MARS - changing the severity of a system rule?

Unanswered Question
Jul 19th, 2006

I would like to change the severity of a system rule from yellow to red. After investigating, it doesn't look like the system rules can be changed. So my thought was to copy this rule to a user rule and inactivate the system rule. Is this the best way to go about this?


Also, does anyone know the order in which rules are processed? Are system rules looked at first then user? Is it based on first match? I couldn't find anything on Cisco's website discussing this.


thanks

a.kiprawih Wed, 07/19/2006 - 16:41

Hi Kurt,


Making a copy of the rule(s) is a better way to do it as you can always revert back to the original rule (set it back to active). This allows you to modify/change any parameters, especially when you're doing testing.


As for how MARS prioritizes the rule, I am not sure either (doc?), but it probably uses user-defined rules first before moving to other system rules.


User-defined rules should be more specific to suit the filtering requirements in a specific network environment.



Rgds,

AK
