12-08-2006 02:01 PM - edited 03-10-2019 03:21 AM
Is there a way to exclude certain IP addresses from MARS? For instance, I want to exclude the 200 events that Nessus scans produce; I can't seem to find a way to do this. Any help would be great, thanks.
12-08-2006 07:01 PM
Yes, it is called a drop rule. Have you read the Users Guide yet? ... It's in there. You can completely drop the events or just "log to db" (don't process inspection rules).
12-09-2006 05:18 AM
Please take mhellman's advice and read the Users Guide to get a better understanding of how Drop Rules work.
Though even better than the Users Guide is the book from Cisco Press, "Security Threat Mitigation and Response" by Dale Tesch. You should also certainly read the Users Guide, but sometimes a second source helps to improve your understanding of a security device like MARS.
Hope this helps.