Cs-Mars Problem

Unanswered Question
Apr 16th, 2009

I'm working on CS-MARS version 6.0. After setting some drop rules to avoid having incidents on the dashboard, I figured out that incidents are not matching the drop rule even if the incident details are exactly in the scope of the drop rule. Is there anywhere to look to see how CS-MARS parses and treats the events as they get to incidents?

vkapoor5 Wed, 04/22/2009 - 12:21

Drop rules allow false-positive tuning on a MARS, and are defined only on the Local Controller Drop Rules page. They allow you to refine the inspected event stream by specifying events and streams to be ignored and whether those data should be stored in the database or discarded entirely. Drop rules are applied to events as they come in from a reporting device, after they have been parsed and before they have been sessionized. Events that match active drop rules are not used to construct incidents. Because the Global Controller does not receive events from reporting devices but rather from Local Controllers, you cannot define drop rules for the Global Controller.

To display incidents that occur from the firing of rules in a specific rule group:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html#wp533079
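The ordering the reply describes (parse, then drop rules, then sessionize, then incidents) is the part worth seeing in code, because it is why a drop rule can look like it covers an incident and still never fire: the rule is evaluated against the fields of each parsed event, not against whatever the incident page later shows. The toy pipeline below is an added illustration, not CS-MARS code and not the reply author's; the event format, the NAT rewrite performed inside `sessionize()`, and the "three events in one session" inspection rule are all constructed assumptions used only to make the ordering visible.

```python
# Toy model of the ingestion order described in the reply above:
# parse -> drop rules -> sessionize -> inspection rule -> incident.
# Constructed illustration only; not CS-MARS code. The NAT rewrite in
# sessionize() is an assumption chosen to show why a drop rule written
# against an attribute that only exists after sessionization never matches.
from dataclasses import dataclass


@dataclass
class Event:
    device: str
    event_type: str
    src: str
    dst: str


@dataclass
class DropRule:
    name: str
    match: dict          # parsed-event field -> required value
    store: bool = False  # True: keep in DB but ignore; False: discard entirely


# Constructed NAT table (assumption): sessionization maps an inside address
# to the address an outside device reports for the same traffic.
NAT_TABLE = {"10.0.0.5": "203.0.113.7"}


def parse(raw: str) -> Event:
    """Parse a constructed 'device|type|src|dst' line into fields."""
    device, event_type, src, dst = raw.strip().split("|")
    return Event(device, event_type, src, dst)


def matches(rule: DropRule, ev: Event) -> bool:
    """A drop rule can only match on fields present on the parsed event."""
    return all(getattr(ev, f, None) == v for f, v in rule.match.items())


def apply_drop_rules(events, rules):
    """Split events into (kept events, names of rules that fired),
    before any sessionization has happened."""
    kept, dropped = [], []
    for ev in events:
        hit = next((r for r in rules if matches(r, ev)), None)
        if hit is not None:
            dropped.append(hit.name)
        else:
            kept.append(ev)
    return kept, dropped


def sessionize(events):
    """Group surviving events by translated (src, dst). The translated
    address exists only from this step onward, so no drop rule ever saw it."""
    sessions = {}
    for ev in events:
        key = (NAT_TABLE.get(ev.src, ev.src), ev.dst)
        sessions.setdefault(key, []).append(ev)
    return sessions


def build_incidents(sessions, threshold=3):
    """Constructed inspection rule: a session with >= threshold events fires."""
    return [key for key, evs in sessions.items() if len(evs) >= threshold]


def run(raw_lines, rules):
    """Return (incidents, names of drop rules that fired) for a batch."""
    kept, dropped = apply_drop_rules([parse(l) for l in raw_lines], rules)
    return build_incidents(sessionize(kept)), dropped


# Constructed sample events: three denied probes from one inside host.
RAW_EVENTS = [
    "fw1|Deny|10.0.0.5|192.0.2.10",
    "fw1|Deny|10.0.0.5|192.0.2.10",
    "fw1|Deny|10.0.0.5|192.0.2.10",
]

# Written against the address the incident page shows (post-NAT): never matches.
RULE_ON_INCIDENT_VIEW = DropRule("drop-by-incident-addr", {"src": "203.0.113.7"})
# Written against the parsed event fields: matches, so no incident is built.
RULE_ON_PARSED_EVENT = DropRule("drop-by-parsed-addr",
                                {"device": "fw1", "src": "10.0.0.5"})

if __name__ == "__main__":
    print(run(RAW_EVENTS, [RULE_ON_INCIDENT_VIEW]))  # incident fires, nothing dropped
    print(run(RAW_EVENTS, [RULE_ON_PARSED_EVENT]))   # no incident, 3 events dropped
```

The practical check this suggests when a drop rule "should" be matching: compare the rule's conditions with the raw event as the reporting device sent it and as MARS parsed it (device, event type, pre-translation addresses), rather than with the summarized values on the incident page, since the latter are produced after the drop rule has already been evaluated.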
