Mars Events Diagram

MARS is much more than an IDS management system.

(1) Devices send raw logs, alerts and messages to MARS.
(2) MARS discovers the network topology.
(3) Data "sessions" are created, i.e. if one TCP flow passes through more than one device, MARS receives two events but records one session.
(4) All sessions are correlated against rules to find problems / security incidents.
(5) Vulnerability information is gathered to determine whether the incident is a real risk to the target.
(6) Where possible, incident mitigation suggestions are made.
(7) With the information gathered in steps 1 to 5, false positives can be removed, e.g. if a firewall blocks an attack picked up by an IDS, the incident is logged as a false positive.
