Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Silver

MARS query - Save as rule

Right now most of the rules I am creating are drop rules while doing the initial tuning of my MARS box. When I use the query to save as a rule, it apprears that you can only save it as an inspection rule and never as a drop rule. Am I missing something?

2 REPLIES
New Member

Re: MARS query - Save as rule

No, that is the correct operation of the MARS appliance.

Drop rules are only configured on the rules tab.

Chris

ciscomars.blogspot.com

New Member

Re: MARS query - Save as rule

Hi,

That's a question in very relationship with another I've posted. I can create lots of inspection rules based on keywords but I can not create a drop rule based on that. P.e. There's a lot of logs originated in domain controllers that I'm able to classify them based on "User Name: Local-Admin" words and their source IP. I'm sure that's correct and I want to drop all events. It's not possible. I can only create an inpection rule, not a drop rule.

Thanks a lot.

173
Views
0
Helpful
2
Replies
CreatePlease login to create content