Table Of Contents
Network Summary
Global Controller Network Summary Page Concepts
Global Controller Technologies
Navigation within the MARS Appliance
Log In to the Local Controller
Log In to the Global Controller
Basic Navigation
Links, Icons, and Filters for Navigation
Tabs for Navigation
Help Page
Your Suggestions Welcomed
Set the GUI and CLI Timeout Interval
Set the Logon Banner Message
Activate Button
Activate Button Color Changes
Global Controller Activation Considerations
Automatic Activation Settings Page
Set the Activation Interval
Summary Pages
Dashboard
Recent Incidents
Sessions and Events
Inactive Device Events
Data Reduction
Page Refresh
Diagrams
Diagram Manipulation
Display Devices in Topology
Network Status
Improving Status Display Refresh
Chart Reading
Hotspots
My Reports
Set up Reports for Viewing
Network Summary
This chapter describes the MARS web interface and certain components of the Summary and Admin tabs.
This chapter contains the following topics:
•
Global Controller Network Summary Page Concepts
•
Global Controller Technologies
•
Navigation within the MARS Appliance
•
Help Page
•
Set the GUI and CLI Timeout Interval
•
Set the Logon Banner Message
•
Activate Button
•
Summary Pages
Global Controller Network Summary Page Concepts
The Global Controller Summary page differs from the Local Controller Summary page in the following ways:
•
Devices common to Local Controllers are merged in the Global Controller topology. If you have a router listed on both Local Controllers LC1 and LC2, it only shows up once in topology graphs and on the Summary page.
•
Networks common to Local Controllers are not merged in the Global Controller topology, but are displayed as separate topologies even if they are the same network.
Global Controller Technologies
The Global Controller is a complete threat-mitigation appliance that combines network intelligence, ContextCorrelation™, SureVector™ analysis, and AutoMitigate™ capability in a high-performance platform for identifying and stopping real security incidents.
ContextCorrelation groups multiple events and network behavior across NAT boundaries in a session. System and user-defined correlation rules are then applied to multiple sessions to identify valid incidents—significantly reducing raw event data and prioritizing response.
SureVector analysis processes incidents to determine if threats are valid or have been countered by assessing the attack path components—end to end. The result eliminates false positives and resolved threats, and enables full path drill-down visualization and investigation.
AutoMitigate capability identifies available choke point devices along the attack vector and allows you to automate appropriate device commands that can mitigate the threat. The result responsively and accurately prevents or contains an attack by leveraging the infrastructure.
Navigation within the MARS Appliance
The MARS web interface runs within a single browser window. The MARS product functions are categorized with labeled tabs, each tab subdivided with subtabs.
Note
Do not use the browser navigation buttons with the MARS Appliance GUI (for example, Back, Forward, Refresh, or Stop).
This section contains the following topics:
•
Log In to the Local Controller
•
Log In to the Global Controller
•
Basic Navigation
Log In to the Local Controller
Step 1
To login to the Local Controller, enter its IP or DNS address into the browser address field.
The login box appears.
Figure 7-1 Local Controller Login Box
Step 2
Enter your login name and password.
If you do not have a login name, contact your network administrator.
Step 3
From the Type drop-down list, select Local if you are logging in to a user account created on this MARS, or select Global if you are logging in to a user account created on the Global Controller to which this Local Controller reports.
Step 4
Click Login.
The first page to appear after a login is the Summary tab Dashboard page. How quickly it populates with information depends on a combination of the following factors:
•
How long the Local Controller has been powered up and connected to the network.
•
Amount of traffic on your networks.
•
Reporting syslog levels of the reporting devices.
•
Size of the network.
•
The number and type of reporting devices.
For most networks, the Summary page populates shortly after configuration. Some values are only relevant after an interval of time (for example, the values in the 24 Hour Events and 24 Hour Incidents tables).
Log In to the Global Controller
Step 1
To login to the Global Controller, enter its IP or DNS address into the browser address field.
The login box appears.
Figure 7-2 Global Controller Login Box
Step 2
Enter your login name and password.
If you do not have a login name, contact your network administrator.
Step 3
Click Login.
The first page to appear after a login is the Summary tab Dashboard page. How quickly it populates with information depends on a combination of the following factors:
•
How long the Global Controller has been powered up and connected to the network.
•
Amount of traffic on your networks.
•
Reporting syslog levels of the reporting devices.
•
Size of the network.
•
The number and type of reporting devices.
For most networks, the Summary page populates shortly after configuration. Some values are only relevant after an interval of time (for example, the values in the 24 Hour Events and 24 Hour Incidents tables).
Basic Navigation
The MARS Appliance uses a tab-based, hyperlinked user interface. Elements of the interface, for both the Local and Global Controllers, are illustrated in the figures that follow.
This section contains the following topics:
•
Links, Icons, and Filters for Navigation
•
Tabs for Navigation
Links, Icons, and Filters for Navigation
When you mouse over an alphanumeric string or an icon that is a clickable hyperlink, the mouse cursor changes to a pointing-finger cursor. Figure 7-3 shows some of the clickable objects on the Dashboard page.
Figure 7-3 Links, Icons, and Filters
1
|
Link to the item's detail page or popup window.
|
2
|
Query icon links to query page. The corresponding query field is populated with the item.
|
3
|
Dropdown lists filter what is displayed.
|
4
|
Path icons launch Path or Incident Vector pop-up diagrams.
|
Tabs for Navigation
Click any of the seven tabs to navigate to the pages relevant to the tab's sub-tabs, as shown in Figure 7-4 through Figure 7-12.
Note
Do not use the browser navigation buttons with the MARS Appliance GUI (for example, Back, Forward, Refresh, or Stop).
Figure 7-4 Summary Tab: Global Controller
Figure 7-5 Summary Tab: Local Controller
Figure 7-6 Incidents Tab
Figure 7-7 Query/Reports Tab
Figure 7-8 Global Controller Rules Tab
Figure 7-9 Local Controller Rules Tab
Figure 7-10 Management Tab
Figure 7-11 Administration Tab
Figure 7-12 Help Tab
Help Page
The Help page, as shown in Figure 7-13, provides URLs to online documentation and a feedback form to submit constructive comments to the MARS development engineering team.
Figure 7-13 Help Page
Click About to display the software version number running on the MARS.
Click Documentation to display URLs to MARS documentation on the Cisco Systems, Inc. website (http://www.cisco.com).
Your Suggestions Welcomed
The Feedback button appears at the bottom of most pages, as shown in Figure 7-13.
When you click the feedback button, or navigate to the Feedback page, the feedback dialog box appears, as shown in Figure 7-14.
Figure 7-14 Feedback Dialog Box
To send your comments to the MARS development engineering team, type your email address and comments, then click Submit. If you select Include log file, a MARS log file is attached to your message; review what that log contains before sending it outside your organization.
Set the GUI and CLI Timeout Interval
When a user is inactive on the GUI or CLI for longer than the timeout interval, that user is logged out and must log in again to continue accessing the MARS Appliance. The available timeout intervals are Never (indefinite duration), 15, 30, 45, and 60 minutes. Never leaves idle GUI and CLI sessions open indefinitely, so avoid it on shared or unattended workstations.
In general, GUI activities that initiate access to the MARS webserver restart the timeout interval. Table 7-1 lists GUI activities that do not restart the timeout interval.
Table 7-1 User Activities That Do Not Restart the Timeout Interval
GUI Area
|
Activity
|
Throughout the GUI
|
• Mouse Motion
• Random keystrokes
• Clicking inactive areas
• Clicking drop-down lists without selecting
• Clicking radio buttons, checkboxes, add remove, or arithmetic operators in configuration dialog boxes
• Typing alphanumeric values in text boxes of configuration dialog boxes
|
Real-Time Event Viewer (Query/Reports > Query)
|
• Selecting the Scroll Speed
• Clicking Pause
• Clicking Resume
|
Incidents Detail Page (Incidents > View)
|
• Clicking "+" or "-" to expand a table
• Clicking Expand All or Collapse All
|
To set the timeout interval, follow these steps:
Step 1
Navigate to Admin > System Parameters > Timeout Settings, as shown in Figure 7-15.
Step 2
Select the timeout intervals for each role.
The timeout interval for each of the Administrator, Security Analyst, and Operator roles is set separately. The Admin timeout setting is also the timeout interval for the CLI.
Figure 7-15 Timeout Interval Configuration Page
Step 3
Click Submit.
End of Procedure
Set the Logon Banner Message
Some MARS administrators or environments require that a message be displayed on the logon page to notify users of authorization requirements or operational restrictions. This message, or logon banner, is configurable by MARS administrators who have the requisite permission. An example of a logon banner message is shown in Figure 7-16.
Figure 7-16 Example Logon Banner Message
Complete the following steps to set the Login Banner Message:
Step 1
Navigate to the Admin > System Parameters page. The System Parameters page appears as shown in Figure 7-17.
Figure 7-17 Systems Parameters Page
Step 2
Click to select Banner Settings. The Banner Message Input page appears.
Figure 7-18 Banner Message Input Page
Step 3
Paste in, or type, the text to be displayed at logon. Note that the maximum number of characters allowed is 2000.
Step 4
Click Submit.
Activate Button
This section discusses the Activate button.
Changes made to MARS configurations and settings, (most notably to devices, rules, and reports) must be passed to the MARS background processes either by clicking Activate, or by scheduling an automatic activation process.
Note
The activation process is CPU intensive. It is best to activate after all changes are complete. For example, if you are adding multiple devices, it is better for system performance to activate the changes after adding all devices rather than activating after adding each device.
This section contains the following topics:
•
Activate Button Color Changes
•
Global Controller Activation Considerations
•
Automatic Activation Settings Page
•
Set the Activation Interval
Activate Button Color Changes
The Activate button displays red with bold italic print when a configuration change requires activation, as shown in Figure 7-19. The Activate button is on all tabs.
Figure 7-19 Activate Button Turns Red When GUI Configuration Change is Submitted
For the user account that made the changes, the Activate button displays red in every new or already open session of that account. It does not display red in the sessions of any other account. When you click the red Activate button, a pop-up window appears displaying the time, login name, user role, and activation status, as shown in Figure 7-20. The Status field displays either Ok or Error. If the status is Error, retry the activation later.
Figure 7-20 Popup Message Received when Activation Completed
When an Activation is complete, the Activate button displays white in all open and subsequently launched sessions, as shown in Figure 7-21.
Figure 7-21 Activate Button Resets to White When Activation Completes
Multiple Logged-in Users Making Changes at the Same Time
Clicking Activate activates all pending changes made by all user accounts. If two different accounts both make changes, the red Activate button displays in both of their session GUIs. If one account clicks Activate, the changes of all other accounts are also activated, and the Activate button displays white in the GUI of all accounts (after a page refresh, or when clicking another tab).
Clicking the White Activate Button
Clicking the white Activate button launches a pop-up message window displaying the last activation event time, the login name and role of the initiator, and an activate option as shown in Figure 7-22. Clicking the Activate option in the pop-up window forces an activation process. Any changes made by other accounts are activated, and an Activation Done pop-up window appears, as shown in Figure 7-20.
Figure 7-22 Popup Message When White Activate Button is Clicked
Global Controller Activation Considerations
A topology synchronization occurs between Global and Local Controllers when an activation process is initiated on either platform.
Automatic Activation Settings Page
A scheduler daemon that wakes up every minute can be configured to execute automatic activations. The Activation Settings page (Admin > System Parameters > Activation Settings) sets the time interval between automatic activations executed by the scheduler. There is no CLI command for the scheduler.
The time intervals are Never (default), 15, 30, 45, and 60 minutes.
Set the Activation Interval
Complete the following steps to set the automatic activation schedule:
Step 1
Navigate to the Admin > System Parameters page as shown in Figure 7-17.
Step 2
Click Activation Settings.
The Activation Interval page appears, as shown in Figure 7-23.
Figure 7-23 Automatic Activation Interval Page
Step 3
Select an Activation Interval from the drop-down list.
The possible values are NEVER (default), 15 minutes, 30 minutes, 45 minutes, and 60 minutes.
Step 4
Click Submit.
End of Procedure
Summary Pages
From the Summary pages, you can very quickly evaluate the state of the network. The Summary pages include the Dashboard, Network Status, HotSpot Diagrams (Global Controller only), and My Reports, as shown in Figure 7-24 and Figure 7-25.
Figure 7-24 Local Controller Summary Tab
Figure 7-25 Global Controller Summary Tab
Note
If you experience long page refresh times for the Dashboard or Network Summary pages when changing the query timeframes of charts to values greater than the default (Day), try the following workarounds:
1.
Refresh Workaround 1
–
Reset all chart timeframes back to Day.
–
Change a chart timeframe and run the report per your requirements.
–
Reset the chart to Day before changing the next chart timeframe.
2.
Refresh Workaround 2
–
Open a new session in a separate browser instance to view a chart.
–
Change the chart time interval and run the report per your requirements.
Note
Charts revert to default settings in each new session. The view type and timeframe settings are retained during a session, but the legend display is retained only while the page is viewed.
This section contains the following topics:
•
Dashboard
•
Diagrams
•
Network Status
•
Hotspots
•
My Reports
Dashboard
Note
When you first view the Summary page after upgrading the MARS, expect a small delay while the JavaServer Pages (JSP) recompile.
Note
For all of the charts on this page, you can set different query timeframes, toggle the size of the chart, view the latest report, and so on, by clicking on the buttons in the chart's window.
Figure 7-26 The Working Areas on the Dashboard
1
|
Subtabs
|
5
|
Tabs
|
2
|
Case Bar (Local Controller only)
|
6
|
Recent incidents information
|
3
|
Links to Cases assigned to you.
|
7
|
HotSpot and Attack diagrams
|
4
|
Charts
|
This section contains the following topics:
•
Recent Incidents
•
Sessions and Events
•
Inactive Device Events
•
Data Reduction
•
Page Refresh
Recent Incidents
The first feature to notice about the Dashboard is the recent incidents that have fired. Cisco Security Monitoring, Analysis, and Response System (MARS) comes with pre-defined rules, and these incidents are the result of those rules firing. These rules are generic, globally applicable, and should serve you well as a starting point once you begin to tune the MARS.
Figure 7-27 Drilling-down into Incidents
1
|
Link to the Incident sessions detail page
|
5
|
Link to the rule details page
|
2
|
Incident severity icons
• Red—Severe threat
• Yellow—Possible threat
• Green—Unlikely threat
|
6
|
Incident Path icon launches the topology diagram popup window
|
3
|
Link to the Event Type Details page
|
7
|
Incident Vector icon launches the incident attack vector diagram
|
4
|
Query icon links to Query page
|
8
|
Link to the View Case page
|
Sessions and Events
Within a given time window, a session is a collection of events that all share a common end-to-end:
•
Source and destination address
•
Source and destination port
•
Protocol
Event sessionization aggregates event data, making it easier to sort and examine. It lets the system treat the events of a session as a single unit of information and helps you determine whether an attack has truly materialized, because it gives you the context of the attack: all the events on that session.
Sessionization works across NAT (network address translation) boundaries. If a session traverses a device that applies NAT to it, MARS can still sessionize the events even when they are reported by two devices on opposite sides of that firewall.
Networks start to show immediate action in the events and sessions categories. Note that the 24 Hour Events table and the Events and Sessions chart are different ways of presenting the same information.
Inactive Device Events
MARS generates an inactive device event for any device that does not report an event within 1 hour of the last received event. Inactive device events are generated for all security and monitoring devices except MARS, CSA, Symantec AntiVirus, FoundScan, eEye REM, QualysGuard, and Security Manager.
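One way to implement the inactive-device check as the text describes it, as an added example that is not MARS code. The device names, device types and event arrival times are constructed; the 15-minute check cadence is an assumption, as is reporting each device only once per silent period rather than on every check.

```python
"""Inactive-device detection as the text describes it: flag a reporting device
once no event has arrived from it for more than one hour, skipping the device
types MARS exempts. Added example; device names, types and arrival times are
constructed, and the 15-minute check cadence is an assumption."""
from datetime import datetime, timedelta

INACTIVITY = timedelta(hours=1)
# Device types the text lists as exempt from inactive-device events.
EXEMPT_TYPES = {"MARS", "CSA", "Symantec AntiVirus", "FoundScan",
                "eEye REM", "QualysGuard", "Security Manager"}

# Constructed reporting-device inventory: name -> type
DEVICES = {"fw1": "Cisco PIX", "ids1": "Cisco IPS", "csa-mc": "CSA"}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed event arrivals: (timestamp, reporting device)
ARRIVALS = [
    ("2024-05-01 09:00:00", "fw1"),
    ("2024-05-01 09:00:00", "ids1"),
    ("2024-05-01 09:00:00", "csa-mc"),
    ("2024-05-01 09:30:00", "fw1"),
    ("2024-05-01 10:30:00", "fw1"),
    ("2024-05-01 12:00:00", "ids1"),
]


class InactiveDeviceMonitor:
    def __init__(self, devices):
        self.types = devices
        self.last_seen = {}   # device -> time of last received event
        self.flagged = set()  # devices already reported for the current gap

    def observe(self, when, device):
        """Record an event from a device; a new event ends its silent period."""
        self.last_seen[device] = when
        self.flagged.discard(device)

    def check(self, now):
        """Return one inactive-device event per device whose silence has just
        exceeded INACTIVITY; exempt types and already-flagged devices are skipped."""
        events = []
        for device, last in self.last_seen.items():
            if self.types.get(device) in EXEMPT_TYPES or device in self.flagged:
                continue
            if now - last > INACTIVITY:
                self.flagged.add(device)
                events.append((now, device, last))
        return events


def simulate(arrivals, devices, start, end, step=timedelta(minutes=15)):
    """Replay arrivals against periodic checks; returns the inactive-device events."""
    monitor = InactiveDeviceMonitor(devices)
    pending = sorted((ts(t), d) for t, d in arrivals)
    events = []
    now = start
    while now <= end:
        while pending and pending[0][0] <= now:
            monitor.observe(*pending.pop(0))
        events.extend(monitor.check(now))
        now += step
    return events


if __name__ == "__main__":
    for when, device, last in simulate(ARRIVALS, DEVICES,
                                       ts("2024-05-01 09:00:00"),
                                       ts("2024-05-01 12:00:00")):
        print(f"{when:%H:%M} inactive device {device}, last event {last:%H:%M}")
```

With the constructed data, ids1 is flagged at 10:15 (last event 09:00) and fw1 at 11:45 (last event 10:30); csa-mc, a CSA device, is never flagged, and ids1 is cleared again when its 12:00 event arrives.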
Data Reduction
Data Reduction is a measure of how much event data MARS collapsed into sessions. For example, a data reduction of 66% means that on average three events were collapsed into each session. The figure depends on many variables particular to your network.
Figure 7-28 Data Reduction
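The sessionization and data-reduction rules described in the Sessions and Events and Data Reduction sections above, worked through in code. This is an added example written for this page, not MARS code: the events, the reporting-device names and the reverse NAT table are all constructed, and the one-hour session window is an assumption (the text says only "within a given time window").

```python
"""Sessionize events on their end-to-end 5-tuple, across a NAT boundary, and
compute the data-reduction figure. Added example, not MARS code: the events,
reporting-device names and reverse NAT table are constructed, and the one-hour
session window is an assumption."""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time device src sport dst dport proto")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed events. fw1-inside reports pre-NAT (inside) addresses; ids-dmz sits
# outside the firewall and sees the translated (outside) source address and port.
EVENTS = [
    Event(ts("2024-05-01 09:00:00"), "fw1-inside", "10.1.1.5", 1025, "198.51.100.20", 80, "tcp"),
    Event(ts("2024-05-01 09:00:01"), "ids-dmz", "203.0.113.9", 40001, "198.51.100.20", 80, "tcp"),
    Event(ts("2024-05-01 09:00:02"), "ids-dmz", "203.0.113.9", 40001, "198.51.100.20", 80, "tcp"),
    Event(ts("2024-05-01 09:05:00"), "fw1-inside", "10.1.1.7", 3344, "198.51.100.21", 22, "tcp"),
    Event(ts("2024-05-01 09:05:00"), "ids-dmz", "203.0.113.9", 40002, "198.51.100.21", 22, "tcp"),
    Event(ts("2024-05-01 09:05:30"), "ids-dmz", "203.0.113.9", 40002, "198.51.100.21", 22, "tcp"),
    # Same 5-tuple as the first session, but hours later: a new session.
    Event(ts("2024-05-01 11:30:00"), "fw1-inside", "10.1.1.5", 1025, "198.51.100.20", 80, "tcp"),
]

# Constructed reverse NAT table from the firewall's translation log:
# (outside address, outside port) -> (inside address, inside port).
# A real table is time-scoped, because ports are reused once a translation expires.
REVERSE_NAT = {
    ("203.0.113.9", 40001): ("10.1.1.5", 1025),
    ("203.0.113.9", 40002): ("10.1.1.7", 3344),
}


def normalize(ev):
    """Rewrite a post-NAT event to the inside address so both sides of the
    firewall land on the same end-to-end key."""
    inside = REVERSE_NAT.get((ev.src, ev.sport))
    return ev._replace(src=inside[0], sport=inside[1]) if inside else ev


def session_key(ev):
    return (ev.src, ev.sport, ev.dst, ev.dport, ev.proto)


def sessionize(events, window=timedelta(hours=1)):
    """Group events sharing a 5-tuple; a gap longer than `window` between
    consecutive events on a key starts a new session."""
    sessions, open_by_key = [], {}
    for ev in sorted((normalize(e) for e in events), key=lambda e: e.time):
        key = session_key(ev)
        cur = open_by_key.get(key)
        if cur is None or ev.time - cur["last"] > window:
            cur = {"key": key, "events": [], "last": ev.time}
            sessions.append(cur)
            open_by_key[key] = cur
        cur["events"].append(ev)
        cur["last"] = ev.time
    return sessions


def data_reduction(events, sessions):
    """Fraction of raw events that collapsed away: 1 - sessions/events."""
    return 0.0 if not events else 1 - len(sessions) / len(events)


if __name__ == "__main__":
    sessions = sessionize(EVENTS)
    for s in sessions:
        devices = sorted({e.device for e in s["events"]})
        print(s["key"], len(s["events"]), "events from", devices)
    print(f"data reduction: {data_reduction(EVENTS, sessions):.0%}")
```

The first six constructed events collapse into two sessions (a 66% data reduction, the text's three-events-per-session case), each containing events from both the inside firewall interface and the outside IDS because the reverse NAT lookup puts them on the same key. The seventh event shares a 5-tuple with the first session but arrives after the window has expired, so it opens a third session.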
Page Refresh
The Page Refresh Rate polls the Local Controller or Global Controller at the interval you assign. The default setting is fifteen minutes. The refresh setting remains in effect until you log out, and applies only to the pages that have the Page Refresh pull-down.
Figure 7-29 Page Refresh
Note
You can change the refresh rate with the dropdown list.
Diagrams
The Summary page has two diagrams: the Hot Spot Graph and the Attack Diagram. The Global Controller builds them from the configuration and topology-discovery information propagated up from the Local Controllers. Table 7-2 shows the icons used in the diagrams.
You can start drilling down into the diagrams by clicking any of the icons listed in Table 7-2, and into attack paths in the Attack Diagram by clicking the Path icon. Drilling down into these diagrams is one of the fastest ways to uncover real-time information about your network.
Figure 7-30 Clickable Hot Spots: Brown = Attackers & Red = Compromised
Note
Clouds can represent collections of gateways in the Hotspot graph. A gateway cloud is a device that is unknown to MARS. You can discover gateway clouds by clicking them if you have the SNMP information.
Table 7-2 Icons and States in Topology
(The icons themselves are images in the original and are not reproduced here; each cell records whether an icon exists for that device type in that state.)
Device type | Healthy | Attacker | Compromised | Compromised and Attacking
Clouds | icon | — | — | —
Firewall | icon | icon | icon | icon
Reporting Host | icon | icon | icon | icon
Host | icon | icon | icon | icon
IDS | icon | icon | icon | icon
Network | icon | icon | icon | icon
Router | icon | icon | icon | icon
Switch | icon | icon | icon | icon
Global Controller or Local Controller | icon | icon | icon | icon
To see the diagrams, you need the Adobe SVG viewer plug-in. The Adobe SVG viewer plug-in should automatically install.
Note
If you click No on the SVG auto-installer, MARS does not prompt you to install it again. If you want to run the auto-installer, open the browser and click Tools > Internet Options > General > Delete Cookies.
Figure 7-31 The Hot Spot Graph and Attack Diagram
1
|
Displays SVG Help
|
2
|
Displays clouds for selected devices on a full page
|
3
|
Displays all devices on a full page
|
4
|
Selects zone to be displayed (Global Controller only)
|
5
|
Selects zone to be displayed (Global Controller only)
|
This section contains the following topics:
•
Diagram Manipulation
•
Display Devices in Topology
Diagram Manipulation
•
Pull down the menu labeled Global Zone to select an individual local zone.
•
Right-click the diagram to zoom in and out, to reset the diagram to its original size, to set the diagram's viewing quality, to search, and to manipulate the SVG image.
•
Alt+click to use the hand to move the image.
•
Ctrl+click to use the magnifying glass to zoom in.
•
Ctrl+click and drag to select an area.
•
Ctrl+shift+click to use the magnifying glass to zoom out.
Note
If MARS discovers an unknown device, it displays that device using a unique name of the form "eth-" followed by the device's IP address written as a 32-bit decimal integer, such as "eth-168034561" (which is 10.4.1.1).
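A small helper, added here and not part of MARS, that decodes such names back to dotted-quad form, produces the name MARS would give a known address (useful when searching a topology for a host you already know), and checks the decoded addresses against an asset inventory. The node names and inventory networks are constructed.

```python
"""Decode MARS unknown-device names of the form eth-<32-bit decimal> back to
dotted-quad addresses and match them against an asset inventory. Added example,
not MARS code; the node names and inventory networks are constructed."""
import ipaddress
import re

UNKNOWN_NAME = re.compile(r"^eth-(\d+)$")


def unknown_device_ip(name):
    """Return the dotted-quad address encoded in an eth-<n> name, or None if
    the name is not of that form or the number is not a valid 32-bit address."""
    m = UNKNOWN_NAME.match(name)
    if not m:
        return None
    n = int(m.group(1))
    if n > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(n))


def unknown_device_name(ip):
    """Inverse: the name MARS would give an unknown device at `ip`."""
    return f"eth-{int(ipaddress.IPv4Address(ip))}"


def resolve_unknown_nodes(node_names, inventory):
    """For each eth-<n> node, return (name, ip, matching inventory label or None).
    Nodes that are not eth-<n> names, or that do not decode, are skipped."""
    networks = [(ipaddress.ip_network(cidr), label) for cidr, label in inventory.items()]
    out = []
    for name in node_names:
        ip = unknown_device_ip(name)
        if ip is None:
            continue
        addr = ipaddress.IPv4Address(ip)
        label = next((lbl for net, lbl in networks if addr in net), None)
        out.append((name, ip, label))
    return out


# Constructed topology node names and asset inventory (CIDR -> label).
NODES = ["fw1", "eth-168034561", "eth-3232235777", "eth-99999999999"]
INVENTORY = {"10.4.0.0/16": "branch-lan", "192.168.1.0/24": "lab"}

if __name__ == "__main__":
    for name, ip, label in resolve_unknown_nodes(NODES, INVENTORY):
        print(f"{name} -> {ip} ({label or 'not in inventory'})")
```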
Display Devices in Topology
You can specify how a reporting device is displayed in the HotSpot Graph. By clicking the icon in the Device Display column, you can choose whether to display the device as an individual node on the graph or collapse it within a cloud. Hiding devices in a cloud reduces the number of nodes displayed, making the graph easier to read at a higher level.
A cloud identifies a collection of networks for which you do not want to define the complete physical topology. Much as when you draw a network diagram on paper, you can use a cloud to depict networks in which you have no direct interest but which are needed to complete the diagram. For example, you may want to display only gateway devices or mitigation devices, representing the other reporting devices as part of a cloud.
To toggle the display status of a device, follow these steps:
Step 1
Click Admin > Security and Monitor Devices.
Step 2
Click the icon in the Device Display column of the device that you want to toggle.
Figure 7-32 The Device Display icons
The icon changes from a host icon to a host within a cloud or vice versa.
Step 3
Click Activate.
Network Status
The Network Status page is where you come to get the big picture. On the Network Status page, you can see the charts for:
•
Incidents —Rated by severity.
•
Attacks: All - Top Rules Fired—Rated by the highest number of incidents fired.
•
Activity: All - Top Event Types—Rated by the highest numbers of events of that type.
•
Activity: All - Top Reporting Devices—Rated by the total number of events reported by each security device.
•
Activity: All - Top Sources—The top IP addresses that appear as session sources, ranked by session count.
•
Activity: All - Top Destinations—The top IP addresses that appear as session destinations, ranked by session count.
For all of the charts on this page, you can set different time frames, the size of the chart, view the latest report, and so on, by clicking on the buttons in the chart's window.
Improving Status Display Refresh
If you experience exceedingly long page refresh times for the Dashboard or Network Summary pages when changing the query timeframes of charts to values greater than the default (Day), try the following workaround:
Step 1
Reset all chart timeframes back to Day.
Step 2
Change a single chart timeframe and run the report per your requirements.
Step 3
Reset the chart to Day before changing the next chart timeframe.
Tip
Alternatively, you can open a new session in a separate browser instance to view a chart. Then, change the chart's time interval and run the report per your requirements.
Note
Charts revert to default settings in each new session. The view type and timeframe settings are retained during a session, but the legend displays only while the page is viewed.
Chart Reading
These are stacked charts. You can tell which severity of incident your network has most experienced for the day by looking for the dominant shade. In the figure below, low priority green incidents cover less area than high priority red incidents because they have occurred less often.
Figure 7-33 A Day's Events and NetFlow with the Legend Displayed
1
|
Displays values by hour, day, week, month, quarter (the last 3 months), or year.
|
2
|
Sets chart to represent the sum of all zones or each individual zone (Global Controller only).
|
3
|
Displays a larger version of the chart.
|
4
|
Displays the chart legend.
|
5
|
The chart legend
|
To read the charts most efficiently, note that it is solely the thickness of a particular color that determines its value at that point - and that a spike (or drop) in any particular color could be caused by a spike (or drop) of a different color lower down in the stack.
A perfectly flat line indicates that MARS received no data during that time period.
Figure 7-34 A Flat Line in a Week's Top Rules Fired
1
|
The flat line in the Top Rules Fired chart
|
In the following Incidents chart, you can see the top incidents for the week, starting eight days in the past.
Figure 7-35 Eight Days of Incidents
1
|
A more drastic spike in red is not offset by the green incident
|
2
|
Incident spikes are built upon each other
|
Hotspots
The Hotspots page contains topology graphs of the hotspots on each of the Local Controllers connected to your Global Controller. You can use the pull-down menu to select whether to view the hotspot for a single Local Controller or combined hotspots for all the Local Controllers connected to your Global Controller.
Clicking on the Full Topo Graph button displays a detailed graph of the topology; clicking the Large Graph button displays the attack on a full page. Clicking the Details button logs you into the Local Controller and displays the hotspot graph there.
My Reports
The My Reports page is where you choose the reports that you want to view. Report selections are saved per login name, so the reports you selected appear whenever you log in to the MARS with that account.
Set up Reports for Viewing
Step 1
Click the Edit button on the My Reports page.
Step 2
Select the radio button next to the report that you want to see as a chart.
Step 3
Click Submit.
The Local Controller or Global Controller now displays the chart that you selected on the My Reports page.
Note
Reports must be scheduled to run periodically, that is, every hour or every day. If you activate a report, allow for some time for the data to accumulate.
You can display any number of charts on the My Reports page, however expect slower loading times for large numbers of charts.
The reports that you can select from are pre-defined. When you create your own reports, you can select those to display. See Reports, page 8-27 for more information.