Change severity events on mars

Unanswered Question
Mar 31st, 2009

Hi all, i've a problem with mars...


i'm auditing a windows server with snare client.


i would like to change the green flag to red of a normaly event like "new process created"


and i don't know it .


somebody can help me?


Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Farrukh Haroon Thu, 04/02/2009 - 03:49

I think you can modify the related 'Rule' in MARS from Green to Red (High severity). Everytime the incident is fired, you will see the pertaining rule at the top of the page (if you click on that particular incident ID). Just edit the rule' severity. Here is a sample incident (Host evasion rule RED severity):


http://www.cisco.com/warp/public/707/cisco-amb-20070905-csm-01b.gif


Regards


Farrukh

cprados2008 Mon, 04/06/2009 - 07:10

Thanks for answer, I try to do the same but the rule don't permit changes.


I think that the incident of the screenshot is a red rule, can you explain me how change it to green?.


Regards.

Farrukh Haroon Mon, 04/06/2009 - 10:24

You have to do it from the Rules page and not the Incidents page. I just pasted that link to show the relation between Rules and Incidents.


Regards


Farrukh

cprados2008 Tue, 04/07/2009 - 08:55

Thanks for the early answer,


I can't follow you Farrukh.


In the drop rules if I change the severity to red


I don't understand that...


When i create a rule, It's for drop the traffic not for change severity in dashboard.


please can you explain me step by step?


sorry for de inconvenience


Regards

Farrukh Haroon Wed, 04/08/2009 - 05:12

I did not understand your initial requirement clearly. What I proposed is not possible. I will find a better solution and get back to you.


Regards


Farrukh

Dear


I noticed this problem too.

There are some relationship w/ Rule, Event ID severity.


We cannot just modify the Rule severity to be shown on the Incidents.

Because the Rule severity is meanful for "matching the Event ID severity".


When Rule Severity = Any ... it matches the severity what Event ID is triggerred with its respective severity.

Or

it matches the severity what Event ID is triggerred in an Event Group with its respective severity.


The hard is ... it's difficult to modify the default Event ID severity.

I'm still trying it out ...


FYI ~

Actions

This Discussion