MARS - drop rules

I have a MARS20 configured to an IPS4240 placed between the internet & LAN, and I want to stop my internal network from triggering incidents and producing false positives, based on the assumption that my LAN is secure.
So I have created a drop rule to log to DB, source 192.168.0.0 255.255.0.0, remaining parameters as Any.
The rule is active, but I still get incidents with source from LAN.
Am I missing something?
Cash

did you click "activate"?

Similar Messages

  • MARS DROP RULE QUESTION

    When you configure a drop rule, let's say you configure several. If something happens to the software, is there a way to back up the drop rules that you have created?

    Hi,
    you can configure archiving and if the MARS fails you can restore OS, configurations, events, reports and rules from the archive.
    check archiving configuration for the mars:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/bckRstrSby.html
    regards
    Gabor
    /vote if it helps/

  • CS-MARS - Drop rule keyword based

    Hi all,
    I need to create a new rule based on a keyword. I'm able to add an inspection rule but not a drop rule. The problem is Cisco MARS is showing up lots of events from a reporting IPS that is blocking those events. In this manner, the IPS is tagging all traffic blocked and when it gets to the MARS, I have to open the event to see if it's a real threat or it's just an event blocked by the IPS.
    Now, all tagged traffic is matching with my inspection rule but I don't want to see more events from that rule, just log into the database, I mean, the alternate action to "drop" in a drop rule.
    Any idea?
    Thanks a lot.

    Hi Beth,
    Excuse me but I don't understand what you mean with that string. What I'm saying is there's no way to create a drop rule using a keyword. E.g. I want to drop all events from the matching rule called "Password scan" where the keyword "Administrator" is used. You can only apply an action in drop rules, and use a keyword in inspection rules.
    Sorry again if I don't understand what you mean or where apply the regex string you're talking about.
    Thanks a lot.

  • MARS drop rules problem

    Hi All,
    we were receiving lots of false positives, so I've created drop rules in MARS. Still it is generating incidents, but I am sure the drop rule should cover them based on source/dest and port number. I've activated, rebooted, but still the same issue.
    any suggestion would be very appreciated.
    Alex

    did you click "activate"?

  • MARS: Tweaking rules on subnets internal to firewall to be less sensitive

    The MARS alerts are firing as rapidly on the internal networks as they do for external networks. Is there a global command to make the MARS less sensitive to hits from the internal subnets, or does a rule have to be customized? Thanks again.

    You could create a MARS drop rule to ignore messages where the src = internal network(s). That is certainly not how I would recommend tuning your environment, but it will cut down on the number of incidents;-) It sounds to me like the devices reporting into MARS could use some tuning.

  • MARS General FP Drop Rule vs. Listed Unconf. FPs

    I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.
    It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.
    But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:
    1. It will take a long time.
    2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.
    Any ideas?
    Paul Trivino

    Try this to prevent System Determined False Positives from displaying as incidents?
    If you confirm what was previously an unconfirmed false positive, then a drop rule is created. That drop rule should prevent any further incidents of that type. So, this shouldn't be happening. Please make sure you've clicked 'Activate'.
    Check the related bug-id: CSCsc74104

  • Drop rule using keyword?

    I posted this on the Cisco MARS User group on Google, but thought it is best to cover it here as well.
    I just read that this can not be done using a keyword, but am interested if there is any other way of getting the same (or equal) result.
    Is there any way to configure a false positive drop rule based on a keyword in the raw message? I have a user that consistently pushes the switch port interface utilization above 90% - this is normal activity that happens throughout the day. We get 20 - 30 email alerts per day on this. I would like to configure a drop rule that will just drop this incident if this user's interface is specified in the raw message. Or maybe there is another way to get the same result?

    hmmm...I think that's going to be a challenge and not likely found in a book or other documentation. If you add a "!= switch a" in the device column for an offset, the offset will not match on any events from that device regardless of the keyword criteria.
    If the device name is not in the raw message, I don't see any way around that. Assuming a very basic rule with a single offset...
    I think you'll have to modify the original offset with a "!= switch a" in device column. Then add an offset which specifically matches on that device and uses a keyword to filter out the specific port indicated in the raw message.
    There's a trick to that too, because you can't just have a "!=" keyword. You have to first match on something and then add a "NOT" keyword which indicates the port.
    Hopefully that will get you started at least. It can get really messy with multiple offsets because you'll have to figure out where to add the offset and may even have to add multiple offsets and in the right place.
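    The two mechanics this thread keeps coming back to, the Activate step from the original question and the "!= device" plus NOT-keyword offset trick described in the answer above, can be seen side by side in a small model. The code below is an added example written for this page, not MARS code or Cisco documentation: the field names, the OR between offsets and the "pending until activated" rule store are assumptions chosen to mirror what the posters describe, and all events are constructed.

```python
# Added example: toy model of CS-MARS style drop rules and inspection-rule
# offsets. Constructed for illustration; the data model is an assumption,
# not the real MARS implementation.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    device: str   # reporting device (switch, IPS sensor, ...)
    src: str      # source IP as reported
    raw: str      # raw message text


@dataclass
class Offset:
    """One line of a rule: every field that is set must hold for a match."""
    device: Optional[str] = None        # device name to compare against
    device_negate: bool = False         # True models the "!= switch a" trick
    src_net: Optional[str] = None       # source subnet, e.g. "192.168.0.0/16"
    keyword: Optional[str] = None       # must appear in the raw message
    not_keyword: Optional[str] = None   # the "NOT" keyword: must be absent

    def matches(self, ev: Event) -> bool:
        if self.device is not None:
            is_device = ev.device == self.device
            # With device_negate set, the offset matches every device EXCEPT this one
            if is_device == self.device_negate:
                return False
        if self.src_net is not None:
            if ipaddress.ip_address(ev.src) not in ipaddress.ip_network(self.src_net):
                return False
        if self.keyword is not None and self.keyword not in ev.raw:
            return False
        if self.not_keyword is not None and self.not_keyword in ev.raw:
            return False
        return True


@dataclass
class Rule:
    name: str
    offsets: List[Offset]
    # Drop rules carry an action ("drop" or "log to DB"); inspection rules carry None
    action: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        # Offsets are treated as alternatives (assumed OR): any one match is enough
        return any(o.matches(ev) for o in self.offsets)


class Mars:
    """Rules sit in 'pending' until activate() commits them, like the Activate button."""

    def __init__(self) -> None:
        self.pending: List[Rule] = []
        self.active: List[Rule] = []
        self.db_log: List[str] = []   # events kept by a "log to DB" drop rule

    def add_rule(self, rule: Rule) -> None:
        self.pending.append(rule)

    def activate(self) -> None:
        self.active = list(self.pending)

    def process(self, events: List[Event]) -> List[str]:
        """Return one incident string per event that reached a matching inspection rule."""
        incidents = []
        for ev in events:
            drop = next((r for r in self.active if r.action and r.matches(ev)), None)
            if drop is not None:
                if drop.action == "log to DB":
                    self.db_log.append(ev.raw)
                continue   # dropped events never reach the inspection rules
            for r in self.active:
                if r.action is None and r.matches(ev):
                    incidents.append(f"{r.name}: {ev.raw}")
        return incidents


def demo_internal_source_rule() -> tuple:
    """The original question: a LAN-source drop rule created but not yet activated."""
    mars = Mars()
    mars.add_rule(Rule("Any IPS alert", [Offset(keyword="Sig:")]))
    mars.activate()   # baseline: only the inspection rule is live
    mars.add_rule(Rule("Ignore LAN sources", [Offset(src_net="192.168.0.0/16")],
                       action="log to DB"))
    ev = Event("ips4240", "192.168.10.5", "Sig:2100 ICMP Network Sweep (constructed)")
    before = len(mars.process([ev]))   # rule pending: incident still fires
    mars.activate()
    after = len(mars.process([ev]))    # rule committed: event logged, no incident
    return before, after, len(mars.db_log)   # (1, 0, 1)


def demo_keyword_workaround() -> List[str]:
    """The two-offset trick: exclude 'switch a', then re-add it minus one port."""
    mars = Mars()
    util = "interface utilization above 90%"
    mars.add_rule(Rule("High port utilization", [
        Offset(device="switch a", device_negate=True, keyword=util),
        Offset(device="switch a", keyword=util, not_keyword="Gi1/0/24"),
    ]))
    mars.activate()
    events = [   # constructed sample events
        Event("switch b", "10.0.0.2", f"Gi1/0/3 {util}"),
        Event("switch a", "10.0.0.1", f"Gi1/0/24 {util}"),   # the known-busy port
        Event("switch a", "10.0.0.1", f"Gi1/0/5 {util}"),
    ]
    return mars.process(events)   # two incidents, none for Gi1/0/24


if __name__ == "__main__":
    print(demo_internal_source_rule())
    print(demo_keyword_workaround())
```

    The first demo reproduces the symptom in the original question: the same internal event raises an incident while the drop rule is only pending and is routed to the DB log once the rule set is activated. The second demo shows why the NOT keyword has to hang off an offset that first positively matches the device: the negated device offset covers every other switch, and the second offset covers "switch a" except the one port named in the raw message.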

  • ADDING DROP RULES

    Hi, I added a drop rule in CS-MARS. Just want to clarify that it will automatically be used by CS-MARS for correlation.
    thanks and best regards

    It will be applied, but to commit the changes (in running memory) you have to click the Activate button on the top right of your screen.
    It will automatically turn red when you make any changes in MARS (requiring activation).
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • Removing Drop Rules

    Hi,
    I am very new to configuring our MARS. I recently added a drop rule by mistake. I've tried marking it inactive, but it's still showing as a false positive. I would like to completely delete the rule all together if that is possible.
    Thanks!

    I don't know what you mean by 'it's still showing as a false positive'. Can you please clarify?
    Drop rules cannot be deleted in MARS. However you can make them inactive (which will functionally have the same effect). Just make sure you hit the 'Activate' button on the top right after marking the change.
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • Drop rule set

    Hi,
    I have only the following object (rule set) on my schema.
    OBJECT_NAME     OBJECT_TYPE
    DEV_QUEUE_R     RULE SET
    I tried to drop it with the following syntax:
    exec DBMS_RULE_ADM.DROP_RULE_SET(
    rule_set_name => 'DEV1.DEV_QUEUE_R',
    delete_rules  => false);
    But following error shown:
    ORA-24170
    string.string is created by AQ, cannot be dropped directly
    Cause: This object is created by AQ, thus cannot be dropped directly
    Action: use dbms_aqadm.drop_subscriber to drop the object
    And I couldn't find the exact syntax of this. Can anyone help me with the exact syntax of DBMS_AQADM.DROP_SUBSCRIBER?
    Thanks.
    BANNER
    Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
    PL/SQL Release 11.1.0.6.0 - Production
    CORE     11.1.0.6.0     Production
    TNS for Linux: Version 11.1.0.6.0 - Production
    NLSRTL Version 11.1.0.6.0 - Production
    Edited by: Nadvi on Jul 22, 2010 4:03 PM

    Ok, I found the solution.
    select * from user_objects;
    OBJECT_TYPE   OBJECT_NAME                 STATUS
    ------------  --------------------------  -------
    RULE          AQ$WF_DEFERRED_QUEUE_M$1    VALID
    RULE SET      AQ$WF_DEFERRED_QUEUE_M$1    INVALID
    1. Set the following event at session level:
    alter session set events '25475 trace name context forever, level 2';
    2. Drop rule:
    execute DBMS_RULE_ADM.DROP_RULE('.AQ$WF_DEFERRED_QUEUE_M$1',TRUE);
    commit;
    3. Drop rule set:
    execute DBMS_RULE_ADM.DROP_RULE_SET('AQ$WF_DEFERRED_QUEUE_M$1');
    commit;
    4. Connect as SYSTEM or SYSDBA and try to drop user again.
    drop user <user> cascade;
    Thanks

  • WMS dropping rules execution time.

    Hi Community!
    We're facing problem in our OEBS 12.1.3 production environment with dropping rules execution time.
    Execution can take a long time (10-15 minutes) if it is started from the standard interface by a warehouse worker, but on the other hand the same query executes in a few seconds in sqlplus.
    I'll be very grateful if someone helps me to find problem source.
    Kind regards.

    Well, these rules are not unique – most of them are executed repeatedly for various Entities. In whole, it is a big budget calculation model.
    It surely can be and must be optimized, but it will take some time (I started to administrate this outsource-developed Planning system not long ago).
    But the question now is not in the amount of BRs, but in the execution delay.
    I tried to run a single rule the same way, and got 18 sec in CmdLineLauncher vs 1 sec in EAS Console.
    Just can't get the delay reason...

  • MARS - Understanding Rules and Incidents

    I've been doing some testing, trying to develop a detailed understanding of how rules work in CSMARS. I'm getting inconsistent results. Let's assume I have the ability to create the EXACT same event 5 times in CSMARS at 10 second intervals. The only difference in the events is when they are received by CSMARS. The inspection rule is quite simple; look for this event type, count = 1 and time range = 5 minutes.
    The events in CSMARS are always part of the same session. However, sometimes I get just 1 incident that fires right way. Other times I get 2 incidents, one that fires right away and another that fires after the 5 minute time range has elapsed. When there are 2 incidents, the time range for each incident is always from a subset of the events in the session. So for example, the first incident's time range might have a time range from the first 3 events and the second incident would have a time range from the last 2 events.
    The end result though is that I have a single session that triggered the same rule twice. How is this possible?

    V.K. wrote:
    Entire message - contains - pizza
    and
    Entire message - does not contain - burger
    And now I get only the burger stuff
    that's how it should be. I don't understand the problem.
    Then I think you didn't accurately read the description of the problem. If one criterion is "Entire message - does not contain - burger", and the criteria are joined with an "and", then he should not be seeing only messages with "burger" in them.
    evilme, my question for you is, you said "and"... but when editing a Mail rule, it does not use that same language. Where it says "If any/all of the following conditions are met:", does the pop-up menu say "any" or "all"? Can you post a screen shot of the rule settings?

  • IPS - Event Action Filters. Which alerts do you suppress

    Currently we have three IPS sensors consolidating all of our information into MARS and it is working quite well.
    The question that I am wondering is if anyone has a suggestion for what is the best practice for tuning signatures at the IPS appliances and what alerts to suppress.
    For example, our internal IPS has fired off a signature in regards to network scanning from our Orion NPM server. In the past I would filter out all alerts from this source IP to respective destination networks.
    Looking at things again, is it best to just suppress the alert and still log the packets, or just remove all of the alerts, packet logging, etc. because it is a false positive?
    Thanks in advance,
    Matt

    I think everyone has a different opinion about where and how to best tune the "SIM" environment. My 2 cents...
    Think about how many places you'd have to make a change in order to effectively tune out what you're after.
    Reserve your MARS drop rules for more "broad" filtering that would otherwise require changes to multiple devices and device types. For example, you might have a drop rule for all devices that perform network management-like processes. These devices can create lots of firewall accepts (and sometimes denies). Lots of netflows. They often trigger various IDS signatures. This is perfect for a MARS drop rule. Some changes may only require a change in one place (i.e. tune one reporting device). Cisco IDS alarms are a common one. You have a specific signature triggering a single rule in MARS. In this situation, if you have the ability to do it (time, know-how, access to device, etc.), do your tuning as close to the reporting device as possible. Research alarms and tune on the sensor itself. Disable irrelevant or false-positive prone signatures. Create event filters where necessary.

  • How you handle your signatures

    What are you doing with your signatures which fire and are false positives? Are you using event action filters or are you disabling the signature? In some cases I see where disabling that signature would be fine. Like if you have a DNS box which is patched and not susceptible to an exploit being noticed by IPS - since your system is patched and no other boxes are susceptible to the exploit then it seems only logical to disable the signature, yes? But event action filters come into place for signatures like sig-3030 which, in most cases, should only fire when the source is from outside your network. Just want to make sure I'm on the right track. Anyone know of a good site which discusses IPS best practice, administration and policy?
    Also how many of y'all monitor your internal network?
    Thanks

    When I'm troubleshooting a new alert I usually enable 'log pair packets' so I can put more context around the alert itself. Although they get correlated in MARS I use CSM to tune the sensors and signatures. I'll cross-launch to IDM to pull down the packet captures, saving them with somewhat descriptive names in case I need to revisit them later. I also use a great netflow reporting engine (Mazu Networks) to see where else the suspect PC has been going, and then use online tools like dnsstuff.com, Spamhaus DROP lists, DShield, to see if the IP address is on any block lists. This tool (as well as Arbor Networks, Lancope, etc.) also does its own non-signature-based network behavior analysis, and sometimes (not always) something will correlate here too.
    After I get enough information I try to tune the actions on the sensor itself. Sometimes you have to fall back on a MARS drop rule, just to screen out false positives or handle special cases, but I think it's better to keep the alert from occurring in the first place. Having too many filters gets ugly fast.
    You should also be leveraging Cisco's IntelliShield service; each IPS sig subscription gives you (free) access to detailed information on the IPS sigs and the vulnerabilities that prompted the sig in the first place. Great service. I've been able to disable a bunch of sigs using this alone.
    Good luck.

  • How many rules in MARS by default? How/where to upgrade?

    I am taking over management of a MARS running 3.4 code. There are 102 system inspection rules, no user inspection rules, and no drop rules. How many are there by default? This doesn't seem like very many, at least compared to another vendor's system I've used in the past. Is there a site that has predefined rules (outside of having smartnet), as I'd prefer to not have to generate them (or at least many) manually?
    Thank you.

    Didn't you have to create/configure the rules with ACID/Snort? It's no different with the CS-MARS. It ships with some, yes... but you have to configure it to your needs. Hell, the thing is, how many signatures come back from the Cisco IPS? Every one of those signatures it doesn't understand requires your own custom rule if you plan to do anything with the alarms.
