Cisco Security Agent 4.X Device; Configure Csa Management Center To Generate Required Data - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual


Chapter 7
Configuring Host-Based IDS and IPS Devices

Cisco Security Agent 4.x Device

To enable Cisco Security Agent (CSA) as a reporting device in MARS, you must identify the CSA
Management Console (CSA MC) as the reporting device. The CSA MC receives alerts from the CSA
agents that it monitors, and it forwards those alerts to MARS as SNMP notifications.

When MARS receives the SNMP notification, the source IP address in the notification is that of the CSA
agent that originally triggered the event, rather than the CSA MC that forwarded it. Therefore, MARS
requires host definitions for each of the CSA agents that can potentially trigger an event. These
definitions are added as sub-components under the device definition of the CSA MC.

As of MARS release 4.1.1, the MARS Appliance discovers CSA agents as they generate alerts,
eliminating the need to manually define them. MARS parses the alert to identify the CSA agent
hostname and to discover the host operating system (OS). MARS uses this information to add any
undefined agent as a child of the CSA MC, defined as a host with either the Generic Windows (all Windows)
or Generic (Unix or Linux) operating system value. You are still required to define the CSA MC;
however, you are not required to define each agent. The default topology presentation for discovered
CSA agents is within a cloud.

Note: The first SNMP notification from an unknown CSA agent appears to originate from the CSA MC. MARS
parses this notification and defines a child agent of the CSA MC using the discovered settings. Once the
agent is defined, all subsequent messages appear to originate from the CSA agent.

Prior to 4.1.1, you were required to add each agent manually or by using an exported hosts file, as
defined in Export CSA Agent Information to File, page 7-6.

Note: Prior to the 4.1.1 release, CSA was identified by the device type name Cisco CSA 4.0. As part of an
upgrade, any Cisco CSA 4.0 devices were renamed as Cisco CSA 4.x. This new name includes support
for Cisco CSA 4.0 and 4.5.

This section contains the following topics:

Configure CSA Management Center to Generate Required Data, page 7-5
Add and Configure a CSA MC Device in MARS, page 7-7
Troubleshooting CSA Agent Installs, page 7-10

Configure CSA Management Center to Generate Required Data

To bootstrap CSA, you must configure the CSA MC to forward SNMP notifications to the MARS
Appliance. In addition, you can export the list of CSA agents in a format that MARS can import.
However, this export operation is not necessary, as MARS discovers the agents as they generate
notifications.

This section contains the following topics:

Configure CSA MC to Forward SNMP Notifications to MARS, page 7-6
Export CSA Agent Information to File, page 7-6

User Guide for Cisco Security MARS Local Controller
78-17020-01


This manual is also suitable for:

Mars 20, Mars 50, Mars 100, Mars 200
