Cisco Support Community
Silver

Need help with a rule..

I wrote a rule with the intent of it firing upon events originating only from public IP addresses AND only for yellow OR red severity levels. However, this rule still fires on green severity events. Can anyone see why from looking at the rule in the attached graphic?

Thank you,

Mike

2 REPLIES
Cisco Employee

Re: Need help with a rule..

Hi Mike,

I hope you are doing fine.

I guess you are talking about MARS here.

Could you please attach the graphic?

Thank you.

Edward

Silver

Re: Need help with a rule..

Edward,

Glad I checked this! Actually what happened is that I posted this before attaching and discovered that you can't attach after the fact. The full post is here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddde4e8

Check out this TAC case (this is about something else): SR 605613157 - CSMARS-rule building

It led to an enhancement request: CSCsi17878 - Rules should have 'NOT-FOLLOWED-BY' operator

-mike
