNIX host Step 1 Log into the host as the root user. Step 2 On the same system running the DPM or EFP, edit the file /etc/syslog.conf. Step 3 Make sure n in localn matches the syslog entry you used on the DPM or EFP. Step 4 Add the line localn.* @<mars ip address> Replacing n with the value used in Step 3 and replacing <mars ip address> with the IP address of the MARS Appliance. Step 5 Restart the syslog daemon by entering: /etc/rc.d/rc.syslog restart MARS-side Configuration Add Configuration Information for the Enterasys Dragon Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host Step 3 Enter the Device Name and IP Addresses if adding a new host. Step 4 Click Apply Step 5 Click Reporting Applications tab Step 6 From the Select Application list, select Enterasys Dragon 6.x Step 7 Click Add. Add a Dragon NIDS Device Step 1 Click Add Sensor. Step 2 Select existing device or Add New device. Step 3 Enter the Device Name, Sensor Name, and its Reporting IP address. •Device Name - the DNS entry for this device •Sensor Name - the name as it appears in the console •Reporting IP - the IP address that the agent uses to send logs to the console Step 4 Add the interfaces, which important information for attack path calculation. •For multiple interfaces, click Add Interface, and add the new interfaces's name, IP address and mask. Step 5 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the selected network into the Monitored Networks field. c. Repeat as needed. Step 6 To save your changes, click Submit. Step 7 Click Done when you are done adding the sensor. Step 8 To enable MARS to start sessionizing events from this module, click Activate.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.