21-6
User Guide for Cisco Security MARS Local Controller
78-17020-01
Chapter 21 Rules
Constructing a Rule
(Suspicious Activity[1]..Suspicious Activity[n])
Failures identify an event from a reporting device that the device classifies as a failure. Often, these rules simply match known syslog or SNMP messages indicating some failure on the device. You can define alerts to keep you abreast of device failures. These rules follow one of two general structures: a one-line failure—

Failure

—or multi-line failures separated by the OR operator—

Failure OR Failure (1..N)
In the HTML interface, system rules are displayed in rows and columns. The row number is called the Offset. A rule can have more than one row (or offset), as shown in Figure 21-2.

Figure 21-2 Rule with Multiple Offsets
Table 21-1 Rule Fields and Arguments

Rule Field | Field Description and Arguments | Argument Descriptions
Offset | The row number. | 
Open ( | Identifies the open of a clause. Clauses are used to compare one or more compound conditions in a rule. | Displays the open braces you create for clauses.