Right now most of the rules I am creating are drop rules while doing the initial tuning of my MARS box. When I use the query to save as a rule, it apprears that you can only save it as an inspection rule and never as a drop rule. Am I missing something?
That's a question in very relationship with another I've posted. I can create lots of inspection rules based on keywords but I can not create a drop rule based on that. P.e. There's a lot of logs originated in domain controllers that I'm able to classify them based on "User Name: Local-Admin" words and their source IP. I'm sure that's correct and I want to drop all events. It's not possible. I can only create an inpection rule, not a drop rule.
Thanks a lot.
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
