MARS drop rules problem

Hi All,
We were receiving lots of false positives, so I've created drop rules in MARS. Still, it is generating incidents, but I am sure the drop rule should cover them based on source/dest and port number. I've activated, rebooted, but still the same issue.
Any suggestion would be very appreciated.
Alex

did you click "activate"?

Similar Messages

  • CS-MARS - Drop rule keyword based

    Hi all,
    I need to create a new rule based on a keyword. I'm able to add an inspection rule but not a drop rule. The problem is Cisco MARS is showing up lots of events from a reporting IPS which is blocking those events. In this manner, the IPS is tagging all traffic blocked, and when it gets to MARS I have to open the event to see if it's a real threat or just an event blocked by the IPS.
    Now, all tagged traffic is matching with my inspection rule but I don't want to see more events from that rule, just log into the database, I mean, the alternate action to "drop" in a drop rule.
    Any idea?
    Thanks a lot.

    Hi Beth,
    Excuse me, but I don't understand what you mean with that string. What I'm saying is there's no way to create a drop rule using a keyword. E.g., I want to drop all events from the matching rule called "Password scan" where the keyword "Administrator" is used. You can only apply an action in drop rules, and use a keyword in inspection rules.
    Sorry again if I don't understand what you mean or where to apply the regex string you're talking about.
    Thanks a lot.

  • MARS DROP RULE QUESTION

    When you configure a drop rule, let's say you configure several. If something happens to the software, is there a way to back up the drop rules that you have created?

    Hi,
    You can configure archiving, and if the MARS fails you can restore OS, configurations, events, reports and rules from the archive.
    Check the archiving configuration for the MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/bckRstrSby.html
    regards
    Gabor
    /vote if it helps/

  • MARS - drop rules

    I have a MARS20 configured to an IPS4240 placed between the internet & LAN, and I want to stop my internal network from triggering incidents and producing false positives, based on the assumption that my LAN is secure.
    So I have created a drop rule to log to DB, source 192.168.0.0 255.255.0.0, remaining parameters as Any.
    The rule is active, but I still get incidents with source from the LAN.
    Am I missing something?
    Cash

    did you click "activate"?

  • MARS: Tweaking rules on subnets internal to firewall to be less sensitive

    The MARS alerts are firing as rapidly on the internal networks as they do for external networks. Is there a global command to make the MARS less sensitive to hits from the internal subnets, or does a rule have to be customized? Thanks again.

    You could create a MARS drop rule to ignore messages where the src = internal network(s). That is certainly not how I would recommend tuning your environment, but it will cut down on the number of incidents;-) It sounds to me like the devices reporting into MARS could use some tuning.

  • MARS General FP Drop Rule vs. Listed Unconf. FPs

    I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.
    It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.
    But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:
    1. It will take a long time.
    2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.
    Any ideas?
    Paul Trivino

    Try this to prevent System Determined False Positives from displaying as incidents?
    If you confirm what was previously an unconfirmed false positive, then a drop rule is created. That drop rule should prevent any further incidents of that type. So, this shouldn't be happening. Please make sure you've clicked `Activate'.
    Check the related bug-id: CSCsc74104

  • Drop rule using keyword?

    I posted this on the Cisco MARS User group on Google, but thought it is best to cover it here as well.
    I just read that this cannot be done using a keyword, but am interested if there is any other way of getting the same (or equal) result.
    Is there any way to configure a false positive drop rule based on a keyword in the raw message? I have a user that consistently pushes the switch port interface utilization above 90% - this is normal activity that happens throughout the day. We get 20 - 30 email alerts per day on this. I would like to configure a drop rule that will just drop this incident if this user's interface is specified in the raw message. Or maybe there is another way to get the same result?

    Hmmm... I think that's going to be a challenge and not likely found in a book or other documentation. If you add a "!= switch a" in the device column for an offset, the offset will not match on any events from that device regardless of the keyword criteria.
    If the device name is not in the raw message, I don't see any way around that. Assuming a very basic rule with a single offset...
    I think you'll have to modify the original offset with a "!= switch a" in the device column. Then add an offset which specifically matches on that device and uses a keyword to filter out the specific port indicated in the raw message.
    There's a trick to that too, because you can't just have a "!=" keyword. You have to first match on something and then add a "NOT" keyword which indicates the port.
    Hopefully that will get you started at least. It can get really messy with multiple offsets because you'll have to figure out where to add the offset and may even have to add multiple offsets and in the right place.
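The two-offset scheme described in the reply above (one offset with "!= switch a" in the device column, a second offset matching that device with a keyword plus a NOT keyword for the port), modelled as an added Python illustration; this is not MARS code and not from the thread. The device name switch-a, the interface names, the sample raw messages and the assumption that a rule fires when any one offset matches are all constructed here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events modelled on the thread's scenario (not real MARS data).
EVENTS = [
    {"device": "switch-a", "raw": "Interface Gi1/0/7 utilization 93%, threshold 90%"},
    {"device": "switch-a", "raw": "Interface Gi1/0/70 utilization 95%, threshold 90%"},
    {"device": "switch-a", "raw": "Interface Gi1/0/12 utilization 91%, threshold 90%"},
    {"device": "switch-b", "raw": "Interface Gi1/0/7 utilization 97%, threshold 90%"},
]


@dataclass
class Offset:
    """One offset (clause) of a MARS-style inspection rule; a hypothetical model."""
    device: str
    device_negated: bool = False        # True models "!= device" in the device column
    keyword: Optional[str] = None       # regex the raw message must match
    not_keyword: Optional[str] = None   # regex the raw message must NOT match

    def matches(self, event: dict) -> bool:
        same_device = event["device"] == self.device
        if same_device == self.device_negated:   # "!=" excludes the device, "==" requires it
            return False
        raw = event["raw"]
        if self.keyword and not re.search(self.keyword, raw):
            return False
        if self.not_keyword and re.search(self.not_keyword, raw):
            return False
        return True


def fires(offsets, event: dict) -> bool:
    # Assumption: the rule raises an incident when any offset matches the event.
    return any(o.matches(event) for o in offsets)


def build_rule(device: str, port: str):
    # Offset 1: every other device keeps matching as before.
    # Offset 2: this device matches unless the raw message names the excluded port.
    # The lookahead keeps "Gi1/0/7" from also silencing "Gi1/0/70".
    port_re = re.escape(port) + r"(?!\d)"
    return [
        Offset(device=device, device_negated=True, keyword="utilization"),
        Offset(device=device, keyword="utilization", not_keyword=port_re),
    ]


def remaining_incidents(events, offsets):
    """Return 'device interface' for each event that would still raise an incident."""
    return [f'{e["device"]} {e["raw"].split()[1]}' for e in events if fires(offsets, e)]


if __name__ == "__main__":
    rule = build_rule("switch-a", "Gi1/0/7")
    for line in remaining_incidents(EVENTS, rule):
        print(line)
```

Only the switch-a Gi1/0/7 event is silenced; the Gi1/0/70 event on the same device still fires, which is the substring case a plain NOT keyword would wrongly swallow.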

  • ADDING DROP RULES

    Hi, I added a drop rule in CS-MARS. Just want to clarify that it will automatically be used by CS-MARS for correlation.
    thanks and best regards

    It will be applied, but to commit the changes (in running memory) you have to click the Activate button on the top right of your screen.
    It will automatically turn red when you make any changes in MARS (requiring activation).
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • Removing Drop Rules

    Hi,
    I am very new to configuring our MARS. I recently added a drop rule by mistake. I've tried marking it inactive, but it's still showing as a false positive. I would like to completely delete the rule altogether if that is possible.
    Thanks!

    I don't know what you mean by 'it's still showing as a false positive'. Can you please clarify?
    Drop rules cannot be deleted in MARS. However you can make them inactive (which will functionally have the same effect). Just make sure you hit the 'Activate' button on the top right after marking the change.
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • WMS dropping rules execution time.

    Hi Community!
    We're facing a problem in our OEBS 12.1.3 production environment with dropping rules execution time.
    Execution can take a long time (10-15 minutes) if it is started from the standard interface by a warehouse worker, but on the other hand the same query executes in a few seconds in sqlplus.
    I'll be very grateful if someone helps me to find the problem source.
    Kind regards.

    Well, these rules are not unique – most of them are executed repeatedly for various Entities. In whole, it is a big budget calculation model.
    It surely can be and must be optimized, but it will take some time (I started to administrate this outsource-developed Planning system not long ago).
    But the question now is not in the amount of BRs, but in the execution delay.
    I tried to run a single rule the same way, and got _18 sec in CmdLineLauncher vs 1 sec in EAS Console_.
    Just can't get the delay reason...

  • AirTunes with AirportExpress cut or drop out problems - my solution...

    I bought 2 of the Airport Extreme one month ago (Firmware 6.3, iTunes 7.1.1), never got them working fine, till yesterday...
    I have a Zyxel ADSL WLAN Router Switch, WPA-PSK as I wanted a secure network. Both of the AX were connected with static IPs. WLAN was always working fine, but I had many cut-outs with AirTunes. I wanted a solution with lossless streaming audio with the possibility to connect my receiver digitally. That's why I bought my first Apple hardware, as I was always told, Apple = plug'n'play. Very frustrating!
    I tried other switches, Routers, WLAN adapters and cards, nothing worked. Airfoil does not support multiple speakers yet, so it's useless for me.
    In the FAQ of AirTunes, Apple mentioned using lower security, as some computers probably do not have enough power to stream music flawlessly. But my computers really do have enough power! I think the AX does not have enough power to do that. So I created another wireless network with one of my AX. I set the security to a WEP 40-bit key and joined this new network with my other AX. Not the best solution, as I'm now connected either to the Internet or to the AX to use AirTunes. Cables could fix that problem, but then I could use a wired system instead...
    I use Channel 11 for the AX WLAN (the only clean channel in my area), Multicast to 11, only G mode for wireless, a 5-character WEP-40 key and no WDS. Seems to work at the moment.
    I hope this will help others with the cut or drop out problem. If you have a working AirTunes system, please post your setup. Mostly I'm interested in a Setup with working WPA...

    Thanks, I hope I can help others with this annoying problem...
    Sorry, I forgot to write about the RF Interference. Believe me, I spent hours and hours searching for a solution on the Internet and trying every checkbox the Admin utility offered me... I'm working as a system engineer, and have been supporting computer systems since the early '90s, so I'd say I have a bit of knowledge about all the networking, WLAN, audio... In school we had the Apple Mac I with the 12" monochrome monitor and AppleTalk for networking, quite funny!
    But back to the RF interference: At the moment I activated it on both AX I own. I have a microwave, a wireless phone and I'm living in an area with many WLAN access points. I can choose between 6 networks!
    I'm the only one with a network higher than channel 6, so this area is clean at least.
    As my AirTunes do work at the moment, I'm not going to try whether I could also deactivate it.
    Next step is to try if I can connect the AX router to the internet. A connection to my ADSL router should do that, but up to now I had very strange behavior when plugging an Ethernet cable into the AX. If this works, it will be my final solution; at the moment I only see it as a workaround...

  • Drop rule set

    Hi,
    I have only the following object (rule set) on my schema.
    OBJECT_NAME     OBJECT_TYPE
    DEV_QUEUE_R     RULE SET
    I tried to drop it with the following syntax:
    exec DBMS_RULE_ADM.DROP_RULE_SET(
    rule_set_name => 'DEV1.DEV_QUEUE_R',
    delete_rules  => false);
    But following error shown:
    ORA-24170
    string.string is created by AQ, cannot be dropped directly
    Cause: This object is created by AQ, thus cannot be dropped directly
    Action: use dbms_aqadm.drop_subscriber to drop the object
    And I couldn't find the exact syntax of this. Can anyone help me with the exact syntax of DBMS_AQADM.DROP_SUBSCRIBER?
    Thanks.
    BANNER
    Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
    PL/SQL Release 11.1.0.6.0 - Production
    CORE     11.1.0.6.0     Production
    TNS for Linux: Version 11.1.0.6.0 - Production
    NLSRTL Version 11.1.0.6.0 - Production
    Edited by: Nadvi on Jul 22, 2010 4:03 PM

    Ok, I found the solution.
    select * from user_objects;
    OBJECT_TYPE   OBJECT_NAME                 STATUS
    RULE          AQ$WF_DEFERRED_QUEUE_M$1    VALID
    RULE SET      AQ$WF_DEFERRED_QUEUE_M$1    INVALID
    1. Set the following event at session level:
    alter session set events '25475 trace name context forever, level 2';
    2. Drop rule:
    execute DBMS_RULE_ADM.DROP_RULE('.AQ$WF_DEFERRED_QUEUE_M$1',TRUE);
    commit;
    3. Drop rule set:
    execute DBMS_RULE_ADM.DROP_RULE_SET('AQ$WF_DEFERRED_QUEUE_M$1');
    commit;
    4. Connect as SYSTEM or SYSDBA and try to drop user again.
    drop user <user> cascade;
    Thanks

  • Sudden Dropped Frames Problem with 720p24 material

    After sailing along for months with perfect operation from Final Cut Pro, editing 720p24 (I'm still running 5.0.4), I have encountered a mysterious hangup that I can't seem to solve. It probably began shortly after I was doing a test on a new project and mistakenly used a 44khz sound file rather than a 48khz. That project ran fine for a couple of days as I played with it, then abruptly began to drop frames at very particular points. I trashed the sound file and reimported it as a 48khz file and that seemed to fix things for a day or two. Then, to my utter horror, when I opened a very large ongoing project that I needed to tweak, I found that the dropped file problem has corrupted my entire FCP operation. I have tried changing various settings, such as unlimited RT, and trashed the preferences as well, but none of the straightforward cures seems to make a difference. I've also looked at all the suggestions in the Apple dropped frames article at [docs.info.apple.com]. I have never had a problem with dropped frames prior to this.
    My scratch disk is a RAIDed SATA drive with plenty of space to spare. This setup has worked flawlessly since July. I have jumped around over the past 10 days from work on old SD projects to 720p24 projects and have been changing settings here and there to accommodate this. Nothing else seems to have been changed that may account for the glitch.
    I have not reinstalled the software.
    Anything that comes to mind as a logical next step would be most appreciated!

    Yes during panning or zooming I can see that frames are dropping in the stats panel.
    I'm encoding at 500kbps video + 48 audio, outputting only one stream.
    The content in the input monitor shows exactly what the cam is seeing, with the pan and/or zoom correctly displayed. On the output monitor side the action will freeze momentarily when frames are dropped. Then the display will skip to the point where no more frames are being dropped.
    The native frame rate for the cam is 29.97, but as an output, averaging in the dropped frames the rate may drop as low as 27 or 28fps according to the stats panel. The difference being the number of dropped frames.
    FMLE is installed on a Dell Studio 15 with 4 GB RAM, which I would think would be plenty adequate.
    Thanks for your response.
    Adninjastrator

  • Drop Float Problem

    Can someone help me with a drop float problem I am having in the old version of Internet Explorer? Please see this website:
    http://003a17b.netsolhost.com/kwdwebsite/index.html
    The green navigation bar should be lined up with the green bar in the logo (at the top). IE 6.0 is dropping it down lower. Can anyone help resolve this issue? Thanks!

    [email protected] posted in macromedia.dreamweaver
    > Can someone help me with a drop float problem I am having in the old version of internet explorer? Please see this website:
    > http://003a17b.netsolhost.com/kwdwebsite/index.html
    > The green navigation bar should be lined up with the green bar in the logo (at the top). IE 6.0 is dropping it down lower. Can anyone help resolve this issue? Thanks!
    (My IE6 box finally went to pasture, so I'll look into installing multiple IEs on one of my boxes this week)
    I would concentrate on creating valid code before trying to deal with cross-browser compatibility. You'll often find that that is all it takes.
    Enter your URL here:
    http://validator.w3.org
    For instance, you have several redundant, illegal instances of
    <link href="css/KWD.css" rel="stylesheet" type="text/css">
    inside the body element.
    It looks as if that might be part of a library item? If so, take it out.
    Reply back if that doesn't do it for you.
    Sidenote:
    Your excessive use of META keywords may be considered Meta tag stuffing or spamdexing and may not be as useful as you hope. Likewise for the double META Description where the second seems excessive. No links to back it up at the moment, but you might want to look into it.
    Mark A. Boyd
    Keep-On-Learnin' :)

  • Update rule problem - validation of "sales/cost w/ tax" keyfigure

    BW Gurus,
    Hi to all, I have this update rule problem at the "sales/cost w/tax" keyfigure. Here is the scenario.
    Our Government has made mandatory an additional 2% tax on top of the original 10%. This will affect our report on sales, and also the BW "sales/cost w/ tax" key figure.
    My question is: How can I validate the effectivity of the new tax? I have tax at 10% from previous sales and 12% on the current sales. What "date field" can I use to validate this? I am using the /BIC/CS2LIS_13_VDITM structure to get the data I need.
    Thanks in Advance
    Joven

    Hi,
    Till today, how are you extracting the data for tax (original 10%)? Is it available directly in 2LIS_13_VDITM?
    Usually all taxes (condition types) can be extracted by the data source 2LIS_13_VDKON. Discuss with the SD team; they may give the condition type used for different taxes.
    With rgds,
    Anil Kumar sharma .P
