{"id":469,"date":"2010-07-06T20:20:33","date_gmt":"2010-07-06T20:20:33","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2010\/07\/06\/creating-a-cs-mars-rule\/"},"modified":"2023-02-04T02:10:08","modified_gmt":"2023-02-04T02:10:08","slug":"creating-a-cs-mars-rule","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html","title":{"rendered":"How to create a CS-MARS Inspection Rule"},"content":{"rendered":"

Within CS-MARS there are 2 types of rules: Inspection Rules and Drop Rules. Inspection Rules allow you to trigger events based on certain triggers such as keywords, source, destination etc. A Drop Rule is an exception rule which MARS uses to ignore a behaviour that would otherwise trigger an event.

In this example we will configure an Inspection Rule. First of all we need to define when this rule will trigger an event. For this example we will create an event every time someone saves a configuration change on your NetScreen device. The syslog message for this is:

Jul  6 14:17:42 x.x.x.x ns200: NetScreen device_id=006403324004624  [Root]system-information-00767: System configuration saved by [user] via web from host x.x.x.x to x.x.x.x:443 by [user]. (2010-07-06 19:17:41)

Steps

1. Click Rules | Inspection Rules | Add

2. This will take you through a wizard. For each stage select Any, until you get to the Keyword section.
3. Enter the text you want CS-MARS to trigger on.


4. Carry on through the wizard. At the end, Apply the changes.


5. Now when you go into the Incident Rule section again you will see your new rule. By default your new rule will be active.

Additional Notes

In the syslog message above you will notice that the message ID is 00767. CS-MARS has a list of all the device message types\/IDs, which it calls event types. This is useful, as it allows you to build rules based on event types rather than just on keyword strings.","protected":false},"excerpt":{"rendered":"

","protected":false},"author":2,"featured_media":463,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"yoast_head_json":{"title":"How to create a CS-MARS Inspection Rule - Fir3net","description":"Within CS-MARS there are 2 types of rules. Inspection Rules and Drop Rules. Inspection Rules allow you to trigger events based on certain triggers such as","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html","og_locale":"en_US","og_type":"article","og_title":"How to create a CS-MARS Inspection Rule - Fir3net","og_description":"Within CS-MARS there are 2 types of rules. 
Inspection Rules and Drop Rules. Inspection Rules allow you to trigger events based on certain triggers such as","og_url":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html","og_site_name":"Fir3net","article_published_time":"2010-07-06T20:20:33+00:00","article_modified_time":"2023-02-04T02:10:08+00:00","og_image":[{"width":922,"height":218,"url":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2010\/07\/images_legacy_newrule-small.png","type":"image\/jpeg"}],"author":"Rick Donato","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Rick Donato","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html#article","isPartOf":{"@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html"},"author":{"name":"Rick Donato","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037"},"headline":"How to create a CS-MARS Inspection Rule","datePublished":"2010-07-06T20:20:33+00:00","dateModified":"2023-02-04T02:10:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html"},"wordCount":224,"publisher":{"@id":"https:\/\/www.fir3net.com\/#organization"},"image":{"@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html#primaryimage"},"thumbnailUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2010\/07\/images_legacy_newrule-small.png","articleSection":["SIEM"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html","url":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html","name":"How to create a CS-MARS Inspection Rule - 
Fir3net","isPartOf":{"@id":"https:\/\/www.fir3net.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html#primaryimage"},"image":{"@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html#primaryimage"},"thumbnailUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2010\/07\/images_legacy_newrule-small.png","datePublished":"2010-07-06T20:20:33+00:00","dateModified":"2023-02-04T02:10:08+00:00","description":"Within CS-MARS there are 2 types of rules. Inspection Rules and Drop Rules. Inspection Rules allow you to trigger events based on certain triggers such as","breadcrumb":{"@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html#primaryimage","url":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2010\/07\/images_legacy_newrule-small.png","contentUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2010\/07\/images_legacy_newrule-small.png","width":922,"height":218},{"@type":"BreadcrumbList","@id":"https:\/\/www.fir3net.com\/Security\/Siem\/creating-a-cs-mars-rule.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.fir3net.com\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.fir3net.com\/security"},{"@type":"ListItem","position":3,"name":"SIEM","item":"https:\/\/www.fir3net.com\/security\/siem"},{"@type":"ListItem","position":4,"name":"How to create a CS-MARS Inspection Rule"}]},{"@type":"WebSite","@id":"https:\/\/www.fir3net.com\/#website","url":"https:\/\/www.fir3net.com\/","name":"Fir3net","description":"Keeping you in the 
know","publisher":{"@id":"https:\/\/www.fir3net.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.fir3net.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.fir3net.com\/#organization","name":"Fir3net","url":"https:\/\/www.fir3net.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png","contentUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png","width":390,"height":88,"caption":"Fir3net"},"image":{"@id":"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037","name":"Rick Donato","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g","caption":"Rick Donato"},"description":"Rick Donato is a Network Automation Architect\/Evangelist and the founder of Packet 
Coders."}]}},"_links":{"self":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/469"}],"collection":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/comments?post=469"}],"version-history":[{"count":2,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/469\/revisions"}],"predecessor-version":[{"id":3608,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/469\/revisions\/3608"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/media\/463"}],"wp:attachment":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/media?parent=469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/categories?post=469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/tags?post=469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}