Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
632
Views
0
Helpful
2
Replies

Event Type Groups / Rule behavior

Go to solution
lewko98
Level 1
Level 1

‎08-21-2008 06:11 AM

Hello All,

I am having trouble understanding the different Event Type Groups used in the different Mars Rules. For example When Looking throught incidents generated I found

port Scans

ping sweeps

server scans for specific ports

and others

that are all being fired under the rule

System Rule: Network Activity: P2P File Sharing - Active

or under the rule

System Rule: Network Activity: Excessive Denies - Host Compromise Likely.

When looking closer at these rules I have noticed the contain some (what I thought were) very generic event type groups.

Is there a resource that you guys know of that describes or goes into details about the event type groups? I have tried most of the Cisco recommended mars books, and havent found much detail.

-Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-21-2008 12:39 PM

There is only limited description about these at the end of the MARS user guide.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/local_controller/appmars.html

These are the most annoying 'RULES' in MARS and you usually have to tune them using either at the reporting device or on MARS itself. The device-side tuning is more preferred but is not always possible.

Regards

Farrukh

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-21-2008 12:39 PM

There is only limited description about these at the end of the MARS user guide.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/local_controller/appmars.html

These are the most annoying 'RULES' in MARS and you usually have to tune them using either at the reporting device or on MARS itself. The device-side tuning is more preferred but is not always possible.

Regards

Farrukh

0 Helpful

Go to solution
lewko98
Level 1
Level 1
In response to Farrukh Haroon

‎08-25-2008 05:22 AM

Thanks, although not the answer I was hoping for, Ill look into tuning these rules.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents