Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1029
Views
0
Helpful
4
Replies

Mars Rules

thomasandy32
Level 1
Level 1

‎03-02-2010 03:04 AM - edited ‎02-21-2020 03:53 AM

Hello Dear's

There are many unwanted incidents generating in my MARS, how can i customized to important's only and to avoid unwanted ones.

Thanks,

0 Helpful
4 Replies 4

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎03-02-2010 03:51 AM 

Hello Dear's
There are many unwanted incidents generating in my MARS, how can i customized to important's only and to avoid unwanted ones.
Thanks,

Hi,

Check ou the below link on MARS rule configuration hope that helps.

http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044

Remember to rate the helpful post

Ganesh.H

0 Helpful

thomasandy32
Level 1
Level 1
In response to Ganesh Hariharan

‎03-02-2010 04:41 AM

Thanks ganesh,

There are plenty of rules in MARS to trigger the incident,If i deactivate those i wont get any incident from that rule,but what are the most typical one's which are always kept active in view of attack's and service unavailability.

I have not worked on MARS ,i will be going to install soon,making things clear before implementation.

Thanks

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to thomasandy32

‎03-05-2010 07:00 AM 

Thanks ganesh,
There
are plenty of rules in MARS to trigger the incident,If i deactivate
those i wont get any incident from that rule,but what are the most
typical one's which are always kept active in view of attack's and
service unavailability.
I have not worked on MARS ,i will be going to install soon,making things clear before implementation.
Thanks

Hi Thomas,

Check out the below link hope that helps

http://www.sans.org/reading_room/whitepapers/logging/configuring_and_tuning_cisco_csmars_2044

Ganesh.H

0 Helpful

chris.cumbaa
Level 1
Level 1
In response to thomasandy32

‎03-15-2010 09:31 AM

There's a "False Positive Tuning" link to the right of each incident.  You will need to review the data provided in the incident to decide if the information is relative to an attack.  The false positives, based on your discretion, can be logged but not alerted, or completely dropped.  You can configure false positives based on port information, IP, time/date, reporting device, etc.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card