Delete a rule

lm20ele
Level 1

How can I delete a rule I created previously? Is it possible? I know I can mark them as Inactive, but that is not what I need.

7 Replies

mhellman
Level 7

Unfortunately, you cannot. You can only mark them inactive.

Hi Luis,

Matthew is correct. The reason is that if you were able to delete a rule, you would corrupt the MARS database. Keeping the MARS database uncorrupted is useful in forensic investigations where a database needs to be restored to a MARS box. This is how they designed the box originally, though Cisco has a fix on their roadmap to remedy this situation.

Hope this helps.

Best,

Paul

We are waiting for this option :)

Farrukh Haroon
VIP Alumni

The theory they present is the non-repudiation sort of thing, but it makes no sense if you ask me. You can go ahead and edit that rule to modify the source/dest IPs etc. to fool the auditor :). Of course this change might be logged somewhere in the MARS system events, but what guarantee is there that this log message is still there when the big guys visit? :)

What I usually do is to re-use an old 'drop-rule' that I no longer want for something else, as long as the fields I'm changing are among those that can be modified. Otherwise the only way is to deactivate them.

Regards

Farrukh

You're right, it doesn't make a lot of sense and that answer, while true, is a bit of a cop-out because it's a normal FEATURE of relational databases. I believe it's called "referential constraint" in the relational db world. Of course you can't just delete the rule and that's all. Believe it or not, Cisco has already solved a nearly identical problem with the inspection rules (and multiple other places in MARS). When you change an inspection rule, it actually COPIES it. The old rule is left unchanged so any records (i.e. incidents) with foreign keys pointing to it are not orphaned or left pointing to a rule that doesn't match. Also, try deleting a user who has cases assigned...you should notice that you have to re-assign the cases to someone else. That's because otherwise it would leave orphaned records. IMO, the correct answer from Cisco should be "we just haven't added that functionality yet"...not "it's so we don't leave orphaned records or for non-repudiation".

My 2 cents, and probably grossly oversimplified: add a column to the inspection rule record that stores the last incident created by it. When deleting a rule, check whether that incident is still in the dynamic data. If yes, either refuse the delete or ask the user whether it is okay to delete the incident too.
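
The referential-integrity behaviour described in the reply above, as an added example that is not code from the thread, from Cisco, or from MARS itself. The table and column names (rules, incidents, rule_id, src_ip, active) are assumptions for illustration, not the actual MARS schema. It shows three things on a small SQLite database: a foreign key blocking a hard delete of a rule that an incident still points at, the copy-on-change pattern the reply credits to inspection rules (old row left untouched, new row carries the edit), and the "is the incident still there? then refuse or confirm" check the last paragraph proposes.

```python
import sqlite3

# Constructed schema modelled on the thread's description: each incident
# carries a foreign key to the rule that created it. Names are assumptions,
# not the real MARS schema.
SCHEMA = """
CREATE TABLE rules (
    rule_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    src_ip  TEXT NOT NULL,
    active  INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE incidents (
    incident_id INTEGER PRIMARY KEY,
    rule_id     INTEGER NOT NULL REFERENCES rules(rule_id) ON DELETE RESTRICT,
    detail      TEXT NOT NULL
);
"""


def open_db():
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when asked
    conn.executescript(SCHEMA)
    with conn:
        conn.execute("INSERT INTO rules(rule_id, name, src_ip) VALUES (1, 'drop-telnet', '10.0.0.5')")
        conn.execute("INSERT INTO rules(rule_id, name, src_ip) VALUES (2, 'unused-rule', '10.0.0.9')")
        conn.execute("INSERT INTO incidents(rule_id, detail) VALUES (1, 'telnet from 10.0.0.5')")
    return conn


def incidents_for_rule(conn, rule_id):
    """Number of incident rows whose foreign key points at rule_id."""
    return conn.execute("SELECT COUNT(*) FROM incidents WHERE rule_id = ?", (rule_id,)).fetchone()[0]


def rule_src_ip(conn, rule_id):
    return conn.execute("SELECT src_ip FROM rules WHERE rule_id = ?", (rule_id,)).fetchone()[0]


def try_delete_rule(conn, rule_id):
    """Naive hard delete. Returns True if a row was removed, False if the
    foreign key constraint refused because an incident still references it."""
    try:
        with conn:  # commits on success, rolls back on the exception
            cur = conn.execute("DELETE FROM rules WHERE rule_id = ?", (rule_id,))
        return cur.rowcount == 1
    except sqlite3.IntegrityError:
        return False


def edit_rule_copy_on_write(conn, rule_id, new_src_ip):
    """Copy-on-change, as the reply describes for inspection rules: the old row
    stays unchanged (just deactivated) so existing incidents keep pointing at
    the rule text that actually matched; the edit lands in a new row.
    Returns the new rule_id."""
    with conn:
        (name,) = conn.execute("SELECT name FROM rules WHERE rule_id = ?", (rule_id,)).fetchone()
        conn.execute("UPDATE rules SET active = 0 WHERE rule_id = ?", (rule_id,))
        cur = conn.execute("INSERT INTO rules(name, src_ip, active) VALUES (?, ?, 1)", (name, new_src_ip))
        return cur.lastrowid


def delete_rule_with_incidents(conn, rule_id, confirm_cascade):
    """The check proposed in the last paragraph: if incidents still reference the
    rule, refuse unless the caller has explicitly accepted deleting them too."""
    if incidents_for_rule(conn, rule_id) > 0 and not confirm_cascade:
        return False
    with conn:
        conn.execute("DELETE FROM incidents WHERE rule_id = ?", (rule_id,))
        cur = conn.execute("DELETE FROM rules WHERE rule_id = ?", (rule_id,))
    return cur.rowcount == 1


if __name__ == "__main__":
    db = open_db()
    print("delete referenced rule 1:", try_delete_rule(db, 1))
    print("delete unreferenced rule 2:", try_delete_rule(db, 2))
    new_id = edit_rule_copy_on_write(db, 1, "10.0.0.6")
    print("old row src_ip:", rule_src_ip(db, 1), "new row src_ip:", rule_src_ip(db, new_id))
    print("delete rule 1 without confirm:", delete_rule_with_incidents(db, 1, False))
    print("delete rule 1 with confirm:", delete_rule_with_incidents(db, 1, True))
```

The point of ON DELETE RESTRICT here is that the database itself refuses to orphan incident records; whether the application then copies the rule, reassigns the children (as the thread says MARS already does for cases when a user is deleted), or cascades with confirmation is a product decision layered on top of the constraint, not something the constraint forbids.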

Matthew,

Thanks for the clarification and the suggested improvement to the product. A "5" from NYC.

Best,

Paul
