User Guide for Cisco Security MARS Local Controller, Release 4.2.x
Network Summary

Table Of Contents

Network Summary

Navigation within the MARS Appliance

Logging In

Basic Navigation

Help Page

Your Suggestions Welcomed

Summary Page

Dashboard

Recent Incidents

Sessions and Events

Data Reduction

Page Refresh

Diagrams

Manipulating the Diagrams

Display Devices in Topology

Network Status

Reading Charts

My Reports

To set up reports for viewing


Network Summary


This chapter describes the web interface and the components of the Summary tab of the web interface.

Navigation within the MARS Appliance

The MARS web interface runs within a single browser window. The MARS product functions are grouped under labeled tabs, and each tab is subdivided into subtabs.

Logging In


Step 1 To log in to the Local Controller, enter its IP address or DNS name in the browser address field. The login box appears.

Figure 19-1 Local Controller Login Box

Step 2 Enter your login name and password. If you do not have a login name, contact your network administrator.

Step 3 From the Type drop-down list, select Local if you are logging in to a user account created on this MARS, or select Global if you are logging in to a user account created on the Global Controller to which this Local Controller reports.

Step 4 Click Login.

The first page to appear after a login is the Summary tab Dashboard page. How long it takes for information to appear depends on a combination of the following factors:

How long the Local Controller has been powered up and connected to the network.

Amount of traffic on your networks

Reporting syslog levels of the reporting devices

Size of the network

The number and type of reporting devices

For most networks, the Summary page populates shortly after configuration. Some values are only meaningful after an interval of time has passed, for example the values in the 24 Hour Events and 24 Hour Incidents tables.

Basic Navigation

The Local Controller uses a tab-based, hyperlinked user interface. When you move the mouse over text or an icon that is a clickable hyperlink, the cursor changes to a pointing finger. Figure 19-2 shows some of the clickable objects on the Dashboard page.

Figure 19-2 Links, Icons, and Filters

1  Link to the item's detail page or popup window.

2  Query icon links to the Query page. The corresponding query field is populated with the item.

3  Pull-down lists filter what is displayed.

4  Path icons launch Path or Incident Vector pop-up diagrams.

Click any of the seven tabs to navigate to the pages relevant to that tab's subtabs, as shown in Figure 19-3 through Figure 19-9.

Figure 19-3 Summary Tab

Figure 19-4 Incidents Tab

Figure 19-5 Query/Reports Tab

Figure 19-6 Rules Tab

Figure 19-7 Management Tab

Figure 19-8 Administration Tab

Figure 19-9 Help Tab

Help Page

The Help page, as shown in Figure 19-10, provides URLs to online documentation and a feedback form for submitting constructive comments to the MARS development engineering team.

Figure 19-10 Help Page

Click About to display the software version number running on the MARS.

Click Documentation to display URLs to MARS documentation on the Cisco Systems, Inc. website (http://www.cisco.com).

Your Suggestions Welcomed

The Feedback button appears at the bottom of most pages, as shown in Figure 19-10.

When you click the feedback button, or navigate to the Feedback page, the feedback dialog box appears, as shown in Figure 19-11.

Figure 19-11 Feedback Dialog Box

To send your comments to the MARS development engineering team, type in your email address and comments, then click Submit. If you check Include log file, a MARS log file is sent with your message.

Summary Page

From the Summary pages, you can quickly evaluate the state of the network. The Summary pages include the Dashboard, Network Status, and My Reports, as shown in Figure 19-12.

Figure 19-12 Summary Tab

Dashboard


Note When you first view the Summary page after upgrading the Local Controller, expect a small delay while the Java Server pages recompile.


Figure 19-13 The Working Areas on the Dashboard

1  Subtabs

2  Case Bar (Local Controller only)

3  Links to Cases assigned to you

4  Charts

5  Tabs

6  Recent incidents information

7  HotSpot and Attack diagrams


Recent Incidents

The first feature to notice about the Dashboard is the list of recent incidents that have fired. The Local Controller comes with pre-defined rules, and these incidents are the result of those rules firing. The rules are generic and globally applicable, and should serve you well as a starting point when you begin to tune the Local Controller.

Figure 19-14 Drilling-down into Incidents

1  Link to the Incident sessions detail page.

2  Incident severity icons. Red—Severe threat. Yellow—Possible threat. Green—Unlikely threat.

3  Link to the Event Type Details page.

4  Query icon links to the Query page.

5  Link to the rule details page.

6  Incident Path icon launches the topology diagram popup window.

7  Incident Vector icon launches the incident attack vector diagram.

8  Link to the View Case page.

Sessions and Events

Within a given time window, a session is a collection of events that all share the same end-to-end:

Source and destination address

Source and destination port

Protocol

Event sessionization aggregates event data, making it easier to sort and examine. It lets the system treat a session as a single unit of information and helps you judge whether an attack has truly materialized, because it gives you the context of the attack: all of the events on that session.

Sessionization works across NAT (network address translation) boundaries. If a session traverses a device that performs NAT on it, the Local Controller can still sessionize the events even when they are reported by two devices on either side of that firewall.

Events and sessions begin to accumulate as soon as reporting devices start sending data. Note that the 24 Hour Events table and the Events and Sessions chart are two ways of presenting the same information.

Data Reduction

Data Reduction shows how much event data the Local Controller has collapsed into sessions. For example, a data reduction of 66% means an average of three events per session. The actual figure depends on many variables particular to your network.
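The following is an added example, not MARS code, that illustrates the two ideas above: grouping events that share a 5-tuple within a time window into sessions, including events reported on both sides of a NAT device, and computing the data-reduction ratio from the event and session counts. It also ranks sources by session count, the measure the Top Sources chart on the Network Status page uses. The NAT table, the 300-second window and the event records are constructed assumptions for the illustration; MARS's internal algorithm is not documented here.

```python
"""Sessionize events by 5-tuple inside a time window, fold post-NAT events
back onto their pre-NAT session, and compute the data-reduction ratio.
Added example, not MARS code: the NAT table, window length and event
records are constructed for illustration."""
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Event:
    ts: int         # seconds since start of the sample
    reporter: str   # device that reported the event
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Constructed static NAT table for the example firewall "fw1":
# (post-NAT source address, port) -> (pre-NAT source address, port).
# Assumption: the translation is known to the correlator, so an event
# reported on the outside of the firewall can be matched to inside events.
NAT_TABLE = {
    ("203.0.113.10", 40001): ("10.1.1.5", 40001),
}


def normalize(ev):
    """Map a post-NAT source back to its pre-NAT form so events seen on
    either side of the firewall share one session key."""
    inside = NAT_TABLE.get((ev.src, ev.sport))
    if inside is None:
        return ev
    return Event(ev.ts, ev.reporter, inside[0], inside[1], ev.dst, ev.dport, ev.proto)


def session_key(ev):
    """The common end-to-end identity of a session: the 5-tuple."""
    return (ev.src, ev.sport, ev.dst, ev.dport, ev.proto)


def sessionize(events, window=300):
    """Group events whose normalized 5-tuple matches and whose timestamp is
    within `window` seconds of the previous event in that session. Returns
    a list of sessions (lists of the original events) in order of first seen."""
    latest = {}     # session key -> index of the most recent open session
    sessions = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = session_key(normalize(ev))
        idx = latest.get(key)
        if idx is not None and ev.ts - sessions[idx][-1].ts <= window:
            sessions[idx].append(ev)
        else:
            latest[key] = len(sessions)
            sessions.append([ev])
    return sessions


def data_reduction(n_events, n_sessions):
    """Fraction of raw events collapsed away: 1 - sessions/events.
    Three events per session on average gives 0.667, the 66% in the text."""
    if n_events == 0:
        return 0.0
    return 1.0 - n_sessions / n_events


def top_sources(sessions, n=5):
    """Rank pre-NAT source addresses by session count (the Top Sources chart)."""
    counts = Counter(session_key(normalize(s[0]))[0] for s in sessions)
    return counts.most_common(n)


# Constructed sample: one HTTP session seen by an IDS inside the firewall
# and by the firewall itself after NAT, plus two HTTPS bursts from another
# host that are far enough apart to count as separate sessions.
SAMPLE_EVENTS = [
    Event(0, "ids1", "10.1.1.5", 40001, "198.51.100.7", 80, "tcp"),
    Event(1, "fw1", "203.0.113.10", 40001, "198.51.100.7", 80, "tcp"),
    Event(5, "ids1", "10.1.1.5", 40001, "198.51.100.7", 80, "tcp"),
    Event(10, "fw1", "10.1.1.6", 51000, "198.51.100.7", 443, "tcp"),
    Event(12, "fw1", "10.1.1.6", 51000, "198.51.100.7", 443, "tcp"),
    Event(14, "fw1", "10.1.1.6", 51000, "198.51.100.7", 443, "tcp"),
    Event(1000, "fw1", "10.1.1.6", 51000, "198.51.100.7", 443, "tcp"),
    Event(1001, "fw1", "10.1.1.6", 51000, "198.51.100.7", 443, "tcp"),
    Event(1002, "fw1", "10.1.1.6", 51000, "198.51.100.7", 443, "tcp"),
]


def summarize(events=SAMPLE_EVENTS, window=300):
    """Event count, session count, reduction ratio and top sources."""
    sessions = sessionize(events, window)
    return {
        "events": len(events),
        "sessions": len(sessions),
        "reduction": data_reduction(len(events), len(sessions)),
        "top_sources": top_sources(sessions),
    }


if __name__ == "__main__":
    print(summarize())
```

On the sample, nine events collapse into three sessions (a reduction of 66.7%); the firewall's post-NAT event lands in the same session as the two IDS events because the NAT table maps it back to the inside address. The third HTTPS burst starts a new session only because it falls outside the window, which is why the ratio reported on a live system depends on traffic patterns as much as on the device mix.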

Figure 19-15 Data Reduction

Page Refresh

The Page Refresh Rate polls the Local Controller according to the setting you assign. The default setting is fifteen minutes. The refresh setting remains the same until you log out. This setting only applies to the pages that have the Page Refresh pull-down.

Figure 19-16 Page Refresh


Note You can change the refresh rate with the dropdown list.


Diagrams

The Summary page has two diagrams: the Hot Spot Graph and the Attack Diagram. The Local Controller uses the configuration and topology discovery information that you provide to generate these diagrams. Table 19-1 lists the icons used in the diagrams.

You can start drilling down into the diagrams by clicking any of the icons listed in Table 19-1, and drill down attack paths in the Attack Diagram by clicking the Path icon. Drilling down into these diagrams is one of the fastest ways to uncover real-time information about your network.

Figure 19-17 Clickable Hot Spots: Brown = Attackers & Red = Compromised


Note Clouds can represent collections of gateways in the Hotspot graph. A gateway cloud stands for a device that is unknown to the Local Controller. You can discover what is behind a gateway cloud by clicking it, provided you have the SNMP information for it.


Table 19-1 Icons and States in Topology

Each device type has an icon in each of four states (the icons themselves are not reproduced here): Healthy, Attacker, Compromised, and Compromised and Attacking.

Device types: Clouds, Firewall, Reporting Host, Host, IDS, Network, Router, Switch.


To see the diagrams, you need the Adobe SVG viewer plug-in. The Adobe SVG viewer plug-in should automatically install.


Note If you click No on the SVG auto-installer, the Local Controller does not prompt you to install it again. If you want to run the auto-installer, open the browser and click Tools > Internet Options > General > Delete Cookies.


Figure 19-18 The Hot Spot Graph and Attack Diagram

1  Displays SVG Help

2  Displays clouds for selected devices on a full page

3  Displays all devices on a full page

4  Selects zone to be displayed (Global Controller only)

5  Selects zone to be displayed (Global Controller only)


Manipulating the Diagrams

Right-click the diagram to zoom in and out, to reset the diagram to its original size, to set the diagram's viewing quality, to search, and to manipulate the SVG image.

Alt+click to use the hand to move the image.

Ctrl+click to use the magnifying glass to zoom in.

Ctrl+click and drag to select an area.

Ctrl+shift+click to use the magnifying glass to zoom out.


Note If the Local Controller discovers an unknown device, it displays that device under a unique name made of the string "eth", a hyphen ("-"), and the device's IP address written as a single 32-bit decimal integer, such as "eth-168034561" (which is 10.4.1.1).


Display Devices in Topology

You can specify how to display a reporting device in the HotSpot Graph. By clicking the icon in the Device Display column, you can specify whether to display the device as an individual node on the graph or collapse it within a cloud. By having a device "hidden" in a cloud, you can cut down on the number of devices displayed in the graph, thus making it easier to read at a higher level.

A cloud identifies a collection of networks for which you do not want to define the complete physical topology. Much as when you draw a network diagram on paper, you can use a cloud to depict networks in which you have no direct interest but which are needed to complete the diagram. For example, you may want to display only gateway devices or mitigation devices, representing the other reporting devices as part of a cloud.

To toggle the display status of a device, follow these steps:


Step 1 Click Admin > Security and Monitor Devices.

Step 2 Click the icon in the Device Display column of the device that you want to toggle.

Figure 19-19 The Device Display icons

The icon changes from a host icon to a host within a cloud or vice versa.

Step 3 Click Activate.

Network Status

The Network Status page is where you come to get the big picture. On the Network Status page, you can see the charts for:

Incidents

Rated by severity.

Attacks: All - Top Rules Fired

Rated by the highest number of incidents fired.

Activity: All - Top Event Types

Rated by the highest numbers of events of that type.

Activity: All - Top Reporting Devices

Rated by the total number of events reported by each security device.

Activity: All - Top Sources

The top IP addresses that appear as session sources, ranked by session count.

Activity: All - Top Destinations

The top IP addresses that appear as session destinations, ranked by session count.

For all of the charts on this page, you can set different time frames, the size of the chart, view the latest report, and so on, by clicking on the buttons in the chart's window.

Reading Charts

These are stacked charts. You can tell which severity of incident your network has most experienced for the day by looking for the dominant shade. In the figure below, low priority green incidents cover less area than high priority red incidents because they have occurred less often.

Figure 19-20 A Day's Events and Netflow with the Legend Displayed

1  Displays values by hour, day, week, month, quarter (the last 3 months), or year.

2  Sets the chart to represent the sum of all zones or each individual zone (Global Controller only).

3  Displays a larger version of the chart.

4  Displays the chart legend.

5  The chart legend


To read the charts most efficiently, remember that only the thickness of a particular color determines its value at a given point, and that a spike (or drop) in one color can be caused by a spike (or drop) in a different color lower down in the stack.

A perfectly flat line indicates that the Local Controller received no data during that time period.

Figure 19-21 A Flat Line in a Week's Top Rules Fired

1  The flat line in the Top Rules Fired chart


In the following Incidents chart, you can see the top incidents for the week, starting eight days in the past.

Figure 19-22 Eight Days of Incidents

1  A more drastic spike in red is not offset by the green incident

2  Incident spikes are built upon each other


My Reports

The My Reports page is where you choose the reports that you want to view. As long as you are using the Local Controller with your own login name, the reports that you have selected appear here.

To set up reports for viewing


Step 1 Click the Edit button on the My Reports page.

Step 2 Select the radio button next to the report that you want to see as a chart.

Step 3 Click Submit.

The Local Controller now displays the chart that you selected on the My Reports page.


Note Reports must be scheduled to run periodically, that is, every hour or every day. If you activate a report, allow for some time for the data to accumulate.


You can display any number of charts on the My Reports page, however expect slower loading times for large numbers of charts.

The reports that you can select from are pre-defined. When you create your own reports, you can select those to display. See Reports, page 21-22 for more information.