
Parenthesis confusion.

I am confused about what the parentheses mean within a MARS rule.

Consider the following rule:

System Rule: Password Attack: Mail Server - Success Likely.

The logic/clauses look like this:

(( 1 followed-by 2 ) or 3 ) followed-by 4

I don't understand what this means at all. I think that MARS doesn't use the parentheses in a standard logic operation.

I think it means:

( ( Probe1 followed-by Attack2 ) or ( Probe1 followed-by Attack3 ) ) followed-by offset4

Which could also be written: (( 1 followed-by ( 2 or 3 )) followed-by 4

But it very well may also mean:

(1 followed by 2) or (3 followed by 4)

Either way, I have to assume the parentheses are screwed up. Can someone clarify this for me?

Also, when this rule is fired, I only see in the incident that offset 4 was triggered. Why don't I see the information about what triggered offset 1, followed-by offset 2, and finally followed by offset 4?
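The three readings in the question are not equivalent, and a few short event sequences are enough to tell them apart. The sketch below is an added example, not part of the original post and not MARS code: it evaluates each reading over constructed offset sequences, assuming "followed-by" means "occurs later in time order" and ignoring the per-offset source, destination, count and time-range constraints a real rule carries. The helper names are hypothetical.

```python
# Added illustration: compares three readings of the rule expression from the post.
# Assumption: "followed-by" = occurs later in time order (not necessarily adjacent).
# Per-offset constraints (source/destination, counts, time range) are ignored.

def then(a, b):
    return ("then", a, b)

def either(a, b):
    return ("or", a, b)

def ends(expr, events, start=0):
    """Return every index just past a point where expr can finish matching."""
    if isinstance(expr, int):  # a single rule offset
        return {i + 1 for i in range(start, len(events)) if events[i] == expr}
    op, left, right = expr
    if op == "or":
        return ends(left, events, start) | ends(right, events, start)
    # "then": the right side must match after some completion of the left side
    return {e for mid in ends(left, events, start) for e in ends(right, events, mid)}

def fires(expr, events):
    return bool(ends(expr, events))

READINGS = {
    "as written": then(either(then(1, 2), 3), 4),
    "1 then (2 or 3) then 4": then(then(1, either(2, 3)), 4),
    "(1 then 2) or (3 then 4)": either(then(1, 2), then(3, 4)),
}

# Constructed offset sequences, in time order
SAMPLES = [[1, 2, 4], [3, 4], [1, 2], [1, 3, 4]]

def compare(samples=SAMPLES):
    return {tuple(s): {name: fires(e, s) for name, e in READINGS.items()} for s in samples}

if __name__ == "__main__":
    for seq, verdicts in compare().items():
        print(seq, verdicts)
```

Under these assumptions, the sequence `3, 4` separates the expression as written from the "1 then (2 or 3) then 4" reading, and `1, 2` separates both from the "(1 then 2) or (3 then 4)" reading.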
