03-16-2007 07:50 AM - edited 03-10-2019 03:31 AM
I wrote a rule with the intent of it firing upon events originating only from public IP addresses AND only for yellow OR red severity levels. However, this rule still fires on green severity events. Can anyone see why from looking at the rule in the attached graphic?
Thank you,
Mike
03-19-2007 08:29 PM
Hi Mike,
I hope you are doing fine.
I guess you are talking about MARS here.
Could you please attach the graphic?
Thank you.
Edward
03-20-2007 06:31 AM
Edward,
Glad I checked this! Actually, what happened is that I posted this before attaching and discovered that you can't attach after the fact. The full post is here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddde4e8
Check out this TAC case (this is about something else): SR 605613157 - CSMARS-rule building
It led to an enhancement request: CSCsi17878 - Rules should have 'NOT-FOLLOWED-BY' operator
-mike