
Cisco Security Agent 5.1

ptaylor51
Level 1

I have an error message which I get constantly from my Desktop when applying policies through Cisco Security Agent 5.1

error

1: Rules for kit:Test_mode_Desktop_v5.1.0.69 have complexity 7551 which exceeds maximum 7500

This error is constantly showing up in the Management Center running through Microsoft Explorer web browser

14 Replies

tsteger1
Level 8

You have too many items in your installation and need to delete some to get below the 7500 item limit.

Have you applied any hotfixes? If so, you could delete the older items not being used.

You can also delete items associated with OSs that you aren't using to reduce the number.

Tom

Hi Tom

Thanks, what do you mean I have too many items in my installations? No hotfixes applied as of yet.

What are these errors associated with?

Hi Peter

It means you have too many groups, rules, app classes, variables, etc.

You need to reduce the number of individual items registered in the database in order to process the rules.

Try to consolidate and/or delete unused items.

If you don't have any Solaris or Linux hosts, that would be a good place to start.

Once you fall below this limit, it will allow you to generate the rules.

Tom

OK, thanks very much for the information, I will keep you posted.

Peter

How do I remove the Linux groups? Can I remove the test_mode_desktop for Windows as well? Where do I remove the app classes and variables from?

I initially went into alert kits and removed the Solaris but I still receive the same error. However, it seems to be only for the Test_mode_Desktop for the Windows rule. I'm somewhat confused how to proceed.

No fixes applied and I am not running R2 on my Windows 2003 server.

I'm talking about deleting rules, variables, policies, etc, not agent kits.

DO NOT remove the test_mode_desktop kit.

If you are confused about how to proceed, you should probably either attend a two day HIPS class or get one of the Cisco Press or other good books available.

If you decide to proceed, make sure you have a good full system and database backup before you start.

Good Luck,

Tom

I understand, however in your first email you said that I had too many things in my installation, and that I should remove things that are associated with the OS's.

This is not what you are saying in your last post, you are now saying clean up my rules, variables and policies. These are not all the same thing.

So please clarify.

regards

Peter

When I refer to 'items', I'm referring to rules, variables, policies, groups, hosts, etc...

Go to the search page and search for It will tell you the number of results and that is the number of 'items' you have.

Some are applicable only to a certain OS (Solaris, Linux or Windows) and you can modify your search to find just those.

I was suggesting deleting items for OSs you do not have.

That's what you need to work on getting below 7500 in order to generate your rules.

The test_mode_desktop agent kit for Windows (and Linux) are the default agent deployment kits that're created when you install the MC.

If you deploy agents with it and then delete it, any agents that re-register with the MC won't know which groups they belong to so will belong to none.

Tom

Tom,

You are spot-on. Thanks for the explanation. I rate it a "5" for clarity.

Paul

Thanks Paul

Tom

These are the two books which Tom is suggesting you peruse:

“Cisco Security Agent” by Chad Sullivan. Publisher: Cisco Press, 2005

“Advanced Host Intrusion Prevention With CSA” by Chad Sullivan. Publisher: Cisco Press, 2006.

They have helped me on numerous occasions.

Hope this helps.

Thanks, I will check them out.

I know this may be a stupid question, however what is the purpose of the test_mode_desktop Kit anyway?

Peter

Peter,

It's a good question so no worries.

The Test Mode Desktop Agent is an economizing device for rolling out CSA. It allows you to see how policies will affect your end users without negatively impacting them. Remember that in Test Mode the agent actively inspects but does not enforce rules.

You can easily begin a deployment with the Test Mode Agent and be fairly certain you are not going to have any issues. This is why I call it an economizing device as it saves you time and usually a lot of headaches.

Hope this helps.

Paul

Thanks Paul

Have a good one.

Peter
