https://community.cisco.com/t5/network-security/mars-rules/m-p/1402349#M923797 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><DIV class="jive-rendered-content"><P>Thanks ganesh,</P><P></P><P>There are plenty of rules in MARS to trigger the incident,If i deactivate those i wont get any incident from that rule,but what are the most typical one's which are always kept active in view of attack's and service unavailability.</P><P></P><P>I have not worked on MARS ,i will be going to install soon,making things clear before implementation.</P><P></P><P>Thanks</P></DIV><P></P></PRE><P>Hi Thomas,</P><P></P><P>Check out the below link hope that helps</P><P></P><P><A class="jive-link-external-small" href="http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044">http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044</A></P><P></P><P>Ganesh.H</P></BODY></HTML> Fri, 05 Mar 2010 15:00:23 GMT Ganesh Hariharan 2010-03-05T15:00:23Z https://community.cisco.com/t5/network-security/mars-rules/m-p/1402346#M923792 <P>Hello Dear's</P><P></P><P>There are many unwanted incidents generating in my MARS, how can i customized to important's only and to avoid unwanted ones.</P><P></P><P>Thanks,</P> Fri, 21 Feb 2020 11:53:22 GMT https://community.cisco.com/t5/network-security/mars-rules/m-p/1402346#M923792 thomasandy32 2020-02-21T11:53:22Z https://community.cisco.com/t5/network-security/mars-rules/m-p/1402347#M923793 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><DIV class="jive-rendered-content"><P>Hello Dear's</P><P></P><P>There are many unwanted incidents generating in my MARS, how can i customized to important's only and to avoid unwanted ones.</P><P></P><P>Thanks,</P></DIV><P></P></PRE><P></P><P>Hi,</P><P></P><P>Check ou the below link on MARS rule configuration hope that helps.</P><P></P><P><A class="jive-link-external-small" href="http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044">http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044</A></P><P></P><P>Remember to rate the helpful post</P><P></P><P>Ganesh.H</P></BODY></HTML> Tue, 02 Mar 2010 11:51:49 GMT https://community.cisco.com/t5/network-security/mars-rules/m-p/1402347#M923793 Ganesh Hariharan 2010-03-02T11:51:49Z https://community.cisco.com/t5/network-security/mars-rules/m-p/1402348#M923795 <HTML><HEAD></HEAD><BODY><P>Thanks ganesh,</P><P></P><P>There are plenty of rules in MARS to trigger the incident,If i deactivate those i wont get any incident from that rule,but what are the most typical one's which are always kept active in view of attack's and service unavailability.</P><P></P><P>I have not worked on MARS ,i will be going to install soon,making things clear before implementation.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 02 Mar 2010 12:41:56 GMT https://community.cisco.com/t5/network-security/mars-rules/m-p/1402348#M923795 thomasandy32 2010-03-02T12:41:56Z https://community.cisco.com/t5/network-security/mars-rules/m-p/1402349#M923797 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><DIV class="jive-rendered-content"><P>Thanks ganesh,</P><P></P><P>There are plenty of rules in MARS to trigger the incident,If i deactivate those i wont get any incident from that rule,but what are the most typical one's which are always kept active in view of attack's and service unavailability.</P><P></P><P>I have not worked on MARS ,i will be going to install soon,making things clear before implementation.</P><P></P><P>Thanks</P></DIV><P></P></PRE><P>Hi Thomas,</P><P></P><P>Check out the below link hope that helps</P><P></P><P><A class="jive-link-external-small" href="http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044">http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044</A></P><P></P><P>Ganesh.H</P></BODY></HTML> Fri, 05 Mar 2010 15:00:23 GMT https://community.cisco.com/t5/network-security/mars-rules/m-p/1402349#M923797 Ganesh Hariharan 2010-03-05T15:00:23Z https://community.cisco.com/t5/network-security/mars-rules/m-p/1402350#M923798 <HTML><HEAD></HEAD><BODY><P>There's a "False Positive Tuning" link to the right of each incident.&nbsp; You will need to review the data provided in the incident to decide if the information is relative to an attack.&nbsp; The false positives, based on your discretion, can be logged but not alerted, or completely dropped.&nbsp; You can configure false positives based on port information, IP, time/date, reporting device, etc.</P></BODY></HTML> Mon, 15 Mar 2010 16:31:22 GMT https://community.cisco.com/t5/network-security/mars-rules/m-p/1402350#M923798 chris.cumbaa 2010-03-15T16:31:22Z