CS-MARS - Drop rule keyword based

Hi all,
I need to create a new rule based on a keyword. I'm able to add an inspection rule but not a drop rule. The problem is that Cisco MARS is showing lots of events from a reporting IPS that is blocking those events. In this manner, the IPS is tagging all blocked traffic, and when it gets to MARS I have to open each event to see if it's a real threat or just an event blocked by the IPS.
Now, all tagged traffic is matching my inspection rule, but I don't want to see any more events from that rule, just log them to the database, I mean, the alternative action to "drop" in a drop rule.
Any idea?
Thanks a lot.

Hi Beth,
Excuse me, but I don't understand what you mean by that string. What I'm saying is there's no way to create a drop rule using a keyword. E.g. I want to drop all events from the matching rule called "Password scan" where the keyword "Administrator" is used. You can only apply an action in drop rules, and only use a keyword in inspection rules.
Sorry again if I don't understand what you mean or where to apply the regex string you're talking about.
Thanks a lot.

Similar Messages

  • MARS drop rules problem

    Hi All,
    We were receiving lots of false positives, so I created drop rules in MARS. Still, it is generating incidents, but I am sure the drop rule should cover them based on source/dest and port number. I've activated, rebooted, but still the same issue.
    any suggestion would be very appreciated.
    Alex

    did you click "activate"?

  • MARS - drop rules

    I have a MARS20 configured to an IPS4240 placed between the internet & LAN, and I want to stop my internal network from triggering incidents and producing false positives, based on the assumption that my LAN is secure.
    So I have created a drop rule to log to DB, source-192.168.0.0 255.255.0.0, remaining parameters as Any.
    The rule is active, but i still get incidents w source from LAN.
    am i missing something?
    Cash

    did you click "activate"?

  • MARS DROP RULE QUESTION

    When you configure a drop rule, let's say you configure several. If something happens to the software, is there a way to back up the drop rules that you have created?

    Hi,
    You can configure archiving, and if the MARS fails you can restore the OS, configurations, events, reports and rules from the archive.
    Check the archiving configuration for MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/bckRstrSby.html
    regards
    Gabor
    /vote if it helps/

  • MARS: Tweaking rules on subnets internal to firewall to be less sensitive

    The MARS alerts are firing as rapidly on the internal networks as they do for external networks. Is there a global command to make the MARS less sensitive to hits from the internal subnets, or does a rule have to be customized? Thanks again.

    You could create a MARS drop rule to ignore messages where the src = internal network(s). That is certainly not how I would recommend tuning your environment, but it will cut down on the number of incidents;-) It sounds to me like the devices reporting into MARS could use some tuning.

  • Drop rule using keyword?

    I posted this on the Cisco MARS User group on Google, but thought it is best to cover it here as well.
    I just read that this can not be done using a keyword, but am interested if there is any other way of getting the same (or equal) result.
    Is there any way to configure a false positive drop rule based on a keyword in the raw message? I have a user that consistently pushes the switch port interface utilization above 90%; this is normal activity that happens throughout the day. We get 20 - 30 email alerts per day on this. I would like to configure a drop rule that will just drop this incident if this user's interface is specified in the raw message. Or maybe there is another way to get the same result?

    hmmm...I think that's going to be a challenge and not likely found in a book or other documentation. If you add a "!= switch a" in the device column for an offset, the offset will not match on any events from that device regardless of the keyword criteria.
    If the device name is not in the raw message, I don't see any way around that. Assuming a very basic rule with a single offset...
    I think you'll have to modify the original offset with a "!= switch a" in device column. Then add an offset which specifically matches on that device and uses a keyword to filter out the specific port indicated in the raw message.
    There's a trick to that too, because you can't just have a "!=" keyword. You have to first match on something and then add a "NOT" keyword which indicates the port.
    Hopefully that will get you started at least. It can get really messy with multiple offsets because you'll have to figure out where to add the offset and may even have to add multiple offsets and in the right place.

  • MARS General FP Drop Rule vs. Listed Unconf. FPs

    I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.
    It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.
    But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:
    1. It will take a long time.
    2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.
    Any ideas?
    Paul Trivino

    Try this to prevent System Determined False Positives from displaying as incidents?
    If you confirm what was previously an unconfirmed false positive, then a drop rule is created. That drop rule should prevent any further incidents of that type. So, this shouldn't be happening. Please make sure you've clicked 'Activate'.
    Check the related bug id: CSCsc74104

  • ADDING DROP RULES

    Hi, I added a drop rule in CS-MARS. I just want to clarify that it will automatically be used by CS-MARS for correlation.
    thanks and best regards

    It will be applied, but to commit the changes (in running memory) you have to click the Activate button on the top right of your screen.
    It will automatically turn red when you make any changes in MARS (requiring activation).
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • Removing Drop Rules

    Hi,
    I am very new to configuring our MARS. I recently added a drop rule by mistake. I've tried marking it inactive, but it's still showing as a false positive. I would like to completely delete the rule all together if that is possible.
    Thanks!

    I don't know what you mean by 'it's still showing as a false positive'. Can you please clarify?
    Drop rules cannot be deleted in MARS. However you can make them inactive (which will functionally have the same effect). Just make sure you hit the 'Activate' button on the top right after marking the change.
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • Populate updatable drop down list based on files in the folder path

    Hi, 
    I am a beginner in LabVIEW. I am struggling with where to start.
    Here's what I need to do.
    I want to create an updatable drop down list. It can be automatic upon opening the program or manually updated by clicking an update button. The drop down list will list all the filenames that are in .csv format. These files are stored in a folder path. Inside the folder, they are stored in different subfolders, and the drop box should be able to find those files inside the subfolders. Once the user selects a filename from the list, the program will read the data inside that file and import it into an array so I can display the data.
    I have an idea of how to display the data, but I don't know how to populate the drop down list based on the files in the folder, make it updatable and then import that user-selected file's data into the array.
    Can anyone help me with this? 
    Thanks, Ruth

    Yup, ListFolder with a pattern of *.csv.  Then use a property node on a combo box or ring to set the items in the drop down.  Here is some free training if you are interested in learning more general LabVIEW tools.
    NI Learning Center
    NI Getting Started
    -Hardware Basics
    -LabVIEW Basics
    -DAQ Application Tutorials
    3 Hour LabVIEW Introduction
    6 Hour LabVIEW Introduction
    Self Paced training for students
    Self Paced training beginner to advanced, SSP Required
    LabVIEW Wiki on Training
    Unofficial Forum Rules and Guidelines - Hooovahh - LabVIEW Overlord
    If 10 out of 10 experts in any field say something is bad, you should probably take their opinion seriously.

  • When a SQL statement switches from RULE to COST-BASED optimization

    Product : ORACLE SERVER
    Date written : 2004-05-28
    When a SQL statement switches from RULE to COST-BASED optimization
    ==============================================
    PURPOSE
    Let us look at the cases in which a SQL statement is automatically switched to cost-based mode.
    Explanation
    Even when a SQL statement is executed in rule-based mode, there are cases where the optimizer switches it to cost-based mode.
    This can happen when the SQL in question involves any of the following:
    - Partitioned tables
    - Index-organized tables
    - Reverse key indexes
    - Function-based indexes
    - SAMPLE clauses in a SELECT statement
    - Parallel execution and parallel DML
    - Star transformations
    - Star joins
    - Extensible optimizer
    - Query rewrite (materialized views)
    - Progress meter
    - Hash joins
    - Bitmap indexes
    - Partition views (release 7.3)
    - Hints (any hint other than RULE or DRIVING_SITE)
    - With the FIRST_ROWS or ALL_ROWS optimizer mode, the CBO is used even when no statistics exist
    - A parallel degree or an INSTANCE setting is defined on a TABLE or INDEX (DEFAULT also counts)
    - A domain index (such as a Text index) has been created on the table

  • Conditions in rule modeler based on user status

    Hi there,
    We work with incidents and problems in CRM 7.0 and I want to create a rule in the rule modeler based on the user status on my problem ZITP. But when creating the conditions I only get the standard user status from status profile IT00001, -2 and -3. I have created my own Z-status profiles, but I can't select them here.
    Any suggestions?
    Best regards
    Annette

    Indeed,
    The coding in CL_CRM_SRQM_RULE_FIS_US_STATUS seems a little hardcoded to the standard status schema.
    SELECT stsma estat txt30 FROM tj30t INTO TABLE lt_status WHERE spras = sy-langu AND stsma LIKE 'IT%'. "#EC CI_GENBUFF
    LIKE 'IT%' makes me think that all user status schemas starting with IT are selected, and not your Z-schema.
    My best guess would be to either create an OSS message to SAP, or create your own class (like the one mentioned, with just slightly different coding), and in customizing (check the note where it mentions settings to ORDER_STATUS_E), assign your own class and reset the value to "dropdown box".
    This should fix your problem.
    Regards,
    Pieter

  • Drop rule set

    Hi,
    I have only the following object (rule set) in my schema.
    OBJECT_NAME     OBJECT_TYPE
    DEV_QUEUE_R     RULE SET
    I tried to drop it with the following syntax:
    exec DBMS_RULE_ADM.DROP_RULE_SET(
    rule_set_name => 'DEV1.DEV_QUEUE_R',
    delete_rules  => false);
    But following error shown:
    ORA-24170
    string.string is created by AQ, cannot be dropped directly
    Cause: This object is created by AQ, thus cannot be dropped directly
    Action: use dbms_aqadm.drop_subscriber to drop the object
    And I couldn't find the exact syntax for this. Can anyone help me with the exact syntax of DBMS_AQADM.DROP_SUBSCRIBER?
    Thanks.
    BANNER
    Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
    PL/SQL Release 11.1.0.6.0 - Production
    CORE     11.1.0.6.0     Production
    TNS for Linux: Version 11.1.0.6.0 - Production
    NLSRTL Version 11.1.0.6.0 - Production
    Edited by: Nadvi on Jul 22, 2010 4:03 PM

    Ok, I found the solution.
    select * from user_objects;

    OBJECT_TYPE   OBJECT_NAME                STATUS
    ------------  -------------------------  -------
    RULE          AQ$WF_DEFERRED_QUEUE_M$1   VALID
    RULE SET      AQ$WF_DEFERRED_QUEUE_M$1   INVALID

    1. Set the following event at session level:
    alter session set events '25475 trace name context forever, level 2';
    2. Drop the rule:
    execute DBMS_RULE_ADM.DROP_RULE('.AQ$WF_DEFERRED_QUEUE_M$1',TRUE);
    commit;
    3. Drop the rule set:
    execute DBMS_RULE_ADM.DROP_RULE_SET('AQ$WF_DEFERRED_QUEUE_M$1');
    commit;
    4. Connect as SYSTEM or SYSDBA and try to drop the user again:
    drop user <user> cascade;
    Thanks

  • WMS dropping rules execution time.

    Hi Community!
    We're facing a problem in our OEBS 12.1.3 production environment with dropping rules execution time.
    Execution can take a long time (10-15 minutes) if it is started from the standard interface by a warehouse worker, but on the other hand the same query executes in a few seconds in sqlplus.
    I'll be very grateful if someone helps me find the source of the problem.
    Kind regards.

    Well, these rules are not unique; most of them are executed repeatedly for various Entities. As a whole, it is a big budget calculation model.
    It surely can be and must be optimized, but it will take some time (I started to administer this outsource-developed Planning system not long ago).
    But the question now is not about the number of BRs, but about the execution delay.
    I tried to run a single rule the same way, and got 18 sec in CmdLineLauncher vs 1 sec in EAS Console.
    Just can't get the reason for the delay...

  • Drop down list based on log in username - php mysql

    I have a drop down list of client names on a php page that filters a second drop down list of site names.
    At the moment, any user who logs in can see the entire list of clients, however I want to filter the list based on their username log in.
    This is the entire page code, the section in bold is the drop down list in question:
    <?php
    if (!isset($_SESSION)) {
      session_start();
    }
    $MM_authorizedUsers = "asguser,admin,member";
    $MM_donotCheckaccess = "false";
    // *** Restrict Access To Page: Grant or deny access to this page
    function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
      // For security, start by assuming the visitor is NOT authorized.
      $isValid = False;
      // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
      // Therefore, we know that a user is NOT logged in if that Session variable is blank.
      if (!empty($UserName)) {
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
        // Parse the strings into arrays.
        $arrUsers = Explode(",", $strUsers);
        $arrGroups = Explode(",", $strGroups);
        if (in_array($UserName, $arrUsers)) {
          $isValid = true;
        }
        // Or, you may restrict access to only certain users based on their username.
        if (in_array($UserGroup, $arrGroups)) {
          $isValid = true;
        }
        if (($strUsers == "") && false) {
          $isValid = true;
        }
      }
      return $isValid;
    }
    $MM_restrictGoTo = "accessdenied.html";
    if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
      $MM_qsChar = "?";
      $MM_referrer = $_SERVER['PHP_SELF'];
      if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
      if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
        $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
      $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
      header("Location: ". $MM_restrictGoTo);
      exit;
    }
    ?>
    <html>
    <body>
    <script type="text/javascript">
    function AjaxFunction(client_UID)
    {
      var httpxml;
      try
      {
        // Firefox, Opera 8.0+, Safari
        httpxml=new XMLHttpRequest();
      }
      catch (e)
      {
        // Internet Explorer
        try
        {
          httpxml=new ActiveXObject("Msxml2.XMLHTTP");
        }
        catch (e)
        {
          try
          {
            httpxml=new ActiveXObject("Microsoft.XMLHTTP");
          }
          catch (e)
          {
            alert("Your browser does not support AJAX!");
            return false;
          }
        }
      }
      function stateck()
      {
        if(httpxml.readyState==4)
        {
          var myarray=eval(httpxml.responseText);
          // Before adding new we must remove previously loaded elements
          for(j=document.testform.subcat.options.length-1;j>=0;j--)
          {
            document.testform.subcat.remove(j);
          }
          for (i=0;i<myarray.length;i++)
          {
            var optn = document.createElement("OPTION");
            optn.text = myarray[i];
            optn.value = myarray[i];
            document.testform.subcat.options.add(optn);
          }
        }
      }
      var url="dd.php";
      url=url+"?client_UID="+client_UID;
      url=url+"&sid="+Math.random();
      httpxml.onreadystatechange=stateck;
      httpxml.open("GET",url,true);
      httpxml.send(null);
    }
    </script>
    <form name="testform" method='POST' action='mainck.php'>
    Select first one
      <select name=cat onChange="AjaxFunction(this.value);">
      <option value=''>Select One</option>
    <?
    require "config.php";// connection to database
    $q=mysql_query("SELECT DISTINCT * FROM qry_test GROUP BY client_name ASC");
    while($n=mysql_fetch_array($q)){
      echo "<option value=$n[client_UID]>$n[client_name]</option>";
    }
    ?>
    </select>
    <select name=subcat>
    </select><input type=submit value=submit>
    </form>
    </body>
    </html>
    I think I need to amend the sql statement to something like this - but I haven't quite got it right:
    SELECT DISTINCT * FROM qry_test WHERE username = colname GROUP BY client_name ASC
    Where do I drop the code for the colname info?
    name:colname
    type: text
    default value: -1
    run time value: $_SESSION['MM_Username']
    Thanks!

    I don't do PHP but it would be something like:
    $sql = sprintf("SELECT DISTINCT * FROM qry_test WHERE username = '%s' GROUP BY client_name ASC", $_SESSION['MM_Username']);
    or you can just embed the session variable into the sql string.
    But why are you using the GROUP BY clause? If you just need a distinct list of names, use the DISTINCT keyword and reduce your select list to only the needed column.
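As an added example (not code from the thread), here is the username-filtered client list done with a bound parameter rather than by pasting the session value into the SQL text, so the login name stays out of the query string whatever characters it contains, and with the option values escaped on output. It assumes the thread's table and column names (qry_test, username, client_UID, client_name); the DSN and credentials are hypothetical stand-ins for whatever config.php provides.

```php
<?php
// Added example, not the thread's code: bound parameter + escaped output.
// Assumes table qry_test with columns username, client_UID, client_name.
declare(strict_types=1);

function connect(): PDO {
    // Hypothetical DSN and credentials; substitute the values from config.php.
    return new PDO('mysql:host=localhost;dbname=assets;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepare: data never enters the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Distinct clients visible to $username, as [client_UID => client_name].
// The username travels as a bound value; the SQL text is a fixed literal.
function clientsForUser(PDO $pdo, string $username): array {
    $sql  = 'SELECT DISTINCT client_UID, client_name FROM qry_test '
          . 'WHERE username = :username ORDER BY client_name';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':username' => $username]);
    $clients = [];
    foreach ($stmt as $row) {
        $clients[$row['client_UID']] = $row['client_name'];
    }
    return $clients;
}

// Renders the <option> list. Escaping both value and text means a client
// name containing quotes or angle brackets cannot break out of the markup.
function renderClientOptions(array $clients): string {
    $html = "<option value=''>Select One</option>\n";
    foreach ($clients as $uid => $name) {
        $html .= sprintf("<option value=\"%s\">%s</option>\n",
            htmlspecialchars((string) $uid, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

session_start();
if (empty($_SESSION['MM_Username'])) {   // same session key the thread's page sets at login
    header('Location: accessdenied.html');
    exit;
}
echo renderClientOptions(clientsForUser(connect(), $_SESSION['MM_Username']));
```

The second dropdown's dd.php endpoint should take client_UID the same way (bound parameter) and return JSON that the page parses with JSON.parse rather than eval.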
