I have recently set up MARS and I am working on getting some of the tuning done so I don't get as many incidents created. Some of the typical stuff I want to tune out is general Windows network stuff, like SMB Remote SAM service access, since this traffic is normal on an internal Windows network. The problem I am running into is not being able to define the networks to tune.
For example, I query for all the incidents matching the referenced event, and once the query is returned, I click on the False Positive Tuning link on the right. After that, a window pops up and I can select the event using a check box, and then I can select the source and destination. The problem I have is that it seems I can only do a one-to-many approach. Instead of being able to say anything 192.168.1.0/24 to 192.168.1.0/24, log to DB only, it seems I can only do a single host to a subnet, or vice versa. Is this the way it's supposed to work? If so, how would I go about tuning out an entire subnet from certain events?
MARS lets you enter individual hosts or IP ranges when tuning.
However it is highly recommended to tune stuff at the 'reporting device' before it reaches the MARS box. For example the SMB events should be filtered out at the IPS using event action filters, reducing the load on MARS and on your network.