Devices That Require Custom Seed Files; Devices That Require Updates After The Seed File Import; Seed File Header Columns - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Chapter 2
Reporting and Mitigation Devices Overview

Devices that Require Custom Seed Files

Some reporting devices are the management consoles for the actual host- or node-based reporting devices. These consoles often act as centralized log servers for the devices they manage. However, for MARS to correctly correlate the logs from these centralized log servers, you must identify those host- or node-based reporting devices. In some cases, MARS is able to dynamically learn of the hosts or nodes by parsing the logs. In other cases, you must use a seed file generated by the management console to identify each of the managed reporting devices.

Once you generate the seed file, you must import it under the host that represents the management console in the MARS web interface to load the sensor module information from the CSV or seed file. The device types that use a custom seed file are as follows:

• Entercept. For more information, see Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5), page 7-1.
• IntruVert IntruShield. For more information, see Extracting Intruvert Sensor Information from the IntruShield Manager, page 6-22.
• Cisco Security Agent. While MARS can learn of the CSA agents dynamically, you can also import the initial list of agents using a custom seed file. For more information, see Export CSA Agent Information to File, page 7-6.
• Symantec AntiVirus. While MARS can learn of the Symantec AntiVirus agents dynamically, you can also import the initial list of agents using a custom seed file. For more information, see Export the AntiVirus Agent List, page 8-7.

Devices that Require Updates After the Seed File Import

When you add specific reporting devices using a seed file, you must edit them to complete the definition of the device before you can monitor them. Typically, these devices are IDS/IPS devices that monitor specific networks. The device types that you must update are as follows:

• Cisco IDS 4.x Devices. These sensors are defined by importing a MARS-specific seed file as defined in Load Devices From the Seed File, page 2-24. However, once you import a sensor, you must identify the networks that it monitors. For more information, see Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File, page 6-8.
• Cisco IPS 5.x Devices. These sensors are defined by importing a MARS-specific seed file as defined in Load Devices From the Seed File, page 2-24. However, once you import a sensor, you must identify the networks that it monitors. For more information, see Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File, page 6-8.
• IntruShield Sensors. These sensors are defined by importing a custom seed file; however, once you import the sensors, which appear as children of the IntruShield Manager host, you must identify the monitored networks for each sensor. For more information, see Add IntruShield Sensors Using a Seed File, page 6-27.

Seed File Header Columns

Table 2-4 describes the columns in the seed files and identifies valid values. If you do not enter a value for a given column, you must enter a comma to delineate that column.

Adding Reporting and Mitigation Devices
User Guide for Cisco Security MARS Local Controller, 78-17020-01


This manual is also suitable for:

Mars 20, Mars 50, Mars 100, Mars 200
