Event Type Groups / Rule behavior


Hello All,

I am having trouble understanding the different Event Type Groups used in the different MARS rules. For example, when looking through the incidents generated, I found

- port scans
- ping sweeps
- server scans for specific ports
- and others

that are all being fired under the rule

System Rule: Network Activity: P2P File Sharing - Active

or under the rule

System Rule: Network Activity: Excessive Denies - Host Compromise Likely.

When looking closer at these rules, I have noticed they contain some (what I thought were) very generic event type groups.

Is there a resource that you guys know of that describes or goes into detail about the event type groups? I have tried most of the Cisco-recommended MARS books and haven't found much detail.

-Thanks.

Correct Answer by Farrukh Haroon about 8 years 3 months ago

There is only limited description about these at the end of the MARS user guide.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/local_controller/appmars.html

These are the most annoying 'RULES' in MARS, and you usually have to tune them either at the reporting device or on MARS itself. Device-side tuning is preferred but is not always possible.

Regards

Farrukh
