Working With Drop Rules; Change Drop Rule Status- Active And Inactive; Duplicate A Drop Rule - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Security mars local controller

Chapter 21
Rules

Click the No button to create a multi-line rule that uses an operator (OR, AND, or FOLLOWED BY). Return to Step 4 and continue to make your selections. Continue to add rule information, and click Submit when finished.
Click the Submit button when finished.
Step 7  When the rule is complete, you need to activate it by clicking the Activate button.
Figure 21-7  Clicking the Activate button
Note  If you are creating or editing several rules, it is better for the system if you click the Activate button for several changes together rather than for each individual change.

Working with Drop Rules

Navigate to the Drop Rules page by clicking the Rules > Drop Rules tabs.
Drop rules instruct MARS to either drop a false positive completely from the appliance or keep it in the database. On the Drop Rules page, you can add, edit, or duplicate a rule, activate an inactive rule, or inactivate an active rule. Inactive rules do not fire.
Note  For releases 4.2.3 and earlier of MARS, you cannot define drop rules for a NetFlow-based event. For these releases, tuning of NetFlow events must be performed on the reporting device.
While working with drop rules is similar to working with inspection rules, it is not identical.

Change Drop Rule Status—Active and Inactive

Step 1  Check the box next to the rule.
Step 2  Click Change Status.
Step 3  When you change the status to inactive, the rule displays only on the inactive rules page.
To display inactive Drop Rules, select Inactive from the View dropdown list.

Duplicate a Drop Rule

Step 1  Check the box next to the rule.

User Guide for Cisco Security MARS Local Controller, 78-17020-01


This manual is also suitable for:

Mars 20, Mars 50, Mars 100, Mars 200
