User Guide for Cisco Security MARS Local Controller, Release 5.3.x
Index

Numerics

4.3.2

MARS version

read-only policy lookup 17-8

4.3.4

MARS version

policy lookup, read-write 17-8

5.3.4

MARS version

policy lookup, read-write 17-8

5-tuple data

access rule lookup from MARS and 17-3

low-latency event query 17-11

parsing during access rule lookup 17-5

policy table lookup from MARS and 17-3

802.1x, logging in Cisco Secure ACS 15-5

A

AAA authentication

and Cisco Secure ACS

for policy lookup 17-15

AAA devices 15-1

AAA server

add 3-8

delete 3-15

servers supported 3-1

access rule events

in MARS

looking up policy table 17-3

access rule lookup

authentication failure

during connection from MARS 17-2

communication

between MARS and Security Manager 17-14

deployed changes

synchronization with 17-11

device lookup query

sequence of actions 17-4

with a unique hostname 17-4

without any domain and hostname 17-4

device lookup results and 17-4

device software versions

supported for 17-15

devices with multiple contexts

prerequisites for 17-4

error message 17-12

expanding

network/host objects 17-12

service objects 17-12

for syslog messages

on IOS routers 17-7

for the selected MARS event

with multiple device matches 17-3

with no device match 17-3

from MARS

in read-only mode 17-1

in read-write mode 17-1

overview 17-4

sample case 17-1

taskflow 17-2

without Security Manager client running 17-3

from MARS events

in Security Manager 3.1.1 through 3.0.1 17-5

in Security Manager 3.2 17-5

guidelines for working 17-8

in MARS 4.3.4 and 5.3.4 17-5

parsing raw syslogs 17-5

in read-only mode

supported MARS versions 17-4

supported Security Manager versions 17-5

in read-write mode

improved rule matching accuracy 17-5

supported MARS versions 17-4

supported Security Manager versions 17-5

looking up device in MARS 17-4

MARS session object 17-5

multiple matches

for syslogs with insufficient details for parsing 17-6

starting a new client session 17-10

supported syslog IDs

for firewall devices 17-6

syslog messages supported

by IOS routers 17-6

by security appliances 17-6

syslogs supported for

by firewall devices 17-6

with multiple hostname matches 17-4

with Security Manager client active

in non-Workflow mode 17-3

in Workflow mode 17-3

with Security Manager client timed out 17-10

access rules

empty

policy lookup from MARS 17-12

hyperlink in rule number

read-only policy table 17-32

looking up

from MARS events (prerequisites) 17-20

from MARS events (procedure) 17-19

modified

after read-only policy display 17-13

not synchronized with device 17-13

on higher security interface, inbound

policy lookup 17-13

on lower security interface, inbound

policy lookup 17-13

policy query icon 17-12

on lower security interface, outbound

policy lookup 17-13

unavailable on the device

for MARS syslogs 17-13

Access Rules page

expanding objects

lookup from MARS events 17-23

highlighted row

after policy lookup from MARS 17-23

looking up

from MARS events 17-23

with Security Manager not installed 17-23

with Security Manager running 17-23

with Security Manager timed out 17-23

Accounts

expired

unlocking 3-4

ACS

configuring user names 3-8

Action 20-3

Activate button 22-18, 22-19, 22-21, 22-23, 24-1

activating reporting devices 2-28

explanation 18-7

what it does 2-28

when multiple users are logged in 18-8

when to use 2-28

Activation Settings page 18-9

activities

in an editable state

and policy table lookup from MARS 17-3

policy table lookup

with Security Manager client active 17-10

Add Event Action Filter dialog box

fields with

default values 17-29

values from MARS events 17-29

read-only signature policy page

in the MARS GUI 17-29

adding

cell phone number 23-11, 24-11

CSV file 2-21

devices 2-18

manually 2-18

seed file 2-21

drop rules 22-22

event groups 24-3

inspection rules 22-19

pager number 23-11, 24-11

seed file 2-21

service 24-8

user 23-10, 24-9

user group 24-12

adding IP groups 24-4

adding service provider 23-11, 24-11

Admin role

adding Security Manager

to MARS 17-16

admin roles, see user management 24-9

Adobe SVG 18-15

alert

action 22-15

Distributed Threat Management 22-15

Email 22-15

NONE 22-15

Page 22-15

SMS 22-15

SNMP 22-15

Syslog 22-15

hard drive 25-21

alerts 23-1

all matching event raw messages 21-7

all matching events 21-7

all matching sessions 21-7

anomaly detection, see NetFlow 2-32

approvers

associating with user account

for policy lookup from MARS 17-15

archive server

retrieving raw messages 25-3

ASA devices

supported software versions

for policy and events lookup 17-15

with multiple contexts

and policy lookup from MARS 17-4

prerequisite for policy table lookup 17-4

attack diagram 18-14

attack paths

L2 20-5

L3 20-5

audit trail 25-3

authentication

of MARS for policy lookup

Security Manager deleted from MARS 17-10

authentication settings

for MARS to access

Security Manager 17-15

policy table lookup

allow saving of credentials 17-19

using MARS credentials 17-18

using Security Manager credentials 17-18

B

backward compatibility

of policy table lookup

with Security Manager 3.0.x, 3.1.x 17-8

beep code 25-32

bootstrap

devices 1-5

bootstrapping

devices

for policy lookup 17-14

Security Manager server

for communication with MARS 17-15

bootstrapping devices

managed by MARS 17-14

browser settings

File Download dialog box 17-23

bytes transmitted 21-8

C

caching

MARS events

sessionization 17-11

policy rules

in read-only policy window 17-11

reusing query results 17-11

Security Manager credentials

until MARS session is active 17-9

Catalyst 6500 Series switches

supported software versions

for policy and events lookup 17-15

cell phone paging 23-11, 24-11

certificate

monitor status 25-11

upgrading from expired or fingerprint 25-11

certificate comparison

by MARS

conflict detection 17-9

storing a fresh copy after prompting 17-9

storing a fresh copy automatically 17-9

certificates

presented by Security Manager

compared by MARS during policy lookup 17-9

changing

drop rule status 22-21

inspection rule status 22-17

Cisco Adaptive Security Appliance, see Cisco ASA 5-1

Cisco ASA

add to MARS 5-14

bootstrapping 5-2

security context

add discovered 5-18

define reporting options for 5-19

make MARS aware of 5-17

Cisco Firewall Services Modules, see Cisco FWSM 5-1

Cisco FWSM

add to MARS 5-14

bootstrapping 5-2

security context

add discovered 5-18

define reporting options for 5-19

make MARS aware of 5-17

Cisco IOS routers

access lists with

log-input keyword 17-7

log keyword 17-7

access rule lookup

from MARS 17-2

supported software versions

for policy and events lookup 17-15

supported syslog IDs

for policy lookup 17-7

Cisco Network Security Database

See NSDB

Cisco Secure ACS

access settings for

MARS appliance 17-15

configuring user names 3-8

roles for

policy table lookup 17-16

Cisco Secure ACS, 802.1x feature support 15-5

Cisco Secure ACS, 802.1x support 15-1

Cisco Secure ACS, audit logs required by MARS 15-3

Cisco Secure ACS, bootstrap 15-3

Cisco Secure ACS, event logs studied by MARS 15-1

Cisco Secure ACS, MARS agent 15-7

Cisco Secure ACS, NAC support 15-1

Cisco Secure ACS, representing in MARS 15-12

Cisco Secure ACS, server support 15-2

Cisco Secure ACS, solution engine support 15-2

Cisco Secure ACS, supported versions 15-1

Cisco Secure ACS, TACACS+ command authorization 15-7

Cisco Security Manager Policy Query page

See read-only policy table

Cisco Security MARS

See MARS

Collapse All 20-5

columns

seed file 2-23

Common Services

AAA authentication for

MARS appliance 17-15

MARS user account, creating 17-16

MARS user not defined in

policy lookup 17-10

user account not defined in

logging in to MARS 17-10

Common Services roles

policy table lookup from MARS

Help Desk role 17-8

Common Vulnerabilities and Exposures 24-2

community strings 2-38

configuration

NetFlow 2-31

connection establishment messages

looking up access rules from MARS 17-2

connection protocol

between MARS and Security Manager

for policy table lookup 17-2

with MARS 17-18

connection-related messages

access rule lookup from MARS 17-3

generated by

outbound traffic, policy lookup 17-13

ICMP

access rule lookup from MARS events 17-5

management traffic

NP Identity Ifc keyword 17-5

number of matches

for access rule lookup 17-5

TCP

access rule lookup from MARS events 17-5

UDP

access rule lookup from MARS events 17-5

connection setup message

and session termination 17-5

common ID with teardown message 17-5

defining 17-5

connection teardown messages

2-minute gap with

connection setup 17-12

and corresponding setup syslog 17-5

direction details 17-5

in a different session from setup 17-12

looking up access rules from MARS 17-2

pre-NATed address 17-5

realtime event viewer 17-12

connectivity failure

from MARS to Security Manager

error message 17-9

connectivity test

between MARS and Security Manager

configuring administrative host 17-19

correct credentials 17-19

error message 17-19

failure due to incorrect credentials 17-9

success 17-19

Context Data events

on IPS and IDS sensors

policy query icon and 17-7

creating

report 21-25

cross-launch authentication settings

for policy lookup

allow saving of credentials 17-18

prompting user for credentials 17-18

using MARS credentials 17-18

modifying

to disable saving of Security Manager credentials 17-10

saving in MARS

for Security Manager not added 17-16

cross-launching

Security Manager client

from MARS events 17-1

without secure connection 17-9

CsmContentProvider file

downloading

during policy lookup 17-23

File Download dialog box

preventing from appearing 17-23

CSV files 2-21

custom log parser

selecting traffic type 16-14

custom signatures

policy lookup for 17-8

unknown device event type 17-27

CVE 24-2

D

Daemon Manager

not running on Security Manager

policy table lookup 17-9

data reduction 18-14

default certificate response

change 25-10

default fingerprint response

change 25-10

default password

change 25-8

deleting service 24-8

deployment

of access rule changes

synchronization with device 17-11

destination IP address ranking 21-6

destination network group ranking 21-6

destination network ranking 21-6

destination ranking 21-6

device, re-add 2-20

device lookup

for policy query from MARS

discovered devices 17-4

multiple matching hostnames 17-4

parameters passed 17-4

renaming device name 17-4

reporting IP address 17-4

single matching hostname 17-4

without domain name 17-4

devices

access rule lookup

from MARS 17-2

added to MARS only

policy lookup 17-12

adding to MARS 17-14

bootstrap overview 1-5

bootstrapping

for policy lookup 17-14

managed by MARS 17-14

define

overview 1-6

deleting 2-20

deleting all displayed 2-20

discovered but not submitted

policy lookup, error 17-12

edit 2-19

in MARS

multiple matches during policy lookup 17-3

no match during policy lookup 17-3

time synchronization, recommendation 17-14

managed by MARS and Security Manager

running compatible software version 17-13

managed by Security Manager

preparing for policy lookup 17-14

management traffic

between MARS and 17-14

mitigation

monitored by MARS 17-13

notification traffic

between MARS and 17-14

reporting

monitored by MARS 17-13

software versions

supported by MARS and Security Manager 17-15

synchronization with

changed policies 17-11

versions supported for policy lookup

by MARS and Security Manager 17-11

with matching hostname

policy lookup from MARS 17-4

with matching IP address

policy lookup from MARS 17-4

with multiple contexts

Device Properties page 17-4

differing host and context names 17-4

logging configuration 17-6

policy query icon 17-8

reporting IP address in MARS 17-8

setting hostname for policy lookup from MARS 17-4

without a unique match

policy lookup from MARS 17-4

without matching host and domain names

policy lookup from MARS 17-4

diagnostics

beep codes 25-32

diagrams

attack 18-14

discovering networks

automatic 2-40

discovery

in MARS

devices that do not allow 17-4

devices that support 17-4

scheduling 2-40

updating 2-40

display format

query 21-5

drop rule

activate and inactive 22-21

drop rules

adding 22-22

editing 22-22

drop rule status

changing 22-21

dynamic information 20-10

dynamic vulnerability scanning 2-30

E

editing

drop rules 22-22

host information 24-6

inspection rules 22-18

IP groups 24-4

service 24-8

user 24-12

error message

testing connectivity

between MARS and Security Manager 17-19

error messages

policy table lookup from MARS

access rules not on device 17-12

addition of multiple Security Managers to Local Controller 17-8

changed Security Manager credentials not updated in MARS 17-9

connection setup syslog unavailable 17-12

connection teardown events in realtime viewer 17-12

connectivity to Security Manager 17-9

Daemon Manager not running on Security Manager 17-9

device added to MARS only 17-12

discovered but unsubmitted devices 17-12

empty access rules 17-12

HTTPS not enabled on Security Manager 17-9

implicit permit statement in access rules 17-13

incorrect Security Manager login credentials 17-9

management traffic events 17-12

modal dialog box open 17-10

modified signature on device 17-13

RPC connection failure 17-11

unsynchronized changes 17-11

event action filter

configuring

during policy table lookup from MARS 17-3

saving as a local policy 17-29

event groups 24-3

event log

changing pulling time interval for Windows 11-11

event management 24-1

editing 24-2

events

in MARS

caching, sessionization 17-11

in MARS, generated by

access rules 17-3

connection setup/teardown 17-3

IPS signatures 17-3

management traffic 17-12

in MARS, identifying

for access rule lookup 17-20

events lookup

device software versions

supported for 17-15

Event Type 20-3

event type group ranking 21-6

event type ranking 21-5

Expand All 20-5

expired

accounts 3-4

expired certificate 25-11

F

false positive

system determined 20-8

unconfirmed 20-8

user confirmed

false positive 20-8

positive 20-8

false positives

minimizing

signature tuning 17-7

tuning 20-5

tuning signatures 17-7

File Download dialog box

policy table lookup

from MARS events 17-23

preventing from appearing 17-23

filter

modem 25-31

fingerprint validation 25-9

FWSM

access rule lookup

from MARS 17-2

supported software versions

for policy and events lookup 17-15

with multiple contexts

and policy lookup from MARS 17-4

prerequisite for policy table lookup 17-4

G

gateways

intermediate

allowing flows between MARS and devices 17-14

Global Controller

policy query icon for events 17-8

policy table lookup and 17-8

viewing Security Manager server from 17-8

zone planning for

Security Manager mapping 17-16

H

hard drive

failure alert 25-21

hotswap procedure for MARS 55, 110R, 110, 210, GC2R, and GC2 25-26

raidstatus command 25-20

replacing in carrier 25-29

slot number diagram, MARS 55, 110R, 110, 210, GC2R, and GC2 25-25

hardware maintenance

MARS 55, 110, 110R, 210, GC2R, GC2 25-18

Help Desk role

modifying policy

from read-only policy table 17-16

historical events

policy lookup

error message 17-11

historical events lookup

device versions

supported for 17-15

hosts

adding 24-5

adding Security Manager on

a new one 17-17

an existing one 17-17

editing 24-6

Hot Spot Graph 18-14

hotswap

hard drives 25-20

power supply 25-30

procedure for MARS 55, 110R, 110, 210, GC2R, and GC2 25-26

I

ICMP connection-related messages

absence of necessary parameters 17-5

access rule lookup from MARS 17-5

accuracy of matching policies 17-5

example

for an ASA device 17-6

management traffic

access rule lookup 17-5

identifying 17-13

idle session timeout

of Security Manager

authentication of MARS 17-9

login credentials prompt during policy lookup 17-9

policy table lookup 17-9

idle timeout

exceeded for MARS session

without Security Manager client open before lookup 17-9

with Security Manager login credentials for lookup 17-9

IDSM-2 modules

supported software versions

for policy and events lookup 17-15

IDS sensors

Context Data events

and signature policy lookup 17-7

Packet Data events

and signature policy lookup 17-7

signature policy lookup

from MARS events 17-7

IIS

adding Security Manager

on an existing host 17-17

implicit permit

configured in access rules

lookup from MARS events 17-13

incident count 21-8

Incident Details page 20-4

accessing from

a search 17-20

Dashboard 17-20

Incidents page 17-20

Query/Reports tab 17-20

navigating to

read-only policy page 17-20

read-only signature policy page 17-24

policy query icon

for access rule lookup 17-20

for signature lookup 17-24

Incident ID 20-3

incident ID

Dashboard 17-20

Incidents page 17-20

locating using a search 17-20

Query Results page 17-20

Incident Path 20-3

incidents 18-13

action 20-3

correlation to events 17-19

description 17-19

event type 20-3

incident ID 20-3

incident path 20-3

incident vector 20-3

in MARS

policy table lookup and 17-2

instances 20-6

looking up access rule

and editing 17-20

matched rule 20-3

ranked by bytes transmitted 17-20

ranked by sessions 17-20

severity 20-3

time 20-3

time ranges 20-4

Incidents page

detecting incidents 17-19

viewing rules, events 17-19

incident table 20-5

Incident Vector 20-3

inspection rule

activate and inactive 22-17

inspection rules

adding 22-19

editing 22-18

inspection rule status

changing 22-17

instances

incidents 20-6

interface objects

read-only access rule table

displayed in MARS 17-33

viewing contents

from read-only policy table 17-23

Internet Explorer

accessing MARS GUI using

for access rule lookup 17-21

for signature policy lookup 17-29

cached passwords

policy table lookup 17-21

File Download dialog box 17-23

remembered passwords

policy table lookup 17-21

Internet Information Services

See IIS

interoperation

of MARS and Security Manager

for policy lookup 17-1

IOS IPS devices

signature policy lookup

from MARS 17-2

IOS IPS sensors

supported software versions

for policy and events lookup 17-15

IP groups

adding 24-4

editing 24-4

IP management 24-3

adding

hosts 24-5

IP range 24-4

network 24-4

variable 24-4

IPS events

error message

invalid details 17-13

in MARS

fired by a signature 17-7

signature policy lookup 17-3

IPS sensors

Context Data events

and signature policy lookup 17-7

Packet Data events

and signature policy lookup 17-7

signature policy lookup

from MARS 17-2

supported software versions

for policy and events lookup 17-15

IPS signature policy lookup

authentication failure

during connection from MARS 17-2

communication

between MARS and Security Manager 17-14

device lookup query

sequence of actions 17-4

device software versions

supported for 17-15

error message, invalid events 17-13

error message, modified signature 17-13

event action filter, configuring 17-3

fields parsed from raw syslogs

for IPS events in MARS 17-7

for MARS events of type

Context Data 17-7

Packet Data 17-7

from MARS

for virtual sensors, error message 17-3

sample case 17-1

taskflow 17-2

without Security Manager client running 17-3

guidelines for working 17-8

looking up devices in MARS 17-4

overview 17-7

signature ID, using 17-7

starting a new client session 17-10

subsignature ID, using 17-7

with Security Manager client active

in non-Workflow mode 17-3

in Workflow mode 17-3

with Security Manager client timed out 17-10

IPS virtual sensors

signature policy lookup

from MARS events 17-7

L

L2 attack path 20-5

L3 attack path 20-5

Linux host, bootstrap 11-2

loading

MARS

seed file 2-25

Local Controller

adding

multiple Security Manager servers to 17-8

one Security Manager server to 17-8

adding Security Manager to

prerequisites 17-16

procedure 17-16

supported versions 17-16

using Admin role 17-16

defining for Security Manager

access IP address 17-17

credentials for discovery 17-18

hostname 17-17

interface details 17-17

operating system 17-17

reporting IP address 17-17

mapping to Security Manager 17-16

policy lookup

for managed devices 17-16

querying one Security Manager 17-16

same Security Manager on multiple

defining 17-16

Security Manager not added to

user credential fields 17-16

zone planning for multiple

mapping to Security Manager 17-16

Local User Setup page

defining

MARS user account 17-18

log files 25-2

logging in to

MARS

using an account not in Common Services 17-10

using read/write privileges 17-10

Security Manager

after error during policy lookup 17-11

using a different account from the one in MARS 17-10

logging level

changing for firewalls

and syslogs in MARS 17-6

default

large number of events 17-7

logging message command 17-7

logging traffic

between MARS and monitored devices

enabling 17-14

login credentials

of Security Manager

saved in MARS during policy lookup 17-9

login credentials, Security Manager

authenticating MARS

Security Manager deleted from MARS 17-10

deleting

from User Configuration page 17-10

editing

from User Configuration page in MARS 17-10

read-only signature policy table 17-34

saving during policy lookup 17-18

using a different account from the one in MARS

for policy lookup 17-10

login dialog box

read-only policy page

disabling saving of credentials 17-19

enabling saving of credentials 17-19

Login Failure

procedure to unlock 3-15

log-input keyword

access lists on IOS routers 17-7

output details 17-7

login username, Security Manager

read-only access rule table 17-31

read-only signature policy table 17-34

log keyword

access lists on IOS routers 17-7

output details 17-7

looking up

access rules

from MARS, overview 17-4

from MARS, procedure 17-19

from MARS events (prerequisites) 17-20

from Multiple Devices window 17-21

from Multiple Events window 17-21

from Policy Table window 17-21

devices in MARS

for policy table query 17-4

signature policies

from MARS events (overview) 17-24

from MARS events (procedure) 17-24

low-latency query

for MARS events

display of policy query icon 17-11

parsing 17-11

M

MAC address report 21-7

management

events 24-1

IP 24-3

service 24-7

user 24-8

management traffic

between MARS and monitored devices

enabling 17-14

connection-related messages

access rule lookup from MARS 17-5

policy lookup

error message 17-12

mapping

Local Controller

to Security Manager 17-16

MARS

access rule lookup

overview 17-4

adding devices to 17-14

adding Security Manager to

users with admin privileges 17-9

audit trail 25-3

bootstrapping managed devices 17-14

checklist for

policy table lookup 17-13

committed view

of Security Manager policy 17-11

deployed view

of Security Manager policy 17-11

device lookup for policy query 17-4

devices

identifying for policy lookup 17-13

running supported software for lookup 17-13

device software versions

supported for policy lookup 17-11

downloading Security Manager 17-10

easily-readable event data 17-1

integration with Security Manager

for access rule lookup 17-1

for signature lookup 17-1

Local Controller

mapping to Security Manager 17-16

log files 25-2

mitigation of security threats

and policy changes 17-1

navigating to Incident Details page

from Incidents page 17-2

from Query page 17-2

from Summary page 17-2

policy table lookup

more accurate mapping of events in 4.3.4 and 5.3.4 17-5

read-only rule table, matched rules 17-3

reusing an existing Security Manager instance 17-3

time taken for 17-10

with Security Manager client not installed 17-3

with Security Manager client not running 17-3

with Security Manager in non-Workflow mode 17-3

with Security Manager in Workflow mode 17-3

with Security Manager session timed out 17-3

reusing Security Manager instance 17-10

sessionized events

access rule lookup 17-5

starting a new instance of Security Manager

with client session active 17-10

starting Security Manager client

for modifying policies 17-1

starting Security Manager for policy lookup

using Security Manager credentials 17-10

taskflow

for policy table query 17-2

User Configuration page

Security Manager credentials 17-10

versions 4.2.1 through 5.3.1

access rule lookup 17-5

versions 4.3.4 and 5.3.4

access rule lookup 17-5

versions supported

for read-only policy lookup 17-1

for read-write policy lookup 17-1

viewing security incidents 17-1

MARS appliance

activating 17-19

adding Security Manager to

with admin user privileges 17-9

without admin user privileges 17-9

adding Security Manager to (procedure) 17-16

comparing certificate from Security Manager

during policy lookup 17-9

configuring access to

Security Manager 17-15

solving conflict with stored certificate

during policy lookup 17-9

testing connectivity

with Security Manager 17-19

time synchronization

recommendation 17-14

MARS authentication

with Security Manager for policy lookup

credentials, caching of 17-9

deleting Security Manager from MARS 17-10

editing Security Manager credentials in MARS 17-10

MARS database

deleting

Security Manager credentials 17-10

Security Manager server from 17-10

saving Security Manager credentials

during policy lookup 17-18

submitting to

Security Manager addition 17-19

MARS events

for connection teardown

in realtime event viewer 17-12

generated by

management traffic 17-12

generated by custom signatures

and policy lookup 17-8

improved mapping of

to Security Manager policies 17-5

IPS

invalid details, policy lookup 17-13

looking up access rule

and editing 17-20

navigating from

to access rule policy 17-19

to IPS signature policy 17-24

of type

Context Data 17-7

NetFlow 17-8

Packet Data 17-7

parsing raw syslogs

for access rule lookup 17-5

policy lookup from

checklist for 17-13

sessionized

access rule lookup 17-5

policy query icon 17-11

with 5-tuple data

policy query icon and 17-5

MARS Global Controller

See Global Controller

MARS GUI

accessing using

Internet Explorer, note 17-21

MARS incidents

See incidents

MARS Local Controller

See Local Controller

MARS session

idle timeout, exceeding

and Security Manager client session 17-9

MARS session timeout

caching Security Manager credentials 17-9

MARS user account

defining in Common Services

associating with roles 17-15

for policy lookup 17-16

not defined in Common Services

prompting for credentials 17-10

MARS user credentials

cross-launch authentication

benefits of 17-18

defining 17-18

MARS user roles

Admin

editing Security Manager credentials 17-10

for modifying Security Manager credentials 17-9

Notifications Only

disabling saving of Security Manager credentials 17-10

Operator

disabling saving of Security Manager credentials 17-10

Security Analyst

editing Security Manager credentials 17-10

MARS web interface

policy table lookup

with Security Manager not installed 17-10

matched incident ranking 21-7

Matched Rule 20-3

matched rule ranking 21-7

matching access rules

retrieved during

policy lookup 17-3

matching rules

accurate mapping of syslogs 17-5

in read-only policy table

policy lookup from MARS 17-3

not found

during policy lookup 17-13

number of

for connection-related messages 17-5

permit ACE 17-5

matching signatures

in read-only policy table 17-8

policy lookup from MARS 17-8

MIB

MARS format 2-58

Microsoft Windows host, bootstrap 11-4

mitigate 20-5

mitigation

of security threats

using policy lookup from MARS 17-1

mitigation policy

suggested content 1-1

modal dialog box

looking up policy table

from MARS 17-10

Modems

line impedance matching filter 25-31

monitoring

network attacks

using MARS events 17-1

policy table lookup and 17-1

monitoring policy

suggested content 1-1

Multiple Devices window

description 17-21

Multiple Events window

description 17-21

MySDN

accessing from

read-only signature policy table in MARS 17-35

N

NAC, AAA server support 15-1

NAT connection report 21-7

navigating

from MARS events

to policies 17-1

to Security Manager 3.0.x or 3.1.x 17-8

to Security Manager 3.2 17-8

to access rule policy

from MARS events 17-19

to IPS signature policy

from MARS events 17-24

to other MARS pages

from read-only access rule table 17-30

from read-only signature policy table 17-34

to permit ACE

from ICMP connection-related messages 17-20

from TCP connection-related messages 17-20

from UDP connection-related messages 17-20

navigating from MARS

for configuring event action filters 17-8

NetFlow, enable processing 2-35

NetFlow 2-31

configuration 2-31

Global NetFlow UDP Port 2-36

NetFlow, bootstrap reporting devices 2-33

NetFlow, enable processing 2-36

NetFlow, examined networks 2-36

NetFlow, guidelines 2-33

NetFlow, how it is used 2-32

NetFlow, performance tuning 2-36

NetFlow, supported versions 2-32

NetFlow events

policy query icon for 17-8

NetScreen

IDP 2.x 7-47

IDP 3.x 7-47

IDP 4.0 7-47

IDP 4.1 7-47

IDP-Management Server 7-47

Security Manager 7-47

network/host objects

destination

read-only access rule table 17-32

expanding contents

read-only policy table 17-12

source

read-only access rule table 17-32

network administrators

associating with user account

for policy lookup from MARS 17-16

network group ranking 21-6

network operators

associating with user account

for policy lookup from MARS 17-15

network ranking 21-6

Network Status tab

Incidents 18-17

Top Destinations 18-18

Top Event Types 18-17

Top Sources 18-18

Network Summary dashboard

detecting incidents 17-19

viewing rules, events 17-19

non-Workflow mode

access rule matches

with Security Manager running 17-23

policy table lookup

from MARS events 17-3

with Security Manager client active 17-10

with Security Manager not running 17-10

notification traffic

between MARS and monitored devices

enabling 17-14

NP Identity Ifc keyword

TCP, UDP connection-related syslogs

access rule lookup and 17-5

NSDB

accessing from

read-only signature policy table in MARS 17-35

O

Order/Rank By 21-7

order by 21-7

bytes transmitted 21-8

incident count 21-8

session count 21-7

time 21-8

P

Packet Data events

huge syslog messages 17-7

on IPS and IDS sensors

policy query icon and 17-7

pager 23-11, 24-11

parsing

invalid syslog messages 17-13

MARS session object

for access rule lookup 17-5

missing 5-tuple data

events in MARS 17-11

raw IPS event messages

for signature policy lookup 17-7

raw syslogs

for access rule lookup from MARS 17-5

password

change default 25-8

password, Security Manager

read-only access rule table 17-31

read-only signature policy table 17-34

performance

of MARS

number of rules 17-11

of Security Manager

number of rules 17-11

PIX

add to MARS 5-14

bootstrapping 5-2

security context

add discovered 5-18

define reporting options for 5-19

make MARS aware of 5-17

PIX firewalls

supported software versions

for policy and events lookup 17-15

PIX Security Appliance, see PIX 5-1

PN Log Agent 15-7

PN Log Agent, error messages 15-10

PN MARS

seed file columns 2-23

policy lookup 17-12

policy lookup from MARS 17-11

policy query icon

displayed for

access rule matches 17-2

connection-related messages 17-2

signatures fired 17-2

displayed in

read-only lookup 17-5

read-write lookup 17-5

for access rules

not found on the device 17-12

for connection-related messages

generated by management traffic 17-5

for Context Data events 17-7

for devices with multiple contexts

without reporting IP address 17-8

for events in Global Controller 17-8

for NetFlow events 17-8

for Packet Data events 17-7

for Unknown Device Event Type

triggered by custom signatures 17-8

for unsupported syslog IDs

generated by IOS routers 17-7

Incident Details page 17-2

inconsistent display

query types and 17-11

in Reporting Device column 17-20

no matching rules, error 17-12

virtual sensors, error 17-12

policy query login dialog box

saving Security Manager credentials 17-9

Policy Query popup window

See read-only policy table

policy table lookup

associating user roles and permissions 17-8

authentication failure

during connection from MARS 17-2

authentication options

using MARS credentials 17-2

using Security Manager credentials 17-2

backward compatibility from MARS 4.3.4, 5.3.4

with Security Manager 3.0.x, 3.1.x 17-8

checklist for 17-13

cross-launch authentication settings 17-18

deleting

Security Manager credentials 17-10

device lookup query

sequence of actions 17-4

devices with multiple contexts

prerequisites for 17-4

error message 17-9, 17-10, 17-12

event action filter, configuring 17-3

for access rules

in MARS 4.2.1 through 5.3.1 17-5

parsing syslogs 17-5

for connection-related syslogs

number of matches 17-5

for the selected MARS event

with multiple device matches 17-3

with no device match 17-3

from MARS

for access rules in Security Manager 17-1

for signatures in Security Manager 17-1

sample case 17-1

signature, modifying 17-8

taskflow 17-2

guidelines for working 17-8

HTTPS connection with MARS 17-2

in read-only mode

absence of connection direction in syslogs 17-5

absence of post-NAT addresses in syslogs 17-5

supported Security Manager and MARS versions 17-1

in read-write mode

supported Security Manager and MARS versions 17-1

MARS user roles 17-9

modal dialog box 17-10

overview of

access rule lookup 17-4

prompting for credentials

MARS user not in Common Services 17-10

reusing an existing Security Manager instance 17-3

signature policies, overview 17-7

time taken for 17-10

with Security Manager client active

in non-Workflow mode 17-3

in Workflow mode 17-3

with Security Manager client not installed 17-3

with Security Manager client not running 17-3

with Security Manager session timed out 17-3

policy table lookup and

Cisco Secure ACS roles

policy table lookup from MARS 17-8

Policy Table window

See read-only policy table

description 17-21

post NAT destination addresses 21-11

post NAT source addresses 21-10

pre NAT destination addresses 21-11

pre NAT source addresses 21-10

protocol ranking 21-6

public networks 2-39

Q

queries

action

ANY 21-12

actions 21-12

criteria, matching

access rule lookup 17-23

destination IP 21-11

ANY 21-11

devices 21-11

IP addresses 21-11

IP ranges 21-11

networks 21-11

post NAT destination addresses 21-11

pre NAT destination addresses 21-11

devices 21-11

display format

all matching event raw messages 21-7

all matching events 21-7

all matching sessions 21-7

destination IP address ranking 21-6

destination ranking 21-6

event type group ranking 21-6

MAC address report 21-7

matched incident ranking 21-7

matched rule ranking 21-7

NAT connection report 21-7

protocol ranking 21-6

reporting device ranking 21-7

reporting device type ranking 21-7

source IP address ranking 21-6

source port ranking 21-6

unknown event report 21-7

use only firing events 21-8

event type grouping 21-11

event types 21-11

ANY 21-11

in MARS

low-latency 17-11

realtime event 17-11

operation

AND 21-12, 22-13

FOLLOWED-BY 21-12, 22-13

none 21-12, 22-13

OR 21-12, 22-13

parameters for

signature events 17-24

result format

destination network group ranking 21-6

destination network ranking 21-6

event type ranking 21-5

network group ranking 21-6

network ranking 21-6

reported user ranking 21-7

source network group ranking 21-6

source network ranking 21-6

results

returning incidents 17-20

rule 21-12

ANY 21-12

save as

reports 21-13

rules 21-13

service

ANY 21-11

defined services 21-11

service variables 21-11

severity

ANY 21-12

green 21-12

red 21-12

yellow 21-12

source IP

ANY 21-10

devices 21-10

IP addresses 21-10

IP ranges 21-10

networks 21-10

post NAT source addresses 21-10

pre NAT source addresses 21-10

variables 21-10

time range

last 21-8

start and end times 21-8

zone 21-12

query

display format 21-5

reporting device ranking 2-28

Query/Reports tab

identifying event

for access rule lookup 17-20

for signature policy lookup 17-25

identifying incident

for access rule lookup 17-20

for signature policy lookup 17-25

querying

for MARS events from devices

without reporting IP address 17-8

for Unknown Reporting Devices in MARS 17-8

Security Manager policies

from MARS events 17-1

Query page 21-1

defining query parameters

for access rule events 17-20

for signature events 17-24

R

rank by 21-7

bytes transmitted 21-8

incident count 21-8

session count 21-7

time 21-8

raw messages

archive folder location 25-4

file name format 25-4

maximum size stored 25-4

retrieve from local controller database 25-6

retrieving from archive server 25-3

read-only access rule table

first match highlighted 17-23

hyperlink in rule number 17-32

in MARS

viewing matched rules 17-3

interface objects 17-33

in the MARS GUI

field descriptions 17-30

login username, Security Manager 17-31

multiple matches 17-23

navigating

to Access Rules page 17-31

to a page number 17-23

navigating across pages 17-23

navigating to other MARS pages 17-30

network/host objects

destination 17-32

source 17-32

pagination 17-23

Security Manager icon

refreshing the page 17-31

Security Manager login credentials 17-31

Security Manager login password 17-31

selecting number of items 17-23

switching between matched rules 17-23

read-only mode

policy lookup from MARS and 17-1

read-only policy table

after display of

access rules, modifying 17-13

caching of query results 17-11

editing signature from 17-8

error message

corrective action 17-12

device added to MARS only 17-12

event action filter, configuring 17-8

expanding

network/host objects 17-12

service objects 17-12

matching access rules

for connection-related syslogs 17-5

matching rules 17-3

modifying policy

using Help Desk role 17-16

saving Security Manager credentials 17-18

starting Security Manager client from

for access rule syslogs 17-1

for signature syslogs 17-1

read-only signature policy page

accessing from

Dashboard 17-34

Incidents page 17-34

Query Reports tab 17-34

search for incident ID 17-34

adding

event action filter 17-29

editing signature 17-29

navigating

to other MARS pages 17-34

to Signatures page 17-34

Security Manager icon

refreshing the page 17-34

starting Security Manager client 17-29

viewing

Security Manager details 17-29

signature parameters 17-36

read-only signature policy table

opening

MySDN 17-35

NSDB 17-35

password, Security Manager 17-34

Security Manager login credentials 17-34

Security Manager login username 17-34

read-write mode

policy lookup from MARS and 17-1

realtime events

policy lookup

error message 17-11

realtime events lookup

device versions

supported for 17-15

realtime event viewer

access rule lookup

for connection teardown events 17-12

remediation policy

suggested content 1-1

removing

user 24-12

report

adding 21-25

delete 21-26

edit 21-26

new 21-25

reported user ranking 21-7

Reporting Applications tab

deleting

Security Manager credentials 17-10

dimming out

Security Manager credentials 17-10

MARS user roles

Notifications Only 17-10

Operator 17-10

Security Manager user credentials

for initial communication 17-9

using MARS credentials

not defined in Common Services 17-10

reporting device ranking 21-7

reporting device type ranking 21-7

reporting IP address

for devices with multiple contexts

policy table lookup 17-8

reports

viewing 21-19, 21-25

reports, view type, CSV 21-24

reports, view type, recent 21-24

reports, view type, total 21-24

report views, CSV 21-24

report views, peak 21-24

reports, view type, peak 21-24

report views, recent 21-24

report views, total 21-24

rules

destination IP

ANY 22-8

devices 22-8

DISTINCT 22-8

IP addresses 22-8

IP ranges 22-8

Network Groups 22-8

networks 22-8

SAME 22-8

variables 22-8

device 22-11

ANY 22-11

Unknown Reporting Device 22-11

variables 22-11

event type grouping 22-10

event types 22-10

ANY 22-10

variables 22-10

reported user

ANY 22-11

Invalid User Name 22-11

NONE 22-11

variables 22-11

service

ANY 22-9

defined groups 22-10

defined services 22-10

service variables 22-9

severity

ANY 22-12

green 22-12

red 22-12

yellow 22-12

source IP

devices 22-7

IP addresses 22-7

IP ranges 22-7

Network Groups 22-7

networks 22-7

variables 22-7

runtime logging 25-1

S

scheduling

discovery 2-40

security contexts

add discovered 5-18

define reporting options 5-19

make MARS aware of 5-17

Security Manager policy query icon

See policy query icon

Security Manager Policy Query page

See read-only policy table

security policies

objectives of 1-1

security policy

suggested content 1-1

see CVE 24-2

seed file

CSV file 2-21

loading 2-25

sensor ID

in IPS syslog messages in MARS

for virtual sensors 17-7

service

adding 24-8

deleting 24-8

editing 24-8

editing groups 24-7

service group

adding 24-7

service management 24-7

service objects

expanding contents

read-only policy table 17-12

read-only access rule table

displayed in MARS 17-32

service provider

adding 23-11, 24-11

services

adding group 24-7

session count 21-7

sessionized events

MARS

policy query icon 17-11

setting

runtime logging levels 25-1

Severity icons 20-3

Short Message Service

See SMS. 22-15

signature ID

parsed from IPS event messages

for signature policy lookup from MARS 17-7

signature policy lookup

See IPS signature policy lookup

signatures

description 17-7

hyperlinked ID

opening MySDN 17-35

opening NSDB 17-35

looking up from events

minimizing false negatives 17-24

minimizing false positives 17-24

tuning 17-24

modifying

during policy lookup from MARS 17-8

modifying on device

policy lookup, error 17-13

parameters, viewing

from read-only policy page in MARS 17-36

Signatures page

navigating from MARS events

with Security Manager not installed 17-29

with Security Manager running 17-29

with Security Manager timed out 17-29

signature summary table

for editing signatures 17-8

navigating from MARS 17-8

Simple Network Management Protocol

See SNMP. 22-15

SNMP RO, unsupported characters 2-9, 2-23, 2-30

Snort

syslog format expectation 7-43

Solaris host, bootstrap 11-2

source IP address ranking 21-6

source network group ranking 21-6

source network ranking 21-6

source port ranking 21-6

SSH

fingerprint validation 25-9

SSL

certificate validation 25-9

stacked charts 18-18

standard query

for MARS events

display of policy query icon 17-11

static information 20-10

subsignature ID

parsed from IPS event messages

for signature policy lookup from MARS 17-7

syslog

alert forwarding 2-55

disable relay 2-57

enable relay 2-56

forwarding

status reports 2-57

message forwarding 2-55

troubleshoot relay 2-57

syslog message IDs

for firewall devices

supported for policy lookup from MARS 17-6

for IOS routers

supported for policy lookup from MARS 17-7

supported for policy lookup from MARS

by firewall devices 17-6

unsupported

for policy lookup 17-13

policy query icon 17-13

syslog messages

for IPS events

absence of sensor ID 17-7

parsing 17-7

for Packet Data events 17-7

generated by access rules

supported for policy lookup from MARS 17-5

generated by connection setup/teardown

supported for policy lookup from MARS 17-5

generated by IOS 12.2 routers

example, with ACL name 17-6

generated by PIX firewalls

example, with access group name 17-6

parsing for access rule lookup from MARS 17-5

system administrators

associating with user account

for policy lookup from MARS 17-16

system determined false positive type 20-8

system log messages

changing the severity level 17-7

connection teardown

policy lookup, error 17-12

deployed rules

synchronization with device 17-11

for access rule lookup

with log keyword 17-6

without log keyword 17-6

for access rules on IOS routers

with log-input keyword 17-7

with log keyword 17-7

for IOS routers

contents 17-7

format

for ASA devices 17-6

for FWSM 17-6

for PIX devices 17-6

generated by access rules

unavailable on device 17-13

in MARS, generated by

access rules 17-3

connection setup/teardown 17-3

IPS signatures 17-3

invalid format

policy lookup 17-13

logging level

for access rule lookup 17-6

with default level and interval 17-6

T

table

incidents 20-5

taskflow

for policy table lookup

from MARS events 17-2

TCP connection-related message

access rule lookup 17-5

example

for an ASA device 17-6

testing

connectivity

between MARS and Security Manager 17-19

Time 20-3

time consumption

for policy table lookup

number of rules 17-11

with Security Manager client open 17-10

Timeout Interval, setting for GUI and CLI 18-5

time ranges

incidents 20-4

Topology

toggle device display 18-17

traffic flows

between MARS and devices

enabling 17-14

identify and enable 1-4

troubleshoot, cannot add device 2-20

troubleshoot, cannot re-add device 2-20

troubleshooting

access rules quickly

using policy lookup 17-1

firewall and signature configurations

using policy lookup 17-1

network events

using policy lookup from MARS 17-1

tuning

false positives 20-5, 20-9

U

UDP connection-related message

access rule lookup 17-5

example

for an ASA device 17-6

unconfirmed false positive type 20-8

Unknown Device Event Type

custom signatures and 17-8

unknown event report 21-7

Unknown Reporting Devices

querying for

in MARS 17-8

unlock

after login failure 3-15

CLI command

after login failure 3-4

use only firing events 21-8

user

adding 23-10, 24-9

editing 24-12

removing 24-12

user account

associating roles for

policy lookup 17-15

creating a separate one

for policy lookup 17-16

for MARS

defining in Security Manager 17-15

for Security Manager discovery

defining in MARS 17-18

separate one for audit trail 17-15

with admin privileges

for adding Security Manager to MARS 17-9

User Configuration page

disabling

saving of credentials 17-19

in MARS

deleting Security Manager credentials 17-10

editing Security Manager credentials 17-10

Security Manager credentials disabled 17-10

message, displaying

while using MARS credentials 17-19

user confirmed false positive type 20-8

user confirmed positive type 20-8

user credentials

for Security Manager discovery

defining in MARS 17-18

of Security Manager added to MARS

in Reporting Applications tab 17-9

in the User Configuration page 17-9

Reporting Applications tab of MARS

different from those in User Configuration page 17-9

User Configuration page of MARS

authenticating Security Manager 17-9

populated from policy query login dialog box 17-9

user group

adding 24-12

user management 24-8

roles defined 24-9

user roles

for policy lookup from MARS 17-15

for policy table lookup from MARS 17-8

in MARS

editing Security Manager credentials 17-10

modifying Security Manager credentials 17-9

Notifications Only 17-10

Operator 17-10

V

validation

fingerprint 25-9

valid networks 2-39

variables 21-10, 21-11, 22-7, 22-8

views

committed 17-11

deployed

policy lookup from MARS 17-11

virtual sensors

signature policy lookup

from MARS events 17-7

W

Workflow mode

access rule matches

with Security Manager running 17-23

policy table lookup

editable activities 17-10

from MARS events 17-3

with Security Manager client active 17-10

with Security Manager not running 17-10

Z

zone planning

for Global Controller 17-16

for multiple Local Controllers 17-16