Troubleshooting
Problem
Symptom
Cause
Diagnosing The Problem
Procedure
- Use SSH to log in to the QRadar Console as the root user.
- Open an SSH session to the QRadar appliance receiving the events.
- Type the following command to verify whether the interface is logging packets from your source device as 'martian':
grep martian /var/log/messages
Sep 25 14:13:51 radar kernel: martian source xx.xx.xx.xx from xx.xx.xx.xx, on dev eth1
- If your appliance is reporting events from a device in tcpdump, but not identifying any martian sources, contact QRadar Support for more assistance with this issue.
- If your appliance is reporting martian sources for events, see the Resolving the problem section.
Resolving The Problem
If martian sources are reported in /var/log/messages, contact your network administrator to correct the routing or packet spoofing issues. If you continue to experience issues, you can modify your rp_filter settings. Because these settings control how appliances prevent IP spoofing used in DDoS attacks, strict mode is enabled by default on QRadar appliances, as defined in RFC 3704.
Procedure
If your appliance is proxied or firewalled, discuss a change with your network administrator and consider either loose mode or the disable option for rp_filter on IPv4 addresses. Disabling filtering by setting the configuration to 'No source validation' can resolve this issue when the network errors cannot be easily corrected, but it might expose your appliance interfaces to security issues.
- Use SSH to log in to the QRadar Console as the root user.
- Open an SSH session to the QRadar appliance receiving the martian events.
- Edit the /etc/sysctl.conf file.
- Modify the value of the net.ipv4.conf.all.rp_filter parameter to allow the configuration change to persist after a reboot:
net.ipv4.conf.all.rp_filter = {integer}
Options
0 - No source validation.
1 - Strict mode filtering as defined in RFC 3704 (default).
2 - Loose mode filtering as defined in RFC 3704.
- Modify the value of the net.ipv4.conf.{interface}.rp_filter parameter to allow a specific interface to use a new filtering value:
net.ipv4.conf.{interface}.rp_filter = {integer}
For example, to set loose filtering on eth1, type: net.ipv4.conf.eth1.rp_filter = 2
Options
0 - No source validation.
1 - Strict mode filtering as defined in RFC 3704 (default).
2 - Loose mode filtering as defined in RFC 3704.
- To restart the network service, type:
sysctl -p
- To confirm the rp_filter configuration is correct after the service restart, type:
cat /proc/sys/net/ipv4/conf/<NIC>/rp_filter
After the service restarts, log in to the QRadar Console and verify events are visible in the Log Activity tab. If you continue to experience issues with martian packets, contact your network team for further assistance or repeat this procedure to disable filtering, if advised by your network security team.
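The two checks above (grepping /var/log/messages for martian entries and reading rp_filter per interface) can be combined into a short script that summarises which interface and source address are being dropped, which is what your network team will ask for. This is an added example, not part of the IBM technote; the log lines are constructed in the same format as the kernel message shown above (the kernel logs the destination first, then the source), and show_rp_filter only works on a live Linux host.

```shell
#!/bin/sh
# Added example: summarise kernel "martian source" messages per interface and
# report the effective rp_filter mode of each interface.

# Constructed sample of /var/log/messages lines (not real QRadar data).
SAMPLE_LOG='Sep 25 14:13:51 radar kernel: martian source 10.0.0.5 from 192.168.1.20, on dev eth1
Sep 25 14:13:52 radar kernel: martian source 10.0.0.5 from 192.168.1.20, on dev eth1
Sep 25 14:14:10 radar kernel: martian source 10.0.0.5 from 172.16.4.9, on dev eth0
Sep 25 14:14:11 radar kernel: ll header: 00000000: ff ff ff ff'

# Read log text on stdin; print "iface dest src" for every martian line.
martian_records() {
  grep 'martian source' |
    sed -n 's/.*martian source \([^ ]*\) from \([^,]*\), on dev \([^ ]*\).*/\3 \1 \2/p'
}

# Count entries per (interface, source) pair, most frequent first: "count iface src".
martian_summary() {
  martian_records | awk '{ n[$1 " " $3]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Map a numeric rp_filter value to the mode names used in the procedure above.
rp_filter_mode() {
  case "$1" in
    0) echo "no source validation" ;;
    1) echo "strict mode (RFC 3704, default)" ;;
    2) echo "loose mode (RFC 3704)" ;;
    *) echo "unknown value: $1"; return 1 ;;
  esac
}

# Live-host check: print the effective mode for every interface under /proc.
show_rp_filter() {
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    [ -r "$f" ] || continue
    iface=$(basename "$(dirname "$f")")
    printf '%-8s %s\n' "$iface" "$(rp_filter_mode "$(cat "$f")")"
  done
}

# Run against the constructed sample; on an appliance pipe /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | martian_summary
```

On an appliance, run `martian_summary < /var/log/messages` and `show_rp_filter` together so the drop counts can be read next to the filter mode of the interface that logged them.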
Document Location
Worldwide
Document Information
Modified date:
31 August 2022
UID
ibm16606669