Cisco Support Community
MARS Tuning

I have recently set up MARS and I am working on getting some of the tuning done so I don't get as many incidents created. Some of the typical stuff I want to tune out is general Windows network stuff, like SMB Remote SAM service access, since this traffic is normal on an internal Windows network. The problem I am running into is not being able to define the networks to tune.

For example, I query for all the incidents matching the referenced event, and once the query is returned, I click on the False Positive Tuning link on the right. After that, a window pops up and I can select the event using a check box, and then I can select the source and destination. The problem I have is that it seems I can only do a one-to-many approach. Instead of being able to say "anything to anything, log to DB only", it seems I can only do a single host to a subnet, or vice versa. Is this the way it's supposed to work? If so, how would I go about tuning out an entire subnet from certain events?


Re: MARS Tuning

I found that if I continue through the rule, I get to a more advanced tuning window that looks like the query event data options.

Re: MARS Tuning

MARS lets you enter individual hosts or IP ranges when tuning.

However it is highly recommended to tune stuff at the 'reporting device' before it reaches the MARS box. For example the SMB events should be filtered out at the IPS using event action filters, reducing the load on MARS and on your network.
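To make the reply's point concrete, here is a small model of an event-action filter of the kind you would apply at the reporting device (or, failing that, as a MARS drop rule): a signature is demoted from "create incident" to "log only" when both the source and the destination fall inside named IP ranges. This is an added illustration, not Cisco MARS or IPS code; the signature name, the internal subnets and the sample events are constructed for the example. The point to notice is that the filter is scoped to the internal ranges on both sides, so the same signature from an outside address still produces an incident.

```python
"""Model of a reporting-device event-action filter (added example).

Not MARS or Cisco IPS code. The signature name, subnets and events below
are constructed to show many-to-many tuning: suppress the incident only
when BOTH src and dst are inside the internal ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    sig: str  # signature / event type as the sensor reports it
    src: str  # attacker address
    dst: str  # victim address


@dataclass(frozen=True)
class Filter:
    """Demote `sig` to log-only when src is in src_ranges and dst is in dst_ranges."""
    sig: str
    src_ranges: tuple
    dst_ranges: tuple


def _in_ranges(ip: str, ranges) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def classify(event: Event, filters: Iterable[Filter]) -> str:
    """Return 'log-only' if any filter matches, else 'incident'."""
    for f in filters:
        if (event.sig == f.sig
                and _in_ranges(event.src, f.src_ranges)
                and _in_ranges(event.dst, f.dst_ranges)):
            return "log-only"
    return "incident"


# Constructed internal address space (assumption for the example).
INTERNAL = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))

# One filter: normal Windows SMB/SAM traffic between internal hosts is noise.
FILTERS = (
    Filter("SMB Remote SAM service access", INTERNAL, INTERNAL),
)

# Constructed sample events (not real sensor output).
SAMPLE_EVENTS = (
    Event("SMB Remote SAM service access", "10.1.2.3", "10.1.2.10"),      # internal -> internal
    Event("SMB Remote SAM service access", "203.0.113.5", "10.1.2.10"),   # external -> internal
    Event("SMB Remote SAM service access", "10.1.2.3", "198.51.100.9"),   # internal -> external
    Event("Some other signature", "10.1.2.3", "10.1.2.10"),               # different sig
)


def apply_filters(events: Iterable[Event],
                  filters: Iterable[Filter] = FILTERS) -> List[Tuple[Event, str]]:
    return [(e, classify(e, filters)) for e in events]


def incident_count(events: Iterable[Event], filters: Iterable[Filter] = FILTERS) -> int:
    return sum(1 for _, action in apply_filters(events, filters) if action == "incident")


if __name__ == "__main__":
    for ev, action in apply_filters(SAMPLE_EVENTS):
        print(f"{action:9s} {ev.sig}: {ev.src} -> {ev.dst}")
```

Only the first event is demoted; the external-to-internal and internal-to-external SAM accesses, and the unrelated signature, still produce incidents. That is the reason to tune by subnet ranges on both sides rather than with an "anything to anything" rule.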

Re: MARS Tuning

I completely endorse Farrukh's recommendation and give it a "5" from NYC.