10-03-2006 06:34 AM - edited 02-21-2020 01:12 AM
Hi all,
I need to create a new rule based on a keyword. I'm able to add an inspection rule but not a drop rule. The problem is that Cisco MARS is showing lots of events from a reporting IPS that is blocking those events. In this manner, the IPS is tagging all blocked traffic, and when it gets to MARS, I have to open the event to see if it's a real threat or just an event blocked by the IPS.
Now, all tagged traffic matches my inspection rule, but I don't want to see more events from that rule, just log them into the database; I mean, the alternate action to "drop" in a drop rule.
Any idea?
Thanks a lot.
10-09-2006 07:06 AM
would use the rule with the "/" since that's the standard format used in Regex string:
[Hh][Oo][Ss][Tt]:\x20.+\.[Rr][Uu][/\r/\n]
10-09-2006 10:11 PM
Hi Beth,
Excuse me, but I don't understand what you mean by that string. What I'm saying is that there's no way to create a drop rule using a keyword. E.g., I want to drop all events from the matching rule called "Password scan" where the keyword "Administrator" is used. You can only apply an action in drop rules, and use a keyword in inspection rules.
Sorry again if I don't understand what you mean or where to apply the regex string you're talking about.
Thanks a lot.