User Guide for Cisco Security MARS Global Controller, Release 5.2.x
System Rules and Reports Reference

Table Of Contents

System Rules and Reports

List of System Rules

List of System Reports


System Rules and Reports


This appendix presents the list of system rules and reports and provides a brief description of their intended use.

This chapter contains the following topics:

List of System Rules

List of System Reports

List of System Rules

This topic defines the complete list of system rules issued with this release.

System Rule: Backdoor: Active.

This correlation rule detects a connection to a backdoor server or a response from a backdoor server in your network accompanied by malicious follow-up activity on the server hosting the backdoor - this may indicate that a malicious backdoor service is likely running in your network. Malicious follow-up activity includes excessive scans, denied packets, installation of malicious services, local buffer overflow attacks etc. Backdoors such as Unix rootkits or Trojan horses are malicious programs that offer extensive remote control of a host and may be left by an attacker on a compromised host to maintain future remote access.

System Rule: Backdoor: Connect.

This correlation rule detects a connection to a backdoor server or a response from a backdoor server in your network - there may or may not be any follow-up activity on the destination host. Backdoors (e.g. Rootkits, Trojan Horse programs) and command shells provide extensive remote control of a host and may be left by an attacker on a compromised host to maintain future remote access.

System Rule: Backdoor: Covert Channel.

This correlation rule detects communication over covert channels - this means DMZ services such as HTTP, DNS, ICMP, FTP, SMTP etc. are being misused to tunnel inappropriate traffic via those ports. DMZ services are chosen since firewalls permit them but may not perform deep protocol inspection. Either the source or the destination in this event may be compromised.

System Rule: Backdoor: Spyware.

This rule detects spyware (e.g. Gator, Bonzi etc.) installed on hosts or requests to hosts with spyware installed. Spyware is malicious software that can be installed on a computer without the knowledge of the user, e.g. when one visits a web site, clicks on an advertising link, or installs file sharing freeware such as KaZaA, iMesh, and AudioGalaxy. Once installed, the spyware automatically runs each time the host PC is started and records URLs visited, the username, password, and credit card information used, and then sends this information to the spyware writers.

System Rule: Client Exploit - Attempt.

This rule detects a client workstation exploit - this means a workstation is either downloading executable content via Web or email, sending web requests that contain scripts, or is the target of a client-side exploit via protocols such as IRC, DHCP, DNS, or P2P worms.

System Rule: Client Exploit - Mass Mailing Worm.

This signature detects an excessive amount of e-mail (at least 20/min) from a single host. To sharpen this rule for non-mail-server hosts, create a group of mail server hosts and then create an exception by excluding these hosts from the source of this rule.

System Rule: Client Exploit - Sasser Worm.

This correlation rule detects a successful infection spread of the Sasser worm - an attack on port 445 followed by any of the following: (a) a command shell connection to the victim on port 9996, (b) an FTP connection back to the victim on port 5554, (c) excessive scans on port 445 from the victim. This indicates that both the source and the destinations are likely infected with the Sasser worm. This worm exploits the Microsoft Windows vulnerability described in Microsoft Security Bulletin MS04-011.

System Rule: Client Exploit - Success Likely.

This correlation rule detects a client workstation exploit followed by the client performing anomalous activities. Client exploits include download of dynamically executable content via Web or email, web requests containing scripts, client side exploits via protocols such as IRC, DHCP, DNS, P2P Worms. Client anomalous activities include the client originating excessive denies and scans, attempting to connect to backdoors, propagating worms over the network. The presence of such activities may indicate that the client exploit is successful.

System Rule: Client Exploit - Sysbug Trojan.

This correlation rule detects a Sysbug Trojan exploit on a client workstation - the workstation downloaded executable content via email and the code executed and likely opened up Sysbug Trojan service on port 5555 to which other machines attempted to connect. Here, the source represents the client workstation and the destination represents the systems to which a connection is made after the trojan is installed.

System Rule: Configuration Issue: Firewall.

This rule detects configuration errors reported by a firewall - this may cause certain traffic to be dropped by the firewall.

System Rule: Configuration Issue: Server.

This rule detects configuration errors reported by a server - this may cause certain services to be not available at the server.

System Rule: Connectivity Issue: IOS IPS DTM.

This rule detects connectivity issues between CS-MARS and IOS - CS-MARS may not be able to dynamically turn on ACTIVE signatures on IOS.

System Rule: CS-MARS Database Partition Usage.

This rule indicates that the current CS-MARS database partition has filled up to 75% of its capacity and the next database partition will be purged soon to create space for new events. The estimated purge times are in the event message. This is normal CS-MARS activity and will result in old events and incidents being purged from the CS-MARS database. Users are urged to archive CS-MARS data to prevent permanent data loss.

System Rule: CS-MARS Host Mitigation - Failure.

This rule triggers when CS-MARS is unable to successfully mitigate a host after having tried a few times.

System Rule: CS-MARS Host Mitigation - Success.

This rule triggers when CS-MARS is able to successfully mitigate a host.

System Rule: Database Privileged Command - Failures.

This correlation rule detects multiple failed attempts from the same database user to execute privileged database commands.

System Rule: DoS: Network - Attempt.

This rule detects network level denial of service (DoS) attacks along with relevant reconnaissance activity that may have preceded the attacks. Such attacks can create a dramatic increase in overall network traffic.

System Rule: DoS: Network - Success Likely.

This correlation rule detects the simultaneous occurrence of network level denial of service (DoS) attacks along with related events such as traffic anomaly (e.g. ICMP echo request/reply or TCP SYN/FIN anomaly), network devices reporting high utilization, excessive scans or denies in the network etc. This may indicate that the network is under denial of service attack.

System Rule: DoS: Network Device - Attempt.

This correlation rule detects attacks on network devices (such as switches, routers, firewalls) along with relevant reconnaissance activity that may have preceded these attacks. Such attacks if successful, can crash the network devices and create a denial of service for the network segment containing these devices.

System Rule: DoS: Network Device - Success Likely.

This correlation rule detects attacks on network devices (such as switches, routers, firewalls) along with (a) local high usage conditions reported by the device and (b) relevant reconnaissance activity that may have preceded these attacks.

System Rule: Inactive CS-MARS Reporting Device.

This rule detects reporting devices that have not reported an event in the last hour. For chatty devices such as firewalls and IDS, this may indicate connectivity issues or an issue with the devices themselves. This rule should be scoped down to only include chatty network infrastructure devices.

System Rule: Local Attack - Attempt.

This correlation rule detects attacks on hosts by logged-on users. Such attacks include local buffer overflow attacks, symlink attacks etc.

System Rule: Local Attack - Success Likely.

This correlation rule detects attacks on hosts by locally logged on users followed by the server performing anomalous activities - such activities include excessive denies and scans, connection to backdoors, attempts to propagate worms etc. The presence of such activities may indicate that the host is compromised.

System Rule: Misc. Attacks: Access Web Customer Data.

This correlation rule detects malicious attempts to access customer data stored by web applications, preceded by reconnaissance attempts to that host, if any. Customer data typically contains sensitive information such as purchasing history, credit card numbers etc.

System Rule: Misc. Attacks: Application Admin Escalation.

This correlation rule detects attempts by a non-administrative user to perform administrative functions for Web applications by bypassing the required authentication. Several web applications have vulnerabilities that may allow an attacker to do so. These attempts may be preceded by reconnaissance attempts to that host.

System Rule: Misc. Attacks: ARP Poisoning.

This correlation rule detects ARP Poisoning attacks preceded by reconnaissance attempts to that host, if any.

System Rule: Misc. Attacks: Evasion.

This correlation rule detects generic attempts by an attacker to bypass network IDS systems. The attempts may be preceded by reconnaissance attempts to that host.

System Rule: Misc. Attacks: Identity Spoofing.

This correlation rule detects attempts to use spoofed source IP addresses.

System Rule: Misc. Attacks: Replay.

This correlation rule detects replay attacks on a host, preceded by reconnaissance attempts to that host, if any. Successful replay attacks may allow the attacker to gain access by bypassing authentication.

System Rule: Misc. Attacks: Session Hijacking.

This correlation rule detects attempts to hijack a TCP connection to that host, preceded by reconnaissance attempts to that host, if any.

System Rule: Misc. Attacks: TCP/IP Protocol Anomaly.

This correlation rule detects events that indicate errors in standard TCP/IP headers - these may be caused by broken protocol implementations on the source host or may be malicious attempts by the source host to test the robustness of protocol implementations on the destination host.

System Rule: Modify Host: Database Object - Failures.

This correlation rule detects multiple failed attempts from the same database user to modify database objects such as tables, indices etc.

System Rule: Modify Host: Database User/Group - Failures.

This correlation rule detects multiple failed attempts from the same database user to modify database user groups.

System Rule: Modify Host: Files.

This rule detects attempts to modify files on a host.

System Rule: Modify Host: Logs.

This rule detects attempts to modify log files on a host.

System Rule: Modify Host: Registry.

This rule detects attempts to modify windows registry entries on a host.

System Rule: Modify Host: Security.

This rule detects attempts to modify the security settings on a host.

System Rule: Modify Host: Service.

This rule detects attempts to modify the settings of services on a host.

System Rule: Modify Host: User Group.

This rule detects attempts to modify the user group definitions on a host.

System Rule: Modify Network Config.

This rule detects attempts to modify the configurations on a network device such as routers, switches, firewalls etc.

System Rule: Modify Server: SCADA Modbus.

This rule detects attempts to modify the counters and diagnostics on Modbus servers. The Modbus protocol is the de facto standard in industrial control communications and is the protocol of choice in a Supervisory Control and Data Acquisition (SCADA) communications network, where the Programmable Logic Controllers (PLCs) act as Modbus servers.

System Rule: Network Activity: Chat/IM - Active.

This rule detects person-to-person Chat or Instant Messenger protocol activity.

System Rule: Network Activity: Chat/IM - File Transfer.

This rule detects file transfers via person-to-person Chat or Instant Messengers along with increase in network traffic if any. File transfer is not a normal use of Chat/IM and is suspicious. In addition, files shared with other IM users could contain viruses or other backdoor programs.

System Rule: Network Activity: Excessive Denies - Host Compromise Likely.

This correlation rule detects a large frequency (in excess of 10/sec) of denies from a particular host to a particular destination port. This is typical behavior of a compromised host looking to exploit hosts with a specific vulnerability.
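The two threshold rules quoted on this page, Excessive Denies - Host Compromise Likely (more than 10 denies/sec from one source to one destination port) and Client Exploit - Mass Mailing Worm (at least 20 mails/min from one host, with a mail-server group excluded as that rule's text recommends), can be modelled as sliding-window counters. The following is an added example, not Cisco's code; the event fields, the rule keys and the sample events are constructed for illustration.

```python
# Added example (not part of the Cisco MARS documentation): a minimal
# sliding-window correlator for two MARS-style rate rules.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Hashable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """Normalized event as a correlator would see it (constructed schema)."""
    ts: float      # seconds
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    kind: str      # event type: "deny" (firewall deny) or "smtp" (outbound mail)


class RateRule:
    """Fires when `limit` matching events share a key within `window` seconds."""

    def __init__(self, name: str, match: Callable[[Event], bool],
                 key: Callable[[Event], Hashable], limit: int, window: float,
                 exclude_src: frozenset = frozenset()) -> None:
        self.name, self.match, self.key = name, match, key
        self.limit, self.window, self.exclude_src = limit, window, exclude_src
        self.buckets: Dict[Hashable, Deque[float]] = defaultdict(deque)

    def feed(self, ev: Event) -> Optional[Tuple[str, Hashable]]:
        # Exceptions (e.g. the mail server group) are applied before counting.
        if not self.match(ev) or ev.src in self.exclude_src:
            return None
        k = self.key(ev)
        q = self.buckets[k]
        q.append(ev.ts)
        # Evict timestamps that fell out of the sliding window.
        while q and ev.ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            q.clear()          # one incident per burst, not one per extra event
            return (self.name, k)
        return None


MAIL_SERVERS = frozenset({"10.0.0.25"})   # constructed "mail server hosts" group


def build_rules() -> List[RateRule]:
    return [
        # "in excess of 10/sec" to one (source, destination port) pair
        RateRule("Network Activity: Excessive Denies - Host Compromise Likely",
                 match=lambda e: e.kind == "deny",
                 key=lambda e: (e.src, e.dport), limit=11, window=1.0),
        # "at least 20/min" outbound mail from a single non-mail-server host
        RateRule("Client Exploit - Mass Mailing Worm",
                 match=lambda e: e.kind == "smtp" and e.dport == 25,
                 key=lambda e: e.src, limit=20, window=60.0,
                 exclude_src=MAIL_SERVERS),
    ]


def correlate(events: List[Event]) -> List[Tuple[str, Hashable]]:
    """Replay events in time order and return (rule name, key) incidents."""
    rules = build_rules()
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            hit = rule.feed(ev)
            if hit:
                incidents.append(hit)
    return incidents


def sample_events() -> List[Event]:
    """Constructed traffic: two bursts that should fire, two that should not."""
    evs: List[Event] = []
    # 12 denies in 0.6 s from one host to port 445 -> more than 10/sec, fires
    for i in range(12):
        evs.append(Event(100.0 + i * 0.05, "10.0.0.5", f"10.0.1.{i}", 445, "deny"))
    # 8 denies spread over 3.5 s -> never more than 3 per second, no incident
    for i in range(8):
        evs.append(Event(200.0 + i * 0.5, "10.0.0.9", "10.0.1.1", 22, "deny"))
    # 25 mails in 50 s from a workstation -> at least 20/min, fires
    for i in range(25):
        evs.append(Event(300.0 + i * 2.0, "10.0.0.7", "198.51.100.10", 25, "smtp"))
    # 40 mails in 60 s from the mail server -> excluded by the group, no incident
    for i in range(40):
        evs.append(Event(400.0 + i * 1.5, "10.0.0.25", "198.51.100.10", 25, "smtp"))
    return evs


if __name__ == "__main__":
    for name, key in correlate(sample_events()):
        print(f"INCIDENT {name}: {key}")
```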

System Rule: Network Activity: Excessive IRC.

This correlation rule detects excessive Internet Relay Chat (IRC) connections from the same source - this indicates that a Remote Admin Trojan (RAT) is likely running on the source and that the source is likely compromised.

System Rule: Network Activity: P2P File Sharing - Active.

This rule detects person-to-person file sharing activity via applications such as KaZaa, Napster, EDonkey, Gnutella, Bearshare etc.

System Rule: Network Activity: P2P File Sharing - File Transfer.

This rule detects a file transfer via a person-to-person file sharing application such as KaZaa, Napster, EDonkey, Gnutella, Bearshare etc. along with increase in network traffic if any. The programs may consume significant amount of network bandwidth and furthermore, inappropriate materials possibly containing viruses and backdoors may be distributed.

System Rule: Network Activity: Recreational.

This rule detects recreational activities such as games, visiting adult web sites etc.

System Rule: Network Activity: Uncommon Traffic.

This rule detects traffic that is not common in modern networks, for example (a) uncommon ICMP types - ICMP Router Advertisement, ICMP Timestamp request/reply etc., (b) packets with uncommon TCP/IP options such as source routing, timestamp etc., (c) standard protocols such as SMTP, HTTP, POP3 running on non-standard ports, (d) uncommon protocols such as FSP.

System Rule: Network Activity: Windows Popup Spam.

This correlation rule detects excessive traffic (likely pop-up spam) from the same source to the Windows Messenger service.

System Rule: Network Errors - Likely Routing Related.

This rule detects a large frequency of denied packets or ICMP destination unreachable events between the same source, destination pair - this may indicate a network routing error and may be caused by periodic retransmission attempts by TCP or the application itself (e.g. DNS).

System Rule: New Malware Discovered.

This rule detects that Cisco Incident Control Server (ICS) has received information about a new virus/worm/malware outbreak. ICS is going to deploy ACLs or signatures to routers and IPS devices.

System Rule: New Malware Prevention Deployed.

This rule detects that Cisco Incident Control Server (ICS) has successfully deployed ACLs or signatures to routers and IPS devices in an attempt to prevent a newly discovered virus/worm/malware outbreak.

System Rule: New Malware Prevention Deployment Failed.

This rule detects that Cisco Incident Control Server (ICS) has failed to deploy ACLs or signatures to routers and IPS devices for preventing a new virus/worm/malware outbreak.

System Rule: New Malware Traffic Match.

This correlated rule detects a traffic pattern that (a) matches a worm pattern: same source to many distinct destinations and (b) matches the ACLs and signatures deployed by Cisco Incident Control Server (ICS) in response to a newly discovered virus/worm/malware outbreak.

System Rule: Operational Issue: Firewall.

This rule detects operational errors (e.g. bad network connectivity, failover errors, internal software/hardware errors) reported by a firewall - this may indicate that the firewall is not functioning properly.

System Rule: Operational Issue: IDS.

This rule detects operational errors reported by an intrusion detection system (IDS) - this may indicate that the device is not functioning properly.

System Rule: Operational Issue: Router / Switch.

This rule detects operational errors reported by non-security network devices such as routers and switches.

System Rule: Operational Issue: Server.

This rule detects operational errors reported by a host or by applications on a host - this may indicate that either the host or the specific application on the host is not functioning properly.

System Rule: Password Attack: Database - Attempt.

This correlation rule detects a password guessing attack to a database server, preceded by reconnaissance attacks to the host, if any. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: Database - Success Likely.

This correlation rule detects a password guessing attack on a database server followed by a successful logon. The attack may be preceded by reconnaissance attacks to the host. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: Disabled Accounts.

This rule detects repeated failed password attempts on locked, expired or disabled accounts on a host.

System Rule: Password Attack: FTP Server - Attempt.

This correlation rule detects a password guessing attack to an FTP server, preceded by reconnaissance attacks to the host, if any. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: FTP Server - Success Likely.

This correlation rule detects a password guessing attack on an FTP server followed by a successful logon. The attack may be preceded by reconnaissance attacks to the host. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: Mail Server - Attempt.

This correlation rule detects a password guessing attack on a mail server (SMTP, POP, IMAP), preceded by reconnaissance attacks to the host, if any. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: Mail Server - Success Likely.

This correlation rule detects a password guessing attack on a mail server (SMTP, POP, IMAP) followed by a successful logon. The password attack may be preceded by reconnaissance attacks to the host. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: Misc. Application - Attempt.

This correlation rule detects attempts to retrieve application passwords or multiple login failures while authenticating to a particular application. These attempts can be optionally preceded by reconnaissance attempts. Authentication failures may sometimes be caused by a user forgetting the password. The applications covered by this rule exclude common ones such as Mail, FTP, SSH, Telnet, SNMP, Network/File/Print share, for which there are special rules.

System Rule: Password Attack: Network Share - Attempt.

This correlation rule detects a password guessing attack on a network share, preceded by reconnaissance attacks, if any. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: Network Share - Success Likely.

This correlation rule detects a password guessing attack on a network share, followed by a successful logon. The password attack may be preceded by reconnaissance attacks to the host. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: Remote VPN Access - Attempt.

This correlation rule detects a password guessing attack while authenticating to a remote access service (e.g. Windows L2TP, PPTP based RAS, IPSec etc.), preceded by reconnaissance attacks, if any. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: Remote VPN Access - Success Likely.

This correlation rule detects a password guessing attack while authenticating to a remote access service (e.g. Windows L2TP, PPTP based RAS, IPSec etc.), followed by a successful logon. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: SNMP - Attempt.

This correlation rule detects attempts to retrieve SNMP community strings or access SNMP information by guessing SNMP community strings. Many SNMP installations have easily guessable passwords by default. The password attack may be preceded by reconnaissance attacks to the host.

System Rule: Password Attack: SNMP - Success Likely.

This correlation rule detects a likely successful SNMP community string guessing attack - such an attack consists of a community string guessing attempt followed by a SNMP modification at the target host. The attack may be preceded by reconnaissance attacks to the host.

System Rule: Password Attack: System - Attempt.

This correlation rule detects attempts to retrieve system passwords or multiple login failures while authenticating to a particular system/domain via telnet, SSH or local console/terminal logon. These attempts can be optionally preceded by reconnaissance attempts. Authentication failures may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: System - Success Likely.

This correlation rule detects a successful password attack to gain system level access to a host or to a Windows domain - such an attack consists of a successful login occurring after attempts to retrieve passwords or guess passwords while authenticating to that host. The password attack may be preceded by reconnaissance attacks to the host. Authentication failures may sometimes be caused by a user forgetting the password.

System Rule: Password Attack: Web Server - Attempt.

This correlation rule detects a password guessing attack to a Web server, preceded by reconnaissance attacks to the host, if any. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.

System Rule: Password Scan: Disabled Accounts: Distinct Hosts.

This rule detects repeated failed password attempts on locked, expired or disabled accounts on distinct hosts.

System Rule: Password Scan: Disabled Accounts: Same Host.

This rule detects repeated failed password attempts on distinct locked, expired or disabled accounts on a host.

System Rule: Password Scan: Distinct Hosts.

This rule detects repeated failed password attempts on distinct hosts.

System Rule: Password Scan: Same Host.

This rule detects repeated failed password attempts on multiple distinct accounts on the same host.

System Rule: Resource Issue: CS-MARS.

This rule detects resource issues with the CS-MARS device, e.g. dropped events or netflow, etc.

System Rule: Resource Issue: Host.

This rule detects resource issues at a host, e.g. event log being full, disk near capacity, too many logged in users etc.

System Rule: Resource Issue: IOS IPS DTM.

This rule detects that a Cisco IOS router has too little memory for running the required set of ACTIVE IPS signatures. CS-MARS was not successful in downloading the complete ACTIVE signature set.

System Rule: Resource Issue: Network Device.

This rule detects resource issues at a network device, e.g. router, switch, firewall or IDS. Such issues include high CPU usage, a firewall reaching session limit, insufficient memory etc.

System Rule: Scans: SCADA Modbus.

This correlation rule detects scans targeted at Modbus servers. The Modbus protocol is the de facto standard in industrial control communications and is the protocol of choice in a Supervisory Control and Data Acquisition (SCADA) communications network, where the Programmable Logic Controllers (PLCs) act as Modbus servers.

System Rule: Scans: Stealth.

This rule detects highly suspicious scans that are performed by sending malformed TCP/IP packets with an intent to discover host and application characteristics such as OS name, OS version etc. A vulnerability assessment tool such as Nmap can generate such scans. The source of the scans, if from inside the trusted network, must be investigated to see if it is from an authorized source. A MARS appliance may be performing such a test as part of false positive analysis.

System Rule: Scans: Targeted.

This rule detects scans that are either (a) targeted at a host to identify its operating environment, such as users on a host, DNS version, RPC services open etc. or (b) targeted at a well-known service to determine the set of hosts that offer that service.

System Rule: Security Posture: Audit Server Issue - Network wide.

This rule detects an excessive number of logs indicating network-wide audit server issues - the indications can come from many hosts staying in TRANSITION posture state for too long or many AAA servers reporting Audit Server communication problems. These events may indicate that the audit server is having difficulty in auditing and updating the end host security posture status from TRANSITION state. A host enters the TRANSITION state when it is not running the Cisco Trust Agent (CTA) software and requires an out-of-band audit by an audit server to move it out of TRANSITION state to any one of HEALTHY, INFECTED, QUARANTINE, CHECKUP or UNKNOWN states. A host in a TRANSITION state is likely to have limited or no network access.

System Rule: Security Posture: Audit Server Issue - Single Host.

This rule detects an excessive number of logs indicating audit server issues for a single host - the indications can come from the host staying in TRANSITION posture state for too long or AAA servers reporting Audit Server communication problems for the same host. These events may indicate that the audit server is having difficulty in auditing and updating the end host security posture status from TRANSITION state. A host enters the TRANSITION state when it is not running the Cisco Trust Agent (CTA) software and requires an out-of-band audit by an audit server to move it out of TRANSITION state to any one of HEALTHY, INFECTED, QUARANTINE, CHECKUP or UNKNOWN states. A host in a TRANSITION state is likely to have limited or no network access.

System Rule: Security Posture: Excessive NAC Status Query Failures - Network wide.

This rule detects excessive network-wide NAC status query failures reported by distinct end host and Network Access Device (NAD) combinations. A status query failure indicates a change in posture detected by the Cisco Trust Agent (CTA) after the initial authorization. Excessive status query failures may indicate end point instability caused by the user enabling or disabling agents. Excessive status query failures reported by distinct NAD and end host combinations may indicate a critical software problem.

System Rule: Security Posture: Excessive NAC Status Query Failures - Single Host.

This rule detects excessive NAC status query failures from the same end host. A Status query failure indicates a change in posture detected by the Cisco Trust Agent (CTA) after the initial authorization. Excessive status query failures may indicate a sign of end point instability caused by the user enabling or disabling agents. The end host may be compromised; at least this behavior is suspicious.

System Rule: Security Posture: Excessive NAC Status Query Failures - Single NAD.

This rule detects excessive NAC status query failures from distinct hosts to the same Network Access Device (NAD). A Status query failure indicates a change in posture detected by the Cisco Trust Agent (CTA) after the initial authorization. Excessive status query failures may indicate a sign of end point instability caused by the user enabling or disabling agents. Excessive status query failures from distinct hosts reported by the same NAD may indicate a problem at the NAD.

System Rule: Security Posture: Infected - Network wide.

This rule detects that many distinct hosts are reporting INFECTED security posture status for an excessive period of time. This implies that a significant number of hosts are having trouble getting cleaned.

System Rule: Security Posture: Infected - Single Host.

This rule detects that a particular host is reporting INFECTED security posture status for an excessive period of time. This implies that the host is having trouble getting cleaned.

System Rule: Security Posture: Quarantined - Network wide.

This rule detects that many distinct hosts are reporting QUARANTINED security posture status for an excessive period of time. This implies that a significant number of hosts are having trouble getting DAT file updates.

System Rule: Security Posture: Quarantined - Single Host.

This rule detects that a particular host is reporting QUARANTINE security posture status for an excessive period of time. This implies that the host is having trouble getting DAT file updates.

System Rule: Server Attack: Database - Attempt.

This correlation rule detects attacks on a database server, preceded by reconnaissance attempts targeted to that host, if any. The attacks include buffer overflows, denial of service attempts, SQL Injection and other remote command execution attempts using database server privileges.

System Rule: Server Attack: Database - Success Likely.

This correlation rule detects specific attacks on a database server followed by suspicious activity on the targeted host. Suspicious activity may include the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc. The attack may be preceded by reconnaissance attempts targeted to that host. The attacks to a database server include buffer overflows, denial of service attempts, SQL Injection and other remote command execution attempts using database server privileges.

System Rule: Server Attack: DNS - Attempt.

This correlation rule detects specific attacks on a DNS host, preceded by reconnaissance attempts targeted to that host, if any. Attacks on a DNS host include buffer overflow attempts and denial of service attempts.

System Rule: Server Attack: DNS - Success Likely.

This correlation rule detects likely successful attacks on a DNS host - an attack is successful if it is followed by suspicious activity on the targeted DNS server. Suspicious activity includes the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc. The attack may be preceded by reconnaissance attempts targeted to that host.

System Rule: Server Attack: FTP - Attempt.

This correlation rule detects attacks on an FTP server, preceded by reconnaissance attempts targeted to that host, if any. The attacks include buffer overflows, remote command execution attempts using FTP server privileges, and denial of service attempts.

System Rule: Server Attack: FTP - Success Likely.

This correlation rule detects specific attacks on an FTP server followed by suspicious activity on the targeted host. Suspicious activity may include the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc. The attack may be preceded by reconnaissance attempts targeted to that host. The attacks to an FTP server include buffer overflows, remote command execution attempts using FTP server privileges, and denial of service attempts.

System Rule: Server Attack: Login - Attempt.

This correlation rule detects attacks on login services on a host, preceded by reconnaissance attempts targeted to that host, if any. Login services include Telnet, SSH, R-protocols such as Rsh, Rlogin, Rexec etc. The attacks include buffer overflows, privilege escalation attempts to become root, denial of service attempts etc.

System Rule: Server Attack: Login - Success Likely.

This correlation rule detects specific attacks on login services on a host (e.g. Telnet, SSH, R-protocols such as Rsh, Rlogin, Rexec etc.) followed by suspicious activity on the targeted host. Suspicious activity may include the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc. The attack may be preceded by reconnaissance attempts targeted to that host. The attacks to a login server include buffer overflows, remote command execution attempts using the server privileges, denial of service attempts.

System Rule: Server Attack: Mail - Attempt.

This correlation rule detects attacks on mail services (SMTP, POP, IMAP) on a host, preceded by reconnaissance attempts targeted to that host, if any. The attacks to mail services include buffer overflows, remote command execution attempts, privilege escalation attempts to become root, denial of service attempts etc.

System Rule: Server Attack: Mail - Success Likely.

This correlation rule detects specific attacks on mail services (SMTP, POP, IMAP) on a host followed by suspicious activity on the targeted host. Suspicious activity may include the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc. The attack may be preceded by reconnaissance attempts targeted to that host. The attacks to a mail server include buffer overflows, remote command execution attempts using server privileges, denial of service attempts.

System Rule: Server Attack: Misc. - Attempt.

This correlation rule detects attacks on miscellaneous services (i.e. other than DNS, FTP, HTTP, Mail, RPC, Telnet, SSH, R-protocols) on a host, preceded by reconnaissance attempts targeted to that host, if any. The attacks include buffer overflows, remote command execution attempts, privilege escalation attempts to become root, denial of service attempts etc.

System Rule: Server Attack: Misc. - Success Likely.

This correlation rule detects specific attacks on miscellaneous services (i.e. other than DNS, FTP, HTTP, Mail, RPC, Telnet, SSH, R-protocols) on a host followed by suspicious activity on the targeted host. Suspicious activity may include the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc. The attack may be preceded by reconnaissance attempts targeted to that host. The attacks include buffer overflows, remote command execution attempts using server privileges, denial of service attempts etc.

System Rule: Server Attack: RPC - Attempt.

This correlation rule detects attacks on RPC services on a host, preceded by reconnaissance attempts targeted to that host, if any. The attacks include buffer overflows, remote command execution attempts, privilege escalation attempts to become root, denial of service attempts etc.

System Rule: Server Attack: RPC - Success Likely.

This correlation rule detects specific attacks on RPC services on a host followed by suspicious activity on the targeted host. Suspicious activity may include the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc. The attack may be preceded by reconnaissance attempts targeted to that host. The attacks to RPC services include buffer overflows, remote command execution attempts using system privileges, denial of service attempts.

System Rule: Server Attack: SCADA Modbus - Attempt.

This correlation rule detects attacks on Modbus servers, preceded by reconnaissance attempts targeted to that host, if any. The attacks include buffer overflows, denial of service attempts etc. The Modbus protocol is the de facto standard in industrial control communications and is the protocol of choice in a Supervisory Control and Data Acquisition (SCADA) communications network, where the Programmable Logic Controllers (PLCs) act as Modbus servers.

System Rule: Server Attack: Sniffer - Attempt.

This correlation rule detects denial of service attacks on a host in promiscuous mode (e.g. a network IDS host).

System Rule: Server Attack: Sniffer - Success Likely.

This correlation rule detects denial of service attacks on a host in promiscuous mode (e.g. a network IDS host) followed by the destination host reporting functionally anomalous behavior.

System Rule: Server Attack: SNMP - Attempt.

This correlation rule detects attacks on SNMP implementation on a host, preceded by reconnaissance attempts targeted to that host, if any. The attacks include buffer overflows, privilege escalation attempts to become root, etc.

System Rule: Server Attack: SNMP - Success Likely.

This correlation rule detects specific attacks on the SNMP implementation on a host followed by suspicious activity on the targeted host. Suspicious activity may include the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc. The attack may be preceded by reconnaissance attempts targeted to that host. The attacks on SNMP implementations include buffer overflows, remote command execution attempts using system privileges, and denial of service attempts.

System Rule: Server Attack: Web - Attempt.

This correlation rule detects attacks on a web server, preceded by reconnaissance attempts targeted to that host, if any. The attacks include buffer overflows, remote command execution attempts, denial of service attempts etc.

System Rule: Server Attack: Web - Success Likely.

This correlation rule detects specific attacks on a web server followed by suspicious activity on the targeted host. Suspicious activity may include the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc. The attack may be preceded by reconnaissance attempts targeted to that host. The attacks include buffer overflows, remote command execution attempts, denial of service attempts etc.

System Rule: State Change: Host.

This correlation rule detects significant host status change events such as the system failing or rebooting, interface cards coming up and down, the audit log filling up or getting deleted etc.

System Rule: State Change: Network Device.

This correlation rule detects significant network device state change events such as the system failing, failover occurring, interface cards coming up and down etc.

System Rule: State Change: SCADA Modbus.

This rule detects Modbus servers restarting. The Modbus protocol is the de facto standard in industrial control communications and is the protocol of choice in a Supervisory Control and Data Acquisition (SCADA) communications network, where the Programmable Logic Controllers (PLCs) act as Modbus servers.

System Rule: Sudden Traffic Increase To Port.

This rule detects a statistically significant increase in traffic to a particular port.

System Rule: Virus Found - Cleaned.

This rule indicates that virus scanning software detected and was able to clean a virus.

System Rule: Virus Found - Not Cleaned.

This rule indicates that virus scanning software detected but was unable to clean a virus.

System Rule: Vulnerable Host Found.

This rule detects a vulnerable host in the network - such hosts typically run old vulnerable protocols (e.g. SSH version 1, Rexec) or authenticate using plaintext passwords.

System Rule: Worm Propagation - Attempt.

This correlation rule detects worm propagation via means such as SMTP, TFTP, and network shares.

System Rule: Worm Propagation - Success Likely.

This correlation rule detects worm propagation via means such as SMTP, TFTP, and network shares accompanied by suspicious follow-up activity at the target destination host. Suspicious follow-up activity may include the host scanning the network, creating excessive firewall deny traffic, a backdoor opening up at the server etc.

List of System Reports

This topic defines the complete list of system reports issued with this release.

[MARS Internal: Netflow: Top Destination Ports].

This report ranks the destination ports in events seen by MARS. This is for internal use only.

[MARS Internal: Netflow: Top Hosts/Destination Ports Byte Count].

This report ranks the destination ports in events seen by MARS. This is for internal use only.

[MARS Internal: Netflow: Top Hosts/Destination Ports Flow Count].

This report ranks the destination ports in events seen by MARS. This is for internal use only.

Activity: AAA Based Access - All Events.

This report details AAA based access (e.g. to the network or to specific devices).

Activity: AAA Based Access Failure - All Events.

This report details all failed AAA (e.g. RADIUS, TACACS) based access attempts. Typically mechanisms such as 802.1x, network device access, Cisco NAC use AAA servers for access control.

Activity: AAA Failed Auth - All Events.

This report displays event details on failed AAA authentications. This report covers the following cases: regular AAA auth, 802.1x auth, L2 IP and L3 IP auth, L2 802.1x auth. An authentication may fail because of policy misconfiguration on the AAA server or wrong user credentials.

Activity: AAA Failed Auth - Top NADs.

This report ranks the Network Access Devices (NADs) based on failed AAA authentications. This report covers the following cases: regular AAA auth, 802.1x auth, L2 IP and L3 IP auth, L2 802.1x auth. An authentication may fail because of policy misconfiguration on the AAA server or wrong user credentials.

Activity: AAA Failed Auth - Top Users.

This report ranks the users based on failed AAA authentications. This report covers the following cases: regular AAA auth, 802.1x auth, L2 IP and L3 IP auth, L2 802.1x auth. An authentication may fail because of policy misconfiguration on the AAA server or wrong user credentials.

Activity: Accounts Locked - All Events.

This report details events that indicate locked computer accounts because of excessive login failures.

Activity: Accounts Locked - Top Hosts.

This report ranks the hosts by the accounts locked.

Activity: All - NAT Connections.

This report lists Network Address Translations performed on non-denied sessions as reported to MARS.

Activity: All - Top Destination Ports.

This report ranks the UDP and TCP destination ports of all events seen by MARS over the past hour. This report is used by pages in the Summary tab.

Activity: All - Top Destinations.

This report ranks the session destinations of all events seen by MARS over the past hour. This report is used by pages in the Summary tab.

Activity: All - Top Event Type Groups.

This report ranks event type groups by reported events that belong to each group. The event type groups give a general feeling about the type of network activity reported to MARS.

Activity: All - Top Event Types.

This report ranks the event types of all events seen by MARS over the past hour. This report is used by pages in the Summary tab.

Activity: All - Top Reporting Device Types.

This report ranks security device types by the number of events reported by devices of each particular type.

Activity: All - Top Reporting Devices.

This report ranks security devices by the total number of events reported by each device. This report is used by pages in the Summary tab.

Activity: All - Top Sources.

This report ranks the session sources of all events seen by MARS over the past hour. This report is used by pages in the Summary tab.

Activity: All - Top Users.

This report tracks the most frequent logins and other user activity by showing the most active user names.

Activity: All Events and Netflow - Top Destination Ports.

This report ranks the UDP and TCP destination ports of all events (including Netflow events) seen by MARS over the past hour. This report is used by pages in the Summary tab.

Activity: All Sessions - Top Destination Ports by Bytes.

This report ranks all destination ports by bytes transferred.

Activity: All Sessions - Top Destinations by Bytes.

This report ranks all destinations by bytes transferred.

Activity: Attacks Prevented - Top Reporting Devices.

This report ranks security devices by the number of attacks prevented.

Activity: Attacks Seen - Top Event Types.

This report ranks the top attack event types.

Activity: Attacks Seen - Top Reporting Devices.

This report ranks security devices by the number of attack events logged. The security devices can be firewalls, NIDS and HIDS.

Activity: Backdoor - Top Destinations.

This report ranks the hosts that respond to backdoor connection attempts.

Activity: Backdoor - Top Event Types.

This report ranks the events that detect some form of backdoor activity. A backdoor may be created by an attacker on a compromised host. A backdoor event can be either an attempt to connect to a backdoor or a response from a server running a backdoor.

Activity: Backdoor - Top Hosts.

This report ranks the hosts that respond to backdoor connection attempts. This means that the hosts are likely infected and running backdoors.

Activity: CS-MARS Host Mitigation - Failure - All Events.

This report lists failed CS-MARS mitigation attempts - these can result from improper network connectivity or device access credentials.

Activity: CS-MARS Host Mitigation - Success - All Events.

This report lists successful mitigations from CS-MARS.

Activity: Database Login Failures - All Events.

This report lists the event details for all database login failure events.

Activity: Database Login Failures - Top Servers.

This report ranks the database servers by the number of login failures.

Activity: Database Login Failures - Top Users.

This report ranks the users by the number of login failures.

Activity: Database Login Successes - All Events.

This report lists event details for all successful database login events.

Activity: Database Login Successes - Top Servers.

This report ranks the database server hosts by the number of successful logins.

Activity: Database Login Successes - Top Users.

This report ranks the database users by the number of successful logins.

Activity: Database Object Modification Failures - All Events.

This report lists the event details for all failed database object modification attempts.

Activity: Database Object Modification Failures - Top Users.

This report ranks the users by the number of failed database object modification attempts.

Activity: Database Object Modification Successes - All Events.

This report lists the event details for all successful database object modification attempts.

Activity: Database Object Modification Successes - Top Users.

This report ranks the users by the number of successful database object modifications.

Activity: Database Privileged Command Failures - All Events.

This report lists event details for all privileged database command execution failures.

Activity: Database Privileged Command Failures - Top Users.

This report ranks the users by failed privileged database command execution attempts.

Activity: Database Privileged Command Successes - All Events.

This report lists the event details for all successful privileged database commands executed.

Activity: Database Privileged Command Successes - Top Users.

This report ranks the users by successful privileged database commands executed.

Activity: Database Regular Command Failures - All Events.

This report lists the event details for all failed non-privileged database command execution attempts.

Activity: Database Regular Command Failures - Top Users.

This report ranks the users by the number of failed non-privileged database command execution attempts.

Activity: Database Regular Command Successes - All Events.

This report lists the event details for all successful non-privileged database command executions.

Activity: Database Regular Command Successes - Top Users.

This report ranks the users by successful non-privileged database command executions.

Activity: Database User/Group Change Failures - All Events.

This report lists the event details for all failed database user/group modification attempts.

Activity: Database User/Group Change Failures - Top Users.

This report ranks the users by the number of failed database user/group modification attempts.

Activity: Database User/Group Change Successes - All Events.

This report lists the event details for all successful database user/group modifications.

Activity: Database User/Group Change Successes - Top Users.

This report ranks the users by the successful database user/group modifications performed.

Activity: Denies - Top Destination Ports.

This report ranks the destination ports to which attacks have been targeted but denied.

Activity: Denies - Top Destinations.

This report ranks the destination hosts to which attacks have been targeted but denied.

Activity: Denies - Top Sources.

This report ranks attack sources by the number of denied connection attempts.

Activity: Host Admin Login Success - All Events.

This report details successful administrative login events to hosts.

Activity: Host Login Failures - All Events.

This report records all host login failure details.

Activity: Host Login Failures - Top Destinations.

This report ranks hosts by the number of logon failures recorded.

Activity: Host Login Failures - Top Users.

This report ranks host users by failed login attempts.

Activity: Host Login Success - All Events.

This report details all successful host login events.

Activity: Host Login Success - Top Host.

This report ranks hosts by successful logins.

Activity: Host Object Access - All Events.

This report records all Microsoft Windows Object Access events from Windows Event Logs.

Activity: Host Privilege Escalation - All Events.

This report provides details for events that represent a user attempting to increase access rights on a particular host. Such attempts can happen remotely or from the local console and can be reported by Network or Host IDS devices or the hosts themselves.

Activity: Host Privilege Escalation - Top Hosts.

This report ranks the hosts by the number of privilege escalation attempts made against them. Such attempts can happen remotely or from the local console and can be reported by Network or Host IDS devices or the hosts themselves.

Activity: Host Privileged Access - All Events.

This report records all Microsoft Windows Host Privileged Access events from Windows Event Logs.

Activity: Host Process Tracking - All Events.

This report records all Microsoft Windows Detailed Process Tracking events from Windows Event Logs.

Activity: Host Registry Changes - All Events.

This report records the events signalling Microsoft Windows registry changes.

Activity: Host Registry Changes - Top Host.

This report ranks hosts by the number of Microsoft Windows registry changes reported.

Activity: Host Security Policy Changes - All Events.

This report lists all policy changes on a host affecting host security. These events are typically reported by Host IDS and host agents.

Activity: Host Security Policy Changes - Top Host.

This report ranks hosts by the number of security policy changes on that host.

Activity: Host System Events - All Events.

This report records the Microsoft Windows system events, e.g. startup, shutdown, LSA registration, audit event discards, etc.

Activity: Host User/Group Management - All Events.

This report records user/group management events reported by hosts.

Activity: Host User/Group Management - Top hosts.

This report ranks hosts by user group management events reported.

Activity: IDS Evasion - Top Event Types.

This report ranks the events that detect an attempt by an attacker to evade detection by Network IDS systems. This may be web-based obfuscation attacks, fragmentation attacks or TCP/IP based attacks.

Activity: Inactive Reporting Device - Top Devices.

This report lists devices that are configured to report to CS-MARS but haven't reported any event in the last hour.

Activity: IOS IPS DTM Successful Signature Tuning - All Events.

This report lists all successful IOS IPS signature download activities - both addition and deletion. CS-MARS Distributed Threat Mitigation (DTM) turns on ACTIVE IPS signatures on IOS routers.

Activity: IRC - All Events.

This report lists all IRC activities. Typically, worms deposit executables on infected hosts that initiate IRC connections.

Activity: Network Usage - Top Destination Ports By Bytes.

This report ranks the top destination ports by bytes transferred.

Activity: Network Usage - Top Destination Ports.

This report ranks destination ports by number of network sessions. This report requires that the syslog level of routers or firewalls be set to high to be able to capture session events. This report provides a general usage pattern of the network.

Activity: New Malware Discovered - All Events.

This report lists all the new virus/worm/malware outbreaks discovered by Cisco Incident Control Server.

Activity: New Malware Prevention Deployment Failure - All Events.

This report lists all devices to which ACL and signature deployment attempts by a Cisco Incident Control Server, in response to a new virus/worm/malware outbreak, failed.

Activity: New Malware Prevention Deployment Success - All Events.

This report lists all destinations (Cisco IOS IPS devices and IPS appliances) to which Cisco Incident Control Server has deployed new ACLs and signatures in response to a new virus/worm/malware outbreak.

Activity: New Malware Traffic Match - All Events.

This report details the traffic sources and the enforcing devices that match the ACLs and signatures deployed by the Cisco Incident Control Server in response to a newly discovered malware outbreak.

Activity: New Malware Traffic Match - Top Sources.

This report lists the top sources that match the ACLs or signatures dynamically deployed by Cisco Incident Control Server in response to a new virus/worm/malware outbreak. This indicates that these sources are likely infected.

Activity: P2P Filesharing/Chat - All Events.

This report details all P2P file sharing or chat events.

Activity: P2P Filesharing/Chat - Top Event Types.

This report ranks event types detecting peer-to-peer (P2P) file sharing protocol and chat protocol activity. File sharing protocols such as KaZaa, Napster and eDonkey and chat protocols such as IRC, Hotline and instant messaging protocols may not be suitable in business environments.

Activity: P2P Filesharing/Chat - Top Hosts.

This report ranks hosts involved in P2P Filesharing and chat protocol activity. Such protocols may not be suitable in business environments.

Activity: Recreational - All Events.

This report details all users involved in recreational activities such as games and specific web sites such as gambling sites.

Activity: Recreational - Top Sources.

This report ranks the source addresses involved in recreational activities such as games, adult web sites, stock sites etc.

Activity: Remote Access Login - All Events.

This report details remote access login events (IPSec, SSLVPN, PPP, L2TP etc.).

Activity: Remote Access Login - Top User.

This report ranks users by remote access logins (PPP, L2TP, PPTP, IPSec).

Activity: Remote Access Login Failures - All Events.

This report details all failed remote access login events.

Activity: Scans - Top Destination Ports.

This report ranks destination ports by the total number of events detecting scanning activity for that port. Scans involve activities such as searching for alive hosts, open services on such hosts and detecting host configuration and application settings.

Activity: Scans - Top Destinations.

This report ranks hosts by the total number of events detecting scanning activity directed to that host. Scans involve activities such as searching for alive hosts, open services on such hosts and detecting host configuration and application settings.

Activity: Scans - Top Sources.

This report ranks attack sources by the total number of events detecting scanning activity for certain services. Scans involve activities such as searching for alive hosts, open services on such hosts and detecting host configuration and application settings.

Activity: Security Posture: Healthy - Top Users.

This report lists the users in a HEALTHY Security Posture State. A Healthy security posture implies that the posture of the host is up to date, policy compliant and does not need attention.

Activity: Security Posture: NAC - Top NADs and Tokens.

This report displays the Network Access Devices (NADs) handling Network Admission Control transactions along with the tokens assigned by each of them.

Activity: Security Posture: NAC - Top NADs.

This report ranks the network access devices (NADs) handling Network Admission Control transactions.

Activity: Security Posture: NAC - Top Tokens.

This report shows the network wide distribution of NAC tokens. The possible token values are HEALTHY, CHECKUP, INFECTED, QUARANTINE, UNKNOWN. The TRANSITION token is excluded since it is an intermediate state.

Activity: Security Posture: NAC Agentless - Top Hosts.

This report captures the distribution of NAC tokens for end hosts that do not have Cisco Trust Agent (CTA) software. In this case, the posture validation is done either locally by the Network Access Device or via the Audit Server. The possible NAC token values in this report are HEALTHY, CHECKUP, INFECTED, QUARANTINE, UNKNOWN. The TRANSITION token is excluded since it is an intermediate state.

Activity: Security Posture: NAC Agentless - Top NADs.

This report captures the distribution of NAC tokens for end hosts that do not have Cisco Trust Agent (CTA) software. In this case, the posture validation is done either locally by the Network Access Device or via the Audit Server. The possible NAC token values in this report are HEALTHY, CHECKUP, INFECTED, QUARANTINE, UNKNOWN. The TRANSITION token is excluded since it is an intermediate state.

Activity: Security Posture: NAC Agentless - Top Tokens.

This report captures the distribution of NAC tokens for end hosts that do not have Cisco Trust Agent (CTA) software. In this case, the posture validation is done either locally by the Network Access Device or via the Audit Server. The possible NAC token values in this report are HEALTHY, CHECKUP, INFECTED, QUARANTINE, UNKNOWN. The TRANSITION token is excluded since it is an intermediate state.

Activity: Security Posture: NAC Audit Server Issues - All Events.

This report ranks the end hosts for which the AAA server is having an issue with obtaining the right security posture token from the audit server. These end hosts do not have the Cisco Trust Agent (CTA) running and they depend on an Audit Server for obtaining the proper Security Posture Token.

Activity: Security Posture: NAC End Host Details - All Events.

This report details all the NAC related messages from the Network Access Devices (NAD) and AAA servers. Choose a source IP address or user to see the messages for one end host.

Activity: Security Posture: NAC Infected/Quarantine - All Events.

This report lists the event details for the hosts that are in an INFECTED or QUARANTINE state. The QUARANTINE hosts must do Anti-virus DAT file updates before network access and the INFECTED hosts must be cleaned before network access.

Activity: Security Posture: NAC Infected/Quarantine - Top Hosts.

This report details the hosts that are in an INFECTED or QUARANTINE state. The QUARANTINE hosts must do Anti-virus DAT file updates before network access and the INFECTED hosts must be cleaned before network access.

Activity: Security Posture: NAC L2 802.1x - Top Tokens.

This report captures the distribution of NAC tokens for end hosts that use the Layer 2 IEEE 802.1x method to validate their posture. The possible NAC token values in this report are HEALTHY, CHECKUP, INFECTED, QUARANTINE, UNKNOWN. The TRANSITION token is excluded since it is an intermediate state.

Activity: Security Posture: NAC L2IP - Top Tokens.

This report captures the distribution of NAC tokens for end hosts that use the Layer 2 IP method to validate their posture. The possible NAC token values in this report are HEALTHY, CHECKUP, INFECTED, QUARANTINE, UNKNOWN. The TRANSITION token is excluded since it is an intermediate state.

Activity: Security Posture: NAC Static Auth - Top Hosts.

This report captures the hosts that are configured as static exceptions on the Network Access Device (NAD). For these hosts, the NAD directly permits network access without consulting the posture validation server.

Activity: Security Posture: NAC Static Auth - Top NADs.

This report captures the Network Access Devices (NADs) that are permitting end hosts into the network as static exceptions. For these end hosts, the NAD directly permits network access without consulting the posture validation server.

Activity: Security Posture: NAC Status Query Failure - Top Hosts.

This report details the top hosts that failed the status queries from the Network Access Devices (NAD). Such failures occur after initial authorization whenever there is a change in posture detected by the Cisco Trust Agent (CTA) on the end host. Such failures may be caused by users frequently enabling or disabling the CTA agent.

Activity: Security Posture: Not Healthy - All Events.

This report lists the detailed events for users whose security posture is not up to date, i.e., in either a CHECKUP, QUARANTINE or INFECTED state. The software on these hosts needs to be upgraded. The CHECKUP hosts may need DAT file updates, the QUARANTINE hosts must do DAT file updates before network access and the INFECTED hosts must be remediated before network access.

Activity: Spyware - All Events.

This report details all spyware events.

Activity: Spyware - Top Hosts.

This report ranks the hosts running spyware applications. Spyware is malicious software that installs and runs on hosts, collects usernames, passwords and credit card information, and sends this information to the spyware writers.

Activity: Stealth Scans - Top Sources.

This report ranks attackers by the amount of stealth scanning activity. Such activities include sending crafted packets to detect host operating systems and other vulnerabilities. Vulnerability scanners may generate such events.

Activity: Sudden Traffic Increase To Port - All Destinations.

This report lists hosts that exhibit anomalous behavior by suddenly receiving statistically significant volume on a TCP/UDP port or ICMP traffic.

Activity: Sudden Traffic Increase To Port - All Sources.

This report lists hosts that exhibit anomalous behavior by suddenly sending statistically significant volume on a TCP/UDP port or ICMP traffic.

Activity: Uncommon or Anomalous Traffic - All Events.

This report details uncommon or anomalous traffic such as unused TCP options, uncommon ICMP traffic, non-standard traffic on standard port, tunneled traffic etc.

Activity: Unknown Events - All Events.

This report tracks the events that are unknown to MARS.

Activity: Virus/Worms - Top Event Types.

This report ranks the events that detect virus or worm activity in the network.

Activity: Virus/Worms - Top Infected Hosts.

This report ranks hosts that are propagating viruses and worms via SMTP, POP, IMAP, network shares etc.

Activity: Virus: Detected - Top Users.

This report ranks users/workstations by viruses detected.

Activity: Virus: Infections - Top Users.

This report ranks users/workstations by viruses detected and not cleaned.

Activity: Vulnerable Host Found via VA Scanner.

This report lists vulnerable hosts and associated vulnerabilities found by importing information from Vulnerability Analysis (VA) scanners.

Activity: Vulnerable Host Found.

This report lists all vulnerable hosts found by IDS or VA scanners.

Activity: Web Usage - Top Destinations by Bytes.

This report ranks the web servers by bytes transferred.

Activity: Web Usage - Top Destinations by Sessions.

This report ranks the top web destinations by session count.

Activity: Web Usage - Top Sources.

This report ranks source addresses based on web use.

Attacks: All - All Events.

This report lists the details (event type, destination, source) of all attack events.

Attacks: All - Top Destinations.

This report ranks hosts by the number of attacks targeted at each host.

Attacks: All - Top Event Type Groups.

This report ranks event type groups that appear in fired correlation rules. The event type groups give a general feeling about the network activity classified as part of an attack by MARS.

Attacks: All - Top Rules Fired.

This report ranks rules fired over the past hour by number of incidents. This provides a general feeling about the attack activity in the network. This report is used by pages in the Summary tab.

Attacks: All - Top Sources.

This report ranks the sources of attack events seen by MARS over the past hour.

Attacks: Client Exploits - Top Sources.

This report ranks hosts by the number of exploits originating from each host.

Attacks: Database Server - Top Event Types.

This report ranks attacks on database servers such as MS SQL Server, Oracle and Sybase.

Attacks: FTP Server - Top Event Types.

This report ranks attacks on FTP servers.

Attacks: Identity Spoofing - Top Event Types.

This report ranks events that represent attempts by an attacker to spoof his/her identity over the past hour.

Attacks: Login Services - Top Event Types.

This report ranks attacks on servers providing login services and remote shells. Examples include Telnet, SSH and Berkeley r-protocols.

Attacks: Mail Server - Top Event Types.

This report ranks attacks on Mail servers (SMTP, POP, IMAP).

Attacks: Network DoS - Top Event Types.

This report ranks attacks that represent network wide denial of service attempts. Such attacks may include crashing or rebooting an inline network device such as a router, firewall or switch, or increasing network load by generating TCP, UDP or ICMP traffic.

Attacks: Password - All Events.

This report details all password attack events.

Attacks: Password - Top Destinations.

This report ranks hosts by the number of password attacks attempted on them. Password attacks include attempts to (a) capture passwords, either remotely or locally and (b) guess passwords. Password guessing attempts are recorded as authentication failures by IDS and hosts.

Attacks: Password - Top Event Types.

This report ranks password retrieving and guessing attacks. The passwords can be system passwords or application passwords.

Attacks: Password: Locked Accounts - All Events.

This report details password attacks on locked/disabled/expired accounts.

Attacks: Password: Restricted Times - All Events.

This report details all events that indicate login failures at restricted times - the hosts are specifically configured to disallow access at these hours.

Attacks: RPC Services - Top Event Types.

This report ranks attacks on RPC based applications.

Attacks: SANS Top 20 - Top Event Types.

This report ranks the attacks that have been included in SANS Top 20 list.

Attacks: SNMP - Top Event Types.

This report ranks SNMP based attacks over the past hour.

Attacks: Uncommon or Anomalous Traffic - Top Event Types.

This report ranks the events that represent uncommon or anomalous traffic. Uncommon traffic involves ICMP types and TCP/IP options not in common usage or standard traffic on non-standard ports. Anomalous traffic includes traffic that violates IETF or other well known protocol specifications.

Attacks: Virus/Worms - Top Sources.

This report ranks addresses that are the source of virus/worm propagation attempts.

Attacks: Web Server/App - Top Event Types.

This report ranks attacks on web servers or applications built on top of web servers over the past hour.

Configuration Changes: Network - All Events.

This report details all the configuration changes on network devices.

Configuration Changes: Network - Top Event Types.

This report summarizes configuration changes to network devices such as firewalls, routers and switches over the past hour.

Configuration Changes: Server - All Events.

This report details all configuration changes on hosts (reported by OS or Host IDS agents).

Configuration Changes: Server - Top Event Types.

This report summarizes configuration changes to servers over the past hour.

Configuration Changes: Server - Top Reporting Devices.

This report summarizes the configuration changes per server over the past hour.

Configuration Issues: Network - All Events.

This report lists details for events that indicate configuration errors on network devices.

Configuration Issues: Network - Top Reporting Devices.

This report summarizes the events that may indicate certain configuration related problems in network devices such as firewalls, routers and switches.

Configuration Issues: Server - All Events.

This report lists details for all events that indicate configuration errors on hosts or host applications.

Configuration Issues: Server - Top Reporting Devices.

This report summarizes the events that may indicate certain configuration related problems in servers. These are likely to be Host IDS events.

Connectivity Issue: IOS IPS DTM - All Events.

This report lists connectivity issues between CS-MARS and IOS IPS devices. Connectivity issues may prevent CS-MARS from turning on ACTIVE signatures on IOS IPS.

Detailed NAC Report.

Operational Issues: Network - All Events.

This report lists details about all operational issues on network devices.

Operational Issues: Network - Top Reporting Devices.

This report summarizes the events that may indicate operational issues with network devices such as routers, firewalls and Network IDS systems.

Operational Issues: Server - All Events.

This report lists details about events that indicate operational errors on hosts or host applications.

Operational Issues: Server - Top Reporting Devices.

This report summarizes the events that may indicate operational issues with servers.

Resource Issues: CS-MARS - All Events.

This report lists event details for all events related to resource issues with the CS-MARS device, e.g. dropped events or netflow, etc.

Resource Issues: IOS IPS DTM - All Events.

This report lists event details that indicate certain IOS IPS routers running low on memory for CS-MARS Distributed Threat Mitigation (DTM). Because of low memory, CS-MARS may not be able to download and activate the complete set of ACTIVE IPS signatures to those IOS IPS devices.

Resource Issues: IOS IPS DTM - Top Devices.

This report lists IOS IPS routers that are running low on memory for CS-MARS Distributed Threat Mitigation (DTM). Because of low memory, CS-MARS may not be able to download and activate the complete set of ACTIVE IPS signatures to IOS IPS devices.

Resource Issues: Network - All Events.

This report lists event details for all events related to resource issues on network devices such as IDS, routers, firewalls etc.

Resource Issues: Network - Top Reporting Devices.

This report summarizes the events that represent resource issues with network devices such as firewalls, routers and switches.

Resource Issues: Server - All Events.

This report lists event details for all resource issues on hosts. These are reported by Host IDS or Operating System logs.

Resource Issues: Server - Top Reporting Devices.

This report summarizes the events that represent resource issues with servers. These are likely to be Host IDS events.

Resource Utilization: Bandwidth: Inbound - Top Interfaces.

This report ranks the inbound bandwidth utilization of the interfaces on the devices managed by PN-MARS.

Resource Utilization: Bandwidth: Outbound - Top Interfaces.

This report ranks the outbound bandwidth utilization of interfaces on devices managed by PN-MARS.

Resource Utilization: Concurrent Connections - Top Devices.

This report ranks the number of concurrent connections established through the devices managed by PN-MARS.

Resource Utilization: CPU - Top Devices.

This report ranks the CPU utilization of the devices managed by PN-MARS.

Resource Utilization: CS-MARS - All Events.

This report lists event details for all events related to CS-MARS resource utilization, e.g. database partitions, etc.

Resource Utilization: Errors: Inbound - Top Interfaces.

This report ranks the inbound interfaces of the devices managed by PN-MARS by error rate.

Resource Utilization: Errors: Outbound - Top Interfaces.

This report ranks the outbound interfaces of the devices managed by PN-MARS by error rate.

Resource Utilization: Memory - Top Devices.

This report ranks the memory utilization of the devices managed by PN-MARS.
