09-19-2006 04:40 AM - edited 03-10-2019 03:13 AM
I created a drop rule, dest and src IPs are "ANY", and the hostnames as seen in MARS. I chose "drop" as the action, not "log to db only". The event is "Inactive CS-MARS reporting device", device is "ANY", severity is "ANY", time range is "ANY". I clicked apply, submit and activate.
How come on my Summary | dashboard screen I still see these incidents? I was hoping this would stop. Is this expected behavior, or have I done something incorrectly?
Thanks,
Bob
09-19-2006 09:53 AM
I vaguely recall reading something about not being able to use a drop rule to prevent these. You have to inactivate the rule.
09-20-2006 06:34 AM
Here is the bug id. It appears to have been fixed now based on your results.
09-19-2006 10:34 PM
I've solved that problem by including both "ANY" and "0.0.0.0" in the source address. CS-MARS doesn't understand that ANY must include 0.0.0.0.
Concerning the dashboard, you'll see the events for a while, and previous incidents will be saved in the incident list. Once you add "0.0.0.0" to the source address, you won't see any more inactive CS-MARS events. The most important issue when filtering that event is that it produces a very high number of events, and all reports must be created using "!=Inactive CS-MARS reporting device".
As I told you, from now on you won't see that event any more.
Good luck!!
ps: Please, rate the post.
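The workaround above (adding "0.0.0.0" next to "ANY" in the drop rule's source field, and excluding the event type from reports) can be illustrated with a small model of rule matching. This is an added example, not CS-MARS code or anything from the thread; it assumes, as the thread describes, that "ANY" does not cover the unspecified address 0.0.0.0, and the sample events and addresses are constructed.

```python
from dataclasses import dataclass

INACTIVE_EVENT = "Inactive CS-MARS reporting device"
UNSPECIFIED = "0.0.0.0"  # source address the thread says these events carry


@dataclass(frozen=True)
class Event:
    event_type: str
    src: str
    dst: str


@dataclass(frozen=True)
class DropRule:
    event_type: str        # "ANY" or a specific event type
    sources: frozenset     # may contain "ANY" and/or literal addresses
    destinations: frozenset


def _addr_matches(selector: frozenset, addr: str) -> bool:
    """Hypothetical model of the matcher behaviour described in the thread:
    'ANY' stands for every real address, but 0.0.0.0 only matches when
    it is listed explicitly."""
    if addr in selector:
        return True
    return "ANY" in selector and addr != UNSPECIFIED


def rule_drops(rule: DropRule, ev: Event) -> bool:
    type_ok = rule.event_type in ("ANY", ev.event_type)
    return (type_ok and _addr_matches(rule.sources, ev.src)
            and _addr_matches(rule.destinations, ev.dst))


def surviving_events(rules, events):
    """Events that still reach the dashboard: nothing in `rules` drops them."""
    return [ev for ev in events if not any(rule_drops(r, ev) for r in rules)]


def report_view(events):
    """The '!=Inactive CS-MARS reporting device' report filter from the thread."""
    return [ev for ev in events if ev.event_type != INACTIVE_EVENT]


# Constructed sample: two inactive-device events plus one ordinary event.
SAMPLE_EVENTS = [
    Event(INACTIVE_EVENT, UNSPECIFIED, "192.0.2.10"),
    Event(INACTIVE_EVENT, UNSPECIFIED, "192.0.2.10"),
    Event("Built/teardown/permitted IP connection", "192.0.2.20", "192.0.2.30"),
]
# Bob's original rule (source "ANY" only) versus the fixed rule from this post.
ORIGINAL_RULE = DropRule(INACTIVE_EVENT, frozenset({"ANY"}), frozenset({"ANY"}))
FIXED_RULE = DropRule(INACTIVE_EVENT, frozenset({"ANY", UNSPECIFIED}), frozenset({"ANY"}))
```

With `ORIGINAL_RULE` all three sample events survive, because 0.0.0.0 never matches "ANY" in this model; with `FIXED_RULE` only the ordinary connection event remains.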
09-20-2006 05:00 AM
Thanks Juceta,
That seems to have solved the problem, no new incidents for the last couple of hours.
Thanks,
Bob