I am wading into the art of rule creation in MARS. I wrote a rule and it doesn't seem to work. Then I took everything out of the rule such that it is "any" all the way across. Then I ran an "any" query using this "any" rule and I get no results but without the rule attached to the query I get a flood of results as expected with an open query.
I am using a count of 1 and time range of 30 seconds. Any help is appreciated.
Great to hear you're trying to dive in and create some MARS rules. It's truly an art to design an advanced rule. I have a fairly basic example on my blog at http://cs-mars.blogspot.com . My recommendation is to view the raw logs and find the entry you're looking to generate a rule about. Let's say you want to generate a rule whenever an IOS device updates its clock using NTP. When you view the raw events... you'll see:
Sep 29 12:08:42: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:08:43 EDT Fri Sep 29 2006 to 12:08:42 EDT Fri Sep 29 2006, configured from NTP by 220.127.116.11
To write this rule I would use any across the board much like you do, but under "Keyword" have the rule look for "%SYS-6-CLOCKUPDATE". Your counts are correct along with the time range. From here save it and always make sure to use the "Activate" button in the upper-right of the console to activate the rules.
I know this is a rather basic example but it should get you started. You'll find you'll make your rules more and more complex as you attempt to narrow your incidents to more specific security events. It just takes time and testing. If there's anything else I can help with, let me know.
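To make the Keyword / count / time-range semantics of such a rule concrete, here is an added Python model run over constructed IOS-style syslog lines (example code written for this thread, not from MARS or from the poster; the year, the sample addresses and the clear-after-fire behaviour are assumptions):

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of raw IOS syslog lines (hypothetical; the CLOCKUPDATE
# format follows the entry quoted in the thread, addresses are documentation ranges).
SAMPLE_LOGS = [
    "Sep 29 12:08:42: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:08:43 EDT Fri Sep 29 2006 to 12:08:42 EDT Fri Sep 29 2006, configured from NTP by 192.0.2.10",
    "Sep 29 12:08:50: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.20)",
    "Sep 29 12:09:05: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:09:06 EDT Fri Sep 29 2006 to 12:09:05 EDT Fri Sep 29 2006, configured from NTP by 192.0.2.10",
    "Sep 29 12:20:00: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:20:01 EDT Fri Sep 29 2006 to 12:20:00 EDT Fri Sep 29 2006, configured from NTP by 192.0.2.10",
]

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}):")


def parse_timestamp(line, year=2006):
    """IOS syslog lines carry no year, so the caller supplies one (assumption)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def evaluate_rule(lines, keyword=None, count=1, window_seconds=30, year=2006):
    """Simplified model of a MARS-style rule: 'any' on every field, an optional
    Keyword substring filter, and a count threshold within a sliding time range.
    Returns the timestamps at which an incident would fire. After firing, the
    window is cleared so one burst of matching events yields one incident."""
    window = timedelta(seconds=window_seconds)
    hits = deque()
    incidents = []
    for line in lines:
        ts = parse_timestamp(line, year)
        if ts is None:
            continue  # unparseable line: skip it rather than abort the run
        if keyword is not None and keyword not in line:
            continue  # Keyword is a substring match on the raw message
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # drop hits that fell outside the time range
        if len(hits) >= count:
            incidents.append(ts)
            hits.clear()
    return incidents


if __name__ == "__main__":
    for ts in evaluate_rule(SAMPLE_LOGS, keyword="%SYS-6-CLOCKUPDATE"):
        print("incident at", ts)
```

With count 1 and a 30-second range every CLOCKUPDATE line fires on its own, and with the keyword left blank every line fires, which is the "flood" the opening post expected from an all-"any" rule.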
Thanks for the input. What I experienced over the weekend is that my rules finally got going over the weekend. I guess it just takes a while to get "primed". I am eager to learn more about how MARS processes data from reporting devices so I can more accurately predict the behaviors that result from building new rules. I am also glad to know about your blogspot. Thanks!