User Guide for Cisco Security MARS Local Controller (78-17020-01), Chapter 21 Rules, page 21-10

Constructing a Rule

Table 21-1 Rule Fields and Arguments (continued)

Columns: Rule Field | Field Description and Arguments | Argument Descriptions

Rule Field: Service (row continued from the preceding page)

  Field Description and Arguments:
    Defined services—One or more services defined under Management > Service Management.
    Service groups—One or more service groups defined under Management > Service Management.

  Argument Descriptions:
    • Backdoor
    • Instant Messaging
    • Mail Retrieval
    • Online Game
    • P2P
    • Recent Backdoor
    • TCP-highport
    • UDP-highport
    • vulnerable-protocols

Rule Field: Event

  Field Description and Arguments:
    Identifies one or more event types. An event type indicates some type of network activity or condition. Events reported from different devices and different device types often identify the same activity or condition, and therefore map to the same event type within MARS. Event types are sorted into event groups, such as "Probe/PortSweep/Stealth", so that a single rule can catch any of the network conditions identified by the group.
    Variables—Signify any single event type defined under Management > Event Management; only useful when two or more lines of the same rule use the same variable.
    Event types—Events that have been merged into types.
    Event type groups—Groups of event types.
    Red Severity Event Types—Displays all red (severe) event types.
    Yellow Severity Event Types—Displays all yellow event types.

  Argument Descriptions:
    • ANY—Any of the active event types can match this rule.
    • SAME
    • DISTINCT
    • $EVENT_TYPE01, $EVENT_TYPE10

    • ANY
    • SAME
    • DISTINCT

    • All events
    • ANY
    • SAME
    • DISTINCT
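The Event field's ANY, SAME, DISTINCT and $EVENT_TYPEnn arguments only matter once a rule has more than one line, which is why the table calls variables useful only "in tandem". The Python below is an added illustration, not Cisco MARS code and not the MARS correlation engine. It assumes simplified semantics: SAME and DISTINCT compare an event's type with the type matched on the preceding line, a variable such as $EVENT_TYPE01 binds to the first event type it matches and must be matched by the same type on every later line that uses it, and an event type group name matches any member of the group. The event stream and the group memberships are constructed for the example.

```python
"""Toy evaluator for multi-line MARS-style rules on the Event field.

Added example; assumed semantics, not Cisco MARS behaviour:
  - literal event type   : matches that type only
  - event type group     : matches any member of the constructed group
  - ANY                  : matches any event type
  - SAME / DISTINCT      : compared with the event type matched by the preceding line
  - $EVENT_TYPEnn        : binds to the type matched on first use, must repeat later
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed event-type groups, modelled on the page's "Probe/PortSweep/Stealth" example.
EVENT_TYPE_GROUPS: Dict[str, set] = {
    "Probe/PortSweep/Stealth": {"Probe/TCP/SYN-Scan", "Probe/PortSweep", "Probe/Stealth"},
    "Penetrate/Backdoor": {"Backdoor/Connect"},
}


@dataclass
class Event:
    src: str          # carried for realism; this example only matches on event_type
    event_type: str


@dataclass
class RuleLine:
    event_arg: str    # literal type, group name, ANY, SAME, DISTINCT or $EVENT_TYPEnn


def line_matches(line: RuleLine, ev: Event, prev_type: Optional[str],
                 bindings: Dict[str, str]) -> bool:
    """Decide whether one event satisfies one rule line; may add a variable binding."""
    arg = line.event_arg
    if arg == "ANY":
        return True
    if arg == "SAME":                      # needs a preceding line to compare with
        return prev_type is not None and ev.event_type == prev_type
    if arg == "DISTINCT":
        return prev_type is not None and ev.event_type != prev_type
    if arg.startswith("$EVENT_TYPE"):      # variable: bind on first use, then enforce
        bound = bindings.get(arg)
        if bound is None:
            bindings[arg] = ev.event_type
            return True
        return ev.event_type == bound
    if arg in EVENT_TYPE_GROUPS:
        return ev.event_type in EVENT_TYPE_GROUPS[arg]
    return ev.event_type == arg


def evaluate(rule: List[RuleLine], events: List[Event]) -> Optional[List[Event]]:
    """Match rule lines in order against the event stream; each line must be
    satisfied by an event later than the one that satisfied the previous line.
    Returns the matched events, or None if some line is never satisfied."""
    bindings: Dict[str, str] = {}
    prev_type: Optional[str] = None
    idx = 0
    matched: List[Event] = []
    for line in rule:
        while idx < len(events):
            ev = events[idx]
            idx += 1
            trial = dict(bindings)         # only commit a binding if the line matches
            if line_matches(line, ev, prev_type, trial):
                bindings = trial
                prev_type = ev.event_type
                matched.append(ev)
                break
        else:
            return None
    return matched


def matched_types(rule: List[RuleLine], events: List[Event]) -> Optional[List[str]]:
    result = evaluate(rule, events)
    return None if result is None else [e.event_type for e in result]


# Constructed event stream: a SYN scan, a backdoor connection, then another SYN scan.
EVENTS = [
    Event("10.0.0.5", "Probe/TCP/SYN-Scan"),
    Event("10.0.0.5", "Backdoor/Connect"),
    Event("10.0.0.5", "Probe/TCP/SYN-Scan"),
]

# Same variable on both lines: the second line must repeat the first line's event type.
RULE_VARIABLE = [RuleLine("$EVENT_TYPE01"), RuleLine("$EVENT_TYPE01")]
# Group on line 1, then any different type on line 2.
RULE_DISTINCT = [RuleLine("Probe/PortSweep/Stealth"), RuleLine("DISTINCT")]
# Group on line 1, then the same type again on line 2.
RULE_SAME = [RuleLine("Probe/PortSweep/Stealth"), RuleLine("SAME")]
# Third line can never be satisfied: the stream ends before $EVENT_TYPE01 repeats.
RULE_UNFINISHED = [RuleLine("Penetrate/Backdoor"), RuleLine("$EVENT_TYPE01"),
                   RuleLine("$EVENT_TYPE01")]

if __name__ == "__main__":
    for name, rule in [("variable", RULE_VARIABLE), ("distinct", RULE_DISTINCT),
                       ("same", RULE_SAME), ("unfinished", RULE_UNFINISHED)]:
        print(name, "->", matched_types(rule, EVENTS))
```

A variable used on a single line behaves exactly like ANY here, which matches the table's remark that variables are only useful when another line of the rule references the same one; the SAME and DISTINCT lines return False when there is no preceding line, so a rule that starts with SAME can never fire.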