Add The Cisco Ics Device To Mars; Define Rules And Reports For Cisco Ics Events - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual


Chapter 8
Configuring Antivirus Devices

Add the Cisco ICS Device to MARS

Before MARS can begin processing the syslog messages as Cisco ICS messages, you must define the
Cisco ICS management server as a software application running on a host. After Cisco ICS is defined
as a reporting device, MARS can process any inspection rules that you have defined using Cisco ICS
event types.
To add a Cisco ICS server to MARS, follow these steps:
Step 1   Click Admin > Security and Monitor Devices > Add.
Step 2   From the Device Type list, select Add SW Security apps on a new host.
         You can also select Add SW Security apps on an existing host if you have already defined the host within
         MARS, perhaps as part of the Management > IP Management settings or if you are running another
         application on the host, such as Microsoft Internet Information Services.
Step 3   In the Device Name field, enter the hostname of the server.
Step 4   In the Reporting IP field, enter the IP address of the interface on the Cisco ICS server from which the syslog
         messages will originate.
Step 5   Under Enter interface information, enter the interface name, IP address, and netmask value of the
         interface on the Cisco ICS server from which the syslog messages will originate.
         This address is the same value as the Reporting IP address.
Step 6   Click Apply.
Step 7   Click Next to move to the Reporting Applications tab.
Step 8   In the Select Application field, select Cisco ICS 1.x, then click Add.
Step 9   Click Select to add the Cisco ICS application to this host.
Step 10  Click Done to save the changes.
Step 11  To activate the device, click Activate.

Define Rules and Reports for Cisco ICS Events

From Cisco ICS, MARS receives syslog messages that allow it to identify outbreaks, successful OPACL
and OPSig deployments, and failed attempts to deploy. MARS stays abreast of when the OPACLs and
OPSigs fire on Cisco IPS devices. MARS also monitors the Cisco ICS server for system issues, such as
database failures.
These events assist MARS in providing an accurate, holistic assessment of your network. OPACL and
OPSig matching events provide five-tuple correlation, which MARS uses to perform attack path analysis
and verify the containment of threats. You can use the events to define inspection rules that help you
perform manual mitigation on devices that cannot use OPACLs and OPSigs.
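The five-tuple correlation described above, shown as an added example that is not part of the Cisco manual and is not Cisco MARS or Cisco ICS code. The event records, their field names, the event kinds (outbreak, opacl_match, opsig_match, deploy_failed), the device names and the correlation window are all constructed assumptions for illustration; they are not Cisco ICS message formats. The example pairs each outbreak with a later OPACL or OPSig match on the same five-tuple to mark it contained, and lists the outbreaks that still need manual mitigation plus the devices that reported a failed deployment.

```python
"""Hypothetical five-tuple correlation between outbreak events and OPACL/OPSig
matching events. Added example; all formats and sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class FiveTuple:
    """Flow identity used for correlation: src ip/port, dst ip/port, protocol."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class Event:
    ts: int                      # seconds since an arbitrary epoch (constructed)
    kind: str                    # "outbreak", "opacl_match", "opsig_match", "deploy_failed"
    device: str                  # reporting device name (constructed)
    flow: Optional[FiveTuple]    # None for events that carry no flow (e.g. deploy_failed)


MATCH_KINDS = ("opacl_match", "opsig_match")


def verify_containment(events: Iterable[Event], window: int = 300) -> Dict[FiveTuple, str]:
    """For each outbreak, report "contained by <device> (<kind>)" when an OPACL or
    OPSig match on the same five-tuple is seen within `window` seconds after the
    outbreak, otherwise "needs_manual_mitigation"."""
    ordered = sorted(events, key=lambda e: e.ts)
    matches = [e for e in ordered if e.kind in MATCH_KINDS and e.flow is not None]
    results: Dict[FiveTuple, str] = {}
    for ev in ordered:
        if ev.kind != "outbreak" or ev.flow is None:
            continue
        hit = next(
            (m for m in matches if m.flow == ev.flow and ev.ts <= m.ts <= ev.ts + window),
            None,
        )
        if hit is not None:
            results[ev.flow] = f"contained by {hit.device} ({hit.kind})"
        else:
            results[ev.flow] = "needs_manual_mitigation"
    return results


def failed_deployments(events: Iterable[Event]) -> List[str]:
    """Devices that logged a failed OPACL/OPSig deployment, in time order, deduplicated."""
    seen: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "deploy_failed" and ev.device not in seen:
            seen.append(ev.device)
    return seen


# Constructed sample events (hypothetical addresses and device names).
FLOW_A = FiveTuple("10.0.0.5", 4444, "192.0.2.10", 445, "tcp")
FLOW_B = FiveTuple("10.0.0.9", 5555, "192.0.2.20", 445, "tcp")
SAMPLE_EVENTS = [
    Event(100, "outbreak", "ics-server", FLOW_A),
    Event(160, "opsig_match", "ips-edge-1", FLOW_A),      # same five-tuple, inside window
    Event(200, "outbreak", "ics-server", FLOW_B),
    Event(210, "deploy_failed", "ips-branch-2", None),    # no flow: a system-level failure
    Event(900, "opacl_match", "ips-edge-1", FLOW_B),      # outside the 300 s window
]

if __name__ == "__main__":
    for flow, status in verify_containment(SAMPLE_EVENTS).items():
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto}: {status}")
    print("failed deployments:", failed_deployments(SAMPLE_EVENTS))
```

The outbreak on FLOW_B is reported as needing manual mitigation because its only matching event falls outside the correlation window, which is the case the page's last sentence covers: the events feed an inspection rule for devices that cannot enforce OPACLs or OPSigs themselves.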
78-17020-01
User Guide for Cisco Security MARS Local Controller
Cisco Incident Control Server
8-15
