Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 426

Security mars local controller

Constructing a Rule
(Suspicious Activity[1]..Suspicious Activity[n])
Failures identify an event from a reporting device that the device classifies as a failure. Often, these rules simply match known syslog or SNMP messages indicating some failure on the device. You can define alerts to keep you abreast of device failures. These rules follow one of two general structures. A one-line failure:

Failure

Or multi-line failures separated by the OR operator:

Failure[1].. OR Failure[N]

In the HTML interface, system rules are displayed in rows and columns. The row number is called the Offset. A rule can have more than one row (or offset), as shown in Figure 21-2.

Figure 21-2 Rule with Multiple Offsets

Table 21-1 Rule Fields and Arguments

| Rule Field | Field Description and Arguments | Argument Descriptions |
|---|---|---|
| Offset | The row number. | |
| Open ( | Identifies the open of a clause. Clauses are used to compare one or more compound conditions in a rule. | Displays the open braces you create for clauses. |

User Guide for Cisco Security MARS Local Controller (78-17020-01), Chapter 21, Rules, page 21-6

This manual is also suitable for:

Mars 20, Mars 50, Mars 100, Mars 200
