Parenthesis confusion.

RicheeJJJ_2
Level 1

I am confused at what the parentheses mean within a MARS rule.

Consider the following rule:

System Rule: Password Attack: Mail Server - Success Likely.

The logic/clauses look like this:

(( 1 followed-by 2 ) or 3 ) followed-by 4

I don't understand what this means at all. I think that MARS doesn't use the parentheses in a standard logic operation.

I think it means:

( ( Probe1 followed-by Attack2 ) or ( Probe1 followed-by Attack3 ) ) followed-by offset4

Which could also be written: ( 1 followed-by ( 2 or 3 )) followed-by 4

But it very well may also mean:

(1 followed-by 2) or (3 followed-by 4)

Either way I have to assume the parentheses are screwed up. Can someone clarify this for me?

Also when this rule is fired I only see in the incident that offset 4 was triggered. Why don't I see the information about what triggered offset 1, followed-by offset 2, and finally followed by offset 4?
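The three bracketings in the question above are not equivalent, and the cleanest way to see why is to evaluate each one against a few constructed event streams. The following is an added example written for this page, not Cisco MARS code and not a statement of how MARS actually parses its rules: it assumes a simplified model in which each event in a stream is tagged with the rule offset it matched (1 to 4), "followed-by" means the right-hand side must occur strictly after the left-hand side has completed, and "or" means either side may match. The three rule trees `LITERAL`, `ONE_THEN_2OR3_THEN_4` and `ONE2_OR_34`, the sample streams, and the evaluator itself are all constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Union

# Minimal AST for a sequence rule: an offset hit, a "followed-by", or an "or".
Expr = Union["Event", "FollowedBy", "Or"]


@dataclass(frozen=True)
class Event:
    offset: int          # which rule offset (1..4) an event must have matched


@dataclass(frozen=True)
class FollowedBy:
    first: Expr
    second: Expr


@dataclass(frozen=True)
class Or:
    left: Expr
    right: Expr


def ends(expr: Expr, events: List[int], start: int = 0) -> Set[int]:
    """Return every stream position just past a match of expr that begins at
    index `start` or later. An empty set means the expression does not match.
    Assumed semantics: followed-by is strict temporal ordering, no time window."""
    if isinstance(expr, Event):
        return {i + 1 for i in range(start, len(events)) if events[i] == expr.offset}
    if isinstance(expr, Or):
        return ends(expr.left, events, start) | ends(expr.right, events, start)
    if isinstance(expr, FollowedBy):
        result: Set[int] = set()
        for mid in ends(expr.first, events, start):
            result |= ends(expr.second, events, mid)   # second part must start after first ends
        return result
    raise TypeError(f"unknown expression node: {expr!r}")


def fires(expr: Expr, events: List[int]) -> bool:
    """True if the rule would fire on this stream of offset hits."""
    return bool(ends(expr, events))


E = Event
# The rule exactly as written on the page: (( 1 followed-by 2 ) or 3 ) followed-by 4
LITERAL = FollowedBy(Or(FollowedBy(E(1), E(2)), E(3)), E(4))
# The poster's first reading: ( 1 followed-by ( 2 or 3 )) followed-by 4
ONE_THEN_2OR3_THEN_4 = FollowedBy(FollowedBy(E(1), Or(E(2), E(3))), E(4))
# The poster's second reading: (1 followed-by 2) or (3 followed-by 4)
ONE2_OR_34 = Or(FollowedBy(E(1), E(2)), FollowedBy(E(3), E(4)))

READINGS = {
    "literal": LITERAL,
    "1_then_2or3_then_4": ONE_THEN_2OR3_THEN_4,
    "12_or_34": ONE2_OR_34,
}

# Constructed sample streams: each list is the sequence of offsets hit, in time order.
SAMPLE_STREAMS = {
    "probe 3 then offset 4, no offset 1": [3, 4],
    "offset 1 then 2, never 4": [1, 2],
    "offset 1, 3, 4": [1, 3, 4],
    "offset 1, 2, 4": [1, 2, 4],
}


def compare(events: List[int]) -> Dict[str, bool]:
    """Evaluate one stream under all three bracketings."""
    return {name: fires(expr, events) for name, expr in READINGS.items()}


if __name__ == "__main__":
    for label, stream in SAMPLE_STREAMS.items():
        print(f"{label:40s} {stream!s:12s} -> {compare(stream)}")
```

The `[3, 4]` and `[1, 2]` streams are the discriminating cases: the literal bracketing fires on `[3, 4]` without any offset 1 or 2 ever occurring, the "1 then (2 or 3) then 4" reading does not, and the "(1,2) or (3,4)" reading fires on `[1, 2]` even though offset 4 never occurs. Whichever semantics the product really applies, a rule whose incident only shows the final offset is much easier to interpret once you know which of these trees it was built from.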
