MARS Tuning

Unanswered Question
Dec 15th, 2008

I have recently set up MARS and I am working on getting some of the tuning done so I don't get as many incidents created. Some of the typical stuff I want to tune out is general Windows network stuff, like SMB Remote SAM service access, since this traffic is normal on an internal Windows network. The problem I am running into is not being able to define the networks to tune.

For example, I query for all the incidents matching the referenced event, and once the query is returned, I click on the False Positive Tuning link on the right. After that, a window pops up and I can select the event using a check box and then I can select the source and destination. The problem I have is that it seems I can only do a one-to-many approach. Instead of being able to say anything to anything, log to DB only, it seems I can only do a single host to a subnet, or vice versa. Is this the way it's supposed to work? If so, how would I go about tuning out an entire subnet from certain events?

patwill66_2 Mon, 12/15/2008 - 11:03

I found that if I continued through the rule, I got to a more advanced tuning window that looks like the query event data options.

Farrukh Haroon Mon, 12/15/2008 - 22:52
User Badges:
  • Red, 2250 points or more

MARS lets you enter individual hosts or IP ranges when tuning.

However, it is highly recommended to tune stuff at the 'reporting device' before it reaches the MARS box. For example, the SMB events should be filtered out at the IPS using event action filters, reducing the load on MARS and on your network.
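To make the "hosts or IP ranges" answer concrete, here is a constructed model of a many-to-many tuning rule (source ranges x destination ranges x event type, with a log-to-DB-only action) as an added example; it is not MARS code, and the event name, subnets and action labels are assumptions.

```python
"""Constructed model of MARS-style false-positive tuning with IP ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Event:
    event_type: str
    src: str
    dst: str


@dataclass(frozen=True)
class TuningRule:
    """Drop or demote an event type seen between two sets of networks."""
    event_type: str
    src_nets: Tuple[str, ...]   # any-to-any is expressed as ranges, not a single host
    dst_nets: Tuple[str, ...]
    action: str                 # assumed labels: "log_only" or "drop"


def in_any(addr: str, nets: Iterable[str]) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(n, strict=False) for n in nets)


def matches(rule: TuningRule, ev: Event) -> bool:
    return (ev.event_type == rule.event_type
            and in_any(ev.src, rule.src_nets)
            and in_any(ev.dst, rule.dst_nets))


def disposition(rules: Iterable[TuningRule], ev: Event) -> str:
    """First matching rule wins; anything untuned still raises an incident."""
    for rule in rules:
        if matches(rule, ev):
            return rule.action
    return "incident"


# Constructed internal ranges (RFC 1918) and the SMB event from the question.
INTERNAL = ("10.0.0.0/8", "192.168.0.0/16")
RULES = [TuningRule("SMB Remote SAM service access", INTERNAL, INTERNAL, "log_only")]

if __name__ == "__main__":
    for ev in (Event("SMB Remote SAM service access", "10.1.2.3", "10.1.2.4"),
               Event("SMB Remote SAM service access", "203.0.113.5", "10.1.2.4")):
        print(ev, "->", disposition(RULES, ev))
```

The same internal-to-internal SMB event is logged only, while the identical event from an outside source still creates an incident, which is the distinction a subnet-wide tune needs to preserve.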
pmccubbin Tue, 12/16/2008 - 07:11
User Badges:
  • Silver, 250 points or more

I completely endorse Farrukh's recommendation and give it a "5" from NYC.