Mars Rules
03-02-2010 03:04 AM - edited 02-21-2020 03:53 AM
Hello dears,
There are many unwanted incidents being generated in my MARS. How can I customize it to show only the important ones and avoid the unwanted ones?
Thanks,

03-02-2010 03:51 AM
Hi,
Check out the link below on MARS rule configuration; hope that helps.
http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044
Remember to rate the helpful post.
Ganesh.H
03-02-2010 04:41 AM
Thanks Ganesh,
There are plenty of rules in MARS to trigger incidents. If I deactivate those, I won't get any incidents from that rule, but what are the most typical ones which are always kept active in view of attacks and service unavailability?
I have not worked on MARS. I will be installing it soon and am making things clear before implementation.
Thanks

03-05-2010 07:00 AM
Hi Thomas,
Check out the link below; hope that helps.
http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044
Ganesh.H
03-15-2010 09:31 AM
There's a "False Positive Tuning" link to the right of each incident. You will need to review the data provided in the incident to decide if the information is relative to an attack. The false positives, based on your discretion, can be logged but not alerted, or completely dropped. You can configure false positives based on port information, IP, time/date, reporting device, etc.
