08-21-2008 06:11 AM
Hello All,
I am having trouble understanding the different Event Type Groups used in the different MARS rules. For example, when looking through incidents generated I found
port Scans
ping sweeps
server scans for specific ports
and others
that are all being fired under the rule
System Rule: Network Activity: P2P File Sharing - Active
or under the rule
System Rule: Network Activity: Excessive Denies - Host Compromise Likely.
When looking closer at these rules I have noticed they contain some (what I thought were) very generic event type groups.
Is there a resource that you guys know of that describes or goes into details about the event type groups? I have tried most of the Cisco recommended MARS books, and haven't found much detail.
-Thanks.
08-21-2008 12:39 PM
There is only limited description about these at the end of the MARS user guide.
These are the most annoying 'RULES' in MARS and you usually have to tune them either at the reporting device or on MARS itself. The device-side tuning is preferred but is not always possible.
Regards
Farrukh
08-25-2008 05:22 AM
Thanks, although not the answer I was hoping for, I'll look into tuning these rules.
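The thread's point is that a rule built on a broad event type group will fire on anything in that group, which is why port scans and ping sweeps end up under a P2P rule. The following is an added example, not code from the thread or from Cisco MARS: it models a correlation rule as a set of event types expanded from named groups, runs it over constructed events, and then shows the two tuning options the answer mentions (narrowing or excluding on the MARS side, and suppressing at the reporting device). The group names and their members are hypothetical; only the two rule names come from the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Event:
    """One normalized event as a SIEM would receive it from a reporting device."""
    device: str      # reporting device that sent the event
    src: str         # source address
    dst: str         # destination address (or range, for sweeps)
    event_type: str  # normalized event type name


# Constructed event type groups. The group names and members are hypothetical
# and stand in for the generic groups a correlation rule might reference.
GROUPS: Dict[str, Set[str]] = {
    "Probe/Scan/All": {"Port Scan", "Ping Sweep", "Server Scan"},
    "P2P/Traffic": {"BitTorrent Handshake", "Gnutella Query"},
    "Firewall/Deny": {"Firewall Deny"},
}


def expand(group_names: Iterable[str]) -> Set[str]:
    """Flatten named event type groups into the concrete event types they contain."""
    types: Set[str] = set()
    for name in group_names:
        types |= GROUPS[name]
    return types


@dataclass
class Rule:
    """A single-line correlation rule: fire when the event type is in the rule's
    expanded group set and the source is not on the exclusion list (the MARS-side knob)."""
    name: str
    event_types: Set[str]
    excluded_sources: Set[str] = field(default_factory=set)

    def matches(self, e: Event) -> bool:
        return e.event_type in self.event_types and e.src not in self.excluded_sources


def run_rules(rules: List[Rule], events: Iterable[Event]) -> Dict[str, List[Event]]:
    """Return, per rule name, the events that would raise an incident."""
    hits: Dict[str, List[Event]] = {r.name: [] for r in rules}
    for e in events:
        for r in rules:
            if r.matches(e):
                hits[r.name].append(e)
    return hits


def device_side_suppress(events: Iterable[Event], device: str, src: str) -> List[Event]:
    """Simulate tuning at the reporting device: that device stops sending events for
    this source, so they never reach the engine. Other devices' events are unaffected."""
    return [e for e in events if not (e.device == device and e.src == src)]


# Constructed sample events: an authorized scanner at 10.0.0.5 seen by a firewall
# and an IDS, one genuine P2P handshake, and one unrelated firewall deny.
SAMPLE_EVENTS = [
    Event("fw1", "10.0.0.5", "10.0.1.7", "Port Scan"),
    Event("ids1", "10.0.0.5", "10.0.1.0/24", "Ping Sweep"),
    Event("ids1", "10.0.0.5", "10.0.1.8", "Server Scan"),
    Event("ids1", "10.0.2.20", "198.51.100.9", "BitTorrent Handshake"),
    Event("fw1", "10.0.2.21", "203.0.113.4", "Firewall Deny"),
]

P2P_RULE = "System Rule: Network Activity: P2P File Sharing - Active"
DENIES_RULE = "System Rule: Network Activity: Excessive Denies - Host Compromise Likely"


def untuned_rules() -> List[Rule]:
    """Rules built on the broad groups: the scan group is pulled into both rules."""
    return [
        Rule(P2P_RULE, expand(["Probe/Scan/All", "P2P/Traffic"])),
        Rule(DENIES_RULE, expand(["Probe/Scan/All", "Firewall/Deny"])),
    ]


def tuned_rules() -> List[Rule]:
    """MARS-side tuning: narrow the P2P rule to P2P event types only, and exclude
    the authorized scanner's address from the denies rule."""
    return [
        Rule(P2P_RULE, expand(["P2P/Traffic"])),
        Rule(DENIES_RULE, expand(["Probe/Scan/All", "Firewall/Deny"]),
             excluded_sources={"10.0.0.5"}),
    ]


def incident_counts(rules: List[Rule], events: Iterable[Event]) -> Dict[str, int]:
    """Number of events each rule would turn into an incident."""
    return {name: len(evs) for name, evs in run_rules(rules, events).items()}


if __name__ == "__main__":
    print("untuned:", incident_counts(untuned_rules(), SAMPLE_EVENTS))
    print("tuned on MARS:", incident_counts(tuned_rules(), SAMPLE_EVENTS))
    quiet = device_side_suppress(SAMPLE_EVENTS, "ids1", "10.0.0.5")
    print("untuned, IDS tuned at device:", incident_counts(untuned_rules(), quiet))
```

With the broad groups both rules fire four times on five events, three of them for the same scanner. Narrowing the P2P rule to P2P event types and excluding the scanner from the denies rule drops each to one genuine hit. Suppressing the scanner at the IDS alone removes only the IDS's two events; the firewall's port-scan event still reaches the untuned P2P rule, which is the case where device-side tuning by itself is not enough and the rule has to be tuned on the SIEM as well.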