Rules


When an incident is displayed, a matching rule has fired to indicate that a possible security incident or attack is in progress. Cisco Security MARS includes a set of system rules that are automatically configured and applied to detect security incidents or attacks. Figure 10-8 displays a system rule to detect an active backdoor connection. An active backdoor connection typically signifies that a host has been compromised and that a connection is open for someone to remotely access and control this host, perhaps for use in a botnet.

Figure 10-8. System Inspection Rule to Detect an Active Backdoor Connection


In addition to the active backdoor system rule, some of the automatic or system inspection rules include detection of client exploits, firewall configuration issues, password attacks, scans, viruses found, viruses cleaned, worm propagation, and sudden traffic increases to a port.

In addition to the canned or predefined system inspection rules, Cisco Security MARS also features the ability to create customized or user inspection rules. User inspection rules can be ideal for homegrown or custom applications. These customized rules are created with the following parameters or fields:

  • Source IP

  • Destination IP

  • Service

  • Event

  • Device

  • User

  • Keyword

  • Count

  • Operation
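As an added illustration of how a user inspection rule built from the fields above is evaluated (this is example code written for this page, not Cisco Security MARS code, and the event record layout, the `ANY` wildcard and the reading of Operation as the AND/OR combinator of the field conditions are assumptions), the following evaluates two constructed rules against a handful of constructed events and reports a hit once the Count threshold is reached for a source host.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def _ev(src, dst, service, event, device, user, msg):
    return {"src": src, "dst": dst, "service": service, "event": event,
            "device": device, "user": user, "msg": msg}


# Constructed sample events; the field names are illustrative, not MARS's own schema.
SAMPLE_EVENTS = (
    [_ev("10.1.1.5", "192.168.10.20", "tcp/22", "Auth Failure", "fw-edge-1", "admin",
         "Failed password for admin")] * 5
    + [_ev("10.1.1.9", "192.168.10.20", "tcp/22", "Auth Failure", "fw-edge-1", "root",
           "Failed password for root")] * 2
    + [_ev("10.1.1.9", "192.168.10.21", "tcp/80", "Web Request", "web-proxy", "",
           "GET /index.html")]
)


@dataclass
class UserInspectionRule:
    """One rule line using the parameters listed on the page. 'ANY' leaves a field unconstrained."""
    name: str
    src: str = "ANY"        # IP or CIDR (assumption: CIDR matching is allowed)
    dst: str = "ANY"
    service: str = "ANY"    # e.g. "tcp/22"
    event: str = "ANY"      # normalised event type
    device: str = "ANY"     # reporting device
    user: str = "ANY"
    keyword: str = ""       # substring searched in the raw message
    count: int = 1          # matches needed (per source host here) before the rule fires
    operation: str = "AND"  # assumption: how the constrained fields are combined


def _conditions(rule, ev):
    """Yield one boolean per constrained field; 'ANY' fields are skipped entirely."""
    if rule.src != "ANY":
        yield ip_address(ev["src"]) in ip_network(rule.src, strict=False)
    if rule.dst != "ANY":
        yield ip_address(ev["dst"]) in ip_network(rule.dst, strict=False)
    for name in ("service", "event", "device", "user"):
        want = getattr(rule, name)
        if want != "ANY":
            yield want.lower() == ev[name].lower()
    if rule.keyword:
        yield rule.keyword.lower() in ev["msg"].lower()


def event_matches(rule, ev):
    conds = list(_conditions(rule, ev))
    if not conds:                      # a rule with no constraints matches everything
        return True
    return all(conds) if rule.operation == "AND" else any(conds)


def evaluate(rule, events):
    """Return one incident per source host whose matching events reach rule.count."""
    hits = defaultdict(int)
    for ev in events:
        if event_matches(rule, ev):
            hits[ev["src"]] += 1
    return [{"rule": rule.name, "src": src, "matches": n}
            for src, n in sorted(hits.items()) if n >= rule.count]


# Three failed SSH logins from one host inside the monitored subnet: all fields must hold.
SSH_BRUTE_FORCE = UserInspectionRule(
    name="SSH brute force (custom)", src="10.1.1.0/24", service="tcp/22",
    event="Auth Failure", keyword="Failed password", count=3, operation="AND")

# Either a root login attempt or any HTTP GET is enough: fields combined with OR.
ROOT_OR_GET = UserInspectionRule(
    name="root login or web GET (custom)", user="root", keyword="GET",
    count=1, operation="OR")

if __name__ == "__main__":
    for rule in (SSH_BRUTE_FORCE, ROOT_OR_GET):
        print(evaluate(rule, SAMPLE_EVENTS))
```

Keying the count on the source address is what lets the incident name the offending host; 10.1.1.9 produces only two SSH failures and so stays below the threshold of the first rule while still tripping the second.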

Rule information for a specific incident is available by selecting the incident details from the dashboard. General rule information is also available by selecting the Rules tab from the top of the Cisco Security MARS GUI.

Cisco Security MARS was one of the first security monitoring products on the market to incorporate Netflow data. Netflow is a feature of Cisco IOS routers and Catalyst LAN switches. Netflow is essentially a record of a traffic flow between a particular source and destination through the IOS router. Netflow contains a high-level record of the source IP address, destination IP address, the time of the connection, and the duration of the connection.

Cisco IOS routers and Catalyst LAN switches running IOS periodically send a Netflow record to a Netflow collector such as Cisco Security MARS. This Netflow record is sent over User Datagram Protocol (UDP) and is highly efficient because it is merely a record of a traffic flow as opposed to a packet-by-packet dump of the traffic flow. Netflow contains the following information:

  • Source IP address

  • Destination IP address

  • Ports/protocol

  • Total packets

  • Total bytes

Netflow is used by Cisco Security MARS to create a baseline of normal network traffic. This baseline is used to identify anomalous network behavior that can be indicative of several types of network attacks, including distributed denial-of-service (DDoS) attacks and worms that are sending large amounts of network traffic. Cisco Security MARS also contains integrated system inspection rules for IPS (Intrusion Prevention Service) that leverage Netflow information to signify a security incident or network attack, thus reducing the false positives that are sometimes associated with IPS. Netflow information, including the number of Netflow events received in the last 24 hours, is available on the dashboard.
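The baselining described above, as an added example written for this page rather than code from Cisco Security MARS: a set of constructed flow records carrying the fields listed (source, destination, port/protocol, packets, bytes) plus a collection-window number are reduced to bytes per destination port per window, a mean and standard deviation per port form the baseline, and the current window is flagged where it exceeds the baseline by a configurable number of standard deviations (the sudden-traffic-increase and DDoS case). A second check counts distinct destinations per source and port, the fan-out pattern of a propagating worm. The record layout, the window boundaries and the thresholds are assumptions, not MARS's internal representation.

```python
from collections import defaultdict
from statistics import mean, pstdev


def _flow(window, src, dst, proto, dport, packets, nbytes):
    # Simplified NetFlow-style record (constructed); not a real NetFlow v5/v9 export.
    return {"window": window, "src": src, "dst": dst, "proto": proto,
            "dport": dport, "packets": packets, "bytes": nbytes}


# Four collection windows of "normal" traffic with a little per-window variation.
BASELINE_FLOWS = []
for w, wobble in enumerate([0, 20_000, -15_000, 5_000], start=1):
    BASELINE_FLOWS += [
        _flow(w, "10.1.1.10", "192.168.10.20", "tcp", 80, 900, 1_000_000 + wobble),
        _flow(w, "10.1.1.11", "192.168.10.20", "tcp", 80, 100, 120_000),
        _flow(w, "10.1.1.12", "192.168.10.30", "tcp", 445, 40, 50_000 - wobble // 2),
    ]

# Current window: port 80 looks normal; one host sprays port 445 at twelve neighbours.
CURRENT_FLOWS = [
    _flow(5, "10.1.1.10", "192.168.10.20", "tcp", 80, 950, 1_030_000),
    _flow(5, "10.1.1.11", "192.168.10.20", "tcp", 80, 110, 125_000),
] + [
    _flow(5, "10.1.1.7", f"192.168.10.{n}", "tcp", 445, 120, 150_000)
    for n in range(40, 52)
]


def per_window_port_bytes(flows):
    """Total bytes keyed by (window, proto, dport)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["window"], f["proto"], f["dport"])] += f["bytes"]
    return totals


def build_baseline(flows):
    """Per (proto, dport): mean and population stdev of bytes per window."""
    series = defaultdict(list)
    for (_window, proto, dport), b in per_window_port_bytes(flows).items():
        series[(proto, dport)].append(b)
    return {key: (mean(v), pstdev(v)) for key, v in series.items()}


def port_anomalies(baseline, current, k=3.0):
    """Ports whose current-window bytes exceed mean + k*stdev of the baseline.

    A port never seen during baselining has (0, 0) and is therefore always reported,
    which is the conservative choice for a new service suddenly attracting traffic.
    """
    out = []
    for (_window, proto, dport), b in sorted(per_window_port_bytes(current).items()):
        mu, sigma = baseline.get((proto, dport), (0.0, 0.0))
        if b > mu + k * sigma:
            out.append({"proto": proto, "dport": dport, "bytes": b, "baseline_mean": mu})
    return out


def fan_out(flows, min_targets=10):
    """Sources reaching at least min_targets distinct hosts on one port (worm heuristic)."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f["src"], f["proto"], f["dport"])].add(f["dst"])
    return [{"src": s, "proto": p, "dport": d, "targets": len(t)}
            for (s, p, d), t in sorted(targets.items()) if len(t) >= min_targets]


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for key, (mu, sigma) in sorted(base.items()):
        print(f"baseline {key}: mean={mu:.0f} bytes, stdev={sigma:.0f}")
    print("port anomalies:", port_anomalies(base, CURRENT_FLOWS))
    print("fan-out:", fan_out(CURRENT_FLOWS))
```

Four windows is far too short a history for a production baseline; the point is the shape of the computation, which is why the port 80 total in the current window (1,155,000 bytes) sits just under the mean-plus-three-sigma line and is correctly left alone while port 445 is reported on both counts.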



Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539
Pages: 112