07-31-2008 08:23 AM
How can I delete a rule I created previously? Is it possible? I know I can mark them as Inactive but that is not what I need?
07-31-2008 10:15 AM
Unfortunately, you cannot. You can only inactivate them.
07-31-2008 12:49 PM
Hi Luis,
Matthew is correct. The reason is that if you were able to delete a rule you would then corrupt the MARS database. Keeping the MARS database uncorrupted is useful in forensic investigations where a database needs to be restored to a MARS box. This is how they designed the box originally, though Cisco has a fix on their roadmap to remedy this situation.
Hope this helps.
Best,
Paul
08-03-2008 02:09 AM
We are waiting for this option :)
07-31-2008 10:16 AM
Unfortunately, you cannot. You can only inactivate them.
07-31-2008 06:28 PM
The theory they present is the non-repudiation sort of thing, but it makes no sense if you ask me. You can go ahead and edit that rule to modify the source/dest IPs etc. to fool the auditor :). Of course this change might be logged somewhere in the MARS system events, but what guarantee is there that this log message is still there when the big guys visit? :)
What I usually do is to re-use an old 'drop-rule' that I no longer want for something else, as long as the fields I'm changing are among those that can be modified. Otherwise the only way is to deactivate them.
Regards
Farrukh
08-01-2008 05:07 AM
You're right, it doesn't make a lot of sense and that answer, while true, is a bit of a cop-out because it's a normal FEATURE of relational databases. I believe it's called "referential constraint" in the relational db world. Of course you can't just delete the rule and that's all. Believe it or not, Cisco has already solved a nearly identical problem with the inspection rules (and multiple other places in MARS). When you change an inspection rule, it actually COPIES it. The old rule is left unchanged so any records (i.e. incidents) with foreign keys pointing to it are not orphaned or left pointing to a rule that doesn't match. Also, try deleting a user who has cases assigned...you should notice that you have to re-assign the cases to someone else. That's because otherwise it would leave orphaned records. IMO, the correct answer from Cisco should be "we just haven't added that functionality yet"...not "it's so we don't leave orphaned records or for non-repudiation".
My 2 cents, and probably grossly oversimplified, add a column to the inspection rule record that stores the last incident created by it. When deleting a rule, is the incident still in the dynamic data?...yes...can't delete or ask user if okay to delete incident too.
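The referential-constraint behaviour described in the post above, as an added example (not part of the thread and not the MARS schema): the table and column names are hypothetical, SQLite stands in for the appliance's database, and the rule and incident rows are constructed. It shows copy-on-change keeping an incident tied to the rule that actually fired, and a delete that is refused only while incidents still reference the rule.

```python
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    db.executescript("""
        CREATE TABLE rule (
            id     INTEGER PRIMARY KEY,
            name   TEXT NOT NULL,
            src_ip TEXT NOT NULL,
            active INTEGER NOT NULL DEFAULT 1
        );
        CREATE TABLE incident (
            id      INTEGER PRIMARY KEY,
            rule_id INTEGER NOT NULL REFERENCES rule(id) ON DELETE RESTRICT,
            summary TEXT NOT NULL
        );
    """)
    return db

def edit_rule(db, rule_id, new_src_ip):
    """Copy-on-change: retire the old row, insert the edited copy, return its id."""
    name, = db.execute("SELECT name FROM rule WHERE id = ?", (rule_id,)).fetchone()
    db.execute("UPDATE rule SET active = 0 WHERE id = ?", (rule_id,))
    cur = db.execute("INSERT INTO rule (name, src_ip) VALUES (?, ?)", (name, new_src_ip))
    return cur.lastrowid

def delete_rule(db, rule_id):
    """Attempt the delete; the foreign key refuses it while incidents reference the rule."""
    try:
        db.execute("DELETE FROM rule WHERE id = ?", (rule_id,))
        return "deleted"
    except sqlite3.IntegrityError:
        return "blocked: incidents still reference this rule"

def demo():
    db = open_db()
    old = db.execute("INSERT INTO rule (name, src_ip) VALUES ('drop-test', '10.0.0.5')").lastrowid
    db.execute("INSERT INTO incident (rule_id, summary) VALUES (?, 'constructed incident')", (old,))
    new = edit_rule(db, old, "10.0.0.99")
    # The incident still resolves to the rule definition that was in force when it fired.
    evidence = db.execute(
        "SELECT r.src_ip FROM incident i JOIN rule r ON r.id = i.rule_id").fetchone()[0]
    return delete_rule(db, old), delete_rule(db, new), evidence

if __name__ == "__main__":
    print(demo())
```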
08-04-2008 02:05 PM
Matthew,
Thanks for the clarification and the suggested improvement to the product. A "5" from NYC.
Best,
Paul