Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

MARS rules

I am wading into the art of rule creation in MARS. I wrote a rule and it doesn't seem to work. Then I took everything out of the rule such that it is "any" all the way across. Then I ran an "any" query using this "any" rule and I get no results but without the rule attached to the query I get a flood of results as expected with an open query.

I am using a count of 1 and time range of 30 seconds. Any help is appreciated.


Re: MARS rules

Hi mmorris11,

Great to hear your trying to dive in and create some MARS rules. It's truley an art to design an advanced rule. I have a fairly basic example on my blog at . My recommendation is to view the raw logs and find the entry you're looking to generate a rule about. Let's say you want to generate a rule whenever an IOS device updates it's clock using NTP. When you view a the raw events... you'll see:

Sep 29 12:08:42: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:08:43 EDT Fri Sep 29 2006 to 12:08:42 EDT Fri Sep 29 2006, configured from NTP by

To write this rule I would use any across the board much like you do but under "Keyword" have the rule looks for "%SYS-6-CLOCKUPDATE" Your counts are correct along with the time range. From here save it and always make sure to use the "Activate" button in the upper-right of the console to activate the rules.

I know this is a rather basic example but it should get you started. You'll find you'll make your rules more and more complex as you attempt to narrow your incidents to more specific security events. It just takes time and testing. Anything else I can help with let me know.



Re: MARS rules

Thanks for the input. What I experienced over the weekend is that my rules finally got going over the weekend. I guess it just takes a while get "primed". I am eager to learn more about how MARS processes data from reporting devices so I can more accurately predict the behaviors that result from buiding new rules. I am also glad to know about your blogspot. THanks!


CreatePlease to create content