Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1012
Views
0
Helpful
5
Replies

Incidents & Sessions

kerry.kielty
Level 1
Level 1

‎10-08-2010 12:29 PM

I have a question about the MARS device. I'm viewing quite a few sessions that are not included in an incident that I know of. Is there any way to find out if a session is included in an incident? Thank you

Labels:
0 Helpful
5 Replies 5

Scott Fringer
Cisco Employee
Cisco Employee

‎10-11-2010 04:21 AM

Kerry;

  When viewing a session, if it is included in an incident, there should be an identifier of the format I:1179025693 in the "Event/Session/Incident" column.  This ID will be a link to the associated incident.

Scott

0 Helpful

kerry.kielty
Level 1
Level 1
In response to Scott Fringer

‎10-12-2010 01:36 PM

Hi Scott,

Thanks for the reply. So if there is no incident ID already associated with a session, is there a way to do this? I have a server that keeps getting hammered by random ip's and I would like this to come up as an incident in MARS, if that is possible.

Thanks,
Kerry

0 Helpful

Scott Fringer
Cisco Employee
Cisco Employee
In response to kerry.kielty

‎10-12-2010 05:20 PM

Kerry;

  There is no method to manually assign a session to an incident.  You should be able to create a custom inspection rule that matches on specifics of the behavior for which you want to generate an incident.  For example, you could have an inspection rule that matches when the specific server IP address is seen as the destination along with specific CS-MARS events and this match occurs a certain number of times in a specific time range.

  You can learn more about CS-MARS rules here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html

Scott

0 Helpful

kerry.kielty
Level 1
Level 1
In response to Scott Fringer

‎10-19-2010 03:37 PM

Hi Scott,

I created a rule so the events and sessions would now be put into an incident, but nothing is showing up. When I view the rule, it is not showing up as active, like the rest of the rules that came with the system. How do I make it active?

Thanks,

Kerry

0 Helpful

Scott Fringer
Cisco Employee
Cisco Employee
In response to kerry.kielty

‎10-21-2010 04:42 AM

Kerry;

  If the rule is listed as Inactive, you should only need to select the rule (check the box next "Rule Name:" and click the "Change Status" button).  You should be prompted as to whether you do wish to change the status of the selected rule.

  If you do not see the rule in the list at all, ensure you have selected "Inactive" in the "View:" drop-down box.

Scott

0 Helpful
Customers Also Viewed These Support Documents