Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
463
Views
0
Helpful
3
Replies

CS-MARS : Inactive User-Defined Rules/Drop Rules/False Positive

a.kiprawih
Level 7
Level 7

‎03-30-2006 06:29 AM - edited ‎03-09-2019 02:27 PM

Hi,

I have created dummy rules to drop any events that is rated as normal activities such as when switch interface status changed to up/down everytime users on/off their PCs, or when firewall translation is expired once the connectivity/sessions is terminated. Same goes to false positives where MARS will either drop or logged the events for any events matched with the customized rules.

However, when I changed the dummy rules to 'inactive' so that MARS will log and display everything back to normal, the status displayed on the main page under "Drop" is still increased. Now, no events are displayed on the main screen like before.

Any suggestions/help?

Thanks

AK

Labels:
0 Helpful
3 Replies 3

s.jankowski
Level 4
Level 4

‎04-05-2006 07:29 AM

Hey, check the link for "HOW QUERY, REPORTS, AND RULES WORK" this will provide a idea

http://www.cisco.com/en/US/products/ps6241/products_qanda_item0900aecd802b7c6b.shtml

0 Helpful

a.kiprawih
Level 7
Level 7

‎05-23-2006 02:15 AM

This was due to a bug (CSCsc31386) in CS-MARS database on v3.4.1. It was fixed by loading v4.1.1.

Rgds,

AK

0 Helpful

a.kiprawih
Level 7
Level 7
In response to a.kiprawih

‎05-23-2006 08:18 PM

Correction - it was v4.1.2, not v4.1.1

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents