Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 40

Checklist for Monitoring Phase

Task 3. Define custom inspection rules and refine system inspection rules.
Inspection rules correlate events from disparate devices into meaningful sessions that reflect the end-to-end
activities of an attack or other network session. By identifying the end-to-end view of attacks, MARS is better
able to identify mitigation points in your network. However, you can define inspection rules to accomplish
different goals: identification of an attack is just one possible goal. Other example goals include identifying use
of priority assets, network health, and refining your network configuration based on usage analysis.
MARS ships with over 100 system inspection rules; however, you may find that they do not identify the
sessions that are important to your corporate policies. For example, if you want to monitor the use of a custom
or unsupported application, you can either define a new inspection rule that monitors traffic between a selected
source and destination using a known protocol and port pair, or define a custom log parser that uniquely processes
the events generated by that application to expose the data within the event that you want to track. Monitoring a
known protocol and port pair can provide summary data, such as the number of sessions, whereas a custom log parser
can enable detailed inspection of aspects of the traffic, such as resource utilization or failed logging attempts. To
define a custom parser, you must know the message format used by that appliance, and the messages must be published to
MARS in clear text.
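The contrast drawn above, as an added example that is not part of the manual or of MARS itself: a regex parser template for constructed clear-text syslog lines from a hypothetical home-grown application ("acmeapp"), a port-pair style summary that only counts events per source/destination, and an inspection rule over the parsed fields that flags repeated failed logins. Line format, field names and thresholds are all assumptions.

```python
import re
from collections import Counter

# Constructed sample: clear-text syslog lines from a hypothetical home-grown
# application ("acmeapp"); not real MARS data. The last line carries no fields.
SAMPLE_EVENTS = [
    "2024-01-05T10:00:01Z srv1 acmeapp[412]: LOGIN user=alice src=10.1.1.5 dst=10.2.0.9:8443 result=FAIL",
    "2024-01-05T10:00:02Z srv1 acmeapp[412]: LOGIN user=alice src=10.1.1.5 dst=10.2.0.9:8443 result=FAIL",
    "2024-01-05T10:00:03Z srv1 acmeapp[412]: LOGIN user=alice src=10.1.1.5 dst=10.2.0.9:8443 result=FAIL",
    "2024-01-05T10:00:04Z srv1 acmeapp[412]: LOGIN user=bob src=10.1.1.7 dst=10.2.0.9:8443 result=OK",
    "2024-01-05T10:00:05Z srv1 acmeapp[412]: QUERY user=bob src=10.1.1.7 dst=10.2.0.9:8443 result=OK",
    "2024-01-05T10:00:06Z srv1 acmeapp[412]: heartbeat",
]

# Parser template (assumed format): the named groups are the fields exposed for inspection.
TEMPLATE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) acmeapp\[\d+\]: (?P<action>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"result=(?P<result>\w+)$"
)

def parse_event(line):
    """Return the parsed fields as a dict, or None when the line does not match the template."""
    m = TEMPLATE.match(line)
    return m.groupdict() if m else None

def parse_all(lines):
    """Parse every line, silently dropping lines the template cannot process."""
    return [e for e in (parse_event(line) for line in lines) if e]

def port_pair_summary(events, dport):
    """Port-pair monitoring: event counts per (src, dst) on one known destination port.
    This yields only summary data, nothing about what happened inside each event."""
    return dict(Counter((e["src"], e["dst"]) for e in events if e["dport"] == str(dport)))

def failed_login_rule(events, threshold):
    """Inspection rule over parsed fields: sources with at least `threshold` failed logins."""
    fails = Counter(e["src"] for e in events
                    if e["action"] == "LOGIN" and e["result"] == "FAIL")
    return sorted(src for src, n in fails.items() if n >= threshold)

if __name__ == "__main__":
    evs = parse_all(SAMPLE_EVENTS)
    print(port_pair_summary(evs, 8443))   # {('10.1.1.5', '10.2.0.9'): 3, ('10.1.1.7', '10.2.0.9'): 2}
    print(failed_login_rule(evs, 3))      # ['10.1.1.5']
```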
Organizing the rules that you create into meaningful groups can help clarify your purpose and improves the
learnability of the system. As you consider your specific goals, you should define a rule group (and a
corresponding report group) to help you refine the strategies you identified in Step 1. Because rules can be
members of multiple groups, you do not have to worry about creating multiple rules to address the same issue.
The groups are merely available to help you organize your work and allow you to focus on one strategy at a time.
Result: Any custom inspection rules are developed and existing inspection rules are configured to provide proper
notification in compliance with your corporate policies. Any custom log parsers and inspection rules are defined
that enable the audit of the traffic flows of home-grown or unsupported applications or protocols.
For more information, see:
Rule and Report Groups, page 21-24
Event Management, page 23-1
IP Management, page 23-3
Service Management, page 23-7
User Management, page 23-8
Adding User Defined Log Parser Templates, page 15-1
Inspection Rules, page 21-4
Working with System and User Inspection Rules, page 21-17
Setting Alerts, page 21-23
Sending Alerts and Incident Notifications, page 22-1
User Guide for Cisco Security MARS Local Controller
Chapter 1 STM Task Flow Overview
1-12
78-17020-01
