Cisco Support Community

New Member

Delete a rule

How can I delete a rule I created previously? Is it possible? I know I can mark them as Inactive, but that is not what I need.

7 REPLIES
Gold

Re: Delete a rule

Unfortunately, you cannot. You can only inactivate them.

Silver

Re: Delete a rule

Hi Luis,

Matthew is correct. The reason is that if you were able to delete a rule, you would then corrupt the MARS database. Keeping the MARS database uncorrupted is useful in forensic investigations where a database needs to be restored to a MARS box. This is how they designed the box originally, though Cisco has a fix on their roadmap to remedy this situation.

Hope this helps.

Best,

Paul

New Member

Re: Delete a rule

We are waiting for this option :)

Gold

Re: Delete a rule

Unfortunately, you cannot. You can only inactivate them.

Re: Delete a rule

The theory they present is the non-repudiation sort of thing, but it makes no sense if you ask me. You can go ahead and edit that rule to modify the source/dest IPs etc. to fool the auditor :). Of course this change might be logged somewhere in the MARS system events, but what guarantee is there that this log message is still there when the big guys visit? :)

What I usually do is to re-use an old 'drop-rule' that I no longer want for something else, as long as the fields I'm changing are among those that can be modified. Otherwise the only way is to deactivate them.

Regards

Farrukh

Gold

Re: Delete a rule

You're right, it doesn't make a lot of sense and that answer, while true, is a bit of a cop-out because it's a normal FEATURE of relational databases. I believe it's called "referential constraint" in the relational db world. Of course you can't just delete the rule and that's all. Believe it or not, Cisco has already solved a nearly identical problem with the inspection rules (and multiple other places in MARS). When you change an inspection rule, it actually COPIES it. The old rule is left unchanged so any records (i.e. incidents) with foreign keys pointing to it are not orphaned or left pointing to a rule that doesn't match. Also, try deleting a user who has cases assigned...you should notice that you have to re-assign the cases to someone else. That's because otherwise it would leave orphaned records. IMO, the correct answer from Cisco should be "we just haven't added that functionality yet"...not "it's so we don't leave orphaned records or for non-repudiation".

My 2 cents, and probably grossly oversimplified, add a column to the inspection rule record that stores the last incident created by it. When deleting a rule, is the incident still in the dynamic data?...yes...can't delete or ask user if okay to delete incident too.
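The referential-constraint behaviour discussed in the post above, as an added example that is not part of the original thread and not Cisco's code: edit-as-copy keeps incidents pointing at the rule that fired, and a delete is refused only while incidents still reference the rule. The `rules`/`incidents` schema, the function names and the sample rows are assumptions constructed for illustration and do not reflect the actual MARS database.

```python
import sqlite3

def open_db():
    # Constructed two-table schema for illustration; not the MARS layout.
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    db.executescript("""
        CREATE TABLE rules (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            definition TEXT NOT NULL,
            active INTEGER NOT NULL DEFAULT 1);
        CREATE TABLE incidents (
            id INTEGER PRIMARY KEY,
            rule_id INTEGER NOT NULL REFERENCES rules(id) ON DELETE RESTRICT,
            summary TEXT NOT NULL);
    """)
    return db

def edit_rule(db, rule_id, new_definition):
    """Edit as copy: retire the old row and insert a new one.
    Existing incidents keep pointing at the unchanged old row."""
    (name,) = db.execute("SELECT name FROM rules WHERE id = ?", (rule_id,)).fetchone()
    db.execute("UPDATE rules SET active = 0 WHERE id = ?", (rule_id,))
    cur = db.execute("INSERT INTO rules (name, definition) VALUES (?, ?)",
                     (name, new_definition))
    return cur.lastrowid

def delete_rule(db, rule_id):
    """Return True if the rule was deleted, False if incidents still reference it."""
    try:
        db.execute("DELETE FROM rules WHERE id = ?", (rule_id,))
        return True
    except sqlite3.IntegrityError:  # FOREIGN KEY constraint failed
        return False

def demo():
    db = open_db()
    old = db.execute("INSERT INTO rules (name, definition) VALUES (?, ?)",
                     ("drop-rule", "src=10.0.0.0/8")).lastrowid  # constructed sample
    db.execute("INSERT INTO incidents (rule_id, summary) VALUES (?, ?)",
               (old, "constructed incident"))
    new = edit_rule(db, old, "src=192.168.0.0/16")
    refused = not delete_rule(db, old)       # an incident still references it
    deleted_unused = delete_rule(db, new)    # nothing references the copy
    (fired_def,) = db.execute("SELECT r.definition FROM incidents i "
                              "JOIN rules r ON r.id = i.rule_id").fetchone()
    db.execute("DELETE FROM incidents WHERE rule_id = ?", (old,))  # data purged
    return refused, deleted_unused, fired_def, delete_rule(db, old)
```
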

Silver

Re: Delete a rule

Matthew,

Thanks for the clarification and the suggested improvement to the product. A "5" from NYC.

Best,

Paul
