Mars Rules

thomasandy32 · ‎03-02-2010

Hello Dear's

There are many unwanted incidents generating in my MARS, how can i customized to important's only and to avoid unwanted ones.

Thanks,

Ganesh Hariharan · ‎03-02-2010

Hello Dear's

There are many unwanted incidents generating in my MARS, how can i customized to important's only and to avoid unwanted ones.

Thanks,

Hi,

Check ou the below link on MARS rule configuration hope that helps.

http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044

Remember to rate the helpful post

Ganesh.H

thomasandy32 · ‎03-02-2010

Thanks ganesh,

There are plenty of rules in MARS to trigger the incident,If i deactivate those i wont get any incident from that rule,but what are the most typical one's which are always kept active in view of attack's and service unavailability.

I have not worked on MARS ,i will be going to install soon,making things clear before implementation.

Thanks

Ganesh Hariharan · ‎03-05-2010

Thanks ganesh,

There are plenty of rules in MARS to trigger the incident,If i deactivate those i wont get any incident from that rule,but what are the most typical one's which are always kept active in view of attack's and service unavailability.

I have not worked on MARS ,i will be going to install soon,making things clear before implementation.

Thanks

Hi Thomas,

Check out the below link hope that helps

http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044

Ganesh.H

chris.cumbaa · ‎03-15-2010

There's a "False Positive Tuning" link to the right of each incident. You will need to review the data provided in the incident to decide if the information is relative to an attack. The false positives, based on your discretion, can be logged but not alerted, or completely dropped. You can configure false positives based on port information, IP, time/date, reporting device, etc.