CSA Tuning

eaglesecure
Level 1

What is the best way to tune CSA 5.0 so that the changes you make for one group don't affect the rules for another group?

Is there a way to create an allow rule for a group, where I could say "always allow this application class access to run"?

Or will I have to create clones of all the rules and then have each group point to its cloned rules?

Any help is greatly appreciated.

Thanks.

8 Replies

tsteger1
Level 8

A rule must belong to a module, and that to a policy, so the answer is no.

You wouldn't need to have all rules cloned, just have the exception rule(s) apply to only one group.

A separate policy for that group with just the exceptions in a rule module would probably work best for this.

Tom

I don't think I stated my problem clearly initially.

If I have Group A and then I clone Group B and Group C from Group A.

All of these groups have the same policies, rule modules and rules.

So what I want to do now is find a way to modify B and not have it affect C or A.

Because these all share the same policies, modules and rules, I am unsure how to tune out my false positives for one group without having them tune the other groups as well.

What I said previously should work for this if you have three distinct groups with different hosts that share the same policies.

Create a new policy with a new rule module and assign it to only one of the groups. Put all your exceptions in the rule module.

This will not affect any of the other policies or groups, only the group it is assigned to.

You can even use the wizard to do this because it will create a new exceptions rule module based on the original policy/module/rule.

During the wizard, it will ask you which policy to assign the new module to and you can assign it to your exceptions policy at that time.

As usual, Tom's answer is spot on. If you would like further clarity there are now two books from the Cisco Press on CSA by Chad Sullivan:

1. Cisco Security Agent

2. Advanced Host Intrusion Protection With CSA

Hope this helps.

Still having issues with this exception rule concept.

I created a new policy called "group B exceptions policy".

Then I created a new rule module to add to the policy, called "group B exceptions rule module".

I then created a new rule and made the exceptions for the rule I wanted the exceptions to apply to.

Now, the rule was initially set to Priority Deny. So I modified it to Deny so that the Allow rule I was creating would take a higher priority. Still, the rule kept showing up as test mode denies.

Am I completely doing this incorrectly?

You are probably OK. Deny rules in test mode will continue to log to the MC (if they are set to log) until you put them in protect mode with a corresponding allow rule.

Cisco says this is by design so you can see what the deny rule would have done. I'd like to see exactly what would happen with the corresponding allow rule in test mode as well, but I sort of understand what they are trying to do.

Tom

Thanks for your help with this.

You are correct, I do have it set to log all denies.

You are quite welcome. Have fun with it...

Tom
