Host And Device Identification And Detail Strategies - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual


User Guide for Cisco Security MARS Local Controller, 2-36

Data Enabling Features

Specifying one or more networks causes MARS to generate NetFlow-based anomalies only for traffic on the specified networks. If the list is empty, the entire network is examined for anomalies. If the Local Controller is monitoring a specific zone (as defined by the Global Controller-Local Controller relationship), then this field should include only those networks for which this Local Controller is responsible.

To reduce the memory usage and increase the performance of the appliance, you can configure MARS to profile only hosts belonging to a set of valid networks.

Leaving this value blank (not specifying any networks) causes MARS to examine all networks for anomalous behavior based on the NetFlow events.

Step 6 Click Submit to save your changes.

Step 7 To enable NetFlow processing by the MARS Appliance, click Activate.

Note Before MARS can start detecting anomalies based on NetFlow data, it must first develop a baseline for network behavior. It takes a full week, including the weekend, for MARS to develop such a baseline. After this period has elapsed, MARS can start generating incidents based on NetFlow's anomaly detection.

Host and Device Identification and Detail Strategies

MARS studies many events at the network layer, relying on firewalls, routers, and IPS devices to identify anomalies and suspected incidents at a layer above the endpoint hosts that are the source or destination of network sessions. If it operates exclusively at this network layer, MARS can generate a number of false positive incidents that must be manually investigated. However, several features exist that allow you to provide host-level details to MARS:
• Enable event reporting from the hosts on your network. MARS can receive, and in some cases pull, event data directly from the hosts on your network. This additional data allows MARS to verify the success of some attacks and to report issues with the operation of a host, such as including it in "device down" reports if it is inaccessible. For more information on configuring the hosts and MARS to pull or receive data from those hosts, see the following topics:
  Adding Generic Devices, page 10-1
  Sun Solaris and Linux Hosts, page 10-2
  Microsoft Windows Hosts, page 10-4

• Manually identify the operating system type and network services running on discovered hosts. For more information, see Define Vulnerability Assessment Information, page 10-12 and Identify Network Services Running on the Host, page 10-14.

• Manually identify common hosts and nodes in your network by adding other devices via Management > IP Management. This additional data allows you to identify those hosts that are likely to be involved in network sessions without having to configure the hosts to provide event data directly to MARS. This option also allows you to provide vulnerability assessment information to assist in the reduction of false positives. For more information on adding hosts manually, see Add a Host, page 23-5.

Chapter 2 Reporting and Mitigation Devices Overview
78-17020-01
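The following is an added illustration, not code from the Cisco MARS product or this manual, of the logic the section describes: an alert seen only at the network layer (firewall, router or IPS) is a candidate incident, and host-level detail (operating system, listening services, host-reported events, reachability) plus the Valid Networks scoping from the NetFlow step is what lets a correlator downgrade candidates to likely false positives, confirm them, or flag unreachable hosts for a "device down" report. The inventory, alerts, host evidence, field names and decision rules are all constructed assumptions for the example; MARS's internal rules are not given on this page.

```python
"""Host-detail enrichment of network-layer alerts (constructed example, not Cisco code)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Host:
    """Host detail of the kind supplied via 'Add a Host' or host event reporting (assumed fields)."""
    ip: str
    os_family: str                                   # e.g. "linux", "windows", "solaris"
    services: dict = field(default_factory=dict)     # listening port -> service name
    reports_events: bool = False                     # host sends or lets MARS pull its logs
    last_seen_ok: bool = True                        # False -> candidate for a "device down" report


@dataclass
class IpsAlert:
    """A network-layer IPS alert: what the sensor saw, not whether the host was affected."""
    src: str
    dst: str
    dst_port: int
    signature: str
    targets_os: set          # OS families the attack applies to (assumed signature metadata)
    targets_service: str     # service the attack applies to


# Constructed inventory: three hosts with differing OS, services and reporting setup.
INVENTORY = {
    "10.1.1.10": Host("10.1.1.10", "linux", {22: "ssh", 80: "http"}, reports_events=True),
    "10.1.1.20": Host("10.1.1.20", "windows", {445: "smb", 3389: "rdp"}),
    "10.1.1.30": Host("10.1.1.30", "solaris", {22: "ssh"}, last_seen_ok=False),
}

# Constructed host-side evidence keyed by (host ip, signature), as host event reporting would provide.
HOST_EVIDENCE = {
    ("10.1.1.10", "HTTP-EXPLOIT-X"): "httpd worker crashed with segfault",
}


def in_valid_networks(ip, valid_networks):
    """Valid Networks scoping: empty list means examine everything, otherwise require membership."""
    if not valid_networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in valid_networks)


def classify_alert(alert, inventory, host_evidence, valid_networks=()):
    """Return one of: out_of_scope, unverified, likely_false_positive, confirmed."""
    if not in_valid_networks(alert.dst, valid_networks):
        return "out_of_scope"
    host = inventory.get(alert.dst)
    if host is None:
        # No host detail at all: the network-layer view cannot be refined, so the
        # candidate incident stays open for manual investigation.
        return "unverified"
    # Vulnerability-assessment style check: does the attack even apply to this host?
    if host.os_family not in alert.targets_os:
        return "likely_false_positive"
    if host.services.get(alert.dst_port) != alert.targets_service:
        return "likely_false_positive"
    # Host-reported events can verify the success of the attack.
    if host.reports_events and (alert.dst, alert.signature) in host_evidence:
        return "confirmed"
    return "unverified"


def device_down_report(inventory):
    """Hosts that are configured for reporting or management but are currently inaccessible."""
    return sorted(h.ip for h in inventory.values() if not h.last_seen_ok)


if __name__ == "__main__":
    alerts = [
        IpsAlert("192.0.2.7", "10.1.1.10", 80, "HTTP-EXPLOIT-X", {"linux"}, "http"),
        IpsAlert("192.0.2.7", "10.1.1.20", 80, "HTTP-EXPLOIT-X", {"linux"}, "http"),
        IpsAlert("192.0.2.7", "10.1.1.20", 445, "SMB-EXPLOIT-Y", {"windows"}, "smb"),
        IpsAlert("192.0.2.7", "10.1.1.99", 22, "SSH-EXPLOIT-Z", {"linux"}, "ssh"),
    ]
    for a in alerts:
        print(a.signature, "->", a.dst, ":", classify_alert(a, INVENTORY, HOST_EVIDENCE))
    print("device down:", device_down_report(INVENTORY))
```

Run as a script it prints one verdict per constructed alert; the design point is that every downgrade to "likely_false_positive" is traceable to a specific host attribute (OS family or the service actually listening on the port), so the analyst can see which inventory entry would need correcting if the verdict is wrong.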
