Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
390
Views
5
Helpful
2
Replies

Need help with a rule..

mmorris11
Level 4
Level 4

‎03-16-2007 07:50 AM - edited ‎03-10-2019 03:31 AM

I wrote a rule with the intent of it firing upon events originating only from public ip addresses AND only for yellow OR red severity levels. However this rule still fires on green severity events. Can any one see why from looking at the rule in the attached graphic?

Thank you,

Mike

Labels:
0 Helpful
2 Replies 2

edwakim
Cisco Employee
Cisco Employee

‎03-19-2007 08:29 PM

Hi Mike,

I hope you are doing fine.

I guess you are talking about MARS here.

Could you please attach the graphic?

Thank you.

Edward

0 Helpful

mmorris11
Level 4
Level 4
In response to edwakim

‎03-20-2007 06:31 AM

Edward,

Glad I checked this! Actually what happened is that posted this before attaching and discovered that you can't attach after the fact. The full post is here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddde4e8

Check out this TAC case (this is about something else): SR 605613157 - CSMARS-rule building

It led to an enhancement request: CSCsi17878 - Rules should have 'NOT-FOLLOWED-BY' operator

-mike

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card