Sending alerts with CS-MARS

Unanswered Question
Jan 7th, 2008

Hi people,

I have a CS-MARS and need to send alerts when specific events occur. Using the action field in the inspection rules, this is achieved without problems.

But I need to configure alerts in a more general way, e.g. for events of a specific severity or rule group, and not rule by rule. How can I configure CS-MARS this way?

I'm waiting for a reply.

Regards,

brHS.

mhellman Mon, 01/07/2008 - 11:59

You cannot do this in either case, AFAICT. What you might be able to do is configure the action for all inspection rules to send a syslog to the IP address of the MARS box. Then create a "keyword" inspection rule to specifically fire based on the severity shown in the syslog message. Here is an example of what the syslogs look like:

<34>Mon Jan 7 13:51:08 2008 %MARS-1-101: Rule 205795 (Local Administrators group - membership modified) fired and caused yellow Incident 747340504, starting from Mon Jan 7 13:50:57 2008 to Mon Jan 7 13:50:57 2008

The rule name is "Local Administrators group - membership modified" and the Severity of the incident is yellow.
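To make the "keyword rule on the looped-back syslog" idea concrete, here is an added example (not from the reply above and not Cisco/MARS code) that parses syslog lines in the format quoted in the reply and selects those at or above a given incident severity, or whose rule name contains a keyword. The sample lines are constructed for this example; only the first one mirrors the format actually quoted. The assumption that MARS incident colours are limited to green, yellow and red, and the ordering green < yellow < red, are this example's own, as are all the function and class names. The PRI decoding (`<34>` = facility 4, severity 2) follows the standard syslog convention of facility*8 + severity.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in the format shown in the reply. Only the first
# line matches the real example; the other rule ids, names and incident
# numbers are invented for this illustration.
SAMPLE_SYSLOG = """\
<34>Mon Jan 7 13:51:08 2008 %MARS-1-101: Rule 205795 (Local Administrators group - membership modified) fired and caused yellow Incident 747340504, starting from Mon Jan 7 13:50:57 2008 to Mon Jan 7 13:50:57 2008
<34>Mon Jan 7 13:52:10 2008 %MARS-1-101: Rule 100012 (Example noisy rule) fired and caused green Incident 747340505, starting from Mon Jan 7 13:52:00 2008 to Mon Jan 7 13:52:01 2008
<34>Mon Jan 7 13:53:33 2008 %MARS-1-101: Rule 100077 (Example urgent rule) fired and caused red Incident 747340506, starting from Mon Jan 7 13:53:20 2008 to Mon Jan 7 13:53:30 2008
not a MARS line at all
"""

# Assumed severity vocabulary and ordering (the post only shows "yellow").
SEVERITY_RANK = {"green": 0, "yellow": 1, "red": 2}

# Pattern for the message shape quoted in the reply: PRI, timestamp, Cisco
# %MARS-<level>-<mnemonic> tag, rule id, rule name in parentheses, incident
# colour and incident id. The trailing "starting from ... to ..." is ignored.
MARS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"%MARS-(?P<level>\d)-(?P<mnemonic>\d+): "
    r"Rule (?P<rule_id>\d+) \((?P<rule_name>.*?)\) fired and caused "
    r"(?P<severity>green|yellow|red) Incident (?P<incident_id>\d+)"
)


@dataclass
class MarsAlert:
    facility: int          # syslog facility from PRI (PRI // 8)
    syslog_severity: int   # syslog severity from PRI (PRI % 8)
    timestamp: str
    rule_id: int
    rule_name: str
    severity: str          # MARS incident colour: green / yellow / red
    incident_id: int


def parse_line(line: str) -> Optional[MarsAlert]:
    """Parse one MARS rule-fired syslog line; return None for anything else."""
    m = MARS_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return MarsAlert(
        facility=pri // 8,
        syslog_severity=pri % 8,
        timestamp=m.group("ts"),
        rule_id=int(m.group("rule_id")),
        rule_name=m.group("rule_name"),
        severity=m.group("severity"),
        incident_id=int(m.group("incident_id")),
    )


def parse_syslog(text: str) -> List[MarsAlert]:
    """Parse a block of syslog text, silently skipping non-matching lines."""
    return [a for a in (parse_line(l) for l in text.splitlines()) if a is not None]


def select_alerts(alerts: List[MarsAlert], min_severity: str = "yellow",
                  keyword: Optional[str] = None) -> List[MarsAlert]:
    """Keep alerts at or above min_severity; optionally also require that the
    rule name contain keyword (case-insensitive). This is the filtering a
    keyword inspection rule on the looped-back syslog would approximate."""
    threshold = SEVERITY_RANK[min_severity]
    selected = []
    for a in alerts:
        if SEVERITY_RANK[a.severity] < threshold:
            continue
        if keyword is not None and keyword.lower() not in a.rule_name.lower():
            continue
        selected.append(a)
    return selected


if __name__ == "__main__":
    for a in select_alerts(parse_syslog(SAMPLE_SYSLOG), min_severity="yellow"):
        print(f"{a.severity:6} incident {a.incident_id} rule {a.rule_id}: {a.rule_name}")
```

The regex anchors on the literal phrasing "fired and caused <colour> Incident", so a keyword rule built on the same idea should match that phrase rather than the bare colour word, which could also appear inside a rule name.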
