topic Re: CS-MARS - Drop rule keyword based in Network Security

CS-MARS - Drop rule keyword based

JUCETA — Fri, 21 Feb 2020 09:12:50 GMT

Hi all,

I need to create a new rule based on a keyword. I'm able to add an inspection rule but not a drop rule. The problem is Cisco MARS is showing up lots of events from a reporting IPS who is blocking that events. In this manner, the IPS is tagging all traffic blocked and when it gets the MARS, I have to open the event to see if it's a real threat or it's just a event blocked by IPS.

Now, all tagged traffic is matching with my inspection rule but I don't want to see more events from that rule, just log into the database, I mean, the alternate action to "drop" in a drop rule.

Any idea?

Thanks a lot.

Re: CS-MARS - Drop rule keyword based

beth-martin — Mon, 09 Oct 2006 14:06:44 GMT

would use the rule with

the "/" since that's the standard format used in Regex string:

[Hh][Oo][Ss][Tt]:\x20.+\.[Rr][Uu][/\r/\n]

Re: CS-MARS - Drop rule keyword based

JUCETA — Tue, 10 Oct 2006 05:11:56 GMT

Hi Beth,

Excuse me but I don't understand what you mean with that string. What I'm saying is there's no way to create a drop rule using a keyword. P.e. I want to drop all events from the matching rule called "Password scan" where the keyword "Administrator" is used. You can only apply an action in drop rules, and using a keyword in inspection rules.

Sorry again if I don't understand what you mean or where apply the regex string you're talking about.

Thanks a lot.