MARS rules

mmorris11
Level 4

I am wading into the art of rule creation in MARS. I wrote a rule and it doesn't seem to work. Then I took everything out of the rule such that it is "any" all the way across. Then I ran an "any" query using this "any" rule and I get no results but without the rule attached to the query I get a flood of results as expected with an open query.

I am using a count of 1 and time range of 30 seconds. Any help is appreciated.

2 Replies

wiluszm
Level 1

Hi mmorris11,

Great to hear you're trying to dive in and create some MARS rules. It's truly an art to design an advanced rule. I have a fairly basic example on my blog at http://cs-mars.blogspot.com . My recommendation is to view the raw logs and find the entry you're looking to generate a rule about. Let's say you want to generate a rule whenever an IOS device updates its clock using NTP. When you view the raw events... you'll see:

Sep 29 12:08:42: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:08:43 EDT Fri Sep 29 2006 to 12:08:42 EDT Fri Sep 29 2006, configured from NTP by 63.139.0.1

To write this rule I would use any across the board much like you do, but under "Keyword" have the rule look for "%SYS-6-CLOCKUPDATE". Your counts are correct along with the time range. From here save it and always make sure to use the "Activate" button in the upper-right of the console to activate the rules.

I know this is a rather basic example but it should get you started. You'll find you'll make your rules more and more complex as you attempt to narrow your incidents to more specific security events. It just takes time and testing. Anything else I can help with, let me know.

-Mike

http://cs-mars.blogspot.com
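An added example, not MARS code and not from Mike's blog, of the keyword rule described above (every field "any", keyword `%SYS-6-CLOCKUPDATE`, a count and a time range) applied to constructed IOS syslog lines; the year 2006 is assumed because the IOS timestamp prefix carries no year.

```python
"""Minimal keyword rule with count / time-range semantics, modelled on the
MARS rule in the reply above. This is an illustration of the matching logic,
not MARS's own engine, which is not documented on this page."""
from datetime import datetime, timedelta

# Constructed sample events in the IOS syslog format quoted in the reply.
SAMPLE_LOG = """\
Sep 29 12:08:42: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:08:43 EDT Fri Sep 29 2006 to 12:08:42 EDT Fri Sep 29 2006, configured from NTP by 63.139.0.1
Sep 29 12:08:50: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
Sep 29 12:09:05: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:09:06 EDT Fri Sep 29 2006 to 12:09:05 EDT Fri Sep 29 2006, configured from NTP by 63.139.0.1
Sep 29 12:09:40: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:09:41 EDT Fri Sep 29 2006 to 12:09:40 EDT Fri Sep 29 2006, configured from NTP by 63.139.0.1"""


def parse_ts(line, year=2006):
    """Parse the 'Mon DD HH:MM:SS' prefix; the year is assumed, IOS omits it."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def match_keyword_rule(lines, keyword, count=1, window_seconds=30):
    """Return the timestamps at which the rule fires.

    The rule fires whenever `count` events containing `keyword` fall inside a
    sliding window of `window_seconds`. Every other field is left "any", so
    only the keyword and the timestamp are examined, as in the reply above.
    """
    hits = [parse_ts(line) for line in lines if keyword in line]
    window = timedelta(seconds=window_seconds)
    fired = []
    for i in range(len(hits)):
        j = i + count - 1            # index of the count-th event in this window
        if j < len(hits) and hits[j] - hits[i] <= window:
            fired.append(hits[j])    # fires on the event that completes the count
    return fired


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # count=1, 30 s: every CLOCKUPDATE event fires the rule (3 incidents).
    for ts in match_keyword_rule(lines, "%SYS-6-CLOCKUPDATE"):
        print("fired (count=1):", ts)
    # count=2, 30 s: only the 12:08:42 / 12:09:05 pair is close enough.
    for ts in match_keyword_rule(lines, "%SYS-6-CLOCKUPDATE", count=2):
        print("fired (count=2):", ts)
```

Raising the count or shrinking the window is how the same keyword rule is narrowed from "every clock update" to "a burst of clock updates", which is the tuning step the reply describes.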

Thanks for the input. What I experienced over the weekend is that my rules finally got going over the weekend. I guess it just takes a while to get "primed". I am eager to learn more about how MARS processes data from reporting devices so I can more accurately predict the behaviors that result from building new rules. I am also glad to know about your blogspot. Thanks!

-mike
