MARS General FP Drop Rule vs. Listed Unconf. FPs

Similar Messages

• MARS DROP RULE QUESTION

  When you configure a drop rule, lets say you configure several.  If something happens to the software, is there a way to backup the drop rules that you have created?

  Hi,
  you can configure archiving and if the Mars fails you can restore OS,configurations,events,reports and rules from the archive.
  check archiving configuration for the mars:
  http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/bckRstrSby.html
  regards
  Gabor
  /vote if it helps/

• CS-MARS - Drop rule keyword based

  Hi all,
  I need to create a new rule based on a keyword. I'm able to add an inspection rule but not a drop rule. The problem is Cisco MARS is showing up lots of events from a reporting IPS who is blocking that events. In this manner, the IPS is tagging all traffic blocked and when it gets the MARS, I have to open the event to see if it's a real threat or it's just a event blocked by IPS.
  Now, all tagged traffic is matching with my inspection rule but I don't want to see more events from that rule, just log into the database, I mean, the alternate action to "drop" in a drop rule.
  Any idea?
  Thanks a lot.

  Hi Beth,
  Excuse me but I don't understand what you mean with that string. What I'm saying is there's no way to create a drop rule using a keyword. P.e. I want to drop all events from the matching rule called "Password scan" where the keyword "Administrator" is used. You can only apply an action in drop rules, and using a keyword in inspection rules.
  Sorry again if I don't understand what you mean or where apply the regex string you're talking about.
  Thanks a lot.

• MARS drop rules problem

  Hi All,
  we were receiving lots of false positive, so I've created drop rules in MARS. still it is generating incident, but I am sure drop rule should cover based on source/dest and port number. I've activated, rebooted, but still the same issue.
  any suggestion would be very appreciated.
  Alex

  did you click "activate"?

• MARS - drop rules

  I have a MARS20 configured to a IPS4240 placed between internet & LAN, and i want to stop my internal network to stop triggering the incidents and stop producing false positive; based on the assumption that my LAN is secure.
  So I have created a drop rule to log to DB, source-192.168.0.0 255.255.0.0, remaining parameters as Any.
  The rule is active, but i still get incidents w source from LAN.
  am i missing something?
  Cash

  did you click "activate"?

• Drop rule using keyword?

  I posted this on the Cisco MARS User group on Google, but thought it is best to cover it here as well.
  I just read that this can not be done using a keyword, but am interested if there is any other way of getting the same (or equal) result.
  Is there any way to configure a false positive drop rule based on a
  keyword in the raw message? I have a user that consistantly pushes the
  switch port interface utilization above 90% - this is normal activity
  that happens throughout the day. We get 20 - 30 email alerts per day
  on this. I would like to configure a drop rule that will just drop
  this incident if this user's interface is specified in the raw
  message. Or maybe there is another way to get the same result?

  hmmm...I think that's going to be a challenge and not likely found in a book or other documentation. If you add a "!= switch a" in the device column for an offset, the offset will not match on any events from that device regardless of the keyword criteria.
  If the device name is not in the raw message, I don't see any way around that. Assuming a very basic rule with a single offset...
  I think you'll have to modify the original offset with a "!= switch a" in device column. Then add an offset which specifically matches on that device and uses a keyword to filter out the specific port indicated in the raw message.
  There's a trick to that too, because you can't just a have a "!=" keyword. You have to first match on something and then add a "NOT" keyword which indicates the port.
  Hopefully that will get you started at least. It can get really messy with multiple offsets because you'll have to figure out where to add the offset and may even have to add multiple offsets and in the right place.

• ADDING DROP RULES

  Hi, I added a drop rule in CSMARS, Just want to clarify it will automatically be used by CS-MARS for correlation.
  thanks and best regards

  It will be applied, but to commit the changes (in running memory) you have to click the Activate button on the top right of your screen.
  It will automatically turn red  when you make any changes in MARS (requiring activation).
  Please rate if you find the post helpful.
  Regards
  Farrukh

• Removing Drop Rules

  Hi,
  I am very new to configuring our MARS. I recently added a drop rule by mistake. I've tried marking it inactive, but it's still showing as a false positive. I would like to completely delete the rule all together if that is possible.
  Thanks!

  I don't know what do you mean by 'its still showing as false positive'? Can you please clarify.
  Drop rules cannot be deleted in MARS. However you can make them inactive (which will functionally have the same effect). Just make sure you hit the 'Activate' button on the top right after marking the change.
  Please rate if you find the post helpful.
  Regards
  Farrukh

• MARS query - Save as rule

  Right now most of the rules I am creating are drop rules while doing the initial tuning of my MARS box. When I use the query to save as a rule, it apprears that you can only save it as an inspection rule and never as a drop rule. Am I missing something?

  Hi,
  That's a question in very relationship with another I've posted. I can create lots of inspection rules based on keywords but I can not create a drop rule based on that. P.e. There's a lot of logs originated in domain controllers that I'm able to classify them based on "User Name: Local-Admin" words and their source IP. I'm sure that's correct and I want to drop all events. It's not possible. I can only create an inpection rule, not a drop rule.
  Thanks a lot.

• Views Status at MARA general info segment level

  Hi all,
  Please guide me how to maintain Views Status at MARA general info segment level.I am extending standard MATMAS IDOC for my own fields.
  Thank you.

  You actually need to run it with "check -access"; memuse and leaks won't help with the crash, which happens because of illegal memory access. Hopefully, "check -access" will help you to locate the bad guy, but that's not panacea either.
  To be precise:
  - start dbx
  $ dbx <your app>
  - issue
  (dbx) check -access
  (dbx) run
  and wait for dbx to stop and report suspicious memory access.

• Drag and Drop in hero list.

  Hi,
  I am working on a mobile project which requires drag and drop in same list. Has anyone implemented this in their project. Please share your experience.
  Thanks,
  Mahesh.

  OK, I've fixed this in the following way.
  In the createDragIndicator() function, I've grabbed the element from the layout and set the dragImage's x and y to the same:
  public override function createDragIndicator():IFlexDisplayObject
       var dragItem:IVisualElement = selectedItem;
       var dragImage : UIBitmap = new UIBitmap( dragItem, PixelSnapping.NEVER );
       if (dragImage is IVisualElement)
            IVisualElement(dragImage).owner = this;
       var element:ILayoutElement;
       if (layout.useVirtualLayout)
            element = layout.target.getVirtualElementAt(selectedIndex);
       else
            element = layout.target.getElementAt(selectedIndex);
       dragImage.x = element.getLayoutBoundsX();
       dragImage.y = element.getLayoutBoundsY();
       return dragImage;

• [svn:fx-trunk] 10876: Add support for drag-and-drop from Spark List to Spark List.

  Revision: 10876
  Author:   [email protected]
  Date:     2009-10-05 15:20:07 -0700 (Mon, 05 Oct 2009)
  Log Message:
  Add support for drag-and-drop from Spark List to Spark List.
  - List drop related handlers
  - LayoutBase APIs
  - VerticalLayout DND support
  Notes:
  - ListSkin is not final.
  - Drag-scrolling not yet implemented.
  QE notes: Only VerticalLayout works, HorizontalLayout still not implemented.
  Doc notes: None
  Bugs: None
  Reviewer: Deepa
  Tests run: checkintests
  Is noteworthy for integration: No
  Modified Paths:
      flex/sdk/trunk/frameworks/projects/spark/src/spark/components/List.as
      flex/sdk/trunk/frameworks/projects/spark/src/spark/layouts/VerticalLayout.as
      flex/sdk/trunk/frameworks/projects/spark/src/spark/layouts/supportClasses/LayoutBase.as
      flex/sdk/trunk/frameworks/projects/spark/src/spark/skins/spark/ListSkin.mxml
      flex/sdk/trunk/frameworks/spark-manifest.xml
  Added Paths:
      flex/sdk/trunk/frameworks/projects/spark/src/spark/layouts/supportClasses/DropLocation.as

  Whoops, disregard my question - I just read the spec that indicates drag and drop is scheduled for later work.
  David

• Drag and Drop between two list boxes

  Hi all
  I am working over Drag and Drop .. i have to implement Drag and Drop between two list boxes .. both list box exist in same page ..each list box have number of rows.. please give me some idea ... as i am new for JSP and Servlet...
  Thanks in advance
  Regards
  Vaibhav

  Hi all
  I am working over Drag and Drop .. i have to
  implement Drag and Drop between two list boxes ..
  both list box exist in same page ..each list box have
  number of rows.. please give me some idea ... as i am
  new for JSP and Servlet...
  Something close to what you are looking for is Select Mover in Coldtags suite:
  http://www.servletsuite.com/jsp.htm

• Select customer name from a drop down Select List or be able to type it in

  Hi,
  Is there a way to allow my users to have an option to either select a customer name from a drop down Select List or be able to type it in...
  Thanks in advance

  This is an excellent option for another application but in this one I would prefer a drop down list to allow my users to see all the orders (to pick from the list) or type it in if they can't find it in the list...
  I know how to create a drop down select list but not sure what to do to allow users to be able to manually type in as well...
  Thanks

• TS1368 My account keeps asking for Region but the drop down menu lists Cities in China. I can,'t cange the region in my account because it asks me to check the date and time but these are correct. Any answers please?

  My account keeps asking for Region but the drop down menu lists Cities in China. I can,'t cange the region in my account because it asks me to check the date and time but these are correct. Any answers please?

  Look, I understand I still need a card attached to the account. The problem is, it won't accept my card because I only have 87 cents in my bank account right now.
  If I had known there would be so much trouble with the iTunes card, I would have just put the cash in my bank account in the morning instead of buying an iTunes card (I didn't expect the banks to be open on Thanksgiving of course).
  Apple will only accept cards that have a balance. The balance is so small in my account that it won't accept it as a valid card.
  I'm going to have to contact Apple anyway to reset the security questions. That's obvious. Your answers were not exactly helpful. You didn't tell me anything I don't already know, but thanks for trying to be helpful.