Solved: MARS Exclusions?

anthonysgroi · ‎12-08-2006

Is there a way to exclude certain IP Address's from mars? For instance i want to exclude the 200 events that Nessus scans produce, i cant seem to find a way to do this. Any help would be great thanks.

pmccubbin · ‎12-09-2006

Please take mhellman's advice and read the Users Guide to get a better understanding of how Drop Rules work.

Though even better than the Users Guide is the book from Cisco Press, "Security Threat Mitigation and Response" by Dale Tesch. You should also certainly read the Users Guide but sometimes a second source helps to improve your understanding of a security device like MARS.

Hope this helps.

View solution in original post

mhellman · ‎12-08-2006

yes, it is called a drop rule. Have you read the users guide yet?...it's in there. You can completely drop the events or just "log to db" (don't process inspection rules).

pmccubbin · ‎12-09-2006

Please take mhellman's advice and read the Users Guide to get a better understanding of how Drop Rules work.

Though even better than the Users Guide is the book from Cisco Press, "Security Threat Mitigation and Response" by Dale Tesch. You should also certainly read the Users Guide but sometimes a second source helps to improve your understanding of a security device like MARS.

Hope this helps.