pmccubbin Thu, 07/31/2008 - 12:49

Hi Luis,

Matthew is correct. The reason is that if you were able to delete a rule you would then corrupt the MARS database. Keeping the MARS database uncorrupted is useful in forensic investigations where a database needs to be restored to a MARS box. This is how they designed the box originally, though Cisco has a fix on their roadmap to remedy this situation.

Hope this helps.



Farrukh Haroon Thu, 07/31/2008 - 18:28

The theory they present is the non-repudiation sort of thing, but it makes no sense if you ask me. You can go ahead and edit that rule to modify the source/dest IPs etc. to fool the auditor :). Of course this change might be logged somewhere in the MARS system events, but what guarantee is there that this log message is still there when the big guys visit? :)

What I usually do is re-use an old 'drop-rule' that I no longer want for something else, as long as the fields I'm changing are ones that can be modified. Otherwise the only way is to deactivate them.



mhellman Fri, 08/01/2008 - 05:07

You're right, it doesn't make a lot of sense, and that answer, while true, is a bit of a cop-out because it's a normal FEATURE of relational databases. I believe it's called "referential constraint" in the relational db world. Of course you can't just delete the rule and that's all. Believe it or not, Cisco has already solved a nearly identical problem with the inspection rules (and in multiple other places in MARS). When you change an inspection rule, it actually COPIES it. The old rule is left unchanged so any records (i.e. incidents) with foreign keys pointing to it are not orphaned or left pointing to a rule that doesn't match. Also, try deleting a user who has cases; you should notice that you have to re-assign the cases to someone else. That's because otherwise it would leave orphaned records. IMO, the correct answer from Cisco should be "we just haven't added that functionality yet"... not "it's so we don't leave orphaned records or for non-repudiation".

My 2 cents, and probably grossly oversimplified: add a column to the inspection rule record that stores the last incident created by it. When deleting a rule, is the incident still in the dynamic data? ...yes... can't delete, or ask the user if it's okay to delete the incident too.

pmccubbin Mon, 08/04/2008 - 14:05


Thanks for the clarification and the suggested improvement to the product. A "5" from NYC.



