Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
308
Views
0
Helpful
1
Replies

MARS - "Sudden increase of traffic to a port" rule

cniblo1975
Level 1
Level 1

‎11-28-2006 11:34 AM - edited ‎03-09-2019 04:57 PM

Hello. I duplicated the system rule "Sudden increase of traffic to a port" in MARS and it blew out the original system rule and now shows up as a user rule. It doesn't appear to be working either. It is active. Not sure what to make of this, and neither is TAC. Anybody every mess up a system rule like this? Anyway to recover it? Thanks!

Labels:
0 Helpful
1 Reply 1

cniblo1975
Level 1
Level 1

‎11-29-2006 09:07 AM

I upgraded to 4.2.2 and the rule seems to have been restored as a system rule. I noticed that it is showing up in our morning report (Event Types Ranked by Sessions), but we are not recieving an email or page for this rule firing (email/SMS notification works for all other rules). I ran a query for this event for the time period of the report it showed up on and no results were returned. Any thoughts would be appreciated. Thanks.

Christine

0 Helpful
Customers Also Viewed These Support Documents