Cisco Support Community

Event Type Groups / Rule behavior

Hello All,

I am having trouble understanding the different Event Type Groups used in the different MARS rules. For example, when looking through the incidents generated, I found

port Scans

ping sweeps

server scans for specific ports

and others

that are all being fired under the rule

System Rule: Network Activity: P2P File Sharing - Active

or under the rule

System Rule: Network Activity: Excessive Denies - Host Compromise Likely.

When looking closer at these rules, I have noticed they contain some (what I thought were) very generic event type groups.

Is there a resource that you guys know of that describes or goes into detail about the event type groups? I have tried most of the Cisco-recommended MARS books and haven't found much detail.

-Thanks.

Accepted Solutions

Re: Event Type Groups / Rule behavior

There is only limited description about these at the end of the MARS user guide.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/local_controller/appmars.html

These are the most annoying 'RULES' in MARS, and you usually have to tune them either at the reporting device or on MARS itself. Device-side tuning is preferred but is not always possible.

Regards

Farrukh


Re: Event Type Groups / Rule behavior

Thanks, although not the answer I was hoping for, I'll look into tuning these rules.
