Hello. I need to determine who is using pptp and would like to do this by running a MARS query. What's the best way to set up a query to determine this? I didn't see GRE listed in the MARS services but I did see ms-pptp (basically dst port 1723). Is ...
Hello. I duplicated the system rule "Sudden increase of traffic to a port" in MARS and it blew out the original system rule and now shows up as a user rule. It doesn't appear to be working either. It is active. Not sure what to make of this, and neit...
Hi. I'm having trouble with "Sudden increase of traffic to a port" rule not firing. I think there is an issue with the event itself. I'd like to verify the event ID and groups associated with it. Can someone please provide me with this info? Thanks! C...
It seems that 1330 and other normalizer sigs are causing Cisco (and myself) some grief (as evident in CSCsc37875). I am wondering if I can just disable 1330 and all the subs entirely. I am seeing this sig (1330/14 in particular) fire a lot. I set the ...
After my IDSM-2 crashed, I got a dump and noticed the following error: 13Sep2006 15:35:11.250 2.010 sensorApp[13544] sensorApp/W errWarning Producer appears to be out of superblocks...consider configuring TCPReassemblyMode to loose FreeBlocks: 9 Can an...
I upgraded to 4.2.2 and the rule seems to have been restored as a system rule. I noticed that it is showing up in our morning report (Event Types Ranked by Sessions), but we are not receiving an email or page for this rule firing (email/SMS notifica...
Nope, I duplicated it and it blew out the original rule! After I duplicated it, I could no longer find the original one. The rule shows up as a user rule, the duplicate I created. And it doesn't appear to be working.
Got alerts from CSM stating that "the sensor reports that it is running low on resources." Measure of resource utilization on the virtual sensor was 22. After disabling 5170 it's down to 0.