Glossary

Available Languages

Download Options

PDF (343.4 KB)
View with Adobe Reader on a variety of devices

Updated:April 15, 2008

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Glossary

Table Of Contents

Glossary

#

5-tuple

(Quintuple) The five pieces of data found within all IP-based network packets: source IP address, source port, destination IP address, destination port, and protocol. You can define inspection rules, queries, and reports using the data found in the 5-tuple.

A

Access IP Address

This is the IP address that MARS uses to connect to the device and to get its configuration information. MARS needs this address for NAT-related session correlation, attack path calculation, and mitigation enter access information.

Activate

Making changes or edits known to the MARS after submitting changes.

D

Devices

The hosts and reporting devices present in the system.

Discovery

The act of identifying, either automatically or manually, devices in networks.

Dynamic Vulnerability Scanning

The MARS STM probes selected networks, and their components, for vulnerabilities.

E

Event

A security event reported to the MARS STM appliance. Events have: types, sources, destinations, reporting devices, etc.

Event Types

Groups of similar security events. An event type is the normalized signature from a reporting device.

F

False Positive

An event that resembles a valid security threat, but is not.

Firing Events

An event that contributed to a rule firing.

I

Incident

Incidents are collections of events and sessions that meet the criteria for a rule, having helped to cause it to fire.

Incident Instances

An instance of an incident.

M

MI B

management information base

mitigate

To stop a detected attack or anomaly. The method of mitigation varies based on network composition and configuration.

O

Offset

The offset of a firing event is the line number of the rule criteria that this firing event matches.

P

Pre NAT Source Address

Session endpoints.

Post NAT Source Address

The source as appearing at the destination.

Post NAT Destination Address

Session endpoints.

Pre NAT Destination Address

The destination as appearing at the source.

Q

Query

A user-defined request to the database for information.

R

Report

A user-defined request to the database on an automatic or on-demand basis.

Reporting Device

A discovered device that reports information - usually in the form of logs - to a MARS STM appliance.

Reporting IP Address

This is the IP address as it appears to MARS. This address is where the logs (syslog, SNMP traps, LEA) come from.

Rule

The sub-set of events that contributed to the incidents of the specified rules firing.

S

Service

A protocol and range of IP addresses.

Session

A session is a collection of events that all share a common source and destination, which were reported within a given time window. For example, usually the events in a session map well to the events generated between the opening and closing of a TCP/IP connection.

Sessionize

Combining event data from multiple reporting devices to reconstruct the occurrence of a session. Sessionizing takes two forms: reconstructing a session-oriented protocol, such as TCP, where the initial handshake and the session tear down and reconstructing a sessionless protocol, such as UDP, where the initial start and session end times are defined more based on first and last packets tracked within a restricted time period. In other words, packets that fall outside of the time period are considered part of different sessions.

T

True Positive

A valid security threat.

U

Unreported device

A device from which the MARS Appliance receives events, such as syslog messages, SNMP notifications, or NetFlow events, but the device is not defined in the appliance. Without a definition, MARS is unable to correlate events correctly as it needs to know which message format to use in parsing.

T

True Positive

A valid security threat.

#
5-tuple	(Quintuple) The five pieces of data found within all IP-based network packets: source IP address, source port, destination IP address, destination port, and protocol. You can define inspection rules, queries, and reports using the data found in the 5-tuple.

A
Access IP Address	This is the IP address that MARS uses to connect to the device and to get its configuration information. MARS needs this address for NAT-related session correlation, attack path calculation, and mitigation enter access information.
Activate	Making changes or edits known to the MARS after submitting changes.

D
Devices	The hosts and reporting devices present in the system.
Discovery	The act of identifying, either automatically or manually, devices in networks.
Dynamic Vulnerability Scanning	The MARS STM probes selected networks, and their components, for vulnerabilities.

E
Event	A security event reported to the MARS STM appliance. Events have: types, sources, destinations, reporting devices, etc.
Event Types	Groups of similar security events. An event type is the normalized signature from a reporting device.

F
False Positive	An event that resembles a valid security threat, but is not.
Firing Events	An event that contributed to a rule firing.

I
Incident	Incidents are collections of events and sessions that meet the criteria for a rule, having helped to cause it to fire.
Incident Instances	An instance of an incident.

M
MI B	management information base
mitigate	To stop a detected attack or anomaly. The method of mitigation varies based on network composition and configuration.

O
Offset	The offset of a firing event is the line number of the rule criteria that this firing event matches.

P
Pre NAT Source Address	Session endpoints.
Post NAT Source Address	The source as appearing at the destination.
Post NAT Destination Address	Session endpoints.
Pre NAT Destination Address	The destination as appearing at the source.

Q
Query	A user-defined request to the database for information.

R
Report	A user-defined request to the database on an automatic or on-demand basis.
Reporting Device	A discovered device that reports information - usually in the form of logs - to a MARS STM appliance.
Reporting IP Address	This is the IP address as it appears to MARS. This address is where the logs (syslog, SNMP traps, LEA) come from.
Rule	The sub-set of events that contributed to the incidents of the specified rules firing.

S
Service	A protocol and range of IP addresses.
Session	A session is a collection of events that all share a common source and destination, which were reported within a given time window. For example, usually the events in a session map well to the events generated between the opening and closing of a TCP/IP connection.
Sessionize	Combining event data from multiple reporting devices to reconstruct the occurrence of a session. Sessionizing takes two forms: reconstructing a session-oriented protocol, such as TCP, where the initial handshake and the session tear down and reconstructing a sessionless protocol, such as UDP, where the initial start and session end times are defined more based on first and last packets tracked within a restricted time period. In other words, packets that fall outside of the time period are considered part of different sessions.

T
True Positive	A valid security threat.

U
Unreported device	A device from which the MARS Appliance receives events, such as syslog messages, SNMP notifications, or NetFlow events, but the device is not defined in the appliance. Without a definition, MARS is unable to correlate events correctly as it needs to know which message format to use in parsing.