Rules for have complexity 7525 which exceeds

Unanswered Question
Feb 5th, 2007

Has anyone seen this issue in CSA 5.0 when generating rules?

Rules for have complexity 7525 which exceeds the maximum of 7500

tsteger1 Mon, 02/05/2007 - 16:59

No, but how many rules do you have or how many rule changes were pending?

CSA won't generate rules in some conditions. Too short of a polling interval is one.

Perhaps there is a maximum rule change or rule limit as well.

Yes, there is a complexity limit of 7500. We hit it a few months ago. What we did to fix it was to go through all the rules and wildcard where we could and combine rules where we could. There is a value for each rule module/rule/app class/network address set/etc. and each line in each of those. So, for example, if you have an app class with @program files\abc.exe and **\temp\abc.exe, that counts as 2 complexity points. Our biggest issue is network address sets. It's an ongoing battle.

Cisco says it's there so the hosts don't have too much information to process and slow the machine down.
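
The counting model described in the reply above (a point for each object and for each line inside it) can be turned into a quick audit that shows how close a policy is to the 7500 cap and which objects and duplicated entries are the best candidates for consolidation. The script below is an added example, not part of the thread and not Cisco's scoring code: the policy is a constructed sample, and the scoring rule (one point per entry line, with an empty object still costing one) is an assumption chosen to match the two-entry app class scoring 2 points in the reply; the real MC formula may differ.

```python
from collections import defaultdict

COMPLEXITY_LIMIT = 7500  # the cap named in the MC error message

# Constructed sample policy (not exported from a real MC):
# category -> object name -> list of entry lines in that object
SAMPLE_POLICY = {
    "rule_modules": {
        "Servers": [],
        "Workstations": [],
    },
    "rules": {
        "Allow abc": ["action=allow", "app=abc", r"resource=**\*.dll"],
        "Deny temp exec": ["action=deny", r"resource=**\temp\*.exe"],
    },
    "application_classes": {
        "abc": [r"@program files\abc.exe", r"**\temp\abc.exe"],
        "browsers": [r"**\iexplore.exe", r"**\firefox.exe"],
    },
    "network_address_sets": {
        "Corp LAN": ["10.0.0.0/8", "192.168.1.0/24"],
        "Branch LAN": ["192.168.1.0/24", "172.16.0.0/12"],
    },
}


def object_points(entries):
    """Assumed scoring: one point per entry line; an object with no lines
    still costs one point for the object itself."""
    return max(1, len(entries))


def points_by_category(policy):
    """Complexity contributed by each category (rules, app classes, ...)."""
    return {cat: sum(object_points(e) for e in objs.values())
            for cat, objs in policy.items()}


def total_points(policy):
    return sum(points_by_category(policy).values())


def check_limit(policy, limit=COMPLEXITY_LIMIT):
    """Return (total, headroom, over_limit); headroom is negative when over."""
    total = total_points(policy)
    return total, limit - total, total > limit


def largest_objects(policy, n=3):
    """The n most expensive objects: where wildcarding or merging pays off most."""
    scored = [(cat, name, object_points(e))
              for cat, objs in policy.items() for name, e in objs.items()]
    scored.sort(key=lambda t: (-t[2], t[0], t[1]))
    return scored[:n]


def duplicate_entries(policy):
    """Entries repeated across objects of the same category: candidates for
    folding into one shared object (or a wildcard) to reclaim points."""
    seen = defaultdict(list)
    for cat, objs in policy.items():
        for name, entries in objs.items():
            for line in entries:
                seen[(cat, line)].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    total, headroom, over = check_limit(SAMPLE_POLICY)
    print(f"total complexity {total}, headroom {headroom}, over limit: {over}")
    for cat, pts in points_by_category(SAMPLE_POLICY).items():
        print(f"  {cat}: {pts}")
    print("largest objects:", largest_objects(SAMPLE_POLICY))
    for (cat, line), names in duplicate_entries(SAMPLE_POLICY).items():
        print(f"  '{line}' appears in {cat}: {', '.join(names)}")
```

Run against a policy export that has been mapped into the same category/object/entries shape, the per-category totals show which area (network address sets, in the reply's experience) is eating the budget, and the duplicate report points at entries that several objects carry separately and could share.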


tsteger1 Thu, 02/22/2007 - 12:08

Shelly, thanks for the good information.

We delete everything associated with OSs we will never use (Linux, Solaris).

After each upgrade, everything is deleted if it's not needed and associated with new items if it is.

This keeps the MC pretty lean and rule generation is much faster. We have 388 rules on a 4.0.3 MC and 690 on a 5.1. All told there are 794 items on the 4.0.3 MC and 2121 items on the 5.1 MC.
