CSA 5.0: Complexity Exceeds Maximum

Unanswered Question
Nov 12th, 2007

Recently I was tuning out some false positives and was unable to generate the rules due to a complexity greater than 7500, which exceeds the maximum of 7500.


I searched the forum and found out that there is a limit to the number of complexity points, set at 7500.


The post says to remove old Rules/Groups and Rule Modules or try condensing all of those.


I have gone through and made the changes that would put me under the limit. But when I attempt to generate these rules to move under the limit I receive the same warning.


How can I get under the limit if I cannot generate any changes?

eaglesecure Mon, 11/12/2007 - 12:14

Response from Cisco Tech Support.


This happens when there are too many literals in the ruleset. A literal is anything defined in a fileset. For example, foo.exe is 1 literal; foo.exe, foo2.exe are two literals. To reduce the literals and thus generate rules successfully, one needs to wildcard and generalize when possible. So foo*.exe would change the literals to 1 from 2 (from foo.exe and foo2.exe, for example). The maximum number of literals is 7500.

Basically, for a little insight into why the value of 7500 was selected: the default rule sets have a complexity of no more than 2500. The internal Cisco policy is not even double that value. So triple the default was selected to allow plenty of room for customization.


If you exceed 7500 literals, rule generation would be extremely slow and would most likely timeout.

As a rule of thumb: always wildcard where possible.
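To make the literal-counting rule above concrete, here is an added Python example (not from the poster, Cisco Tech Support, or CSA itself). It collapses a constructed fileset the way the answer describes, one point per entry and a wildcard such as foo*.exe counting as one, and reports whether the result stays under 7500. The prefix-clustering heuristic, the minimum prefix length and the one-point-per-literal scoring are assumptions; the real CSA complexity calculation may weigh things differently.

```python
import os
from collections import defaultdict

MAX_COMPLEXITY = 7500  # limit quoted in the thread: one point per literal

# Constructed sample fileset (not taken from the original post).
SAMPLE_FILESET = [
    r"C:\Program Files\App\foo.exe",
    r"C:\Program Files\App\foo2.exe",
    r"C:\Program Files\App\bar.exe",
    r"C:\Program Files\App\foo.dll",
    r"C:\Windows\System32\svchost.exe",
]


def generalize_fileset(paths, min_prefix=3):
    """Collapse entries in the same directory with the same extension and a
    shared name prefix (at least min_prefix chars) into one wildcard literal,
    e.g. foo.exe + foo2.exe -> foo*.exe (assumed heuristic, not CSA's own).
    Returns {pattern: [paths it replaces]} so every proposed wildcard can be
    reviewed before it goes into a rule: foo* also matches foobar.exe, so a
    wildcard always widens what the rule allows or denies."""
    groups = defaultdict(list)
    for path in paths:
        directory, _, name = path.rpartition("\\")
        stem, ext = os.path.splitext(name)
        groups[(directory, ext)].append(stem)

    proposed = {}
    for (directory, ext), stems in groups.items():
        def full(stem):
            return f"{directory}\\{stem}{ext}"
        cluster = []
        for stem in sorted(stems) + [None]:  # None flushes the last cluster
            if stem is not None and (not cluster or len(
                    os.path.commonprefix(cluster + [stem])) >= min_prefix):
                cluster.append(stem)
                continue
            if len(cluster) > 1:  # one wildcard literal replaces the cluster
                pattern = full(os.path.commonprefix(cluster) + "*")
                proposed[pattern] = [full(s) for s in cluster]
            else:
                proposed[full(cluster[0])] = [full(cluster[0])]
            cluster = [stem] if stem is not None else []
    return proposed


def complexity(proposed):
    """Complexity points as described in the thread: one per literal."""
    return len(proposed)


def fits_limit(proposed):
    return complexity(proposed) <= MAX_COMPLEXITY
```

Running `generalize_fileset(SAMPLE_FILESET)` turns the five constructed entries into four literals, and the returned mapping shows exactly which original paths each wildcard absorbed.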

