MARS DROP RULE QUESTION

When you configure a drop rule, let's say you configure several. If something happens to the software, is there a way to back up the drop rules that you have created?

Hi,
You can configure archiving, and if the MARS fails you can restore the OS, configurations, events, reports and rules from the archive.
Check the archiving configuration for the MARS:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/bckRstrSby.html
Regards
Gabor
/vote if it helps/

Similar Messages

  • CS-MARS - Drop rule keyword based

    Hi all,
    I need to create a new rule based on a keyword. I'm able to add an inspection rule but not a drop rule. The problem is that Cisco MARS is showing lots of events from a reporting IPS that is blocking those events. The IPS is tagging all blocked traffic, and when it gets to the MARS, I have to open the event to see if it's a real threat or just an event blocked by the IPS.
    Now, all tagged traffic is matching my inspection rule, but I don't want to see more events from that rule, just log them into the database, I mean, the alternate action to "drop" in a drop rule.
    Any idea?
    Thanks a lot.

    Hi Beth,
    Excuse me, but I don't understand what you mean with that string. What I'm saying is that there's no way to create a drop rule using a keyword. For example, I want to drop all events from the matching rule called "Password scan" where the keyword "Administrator" is used. You can only apply an action in drop rules, and use a keyword in inspection rules.
    Sorry again if I don't understand what you mean or where to apply the regex string you're talking about.
    Thanks a lot.

  • MARS drop rules problem

    Hi All,
    We were receiving lots of false positives, so I've created drop rules in MARS. It is still generating incidents, but I am sure the drop rule should cover them based on source/dest and port number. I've activated and rebooted, but still have the same issue.
    Any suggestion would be very appreciated.
    Alex

    Did you click "activate"?

  • MARS - drop rules

    I have a MARS20 configured to an IPS4240 placed between the internet and the LAN, and I want to stop my internal network from triggering incidents and producing false positives, based on the assumption that my LAN is secure.
    So I have created a drop rule to log to DB, source 192.168.0.0 255.255.0.0, remaining parameters as Any.
    The rule is active, but I still get incidents with a source from the LAN.
    Am I missing something?
    Cash

    Did you click "activate"?

  • MARS: Tweaking rules on subnets internal to firewall to be less sensitive

    The MARS alerts are firing as rapidly on the internal networks as they do for external networks. Is there a global command to make the MARS less sensitive to hits from the internal subnets, or does a rule have to be customized? Thanks again.

    You could create a MARS drop rule to ignore messages where the src = internal network(s). That is certainly not how I would recommend tuning your environment, but it will cut down on the number of incidents;-) It sounds to me like the devices reporting into MARS could use some tuning.

  • MARS General FP Drop Rule vs. Listed Unconf. FPs

    I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.
    It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.
    But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:
    1. It will take a long time.
    2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.
    Any ideas?
    Paul Trivino

    Try this to prevent System Determined False Positives from displaying as incidents?
    If you confirm what was previously an unconfirmed false positive, then a drop rule is created. That drop rule should prevent any further incidents of that type. So, this shouldn't be happening. Please make sure you've clicked 'Activate'.
    Check the related bug ID: CSCsc74104

  • Drop rule using keyword?

    I posted this on the Cisco MARS User group on Google, but thought it is best to cover it here as well.
    I just read that this cannot be done using a keyword, but am interested if there is any other way of getting the same (or equal) result.
    Is there any way to configure a false positive drop rule based on a keyword in the raw message? I have a user that consistently pushes the switch port interface utilization above 90% - this is normal activity that happens throughout the day. We get 20 - 30 email alerts per day on this. I would like to configure a drop rule that will just drop this incident if this user's interface is specified in the raw message. Or maybe there is another way to get the same result?

    hmmm...I think that's going to be a challenge and not likely found in a book or other documentation. If you add a "!= switch a" in the device column for an offset, the offset will not match on any events from that device regardless of the keyword criteria.
    If the device name is not in the raw message, I don't see any way around that. Assuming a very basic rule with a single offset...
    I think you'll have to modify the original offset with a "!= switch a" in device column. Then add an offset which specifically matches on that device and uses a keyword to filter out the specific port indicated in the raw message.
    There's a trick to that too, because you can't just have a "!=" keyword. You have to first match on something and then add a "NOT" keyword which indicates the port.
    Hopefully that will get you started at least. It can get really messy with multiple offsets because you'll have to figure out where to add the offset and may even have to add multiple offsets and in the right place.

  • ADDING DROP RULES

    Hi, I added a drop rule in CSMARS, Just want to clarify it will automatically be used by CS-MARS for correlation.
    thanks and best regards

    It will be applied, but to commit the changes (in running memory) you have to click the Activate button on the top right of your screen.
    It will automatically turn red when you make any changes in MARS (requiring activation).
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • Removing Drop Rules

    Hi,
    I am very new to configuring our MARS. I recently added a drop rule by mistake. I've tried marking it inactive, but it's still showing as a false positive. I would like to completely delete the rule altogether if that is possible.
    Thanks!

    I don't know what you mean by 'it's still showing as false positive'. Can you please clarify?
    Drop rules cannot be deleted in MARS. However, you can make them inactive (which will functionally have the same effect). Just make sure you hit the 'Activate' button on the top right after marking the change.
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • WMS dropping rules execution time.

    Hi Community!
    We're facing a problem in our OEBS 12.1.3 production environment with dropping rules execution time.
    Execution can take a long time (10-15 minutes) if it is started from the standard interface by a warehouse worker, but on the other hand the same query executes in a few seconds in sqlplus.
    I'll be very grateful if someone helps me to find the source of the problem.
    Kind regards.

    Well, these rules are not unique – most of them are executed repeatedly for various Entities. In whole, it is a big budget calculation model.
    It surely can be and must be optimized, but it will take some time (I started to administrate this outsource-developed Planning system not long ago).
    But the question now is not in the amount of BRs, but in the execution delay.
    I tried to run a single rule the same way, and got _18 sec in CmdLineLauncher vs 1 sec in EAS Console_.
    Just can't get the delay reason...

  • I am trying to complete a form but can't get to the final drop down question as it is not displayed because it falls below where my screen ends. I have tried changing the resolution but that doesn't work. Any suggestions?

    I am trying to complete a form but can't get to the final drop down question as it is not displayed because it falls below where my screen ends. I have tried changing the resolution but that doesn't work. Any suggestions?

    Brilliant.
    Google Chrome works where Safari doesn't on my MacBook Air. Many thanks.
    I now have an embarrassing qu. I have downloaded Spider Solitaire (sad!) and I can't add cards at the bottom of a column for the same reason - the display cuts short. I have tried to extend it with the arrows in the bottom corners but it makes no difference. Any ideas?

  • Drop rule set

    Hi,
    I have only the following object (rule set) on my schema.
    OBJECT_NAME     OBJECT_TYPE
    DEV_QUEUE_R     RULE SET
    I tried to drop it with the following syntax:
    exec DBMS_RULE_ADM.DROP_RULE_SET(
    rule_set_name => 'DEV1.DEV_QUEUE_R',
    delete_rules  => false);
    But the following error is shown:
    ORA-24170
    string.string is created by AQ, cannot be dropped directly
    Cause: This object is created by AQ, thus cannot be dropped directly
    Action: use dbms_aqadm.drop_subscriber to drop the object
    And I couldn't find the exact syntax of this. Can anyone help me with the exact syntax of DBMS_AQADM.DROP_SUBSCRIBER?
    Thanks.
    BANNER
    Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
    PL/SQL Release 11.1.0.6.0 - Production
    CORE     11.1.0.6.0     Production
    TNS for Linux: Version 11.1.0.6.0 - Production
    NLSRTL Version 11.1.0.6.0 - Production
    Edited by: Nadvi on Jul 22, 2010 4:03 PM

    Ok, I found the solution.
    select * from user_objects;
    OBJECT_TYPE OBJECT_NAME STATUS
    ------------------------------
    RULE AQ$WF_DEFERRED_QUEUE_M$1 VALID
    RULE SET AQ$WF_DEFERRED_QUEUE_M$1 INVALID
    1. Set the following event at session level:
    alter session set events '25475 trace name context forever, level 2';
    2. Drop rule:
    execute DBMS_RULE_ADM.DROP_RULE('.AQ$WF_DEFERRED_QUEUE_M$1',TRUE);
    commit;
    3. Drop rule set:
    execute DBMS_RULE_ADM.DROP_RULE_SET('AQ$WF_DEFERRED_QUEUE_M$1');
    commit;
    4. Connect as SYSTEM or SYSDBA and try to drop user again.
    drop user <user> cascade;
    Thanks

  • Mail Rules Question

    I have a lot of email on my Gmail account. A semi significant portion of them are status updates, such as Facebook, Pownce, Netflix, and other site updates. In the past when I used POP, it wasn't such a big deal to keep these emails because Gmail offers something like 4GB of space. However, now that I am switching to IMAP, it's taken me forever sync with all 14,000 emails on the Gmail server.
    I don't want to have to do that again, especially not on my iPhone.
    My question is this: Is it theoretically possible to set up a mail rule to have a specific folder delete all its contents after a specified amount of time? Looking in the default mail rule options, there is the ability to delete email as it comes in, but not necessarily after, say, 30 days. I'm looking for something along the lines of, "every 30 days, delete everything in this mail folder."
    Any ideas?

    David Gimeno Gost wrote:
    Mail doesn’t provide that functionality, but you may set up a smart mailbox that displays the messages to be deleted, then manually delete whatever shows up there every once in a while.
    Yeah, that's what I figured.
    Another option is writing an AppleScript and selecting the "Run AppleScript" rule option, but I'm a) not 100% it's even possible, and b) rusty on AppleScript.

  • Dynamic Drop Down question

    I have a drop down that is populated from one of our tables... it's just a simple list of our store locations... in order by store location (each market)
    We have a total of 40 locations, corporate and 1 Distribution center
    Currently since Distribution is after all the locations that start with A and B they want to make the drop down a little more legible
    So they want to split the drop down into something like this:
    =====================
    Corporate
    Distribution Center
    Stores
    Austin Store#1
    Houston Store#2
    =====================
    Instead of this:
    Austin Store#1
    Dallas Distribution Center
    Houston Store#2
    Houston Corporate Office
    North Carolina Store#3
    =====================
    Reminder that the list is ordered by location name, they want to split the list into 3 sections... (corp, distro and stores)
    So without making any changes to my table since it's maintained by another department and is already linked to a number of pages that are used to maintain and update..
    Is there any way to accomplish this? Maybe something within my Store Procedure that is displaying the list?
    Is this a question for the SQL newsgroup?
    ASP, SQL2005, DW8 VBScript

    That seems to have worked.. is that the best solution for this?
    Now i need to redo my validation to not allow the selection of ------------ to be invalid selection...
    thanks for the suggestion...
    ASP, SQL2005, DW8 VBScript
    "TC2112" <[email protected]> wrote in message
    news:[email protected]...
    > Hello,
    >
    > You can add a simple table to the database.
    >
    > Example: table name = tblLine
    >
    > In the table is one field, named Line.
    > There is just one record and the value in the field "line" is -------------------
    >
    > Then just insert this after the second SELECT, right after WHERE Location = 'Distribution Center'
    >
    > UNION ALL SELECT DISTINCT Line FROM tblLine
    >
    >
    > That will produce:
    >
    > Corporate
    > Distribution Center
    > --------------------
    > A
    > B
    > C
    > etc
    >
    > You can have your form validation return an error if the user actually selects that line.
    >
    > Take care,
    > Tim
    >
    >
    >
    > "Daniel" <[email protected]> wrote in message
    > news:[email protected]...
    >> Thank you very much,
    >> This has gotten me closer..
    >>
    >> here is a few of the results
    >> Corporate Office
    >> Dallas Distribution Center - 90
    >> Atlanta/Kennesaw - 20
    >> Atlanta/Norcross - 21
    >> Atlanta/Stockbridge - 22
    >> Austin/Round Rock - 6
    >> Austin/South - 32
    >>
    >>
    >>
    >> Is there any way to add a separating line between the top 2 in the drop down and the stores like so?
    >>
    >> Corporate Office
    >> Dallas Distribution Center - 90
    >>
    >> ========================
    >> Atlanta/Kennesaw - 20
    >> Atlanta/Norcross - 21
    >> Atlanta/Stockbridge - 22
    >> Austin/Round Rock - 6
    >> Austin/South - 32
    >>
    >>
    >>
    >>
    >> --
    >> ASP, SQL2005, DW8 VBScript
    >> "TC2112" <[email protected]> wrote in message
    >> news:[email protected]...
    >>> Hello,
    >>>
    >>> Perhaps something like this SQL statement in your recordset would help.
    >>>
    >>> This assumes that in your table the location names are in one field (column) so there are 42 records (40 locations + corporate + distribution)
    >>> This also assumes that the table in the database has the locations in ascending order.
    >>>
    >>> For this example, the table is named tblCompany and the field with the location names is named Location
    >>>
    >>> "SELECT DISTINCT Location FROM tblCompany WHERE Location = 'Corporate'
    >>> UNION ALL SELECT DISTINCT Location FROM tblCompany WHERE Location = 'Distribution Center'
    >>> UNION ALL SELECT DISTINCT Location FROM tblCompany
    >>> WHERE Location not like 'Corporate' AND Location not like 'Distribution Center'"
    >>>
    >>> This will return Corporate, then Distribution Center and then all the rest in ascending order excluding Corporate and Distribution:
    >>>
    >>> Corporate
    >>> Distribution Center
    >>> A
    >>> B
    >>> C
    >>> ..and so on.
    >>>
    >>>
    >>> Take care,
    >>> Tim

  • Currency Conversion and Business Rule questions

    Hi all,
    I am new to BPC and would appreciate it if you can help me answer a few of my questions. I was going through how-to documents on currency conversion and Business Rules.
    1. Is the Flow in Currency Conversion and Business Rules different?
    2. Can Currency conversion be done without defining the Currency Rules?
    3. In Business Rules Detail there is a column for Sign. How should one determine what sign should go for a given account?
    Thanks,
    Diksha.

    Venkatesh,
    It seems like you are using Company as your Entity type dimension.
    Try to change your code to look like this
    *RUN_PROGRAM CURR_CONVERSION
         CATEGORY = %CATEGORY_SET%
         SELECT(%CURRENCY_SET_ID%,"[ID]",CURRENCY,"CURRENCY_TYPE='R'")
         TID_RA = %TIME_SET%
         RATEENTITY = GLOBAL
         OTHER = [COMPANY=%COMPANY_SET%]
    *ENDRUN_PROGRAM
