ADDING DROP RULES

Hi, I added a drop rule in CS-MARS. Just want to clarify that it will automatically be used by CS-MARS for correlation.
Thanks and best regards

It will be applied, but to commit the changes (in running memory) you have to click the Activate button on the top right of your screen.
It will automatically turn red when you make any changes in MARS (requiring activation).
Please rate if you find the post helpful.
Regards
Farrukh

Similar Messages

  • Removing Drop Rules

    Hi,
    I am very new to configuring our MARS. I recently added a drop rule by mistake. I've tried marking it inactive, but it's still showing as a false positive. I would like to completely delete the rule altogether if that is possible.
    Thanks!

    I don't know what you mean by 'it's still showing as a false positive'. Can you please clarify?
    Drop rules cannot be deleted in MARS. However, you can make them inactive (which will functionally have the same effect). Just make sure you hit the 'Activate' button on the top right after making the change.
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • MARS - drop rules

    I have a MARS20 configured to an IPS4240 placed between the internet and the LAN, and I want to stop my internal network from triggering incidents and producing false positives, based on the assumption that my LAN is secure.
    So I have created a drop rule to log to DB, source 192.168.0.0 255.255.0.0, remaining parameters as Any.
    The rule is active, but I still get incidents with source from the LAN.
    Am I missing something?
    Cash

    did you click "activate"?

  • MARS DROP RULE QUESTION

    When you configure a drop rule, let's say you configure several. If something happens to the software, is there a way to back up the drop rules that you have created?

    Hi,
    You can configure archiving, and if the MARS fails you can restore OS, configurations, events, reports and rules from the archive.
    Check the archiving configuration for the MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/bckRstrSby.html
    regards
    Gabor
    /vote if it helps/

  • CS-MARS - Drop rule keyword based

    Hi all,
    I need to create a new rule based on a keyword. I'm able to add an inspection rule but not a drop rule. The problem is Cisco MARS is showing up lots of events from a reporting IPS which is blocking those events. In this manner, the IPS is tagging all blocked traffic and when it gets to the MARS, I have to open the event to see if it's a real threat or it's just an event blocked by the IPS.
    Now, all tagged traffic is matching with my inspection rule but I don't want to see more events from that rule, just log into the database, I mean, the alternate action to "drop" in a drop rule.
    Any idea?
    Thanks a lot.

    Hi Beth,
    Excuse me, but I don't understand what you mean with that string. What I'm saying is there's no way to create a drop rule using a keyword. E.g. I want to drop all events from the matching rule called "Password scan" where the keyword "Administrator" is used. You can only apply an action in drop rules, and use a keyword in inspection rules.
    Sorry again if I don't understand what you mean or where to apply the regex string you're talking about.
    Thanks a lot.

  • Drop rule set

    Hi,
    I have only the following object (rule set) in my schema.
    OBJECT_NAME     OBJECT_TYPE
    DEV_QUEUE_R     RULE SET
    I tried to drop it with the following syntax:
    exec DBMS_RULE_ADM.DROP_RULE_SET(
    rule_set_name => 'DEV1.DEV_QUEUE_R',
    delete_rules  => false);
    But the following error was shown:
    ORA-24170
    string.string is created by AQ, cannot be dropped directly
    Cause: This object is created by AQ, thus cannot be dropped directly
    Action: use dbms_aqadm.drop_subscriber to drop the object
    And I couldn't find the exact syntax of this. Can anyone help me with the exact syntax of DBMS_AQADM.DROP_SUBSCRIBER?
    Thanks.
    BANNER
    Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
    PL/SQL Release 11.1.0.6.0 - Production
    CORE     11.1.0.6.0     Production
    TNS for Linux: Version 11.1.0.6.0 - Production
    NLSRTL Version 11.1.0.6.0 - Production
    Edited by: Nadvi on Jul 22, 2010 4:03 PM

    Ok, I found the solution.
    select * from user_objects;
    OBJECT_TYPE    OBJECT_NAME                 STATUS
    RULE           AQ$WF_DEFERRED_QUEUE_M$1    VALID
    RULE SET       AQ$WF_DEFERRED_QUEUE_M$1    INVALID
    1. Set the following event at session level:
    alter session set events '25475 trace name context forever, level 2';
    2. Drop rule:
    execute DBMS_RULE_ADM.DROP_RULE('.AQ$WF_DEFERRED_QUEUE_M$1',TRUE);
    commit;
    3. Drop rule set:
    execute DBMS_RULE_ADM.DROP_RULE_SET('AQ$WF_DEFERRED_QUEUE_M$1');
    commit;
    4. Connect as SYSTEM or SYSDBA and try to drop user again.
    drop user <user> cascade;
    Thanks

  • Drop rule using keyword?

    I posted this on the Cisco MARS User group on Google, but thought it is best to cover it here as well.
    I just read that this cannot be done using a keyword, but am interested if there is any other way of getting the same (or equal) result.
    Is there any way to configure a false positive drop rule based on a keyword in the raw message? I have a user that consistently pushes the switch port interface utilization above 90%; this is normal activity that happens throughout the day. We get 20 - 30 email alerts per day on this. I would like to configure a drop rule that will just drop this incident if this user's interface is specified in the raw message. Or maybe there is another way to get the same result?

    hmmm...I think that's going to be a challenge and not likely found in a book or other documentation. If you add a "!= switch a" in the device column for an offset, the offset will not match on any events from that device regardless of the keyword criteria.
    If the device name is not in the raw message, I don't see any way around that. Assuming a very basic rule with a single offset...
    I think you'll have to modify the original offset with a "!= switch a" in device column. Then add an offset which specifically matches on that device and uses a keyword to filter out the specific port indicated in the raw message.
    There's a trick to that too, because you can't just have a "!=" keyword. You have to first match on something and then add a "NOT" keyword which indicates the port.
    Hopefully that will get you started at least. It can get really messy with multiple offsets because you'll have to figure out where to add the offset and may even have to add multiple offsets and in the right place.

  • MARS General FP Drop Rule vs. Listed Unconf. FPs

    I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.
    It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.
    But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:
    1. It will take a long time.
    2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.
    Any ideas?
    Paul Trivino

    Try this to prevent System Determined False Positives from displaying as incidents?
    If you confirm what was previously an unconfirmed false positive, then a drop rule is created. That drop rule should prevent any further incidents of that type. So, this shouldn't be happening. Please make sure you've clicked 'Activate'.
    Check the related bug-id:CSCsc74104

  • MARS drop rules problem

    Hi All,
    We were receiving lots of false positives, so I've created drop rules in MARS. It is still generating incidents, but I am sure the drop rule should cover them based on source/dest and port number. I've activated, rebooted, but still the same issue.
    Any suggestion would be very appreciated.
    Alex

    did you click "activate"?

  • WMS dropping rules execution time.

    Hi Community!
    We're facing a problem in our OEBS 12.1.3 production environment with dropping rules execution time.
    Execution can take a long time (10-15 minutes) if it is started from the standard interface by a warehouse worker, but on the other side the same query executes in a few seconds in sqlplus.
    I'll be very grateful if someone helps me find the problem source.
    Kind regards.

    Well, these rules are not unique – most of them are executed repeatedly for various Entities. In whole, it is a big budget calculation model.
    It surely can be and must be optimized, but it will take some time (I started to administrate this outsource-developed Planning system not long ago).
    But the question now is not in the amount of BRs, but in the execution delay.
    I tried to run a single rule the same way, and got _18 sec in CmdLineLauncher vs 1 sec in EAS Console_.
    Just can't get the delay reason...

  • Dealing with errors due to newly added/dropped columns

    DB version:11g
    I am not sure if I have created an unnecessarily large post to explain a simple issue. Anyway, here it is.
    I have been asked to code a package for archiving.
    We'll have two schemas: the original schema and an archive schema (connected via a DB link).
    ORIGINAL Schema -------------------------> ARCHIVE Schema
                   via DB Link
    When records of certain tables in the ORIGINAL schema meet the archiving criteria (based on number of days old, status code etc.), they will be moved ('archived') to the ARCHIVE schema using the INSERT syntax
    insert into arch_original@dblink
    (col1,
    col2,
    col3)
    select col1,
    col2,
    col3
    from original_table;
    The original table and its archive table have the same structure, except that the archive table has an additional column called archived_date which just records when a record got archived.
    create table original
    (col1 varchar2(33),
    col2 varchar2(35),
    empid number
    );
    create table arch_original
    (col1 varchar2(33),
    col2 varchar2(35),
    empid number,
    archived_date date default sysdate not null
    );
    We have tables with lots of columns (there are lots of tables with more than 100 columns) and when all column names are explicitly listed like the above syntax, the code becomes huge.
    Alternative Syntax:
    So I thought of using the syntax
    insert into arch_original select original.*, sysdate from original;  -- sysdate will populate the archived_date column
    Even though the code looks simple and short, I've noticed a drawback to this approach.
    Drawback:
    For the next release, if developers decide to add/drop a column in the ORIGINAL table in the Original Schema, that change should be reflected in the archive table's (ARCHIVE schema) DDL script as well. It is practically impossible to keep track of all these changes during the development phase.
    If I use the
    insert into arch_original select original.*, sysdate from original;
    syntax, you will realise that there is a change in the table structure only when you encounter an error (due to a missing/new column) at runtime. But if you have all the column names listed explicitly like
    insert into arch_original@dblink
    (col1,
    col2,
    col3)
    select col1,
    col2,
    col3
    from original_table;
    then you'll encounter this error during the compilation itself. I prefer the error due to a missing/new column during compilation rather than at runtime.
    So what do you guys think? I shouldn't go for the
    insert into arch_original select original.*, sysdate from original;
    syntax because of the above drawback. Right?

    What advantage would it bring if I make ARCHIVED_DATE the first column in the ARCHIVE tables?
    The advantage is that if you'll add a column in the future on both original and archived tables the insert statement will work anyway...
    SQL> create table x (a number, b number);
    Table created.
    SQL> create table y (arc_date date, a number, b number);
    Table created.
    SQL> insert into x values (1,1);
    1 row created.
    SQL> insert into x values (2,2);
    1 row created.
    SQL> select * from x;
             A          B
             1          1
             2          2
    SQL> insert into y select sysdate, x.* from x;
    2 rows created.
    SQL> alter table x add (c number);
    Table altered.
    SQL> alter table y add (c number);
    Table altered.
    SQL> alter table x drop column b;
    Table altered.
    SQL> alter table y drop column b;
    Table altered.
    SQL> insert into x values (3,3);
    1 row created.
    SQL> insert into y select sysdate, x.* from x
      2  where a=3;
    1 row created.
    SQL> select * from x;
             A          C
             1
             2
             3          3
    SQL> select * from y;
    ARC_DATE           A          C
    25-JAN-10          1
    25-JAN-10          2
    25-JAN-10          3          3
    Max
    [My Italian Oracle blog|http://oracleitalia.wordpress.com/2010/01/23/la-forza-del-foglio-di-calcolo-in-una-query-la-clausola-model/]
    Edited by: Massimo Ruocchio on Jan 25, 2010 12:44 PM
    Added more explicative example

  • Adding more rules, makes less songs in smart playlists?

    Every time I add a condition to a smart playlist, the song count drops, instead of increases. I want to make sure I get all of a certain type of song, and my music collection is far too big to go through and edit all of them. There was a trick to this, but I've forgotten it, can anyone help me out?

    You use match all to narrow down a selection with multiple rules, or match any to join the results of several rules together. Sometimes to get exactly what you want you need nested combinations of both options.
    E.g.
    Match any
         Match all
              Rule 1
              Rule 2
         Match all
              Rule 3
              Rule 4
    Would list anything that matches (rule 1 and rule 2) or (rule 3 and rule 4).
    tt2

  • Trouble adding drop shadows to buttons

    I am creating DVD menus for the first time in Encore CS4. I want the (=1) version of the buttons -- when you put the cursor over them-- to have a drop shadow so I added one in my Photoshop file. But the effect does not appear when I preview it in my Encore project. And when I tried to add it within Encore, it wouldn't let me. (The "drop shadow" option appeared gray and un-clickable.)
    Is it possible to do what I'm trying to do? If so, any ideas how?

    Unfortunately, there are grave limitations, regarding what can be part of a Sub-picture Highlight. It can ONLY be 8-bit color on a DVD, and can ONLY have one level of Transparency/Opacity.
    There are some workarounds, such as duplicate Menus, linked from an Auto-Activate Button, but in your case, you might get what you want from some tips in this ARTICLE. It starts with "Punching a Hole in Sub-Picture Highlights," but does cover adding a "Glow," that appears to be a Gradient. It is not, but rather looks like it is. You could substitute that Gradient Glow for your Drop Shadow.
    Good luck, and hope that it helps,
    Hunt

  • [SOLVED]system fails to boot since adding udev rules for automounting

    Hello
    I have recently been trying to use udev rules to automount, and putting together stuff from the wiki, forums and general googling around have produced the following set of rules:
    # automounts usb hdd and pendrives as usbhd-sdx; no messing around with
    # volume labels or other confusing stuff
    # matches all sdx devices except the internal hdd, sda
    KERNEL=="sd[b-z]", NAME="%k", SYMLINK+="usbhd-%k", GROUP="users", OPTIONS="last_rule"
    # imports filesystem information
    ACTION=="add", IMPORT{program}="/sbin/blkid -o udev -p %N"
    # creates mount points and sets up symlinks
    ACTION=="add", KERNEL=="sd[b-z][0-9]", SYMLINK+="usbhd-%k", GROUP="users", NAME="%k"
    ACTION=="add", KERNEL=="sd[b-z][0-9]", RUN+="/bin/mkdir -p /media/usbhd-%k"
    ACTION=="add", KERNEL=="sd[b-z][0-9]", RUN+="/bin/ln -s /media/usbhd-%k /mnt/usbhd-%k"
    # global mount options
    ACTION=="add", ENV{mount_options}="relatime"
    # filesystem-specific mount options (777/666 dir/file perms for ntfs/vfat)
    ACTION=="add", ENV{ID_FS_TYPE}=="vfat|ntfs", ENV{mount_options}="$env{mount_options},gid=100,dmask=000,fmask=111,utf8"
    # automount ntfs filesystem with ntfs-3g driver
    ACTION=="add", KERNEL=="sd[b-z][0-9]", ENV{ID_FS_TYPE}=="ntfs", RUN+="/bin/mount -t ntfs-3g -o %E{mount_options} /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
    # automount all other file systems
    ACTION=="add", KERNEL=="sd[b-z][0-9]", ENV{ID_FS_TYPE}!="ntfs", RUN+="/bin/mount -t auto -o %E{mount_options} /dev/%k /media/usbhd-%k", OPTIONS="last_rule"
    # unmounts and removes the mount points
    ACTION=="remove", KERNEL=="sd[b-z][0-9]", RUN+="/bin/rm -f /mnt/usbhd-%k"
    ACTION=="remove", KERNEL=="sd[b-z][0-9]", RUN+="/bin/umount -l /media/usbhd-%k"
    ACTION=="remove", KERNEL=="sd[b-z][0-9]", RUN+="/bin/rmdir /media/usbhd-%k", OPTIONS="last_rule"
    This seemed to be working very well until I tried to boot this morning and the boot process stopped at "processing UDev events" with the following message:
    iTCO_wdt: Unexpected close, not stopping watchdog!
    It pauses at this point for 10-15 seconds and then reboots.
    Having searched a bit, I found the following similar post on the forums:  http://bbs.archlinux.org/viewtopic.php?pid=459375
    Which suggests that the problem might lie with this line:
    ACTION=="add", IMPORT{program}="/sbin/blkid -o udev -p %N"
    I have renamed the file so that it no longer has the udev .rules extension and now the system boots fine. Does anyone have any suggestions as to why the above rules might be causing this behaviour and how I might go about fixing it?
    Thanks
    Last edited by useradded (2010-07-02 22:58:14)

    Hey falconindy
    That was the final kick up the logical a$$ that I needed to get some kind of grip on udev rules. I now have a fully functional rule that applies only to /dev/sdxy and not to everything else as well, so no more boot trauma, THANK YOU.
    I will mark this thread as solved and post my new rule for the benefit of anyone who might read this.
    New rule (no boot problems):
    # automounts usb hdd and pendrives as label or as usbhd-sdxy if no label present
    # ensures the following is _only_ run for sdxy devices excluding internal hdd, sda
    KERNEL!="sd[b-z][0-9]", GOTO="personal_usb_automount_settings_end"
    # imports filesystem information
    # provides access to following variables:
    # ID_FS_UUID; ID_FS_UUID_ENC; ID_FS_VERSION; ID_FS_TYPE; ID_FS_VERSION; ID_FS_LABEL
    # accessible via ENV{variable}; $env{variable}|%E{variable}
    IMPORT{program}="/sbin/blkid -o udev -p %N"
    # Get a label if present, otherwise name usbhd-%k
    ENV{ID_FS_LABEL}!="", ENV{dir_name}="%E{ID_FS_LABEL}"
    ENV{ID_FS_LABEL}=="", ENV{dir_name}="usbhd-%k"
    # creates mount points and sets up symlinks
    ACTION=="add", SYMLINK+="%E{dir_name}", GROUP="users", NAME="%k"
    ACTION=="add", RUN+="/bin/mkdir -p /media/%E{dir_name}"
    ACTION=="add", RUN+="/bin/ln -s /media/%E{dir_name} /mnt/%E{dir_name}"
    # global mount options
    ACTION=="add", ENV{mount_options}="relatime"
    # filesystem-specific mount options (777/666 dir/file perms for ntfs/vfat)
    ACTION=="add", ENV{ID_FS_TYPE}=="vfat|ntfs", ENV{mount_options}="$env{mount_options},gid=100,dmask=000,fmask=111,utf8"
    # automount ntfs filesystem with ntfs-3g driver
    ACTION=="add", ENV{ID_FS_TYPE}=="ntfs", RUN+="/bin/mount -t ntfs-3g -o %E{mount_options} /dev/%k /media/%E{dir_name}", OPTIONS="last_rule"
    # automount all other file systems
    ACTION=="add", ENV{ID_FS_TYPE}!="ntfs", RUN+="/bin/mount -t auto -o %E{mount_options} /dev/%k /media/%E{dir_name}", OPTIONS="last_rule"
    # unmounts and removes the mount points
    ACTION=="remove", RUN+="/bin/rm -f /mnt/%E{dir_name}"
    ACTION=="remove", RUN+="/bin/umount -l /media/%E{dir_name}"
    ACTION=="remove", RUN+="/bin/rmdir /media/%E{dir_name}", OPTIONS="last_rule"
    # exit
    LABEL=="personal_usb_automount_settings_end"
    Last edited by useradded (2010-07-02 22:59:20)
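As an added check, not from the thread or its posters: a small POSIX shell function that flags the pattern the fixed rule set removes, i.e. lines that run a program (IMPORT{program} or RUN+=) without a KERNEL== match on the same line and without an earlier KERNEL!=... GOTO scope guard. The two rule sets below are constructed from the thread's original and fixed rules, trimmed to the relevant lines; the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample 1: the original rule set, reduced to the lines that matter.
# Line 2 runs blkid for every "add" event on the system, not just sd[b-z] devices.
ORIGINAL_RULES='KERNEL=="sd[b-z]", NAME="%k", SYMLINK+="usbhd-%k", GROUP="users", OPTIONS="last_rule"
ACTION=="add", IMPORT{program}="/sbin/blkid -o udev -p %N"
ACTION=="add", KERNEL=="sd[b-z][0-9]", RUN+="/bin/mkdir -p /media/usbhd-%k"'

# Constructed sample 2: the fixed rule set, where a KERNEL!= ... GOTO guard at the top
# makes every later line apply only to sd[b-z][0-9] partitions.
FIXED_RULES='KERNEL!="sd[b-z][0-9]", GOTO="personal_usb_automount_settings_end"
IMPORT{program}="/sbin/blkid -o udev -p %N"
ACTION=="add", RUN+="/bin/mkdir -p /media/%E{dir_name}"
LABEL=="personal_usb_automount_settings_end"'

# Prints "<line number>: <rule>" for each rule that executes a program without a
# device-scope restriction; prints nothing when the file is scoped.
unguarded_exec_rules() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
    /KERNEL!=/ && /GOTO=/ { guarded = 1 }            # file-level scope guard seen
    (/IMPORT[{]program[}]/ || /RUN[+]=/) && !guarded && !/KERNEL==/ {
        printf "%d: %s\n", NR, $0
    }'
}

# Returns the number of unguarded program-running rules (0 means the file is scoped).
count_unguarded() {
  unguarded_exec_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: report on both constructed rule sets.
echo "original: $(count_unguarded "$ORIGINAL_RULES") unguarded rule(s)"
unguarded_exec_rules "$ORIGINAL_RULES"
echo "fixed: $(count_unguarded "$FIXED_RULES") unguarded rule(s)"
```

The check only looks at the two scoping mechanisms the thread uses (a per-line KERNEL== match or a leading KERNEL!= GOTO); a rule scoped by SUBSYSTEM== or ENV{} alone would still be reported.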

  • Adding drop-down list in a custom schema

    Is it possible to create a field with a drop-down list of items in a Prelude custom schema? Or, perhaps the ability is provided in the styles: (Integer, Real, Text, Boolean) and I am just not selecting or using those properly.
    I notice it is done in some Adobe-provided meta tags, like this one named >Script...
    Thanks!
    Bobby

    Hi Bobby -
    Unfortunately it is not currently possible to create an array of items for a given custom metadata field. We do have some feature backlog items in our XMP team to look at making such things possible in the future.
    Regards,
    Michael
