I am having trouble understanding the different Event Type Groups used in the different MARS rules. For example, when looking through incidents generated, I found
server scans for specific ports
that are all being fired under the rule
System Rule: Network Activity: P2P File Sharing - Active
or under the rule
System Rule: Network Activity: Excessive Denies - Host Compromise Likely.
When looking closer at these rules I have noticed they contain some (what I thought were) very generic event type groups.
Is there a resource that you guys know of that describes or goes into detail about the event type groups? I have tried most of the Cisco-recommended MARS books, and haven't found much detail.
There is only limited description about these at the end of the MARS user guide.
These are the most annoying 'RULES' in MARS and you usually have to tune them either at the reporting device or on MARS itself. Device-side tuning is preferred but is not always possible.