03-31-2009 06:42 AM
Hi all, I've a problem with MARS...
I'm auditing a Windows server with the Snare client.
I would like to change the green flag to red for a normal event like "new process created",
and I don't know how.
Can somebody help me?
Thanks.
04-02-2009 03:49 AM
I think you can modify the related 'Rule' in MARS from Green to Red (High severity). Every time the incident is fired, you will see the pertaining rule at the top of the page (if you click on that particular incident ID). Just edit the rule's severity. Here is a sample incident (Host evasion rule, RED severity):
http://www.cisco.com/warp/public/707/cisco-amb-20070905-csm-01b.gif
Regards
Farrukh
04-06-2009 07:10 AM
Thanks for the answer. I tried to do the same, but the rule doesn't permit changes.
I think the incident in the screenshot is a red rule; can you explain to me how to change it to green?
Regards.
04-06-2009 10:24 AM
You have to do it from the Rules page and not the Incidents page. I just pasted that link to show the relation between Rules and Incidents.
Regards
Farrukh
04-07-2009 08:55 AM
Thanks for the quick answer,
I can't follow you, Farrukh.
In the drop rules, if I change the severity to red...
I don't understand that...
When I create a rule, it's to drop the traffic, not to change the severity in the dashboard.
Please can you explain it to me step by step?
Sorry for the inconvenience.
Regards
04-08-2009 05:12 AM
I did not understand your initial requirement clearly. What I proposed is not possible. I will find a better solution and get back to you.
Regards
Farrukh
04-08-2009 07:25 PM
Dear all,
I noticed this problem too.
There is some relationship between Rule severity and Event ID severity.
We cannot just modify the Rule severity to be shown on the Incidents,
because the Rule severity is meaningful for "matching the Event ID severity".
When Rule Severity = Any, it matches the severity that the Event ID is triggered with, i.e. its respective severity,
or
it matches the severity that the Event ID is triggered with in an Event Group, with its respective severity.
The hard part is that it's difficult to modify the default Event ID severity.
I'm still trying it out ...
FYI ~