Rules for host.domain.com have complexity 7525 which exceeds

taylr · ‎02-05-2007

Has anyone seen this issue in CSA 5.0 when generating rules?

Rules for host.domain.com have complexity 7525 which exceeds the maximum of 7500

tsteger1 · ‎02-05-2007

No, but how many rules do you have or how many rule changes were pending?

CSA won't generate rules in some conditions. Too short of a polling interval is one.

Perhaps there is a maximum rule change or rule limit as well.

taylr · ‎02-06-2007

There are 52 rules pending.

tsteger1 · ‎02-06-2007

How many do rules do you have total?

shelly.kane · ‎02-22-2007

Yes, there is a complexity limit of 7500. We hit it a few months ago. What we did to fix it was to go through all the rules and wild card where we could and combine rules where we could. There is a value for each rule module/rule/app class/network address set/etc. and each line in each of those. So for example if you have an app class with @program files\abc.exe and **\temp\abc.exe that counts as 2 complexity points. Our biggest issue is network address sets. Its an ongoing battle.

Cisco says its there so the hosts don't have too much information to process and slow the machine down.

Shelly

tsteger1 · ‎02-22-2007

Shelly, thanks for the good information.

We delete everything associated with OSs we will never use (Linux, Solaris).

After each upgrade, everything is deleted if it's not needed and associated with new items if it is.

This keeps the MC pretty lean and rule generation is much faster. We have 388 rules on a 4.0.3 MC and 690 on a 5.1. All told there are 794 items on the 4.0.3 MC and 2121 items on the 5.1 MC.

Tom