Index
Numerics
4.3.2
MARS version
read-only policy lookup 18-8
4.3.4
MARS version
policy lookup, read-write 18-8
5.3.4
MARS version
policy lookup, read-write 18-8
5-tuple data
access rule lookup from MARS and 18-3
low-latency event query 18-11
parsing during access rule lookup 18-5
policy table lookup from MARS and 18-3
802.1x, logging in Cisco Secure ACS 15-5
A
AAA authentication
and Cisco Secure ACS
for policy lookup 18-15
AAA devices 15-1
AAA server
add 3-8
delete 3-15
servers supported 3-1
access rule events
in MARS
looking up policy table 18-3
access rule lookup
authentication failure
during connection from MARS 18-2
communication
between MARS and Security Manager 18-14
deployed changes
synchronization with 18-11
device lookup query
sequence of actions 18-4
with a unique hostname 18-4
without any domain and hostname 18-4
device lookup results and 18-4
device software versions
supported for 18-15
devices with multiple contexts
prerequisites for 18-4
error message 18-12
expanding
network/host objects 18-12
service objects 18-12
for syslog messages
on IOS routers 18-7
for the selected MARS event
with multiple device matches 18-3
with no device match 18-3
from MARS
in read-only mode 18-1
in read-write mode 18-1
overview 18-4
sample case 18-1
taskflow 18-2
without Security Manager client running 18-3
from MARS events
in Security Manager 3.0.1 through 3.1.1 18-5
in Security Manager 3.2 18-5
guidelines for working 18-8
in MARS 4.3.4 and 5.3.4 18-5
parsing raw syslogs 18-5
in read-only mode
supported MARS versions 18-4
supported Security Manager versions 18-5
in read-write mode
improved rule matching accuracy 18-5
supported MARS versions 18-4
supported Security Manager versions 18-5
looking up device in MARS 18-4
MARS session object 18-5
multiple matches
for syslogs with insufficient details for parsing 18-6
starting a new client session 18-10
supported syslog IDs
for firewall devices 18-6
syslog messages supported
by IOS routers 18-6
by security appliances 18-6
syslogs supported for
by firewall devices 18-6
with multiple hostname matches 18-4
with Security Manager client active
in non-Workflow mode 18-3
in Workflow mode 18-3
with Security Manager client timed out 18-10
access rules
empty
policy lookup from MARS 18-12
hyperlink in rule number
read-only policy table 18-32
looking up
from MARS events (prerequisites) 18-20
from MARS events (procedure) 18-19
modified
after read-only policy display 18-13
not synchronized with device 18-13
on higher security interface, inbound
policy lookup 18-13
on lower security interface, inbound
policy lookup 18-13
policy query icon 18-12
on lower security interface, outbound
policy lookup 18-13
unavailable on the device
for MARS syslogs 18-13
Access Rules page
expanding objects
lookup from MARS events 18-23
highlighted row
after policy lookup from MARS 18-23
looking up
from MARS events 18-23
with Security Manager not installed 18-23
with Security Manager running 18-23
with Security Manager timed out 18-23
Accounts
expired
unlocking 3-4
ACS
configuring user names 3-8
Action 21-3
Activate button 23-18, 23-19, 23-21, 23-23, 25-1
activating reporting devices 2-28
explanation 19-7
what it does 2-28
when multiple users are logged in 19-8
when to use 2-28
Activation Settings page 19-9
activities
in an editable state
and policy table lookup from MARS 18-3
policy table lookup
with Security Manager client active 18-10
Add Event Action Filter dialog box
fields with
default values 18-29
values from MARS events 18-29
read-only signature policy page
in the MARS GUI 18-29
adding
cell phone number 24-11, 25-11
CSV file 2-21
devices 2-18
manually 2-18
seed file 2-21
drop rules 23-22
event groups 25-3
inspection rules 23-19
pager number 24-11, 25-11
seed file 2-21
service 25-8
user 24-10, 25-9
user group 25-12
adding IP groups 25-4
adding service provider 24-11, 25-11
Admin role
adding Security Manager
to MARS 18-16
admin roles, see user management 25-9
Adobe SVG 19-15
alert
action 23-15
Distributed Threat Management 23-15
Email 23-15
NONE 23-15
Page 23-15
SMS 23-15
SNMP 23-15
Syslog 23-15
hard drive 26-21
alerts 24-1
all matching event raw messages 22-7
all matching events 22-7
all matching sessions 22-7
anomaly detection, see NetFlow 2-32
approvers
associating with user account
for policy lookup from MARS 18-15
archive server
retrieving raw messages 26-3
ASA devices
supported software versions
for policy and events lookup 18-15
with multiple contexts
and policy lookup from MARS 18-4
prerequisite for policy table lookup 18-4
attack diagram 19-15
attack paths
L2 21-5
L3 21-5
audit trail 26-3
authentication
of MARS for policy lookup
Security Manager deleted from MARS 18-10
authentication settings
for MARS to access
Security Manager 18-15
policy table lookup
allow saving of credentials 18-19
using MARS credentials 18-18
using Security Manager credentials 18-18
B
backward compatibility
of policy table lookup
with Security Manager 3.0.x, 3.1.x 18-8
beep code 26-32
bootstrap
devices 1-5
bootstrapping
devices
for policy lookup 18-14
Security Manager server
for communication with MARS 18-15
bootstrapping devices
managed by MARS 18-14
browser settings
File Download dialog box 18-23
bytes transmitted 22-8
C
caching
MARS events
sessionization 18-11
policy rules
in read-only policy window 18-11
reusing query results 18-11
Security Manager credentials
until MARS session is active 18-9
Catalyst 6500 Series switches
supported software versions
for policy and events lookup 18-15
cell phone paging 24-11, 25-11
certificate
monitor status 26-11
upgrading from expired or fingerprint 26-11
certificate comparison
by MARS
conflict detection 18-9
storing a fresh copy after prompting 18-9
storing a fresh copy automatically 18-9
certificates
presented by Security Manager
compared by MARS during policy lookup 18-9
changing
drop rule status 23-21
inspection rule status 23-17
Cisco Adaptive Security Appliance, see Cisco ASA 5-1
Cisco ASA
add to MARS 5-14
bootstrapping 5-2
security context
add discovered 5-18
define reporting options for 5-19
make MARS aware of 5-17
Cisco Firewall Services Modules, see Cisco FWSM 5-1
Cisco FWSM
add to MARS 5-14
bootstrapping 5-2
security context
add discovered 5-18
define reporting options for 5-19
make MARS aware of 5-17
Cisco IOS routers
access lists with
log-input keyword 18-7
log keyword 18-7
access rule lookup
from MARS 18-2
supported software versions
for policy and events lookup 18-15
supported syslog IDs
for policy lookup 18-7
Cisco Network Security Database
See NSDB
Cisco Secure ACS
access settings for
MARS appliance 18-15
configuring user names 3-8
roles for
policy table lookup 18-16
Cisco Secure ACS, 802.1x feature support 15-5
Cisco Secure ACS, 802.1x support 15-1
Cisco Secure ACS, audit logs required by MARS 15-3
Cisco Secure ACS, bootstrap 15-3
Cisco Secure ACS, event logs studied by MARS 15-1
Cisco Secure ACS, MARS agent 15-7
Cisco Secure ACS, NAC support 15-1
Cisco Secure ACS, representing in MARS 15-12
Cisco Secure ACS, server support 15-2
Cisco Secure ACS, solution engine support 15-2
Cisco Secure ACS, supported versions 15-1
Cisco Secure ACS, TACACS+ command authorization 15-7
Cisco Security Manager Policy Query page
See read-only policy table
Cisco Security MARS
See MARS
Collapse All 21-5
columns
seed file 2-23
Common Services
AAA authentication for
MARS appliance 18-15
MARS user account, creating 18-16
MARS user not defined in
policy lookup 18-10
user account not defined in
logging in to MARS 18-10
Common Services roles
policy table lookup from MARS
Help Desk role 18-8
Common Vulnerabilities and Exposures 25-2
community strings 2-38
configuration
NetFlow 2-31
connection establishment messages
looking up access rules from MARS 18-2
connection protocol
between MARS and Security Manager
for policy table lookup 18-2
with MARS 18-18
connection-related messages
access rule lookup from MARS 18-3
generated by
outbound traffic, policy lookup 18-13
ICMP
access rule lookup from MARS events 18-5
management traffic
NP Identity Ifc keyword 18-5
number of matches
for access rule lookup 18-5
TCP
access rule lookup from MARS events 18-5
UDP
access rule lookup from MARS events 18-5
connection setup message
and session termination 18-5
common ID with teardown message 18-5
defining 18-5
connection teardown messages
2-minute gap with
connection setup 18-12
and corresponding setup syslog 18-5
direction details 18-5
in a different session from setup 18-12
looking up access rules from MARS 18-2
pre-NATed address 18-5
realtime event viewer 18-12
connectivity failure
from MARS to Security Manager
error message 18-9
connectivity test
between MARS and Security Manager
configuring administrative host 18-19
correct credentials 18-19
error message 18-19
failure due to incorrect credentials 18-9
success 18-19
Context Data events
on IPS and IDS sensors
policy query icon and 18-7
creating
report 22-25
cross-launch authentication settings
for policy lookup
allow saving of credentials 18-18
prompting user for credentials 18-18
using MARS credentials 18-18
modifying
to disable saving of Security Manager credentials 18-10
saving in MARS
for Security Manager not added 18-16
cross-launching
Security Manager client
from MARS events 18-1
without secure connection 18-9
CsmContentProvider file
downloading
during policy lookup 18-23
File Download dialog box
preventing from appearing 18-23
CSV files 2-21
custom log parser
selecting traffic type 17-14
custom signatures
policy lookup for 18-8
unknown device event type 18-27
CVE 25-2
D
Daemon Manager
not running on Security Manager
policy table lookup 18-9
data reduction 19-14
default certificate response
change 26-10
default fingerprint response
change 26-10
default password
change 26-8
deleting service 25-8
deployment
of access rule changes
synchronization with device 18-11
destination IP address ranking 22-6
destination network group ranking 22-6
destination network ranking 22-6
destination ranking 22-6
device, re-add 2-20
device lookup
for policy query from MARS
discovered devices 18-4
multiple matching hostnames 18-4
parameters passed 18-4
renaming device name 18-4
reporting IP address 18-4
single matching hostname 18-4
without domain name 18-4
devices
access rule lookup
from MARS 18-2
added to MARS only
policy lookup 18-12
adding to MARS 18-14
bootstrap overview 1-5
bootstrapping
for policy lookup 18-14
managed by MARS 18-14
define
overview 1-6
deleting 2-20
deleting all displayed 2-20
discovered but not submitted
policy lookup, error 18-12
edit 2-19
in MARS
multiple matches during policy lookup 18-3
no match during policy lookup 18-3
time synchronization, recommendation 18-14
managed by MARS and Security Manager
running compatible software version 18-13
managed by Security Manager
preparing for policy lookup 18-14
management traffic
between MARS and 18-14
mitigation
monitored by MARS 18-13
notification traffic
between MARS and 18-14
reporting
monitored by MARS 18-13
software versions
supported by MARS and Security Manager 18-15
synchronization with
changed policies 18-11
versions supported for policy lookup
by MARS and Security Manager 18-11
with matching hostname
policy lookup from MARS 18-4
with matching IP address
policy lookup from MARS 18-4
with multiple contexts
Device Properties page 18-4
differing host and context names 18-4
logging configuration 18-6
policy query icon 18-8
reporting IP address in MARS 18-8
setting hostname for policy lookup from MARS 18-4
without a unique match
policy lookup from MARS 18-4
without matching host and domain names
policy lookup from MARS 18-4
diagnostics
beep codes 26-32
diagrams
attack 19-15
discovering networks
automatic 2-40
discovery
in MARS
devices that do not allow 18-4
devices that support 18-4
scheduling 2-40
updating 2-40
display format
query 22-5
drop rule
active and inactive 23-21
drop rules
adding 23-22
editing 23-22
drop rule status
changing 23-21
dynamic information 21-10
dynamic vulnerability scanning 2-30
E
editing
drop rules 23-22
host information 25-6
inspection rules 23-18
IP groups 25-4
service 25-8
user 25-12
error message
testing connectivity
between MARS and Security Manager 18-19
error messages
policy table lookup from MARS
access rules not on device 18-12
addition of multiple Security Managers to Local Controller 18-8
changed Security Manager credentials not updated in MARS 18-9
connection setup syslog unavailable 18-12
connection teardown events in realtime viewer 18-12
connectivity to Security Manager 18-9
Daemon Manager not running on Security Manager 18-9
device added to MARS only 18-12
discovered but unsubmitted devices 18-12
empty access rules 18-12
HTTPS not enabled on Security Manager 18-9
implicit permit statement in access rules 18-13
incorrect Security Manager login credentials 18-9
management traffic events 18-12
modal dialog box open 18-10
modified signature on device 18-13
RPC connection failure 18-11
unsynchronized changes 18-11
event action filter
configuring
during policy table lookup from MARS 18-3
saving as a local policy 18-29
event groups 25-3
event log
changing pulling time interval for Windows 11-11
event management 25-1
editing 25-2
events
in MARS
caching, sessionization 18-11
in MARS, generated by
access rules 18-3
connection setup/teardown 18-3
IPS signatures 18-3
management traffic 18-12
in MARS, identifying
for access rule lookup 18-20
events lookup
device software versions
supported for 18-15
Event Type 21-3
event type group ranking 22-6
event type ranking 22-5
Expand All 21-5
expired
accounts 3-4
expired certificate 26-11
F
false positive
system determined 21-8
unconfirmed 21-8
user confirmed
false positive 21-8
positive 21-8
false positives
minimizing
signature tuning 18-7
tuning 21-5
tuning signatures 18-7
File Download dialog box
policy table lookup
from MARS events 18-23
preventing from appearing 18-23
filter
modem 26-31
fingerprint validation 26-9
FWSM
access rule lookup
from MARS 18-2
supported software versions
for policy and events lookup 18-15
with multiple contexts
and policy lookup from MARS 18-4
prerequisite for policy table lookup 18-4
G
gateways
intermediate
allowing flows between MARS and devices 18-14
Global Controller
policy query icon for events 18-8
policy table lookup and 18-8
viewing Security Manager server from 18-8
zone planning for
Security Manager mapping 18-16
H
hard drive
failure alert 26-21
hotswap procedure for MARS 55, 110R, 110, 210, GC2R, and GC2 26-26
raidstatus command 26-20
replacing in carrier 26-29
slot number diagram, MARS 55, 110R, 110, 210, GC2R, and GC2 26-25
hardware maintenance
MARS 55, 110, 110R, 210, GC2R, GC2 26-18
Help Desk role
modifying policy
from read-only policy table 18-16
historical events
policy lookup
error message 18-11
historical events lookup
device versions
supported for 18-15
hosts
adding 25-5
adding Security Manager on
a new one 18-17
an existing one 18-17
editing 25-6
Hot Spot Graph 19-15
hotswap
hard drives 26-20
power supply 26-30
procedure for MARS 55, 110R, 110, 210, GC2R, and GC2 26-26
I
ICMP connection-related messages
absence of necessary parameters 18-5
access rule lookup from MARS 18-5
accuracy of matching policies 18-5
example
for an ASA device 18-6
management traffic
access rule lookup 18-5
identifying 18-13
idle session timeout
of Security Manager
authentication of MARS 18-9
login credentials prompt during policy lookup 18-9
policy table lookup 18-9
idle timeout
exceeded for MARS session
without Security Manager client open before lookup 18-9
with Security Manager login credentials for lookup 18-9
IDSM-2 modules
supported software versions
for policy and events lookup 18-15
IDS sensors
Context Data events
and signature policy lookup 18-7
Packet Data events
and signature policy lookup 18-7
signature policy lookup
from MARS events 18-7
IIS
adding Security Manager
on an existing host 18-17
implicit permit
configured in access rules
lookup from MARS events 18-13
incident count 22-8
Incident Details page 21-4
accessing from
a search 18-20
Dashboard 18-20
Incidents page 18-20
Query/Reports tab 18-20
navigating to
read-only policy page 18-20
read-only signature policy page 18-24
policy query icon
for access rule lookup 18-20
for signature lookup 18-24
Incident ID 21-3
incident ID
Dashboard 18-20
Incidents page 18-20
locating using a search 18-20
Query Results page 18-20
Incident Path 21-3
incidents 19-13
action 21-3
correlation to events 18-19
description 18-19
event type 21-3
incident ID 21-3
incident path 21-3
incident vector 21-3
in MARS
policy table lookup and 18-2
instances 21-6
looking up access rule
and editing 18-20
matched rule 21-3
ranked by bytes transmitted 18-20
ranked by sessions 18-20
severity 21-3
time 21-3
time ranges 21-4
Incidents page
detecting incidents 18-19
viewing rules, events 18-19
incident table 21-5
Incident Vector 21-3
inspection rule
active and inactive 23-17
inspection rules
adding 23-19
editing 23-18
inspection rule status
changing 23-17
instances
incidents 21-6
interface objects
read-only access rule table
displayed in MARS 18-33
viewing contents
from read-only policy table 18-23
Internet Explorer
accessing MARS GUI using
for access rule lookup 18-21
for signature policy lookup 18-29
cached passwords
policy table lookup 18-21
File Download dialog box 18-23
remembered passwords
policy table lookup 18-21
Internet Information Services
See IIS
interoperation
of MARS and Security Manager
for policy lookup 18-1
IOS IPS devices
signature policy lookup
from MARS 18-2
IOS IPS sensors
supported software versions
for policy and events lookup 18-15
IP groups
adding 25-4
editing 25-4
IP management 25-3
adding
hosts 25-5
IP range 25-4
network 25-4
variable 25-4
IPS events
error message
invalid details 18-13
in MARS
fired by a signature 18-7
signature policy lookup 18-3
IPS sensors
Context Data events
and signature policy lookup 18-7
Packet Data events
and signature policy lookup 18-7
signature policy lookup
from MARS 18-2
supported software versions
for policy and events lookup 18-15
IPS signature policy lookup
authentication failure
during connection from MARS 18-2
communication
between MARS and Security Manager 18-14
device lookup query
sequence of actions 18-4
device software versions
supported for 18-15
error message, invalid events 18-13
error message, modified signature 18-13
event action filter, configuring 18-3
fields parsed from raw syslogs
for IPS events in MARS 18-7
for MARS events of type
Context Data 18-7
Packet Data 18-7
from MARS
for virtual sensors, error message 18-3
sample case 18-1
taskflow 18-2
without Security Manager client running 18-3
guidelines for working 18-8
looking up devices in MARS 18-4
overview 18-7
signature ID, using 18-7
starting a new client session 18-10
subsignature ID, using 18-7
with Security Manager client active
in non-Workflow mode 18-3
in Workflow mode 18-3
with Security Manager client timed out 18-10
IPS virtual sensors
signature policy lookup
from MARS events 18-7
L
L2 attack path 21-5
L3 attack path 21-5
Linux host, bootstrap 11-2
loading
MARS
seed file 2-25
Local Controller
adding
multiple Security Manager servers to 18-8
one Security Manager server to 18-8
adding Security Manager to
prerequisites 18-16
procedure 18-16
supported versions 18-16
using Admin role 18-16
defining for Security Manager
access IP address 18-17
credentials for discovery 18-18
hostname 18-17
interface details 18-17
operating system 18-17
reporting IP address 18-17
mapping to Security Manager 18-16
policy lookup
for managed devices 18-16
querying one Security Manager 18-16
same Security Manager on multiple
defining 18-16
Security Manager not added to
user credential fields 18-16
zone planning for multiple
mapping to Security Manager 18-16
Local User Setup page
defining
MARS user account 18-18
log files 26-2
logging in to
MARS
using an account not in Common Services 18-10
using read/write privileges 18-10
Security Manager
after error during policy lookup 18-11
using a different account from the one in MARS 18-10
logging level
changing for firewalls
and syslogs in MARS 18-6
default
large number of events 18-7
logging message command 18-7
logging traffic
between MARS and monitored devices
enabling 18-14
login credentials
of Security Manager
saved in MARS during policy lookup 18-9
login credentials, Security Manager
authenticating MARS
Security Manager deleted from MARS 18-10
deleting
from User Configuration page 18-10
editing
from User Configuration page in MARS 18-10
read-only signature policy table 18-34
saving during policy lookup 18-18
using a different account from the one in MARS
for policy lookup 18-10
login dialog box
read-only policy page
disabling saving of credentials 18-19
enabling saving of credentials 18-19
Login Failure
procedure to unlock 3-15
log-input keyword
access lists on IOS routers 18-7
output details 18-7
login username, Security Manager
read-only access rule table 18-31
read-only signature policy table 18-34
log keyword
access lists on IOS routers 18-7
output details 18-7
looking up
access rules
from MARS, overview 18-4
from MARS, procedure 18-19
from MARS events (prerequisites) 18-20
from Multiple Devices window 18-21
from Multiple Events window 18-21
from Policy Table window 18-21
devices in MARS
for policy table query 18-4
signature policies
from MARS events (overview) 18-24
from MARS events (procedure) 18-24
low-latency query
for MARS events
display of policy query icon 18-11
parsing 18-11
M
MAC address report 22-7
management
events 25-1
IP 25-3
service 25-7
user 25-8
management traffic
between MARS and monitored devices
enabling 18-14
connection-related messages
access rule lookup from MARS 18-5
policy lookup
error message 18-12
mapping
Local Controller
to Security Manager 18-16
MARS
access rule lookup
overview 18-4
adding devices to 18-14
adding Security Manager to
users with admin privileges 18-9
audit trail 26-3
bootstrapping managed devices 18-14
checklist for
policy table lookup 18-13
committed view
of Security Manager policy 18-11
deployed view
of Security Manager policy 18-11
device lookup for policy query 18-4
devices
identifying for policy lookup 18-13
running supported software for lookup 18-13
device software versions
supported for policy lookup 18-11
downloading Security Manager 18-10
easily-readable event data 18-1
integration with Security Manager
for access rule lookup 18-1
for signature lookup 18-1
Local Controller
mapping to Security Manager 18-16
log files 26-2
mitigation of security threats
and policy changes 18-1
navigating to Incident Details page
from Incidents page 18-2
from Query page 18-2
from Summary page 18-2
policy table lookup
more accurate mapping of events in 4.3.4 and 5.3.4 18-5
read-only rule table, matched rules 18-3
reusing an existing Security Manager instance 18-3
time taken for 18-10
with Security Manager client not installed 18-3
with Security Manager client not running 18-3
with Security Manager in non-Workflow mode 18-3
with Security Manager in Workflow mode 18-3
with Security Manager session timed out 18-3
reusing Security Manager instance 18-10
sessionized events
access rule lookup 18-5
starting a new instance of Security Manager
with client session active 18-10
starting Security Manager client
for modifying policies 18-1
starting Security Manager for policy lookup
using Security Manager credentials 18-10
taskflow
for policy table query 18-2
User Configuration page
Security Manager credentials 18-10
versions 4.2.1 through 5.3.1
access rule lookup 18-5
versions 4.3.4 and 5.3.4
access rule lookup 18-5
versions supported
for read-only policy lookup 18-1
for read-write policy lookup 18-1
viewing security incidents 18-1
MARS appliance
activating 18-19
adding Security Manager to
with admin user privileges 18-9
without admin user privileges 18-9
adding Security Manager to (procedure) 18-16
comparing certificate from Security Manager
during policy lookup 18-9
configuring access to
Security Manager 18-15
solving conflict with stored certificate
during policy lookup 18-9
testing connectivity
with Security Manager 18-19
time synchronization
recommendation 18-14
MARS authentication
with Security Manager for policy lookup
credentials, caching of 18-9
deleting Security Manager from MARS 18-10
editing Security Manager credentials in MARS 18-10
MARS database
deleting
Security Manager credentials 18-10
Security Manager server from 18-10
saving Security Manager credentials
during policy lookup 18-18
submitting to
Security Manager addition 18-19
MARS events
for connection teardown
in realtime event viewer 18-12
generated by
management traffic 18-12
generated by custom signatures
and policy lookup 18-8
improved mapping of
to Security Manager policies 18-5
IPS
invalid details, policy lookup 18-13
looking up access rule
and editing 18-20
navigating from
to access rule policy 18-19
to IPS signature policy 18-24
of type
Context Data 18-7
NetFlow 18-8
Packet Data 18-7
parsing raw syslogs
for access rule lookup 18-5
policy lookup from
checklist for 18-13
sessionized
access rule lookup 18-5
policy query icon 18-11
with 5-tuple data
policy query icon and 18-5
MARS Global Controller
See Global Controller
MARS GUI
accessing using
Internet Explorer, note 18-21
MARS incidents
See incidents
MARS Local Controller
See Local Controller
MARS session
idle timeout, exceeding
and Security Manager client session 18-9
MARS session timeout
caching Security Manager credentials 18-9
MARS user account
defining in Common Services
associating with roles 18-15
for policy lookup 18-16
not defined in Common Services
prompting for credentials 18-10
MARS user credentials
cross-launch authentication
benefits of 18-18
defining 18-18
MARS user roles
Admin
editing Security Manager credentials 18-10
for modifying Security Manager credentials 18-9
Notifications Only
disabling saving of Security Manager credentials 18-10
Operator
disabling saving of Security Manager credentials 18-10
Security Analyst
editing Security Manager credentials 18-10
MARS web interface
policy table lookup
with Security Manager not installed 18-10
matched incident ranking 22-7
Matched Rule 21-3
matched rule ranking 22-7
matching access rules
retrieved during
policy lookup 18-3
matching rules
accurate mapping of syslogs 18-5
in read-only policy table
policy lookup from MARS 18-3
not found
during policy lookup 18-13
number of
for connection-related messages 18-5
permit ACE 18-5
matching signatures
in read-only policy table 18-8
policy lookup from MARS 18-8
MIB
MARS format 2-58
Microsoft Windows host, bootstrap 11-4
mitigate 21-5
mitigation
of security threats
using policy lookup from MARS 18-1
mitigation policy
suggested content 1-1
modal dialog box
looking up policy table
from MARS 18-10
Modems
line impedance matching filter 26-31
monitoring
network attacks
using MARS events 18-1
policy table lookup and 18-1
monitoring policy
suggested content 1-1
Multiple Devices window
description 18-21
Multiple Events window
description 18-21
MySDN
accessing from
read-only signature policy table in MARS 18-35
N
NAC, AAA server support 15-1
NAT connection report 22-7
navigating
from MARS events
to policies 18-1
to Security Manager 3.0.x or 3.1.x 18-8
to Security Manager 3.2 18-8
to access rule policy
from MARS events 18-19
to IPS signature policy
from MARS events 18-24
to other MARS pages
from read-only access rule table 18-30
from read-only signature policy table 18-34
to permit ACE
from ICMP connection-related messages 18-20
from TCP connection-related messages 18-20
from UDP connection-related messages 18-20
navigating from MARS
for configuring event action filters 18-8
NetFlow, enable processing 2-35
NetFlow 2-31
configuration 2-31
Global NetFlow UDP Port 2-36
NetFlow, bootstrap reporting devices 2-33
NetFlow, enable processing 2-36
NetFlow, examined networks 2-36
NetFlow, guidelines 2-33
NetFlow, how it is used 2-32
NetFlow, performance tuning 2-36
NetFlow, supported versions 2-32
NetFlow events
policy query icon for 18-8
NetScreen
IDP 2.x 7-47
IDP 3.x 7-47
IDP 4.0 7-47
IDP-Management Server 7-47
Security Manager 7-47
network/host objects
destination
read-only access rule table 18-32
expanding contents
read-only policy table 18-12
source
read-only access rule table 18-32
network administrators
associating with user account
for policy lookup from MARS 18-16
network group ranking 22-6
network operators
associating with user account
for policy lookup from MARS 18-16
network ranking 22-6
Network Status tab
Incidents 19-17
Top Destinations 19-18
Top Event Types 19-18
Top Sources 19-18
Network Summary dashboard
detecting incidents 18-19
viewing rules, events 18-19
non-Workflow mode
access rule matches
with Security Manager running 18-23
policy table lookup
from MARS events 18-3
with Security Manager client active 18-10
with Security Manager not running 18-10
notification traffic
between MARS and monitored devices
enabling 18-14
NP Identity Ifc keyword
TCP, UDP connection-related syslogs
access rule lookup and 18-5
NSDB
accessing from
read-only signature policy table in MARS 18-35
O
Order/Rank By 22-7
order by 22-7
bytes transmitted 22-8
incident count 22-8
session count 22-7
time 22-8
P
Packet Data events
huge syslog messages 18-7
on IPS and IDS sensors
policy query icon and 18-7
pager 24-11, 25-11
parsing
invalid syslog messages 18-13
MARS session object
for access rule lookup 18-5
missing 5-tuple data
events in MARS 18-11
raw IPS event messages
for signature policy lookup 18-7
raw syslogs
for access rule lookup from MARS 18-5
password
change default 26-8
password, Security Manager
read-only access rule table 18-31
read-only signature policy table 18-34
performance
of MARS
number of rules 18-11
of Security Manager
number of rules 18-11
PIX
add to MARS 5-14
bootstrapping 5-2
security context
add discovered 5-18
define reporting options for 5-19
make MARS aware of 5-17
PIX firewalls
supported software versions
for policy and events lookup 18-15
PIX Security Appliance, see PIX 5-1
PN Log agent 15-7
PN Log Agent, error messages 15-10
PN MARS
seed file columns 2-23
policy lookup 18-12
policy lookup from MARS 18-11
policy query icon
displayed for
access rule matches 18-2
connection-related messages 18-2
signatures fired 18-2
displayed in
read-only lookup 18-5
read-write lookup 18-5
for access rules
not found on the device 18-12
for connection-related messages
generated by management traffic 18-5
for Context Data events 18-7
for devices with multiple contexts
without reporting IP address 18-8
for events in Global Controller 18-8
for NetFlow events 18-8
for Packet Data events 18-7
for Unknown Device Event Type
triggered by custom signatures 18-8
for unsupported syslog IDs
generated by IOS routers 18-7
Incident Details page 18-2
inconsistent display
query types and 18-11
in Reporting Device column 18-20
no matching rules, error 18-12
virtual sensors, error 18-12
policy query login dialog box
saving Security Manager credentials 18-9
Policy Query popup window
See read-only policy table
policy table lookup
associating user roles and permissions 18-8
authentication failure
during connection from MARS 18-2
authentication options
using MARS credentials 18-2
using Security Manager credentials 18-2
backward compatibility from MARS 4.3.4, 5.3.4
with Security Manager 3.0.x, 3.1.x 18-8
checklist for 18-13
cross-launch authentication settings 18-18
deleting
Security Manager credentials 18-10
device lookup query
sequence of actions 18-4
devices with multiple contexts
prerequisites for 18-4
error message 18-9, 18-10, 18-12
event action filter, configuring 18-3
for access rules
in MARS 4.2.1 through 5.3.1 18-5
parsing syslogs 18-5
for connection-related syslogs
number of matches 18-5
for the selected MARS event
with multiple device matches 18-3
with no device match 18-3
from MARS
for access rules in Security Manager 18-1
for signatures in Security Manager 18-1
sample case 18-1
signature, modifying 18-8
taskflow 18-2
guidelines for working 18-8
HTTPS connection with MARS 18-2
in read-only mode
absence of connection direction in syslogs 18-5
absence of post-NAT addresses in syslogs 18-5
supported Security Manager and MARS versions 18-1
in read-write mode
supported Security Manager and MARS versions 18-1
MARS user roles 18-9
modal dialog box 18-10
overview of
access rule lookup 18-4
prompting for credentials
MARS user not in Common Services 18-10
reusing an existing Security Manager instance 18-3
signature policies, overview 18-7
time taken for 18-10
with Security Manager client active
in non-Workflow mode 18-3
in Workflow mode 18-3
with Security Manager client not installed 18-3
with Security Manager client not running 18-3
with Security Manager session timed out 18-3
policy table lookup and
Cisco Secure ACS roles
policy table lookup from MARS 18-8
Policy Table window
See read-only policy table
description 18-21
post NAT destination addresses 22-11
post NAT source addresses 22-10
pre NAT destination addresses 22-11
pre NAT source addresses 22-10
protocol ranking 22-6
public networks 2-39
Q
queries
action
ANY 22-12
actions 22-12
criteria, matching
access rule lookup 18-23
destination IP 22-11
ANY 22-11
devices 22-11
IP addresses 22-11
IP ranges 22-11
networks 22-11
post NAT destination addresses 22-11
pre NAT destination addresses 22-11
devices 22-11
display format
all matching event raw messages 22-7
all matching events 22-7
all matching sessions 22-7
destination IP address ranking 22-6
destination ranking 22-6
event type group ranking 22-6
MAC address report 22-7
matched incident ranking 22-7
matched rule ranking 22-7
NAT connection report 22-7
protocol ranking 22-6
reporting device ranking 22-7
reporting device type ranking 22-7
source IP address ranking 22-6
source port ranking 22-6
unknown event report 22-7
use only firing events 22-8
event type grouping 22-11
event types 22-11
ANY 22-11
in MARS
low-latency 18-11
realtime event 18-11
operation
AND 22-12, 23-13
FOLLOWED-BY 22-12, 23-13
none 22-12, 23-13
OR 22-12, 23-13
parameters for
signature events 18-24
result format
destination network group ranking 22-6
destination network ranking 22-6
event type ranking 22-5
network group ranking 22-6
network ranking 22-6
reported user ranking 22-7
source network group ranking 22-6
source network ranking 22-6
results
returning incidents 18-20
rule 22-12
ANY 22-12
save as
reports 22-13
rules 22-13
service
ANY 22-11
defined services 22-11
service variables 22-11
severity
ANY 22-12
green 22-12
red 22-12
yellow 22-12
source IP
ANY 22-10
devices 22-10
IP addresses 22-10
IP ranges 22-10
networks 22-10
post NAT source addresses 22-10
pre NAT source addresses 22-10
variables 22-10
time range
last 22-8
start and end times 22-8
zone 22-12
query
display format 22-5
reporting device ranking 2-28
Query/Reports tab
identifying event
for access rule lookup 18-20
for signature policy lookup 18-25
identifying incident
for access rule lookup 18-20
for signature policy lookup 18-25
querying
for MARS events from devices
without reporting IP address 18-8
for Unknown Reporting Devices in MARS 18-8
Security Manager policies
from MARS events 18-1
Query page 22-1
defining query parameters
for access rule events 18-20
for signature events 18-24
R
rank by 22-7
bytes transmitted 22-8
incident count 22-8
session count 22-7
time 22-8
raw messages
archive folder location 26-4
file name format 26-4
maximum size stored 26-4
retrieve from local controller database 26-6
retrieving from archive server 26-3
read-only access rule table
first match highlighted 18-23
hyperlink in rule number 18-32
in MARS
viewing matched rules 18-3
interface objects 18-33
in the MARS GUI
field descriptions 18-30
login username, Security Manager 18-31
multiple matches 18-23
navigating
to Access Rules page 18-31
to a page number 18-23
navigating across pages 18-23
navigating to other MARS pages 18-30
network/host objects
destination 18-32
source 18-32
pagination 18-23
Security Manager icon
refreshing the page 18-31
Security Manager login credentials 18-31
Security Manager login password 18-31
selecting number of items 18-23
switching between matched rules 18-23
read-only mode
policy lookup from MARS and 18-1
read-only policy table
after display of
access rules, modifying 18-13
caching of query results 18-11
editing signature from 18-8
error message
corrective action 18-12
device added to MARS only 18-12
event action filter, configuring 18-8
expanding
network/host objects 18-12
service objects 18-12
matching access rules
for connection-related syslogs 18-5
matching rules 18-3
modifying policy
using Help Desk role 18-16
saving Security Manager credentials 18-18
starting Security Manager client from
for access rule syslogs 18-1
for signature syslogs 18-1
read-only signature policy page
accessing from
Dashboard 18-34
Incidents page 18-34
Query Reports tab 18-34
search for incident ID 18-34
adding
event action filter 18-29
editing signature 18-29
navigating
to other MARS pages 18-34
to Signatures page 18-34
Security Manager icon
refreshing the page 18-34
starting Security Manager client 18-29
viewing
Security Manager details 18-29
signature parameters 18-36
read-only signature policy table
opening
MySDN 18-35
NSDB 18-35
password, Security Manager 18-34
Security Manager login credentials 18-34
Security Manager login username 18-34
read-write mode
policy lookup from MARS and 18-1
realtime events
policy lookup
error message 18-11
realtime events lookup
device versions
supported for 18-15
realtime event viewer
access rule lookup
for connection teardown events 18-12
remediation policy
suggested content 1-1
removing
user 25-12
report
adding 22-25
delete 22-26
edit 22-26
new 22-25
reported user ranking 22-7
Reporting Applications tab
deleting
Security Manager credentials 18-10
dimming out
Security Manager credentials 18-10
MARS user roles
Notifications Only 18-10
Operator 18-10
Security Manager user credentials
for initial communication 18-9
using MARS credentials
not defined in Common Services 18-10
reporting device ranking 22-7
reporting device type ranking 22-7
reporting IP address
for devices with multiple contexts
policy table lookup 18-8
reports
viewing 22-19, 22-25
reports, view type, CSV 22-24
reports, view type, peak 22-24
reports, view type, recent 22-24
reports, view type, total 22-24
reports, view types 22-23
report views, CSV 22-24
report views, peak 22-24
report views, recent 22-24
report views, total 22-24
rules
destination IP
ANY 23-8
devices 23-8
DISTINCT 23-8
IP addresses 23-8
IP ranges 23-8
Network Groups 23-8
networks 23-8
SAME 23-8
variables 23-8
device 23-11
ANY 23-11
Unknown Reporting Device 23-11
variables 23-11
event type grouping 23-10
event types 23-10
ANY 23-10
variables 23-10
reported user
ANY 23-11
Invalid User Name 23-11
NONE 23-11
variables 23-11
service
ANY 23-9
defined groups 23-10
defined services 23-10
service variables 23-9
severity
ANY 23-12
green 23-12
red 23-12
yellow 23-12
source IP
devices 23-7
IP addresses 23-7
IP ranges 23-7
Network Groups 23-7
networks 23-7
variables 23-7
runtime logging 26-1
S
scheduling
discovery 2-40
security contexts
add discovered 5-18
define reporting options 5-19
make MARS aware of 5-17
Security Manager policy query icon
See policy query icon
Security Manager Policy Query page
See read-only policy table
security policies
objectives of 1-1
security policy
suggested content 1-1
see CVE 25-2
seed file
CSV file 2-21
loading 2-25
sensor ID
in IPS syslog messages in MARS
for virtual sensors 18-7
service
adding 25-8
deleting 25-8
editing 25-8
editing groups 25-7
service group
adding 25-7
service management 25-7
service objects
expanding contents
read-only policy table 18-12
read-only access rule table
displayed in MARS 18-32
service provider
adding 24-11, 25-11
services
adding group 25-7
session count 22-7
sessionized events
MARS
policy query icon 18-11
setting
runtime logging levels 26-1
Severity icons 21-3
Short Message Service
See SMS. 23-15
signature ID
parsed from IPS event messages
for signature policy lookup from MARS 18-7
signature policy lookup
See IPS signature policy lookup
signatures
description 18-7
hyperlinked ID
opening MySDN 18-35
opening NSDB 18-35
looking up from events
minimizing false negatives 18-24
minimizing false positives 18-24
tuning 18-24
modifying
during policy lookup from MARS 18-8
modifying on device
policy lookup, error 18-13
parameters, viewing
from read-only policy page in MARS 18-36
Signatures page
navigating from MARS events
with Security Manager not installed 18-29
with Security Manager running 18-29
with Security Manager timed out 18-29
signature summary table
for editing signatures 18-8
navigating from MARS 18-8
Simple Network Management Protocol
See SNMP. 23-15
SNMP RO, unsupported characters 2-9, 2-23, 2-30
Snort
syslog format expectation 7-43
Solaris host, bootstrap 11-2
source IP address ranking 22-6
source network group ranking 22-6
source network ranking 22-6
source port ranking 22-6
SSH
fingerprint validation 26-9
SSL
certificate validation 26-9
stacked charts 19-18
standard query
for MARS events
display of policy query icon 18-11
static information 21-10
subsignature ID
parsed from IPS event messages
for signature policy lookup from MARS 18-7
syslog
alert forwarding 2-55
disable relay 2-57
enable relay 2-56
forwarding
status reports 2-57
message forwarding 2-55
troubleshoot relay 2-57
syslog message IDs
for firewall devices
supported for policy lookup from MARS 18-6
for IOS routers
supported for policy lookup from MARS 18-7
supported for policy lookup from MARS
by firewall devices 18-6
unsupported
for policy lookup 18-13
policy query icon 18-13
syslog messages
for IPS events
absence of sensor ID 18-7
parsing 18-7
for Packet Data events 18-7
generated by access rules
supported for policy lookup from MARS 18-5
generated by connection setup/teardown
supported for policy lookup from MARS 18-5
generated by IOS 12.2 routers
example, with ACL name 18-6
generated by PIX firewalls
example, with access group name 18-6
parsing for access rule lookup from MARS 18-5
system administrators
associating with user account
for policy lookup from MARS 18-16
system determined false positive type 21-8
system log messages
changing the severity level 18-7
connection teardown
policy lookup, error 18-12
deployed rules
synchronization with device 18-11
for access rule lookup
with log keyword 18-6
without log keyword 18-6
for access rules on IOS routers
with log-input keyword 18-7
with log keyword 18-7
for IOS routers
contents 18-7
format
for ASA devices 18-6
for FWSM 18-6
for PIX devices 18-6
generated by access rules
unavailable on device 18-13
in MARS, generated by
access rules 18-3
connection setup/teardown 18-3
IPS signatures 18-3
invalid format
policy lookup 18-13
logging level
for access rule lookup 18-6
with default level and interval 18-6
T
table
incidents 21-5
taskflow
for policy table lookup
from MARS events 18-2
TCP connection-related message
access rule lookup 18-5
example
for an ASA device 18-6
testing
connectivity
between MARS and Security Manager 18-19
Time 21-3
time consumption
for policy table lookup
number of rules 18-11
with Security Manager client open 18-10
Timeout Interval, setting for GUI and CLI 19-5
time ranges
incidents 21-4
Topology
toggle device display 19-17
traffic flows
between MARS and devices
enabling 18-14
identify and enable 1-4
troubleshoot, cannot add device 2-20
troubleshoot, cannot re-add device 2-20
troubleshooting
access rules quickly
using policy lookup 18-1
firewall and signature configurations
using policy lookup 18-1
network events
using policy lookup from MARS 18-1
tuning
false positives 21-5, 21-9
U
UDP connection-related message
access rule lookup 18-5
example
for an ASA device 18-6
unconfirmed false positive type 21-8
Unknown Device Event Type
custom signatures and 18-8
unknown event report 22-7
Unknown Reporting Devices
querying for
in MARS 18-8
unlock
after login failure 3-15
CLI command
after login failure 3-4
use only firing events 22-8
user
adding 24-10, 25-9
editing 25-12
removing 25-12
user account
associating roles for
policy lookup 18-15
creating a separate one
for policy lookup 18-16
for MARS
defining in Security Manager 18-15
for Security Manager discovery
defining in MARS 18-18
separate one for audit trail 18-15
with admin privileges
for adding Security Manager to MARS 18-9
User Configuration page
disabling
saving of credentials 18-19
in MARS
deleting Security Manager credentials 18-10
editing Security Manager credentials 18-10
Security Manager credentials disabled 18-10
message, displaying
while using MARS credentials 18-19
user confirmed false positive type 21-8
user confirmed positive type 21-8
user credentials
for Security Manager discovery
defining in MARS 18-18
of Security Manager added to MARS
in Reporting Applications tab 18-9
in the User Configuration page 18-9
Reporting Applications tab of MARS
different from those in User Configuration page 18-9
User Configuration page of MARS
authenticating Security Manager 18-9
populated from policy query login dialog box 18-9
user group
adding 25-12
user management 25-8
roles defined 25-9
user roles
for policy lookup from MARS 18-15
for policy table lookup from MARS 18-8
in MARS
editing Security Manager credentials 18-10
modifying Security Manager credentials 18-9
Notifications Only 18-10
Operator 18-10
V
validation
fingerprint 26-9
valid networks 2-39
variables 22-10, 22-11, 23-7, 23-8
views
committed 18-11
deployed
policy lookup from MARS 18-11
virtual sensors
signature policy lookup
from MARS events 18-7
W
Workflow mode
access rule matches
with Security Manager running 18-23
policy table lookup
editable activities 18-10
from MARS events 18-3
with Security Manager client active 18-10
with Security Manager not running 18-10
Z
zone planning
for Global Controller 18-16
for multiple Local Controllers 18-16