648 Views, 10 Helpful, 3 Replies

MARS Tuning

patwill66_2 (Level 1)

I have recently set up MARS and I am working on getting some of the tuning done so I don't get as many incidents created. Some of the typical stuff I want to tune out is general Windows network stuff, like SMB Remote SAM service access, since this traffic is normal on an internal Windows network. The problem I am running into is not being able to define the networks to tune.

For example, I query for all the incidents matching the referenced event, and once the query is returned, I click on the False Positive Tuning link on the right. After that, a window pops up and I can select the event using a check box, and then I can select the source and destination. The problem I have is that it seems I can only do a one-to-many approach. Instead of being able to say anything 192.168.1.0/24 to 192.168.1.0/24, log to DB only, it seems I can only do a single host to a subnet, or vice versa. Is this the way it's supposed to work? If so, how would I go about tuning out an entire subnet from certain events?

3 Replies

patwill66_2 (Level 1)

I found that if I continue through the rule, I get to a more advanced tuning window that looks like the query event data options.

MARS lets you enter individual hosts or IP ranges when tuning.

However it is highly recommended to tune stuff at the 'reporting device' before it reaches the MARS box. For example the SMB events should be filtered out at the IPS using event action filters, reducing the load on MARS and on your network.

Regards

Farrukh
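The difference between the one-to-many rule the original poster could build in the first dialog and the subnet-to-subnet rule the advanced window allows is easiest to see with a small model of the tuning logic. The following is an added example, not MARS or Cisco IPS code: it represents a tuning rule as a signature name plus a source range and a destination range (a single host or a CIDR on either side) with an action of "log_only" (keep the event, open no incident) or "drop" (discard it, which is what filtering at the reporting device achieves), and runs a constructed batch of SMB events through both rule shapes. The event names other than "SMB Remote SAM Service Access", the addresses, and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Event:
    """One normalised event as the SIEM receives it from a reporting device."""
    signature: str
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class TuningRule:
    """Downgrade or suppress `signature` when src and dst fall inside the given ranges.

    action: "log_only" -> store the raw event, do not open an incident
            "drop"     -> discard it entirely (an IPS event action filter does this)
    """
    signature: str
    src_net: IPv4Network
    dst_net: IPv4Network
    action: str

    def matches(self, ev: Event) -> bool:
        return (ev.signature == self.signature
                and ev.src in self.src_net
                and ev.dst in self.dst_net)


def make_rule(signature: str, src: str, dst: str, action: str) -> TuningRule:
    """Accept a single host ("192.168.1.10") or a CIDR ("192.168.1.0/24") on either side."""
    if action not in ("log_only", "drop"):
        raise ValueError(f"unknown action {action!r}")
    return TuningRule(signature,
                      ip_network(src, strict=False),
                      ip_network(dst, strict=False),
                      action)


def disposition(ev: Event, rules) -> str:
    """First matching rule wins; with no match the event becomes an incident."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action
    return "incident"


def triage(events, rules) -> dict:
    """Bucket events by outcome so the effect of two rule sets can be compared."""
    out = {"incident": [], "log_only": [], "drop": []}
    for ev in events:
        out[disposition(ev, rules)].append(ev)
    return out


SIG = "SMB Remote SAM Service Access"

# Constructed sample traffic: three internal-to-internal SMB events, one from
# outside the subnet, one to an external host, and one unrelated signature.
SAMPLE_EVENTS = [
    Event(SIG, ip_address("192.168.1.10"), ip_address("192.168.1.20")),
    Event(SIG, ip_address("192.168.1.11"), ip_address("192.168.1.20")),
    Event(SIG, ip_address("192.168.1.12"), ip_address("192.168.1.21")),
    Event(SIG, ip_address("10.0.0.5"), ip_address("192.168.1.20")),
    Event(SIG, ip_address("192.168.1.10"), ip_address("203.0.113.7")),
    Event("Example Other Signature", ip_address("192.168.1.10"), ip_address("192.168.1.20")),
]

# The one-to-many rule the first dialog allows: one host to the whole subnet.
HOST_TO_SUBNET = [make_rule(SIG, "192.168.1.10", "192.168.1.0/24", "log_only")]

# The many-to-many rule the advanced tuning window allows: subnet to subnet.
SUBNET_TO_SUBNET = [make_rule(SIG, "192.168.1.0/24", "192.168.1.0/24", "log_only")]


def incidents_remaining(rules) -> int:
    """How many of the sample events would still open an incident under `rules`."""
    return len(triage(SAMPLE_EVENTS, rules)["incident"])


if __name__ == "__main__":
    print("no tuning:       ", incidents_remaining([]))
    print("host -> subnet:  ", incidents_remaining(HOST_TO_SUBNET))
    print("subnet -> subnet:", incidents_remaining(SUBNET_TO_SUBNET))
```

Run stand-alone, the host-to-subnet rule silences only the one internal host it names, while the subnet-to-subnet rule silences all of the internal-to-internal SMB events and still raises incidents for the event from outside the subnet and the one to an external destination, which is the behaviour the thread is after. Swapping the action to "drop" models the recommendation to filter at the reporting device instead: the same matches are discarded before they ever reach the correlation engine.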

I completely endorse Farrukh's recommendation and give it a "5" from NYC.
