CSA Rule Exception issue

kerraj2004 · ‎07-19-2007

Is it possible when creating an exception with the Rule Wizard to not have it create a new rule module every time a rule is created.

I would like to just add rules to an Exceptions policy that is applied to the group with out it creating a new rule module every time.

Bradley Spencer · ‎07-19-2007

It is not possible.

You have the choice of a new rule module (the exception module) or add it to the module containing the rule that triggered the event(not recommended).

You just have to go through the wizard, copy where you want it and delete the exception created by the wizard.

kerraj2004 · ‎07-19-2007

Bradley,

I thought so and that is what i have been doing is copying the rule and deleting the other rule module.

Thanks

Adam

tsteger1 · ‎07-19-2007

I took a slightly different path with CSA 5.2 than I did with 4.0 and I feel it makes less work after creating exceptions with the wizard.

The wizard will create only one exception module per rule module and will put all subsequent wizard created exceptions in that module.

You may conceivably end up with double the number of rule modules if you create exceptions for every module (not very likely) but it keeps them in easily identifiable locations.

Just my two cents worth..

Tom

kerraj2004 · ‎07-19-2007

So Tom,

Basically you are saying create a Network Access Control Rule Module one time and then all the exception that pertain to that module will fall underneath that Module automatically?

Thanks,

Adam

jwalker · ‎07-19-2007

The way we do it is by creating an exception policy for each system or group of systems that we want exceptions for then adding the exceptions there. This is very easy if you make exceptions manually (recommended), but is more difficult if you do it with the crappy wizard.

Jay

tsteger1 · ‎07-20-2007

Hi Adam

Yes, it says that in the user guide and I experienced the same thing when doing it.

Part of the user guide seems a bit confusing to me though.

The 1st statement on page 10-22 in the CSA 5.2 User guide is correct:

You can create a new rule module (an "exception rule module") which

would contain the new exception rule. (This is the default and recommended choice.)

The 2nd statement is (I feel) incorrect:

"This new module would be attached to a new exception policy which is then

attached to the group(s) containing the host from which the event was received."

I've done this several times and have yet to see it create an separate exception policy

And the 3rd statement is correct:

"If you choose to create this exception module, all subsequent exception rules you

create through the wizard will be added to the same exception module and policy

if the group it is to be applied to is also the same. Therefore, a group could only

have one exception policy, but contain an exception rule module with any number

of exception allow rules created through the wizard."

Tom

jan.nielsen · ‎07-21-2007

Like someone has suggested, the proper way to do this is to create your own rule module with execptions, maybe do several based on what policy they belong to or what application it is concerning, then just hit copy the text of the event, hit the rule number, choose the rule, copy to your own rule module and tune it with the info from the event text you just copied. This is how i work with csa, in my eyes the wizard is really just for learning purposes.