Constructing a Rule
Working Examples
The examples in this section demonstrate the use of variables, in particular, how to use variables to
detect Deny patterns.
Note We recommend that you study the system inspection rules for more complex examples. To view a list of system rule names and descriptions, see Appendix D, "System Rules and Reports."

Note For a single offset rule, the variables SAME and SAME_ANY_DEST_PORT can be substituted in any of the examples for $TARGET01 and $ANY_DEST_PORT1, respectively. The "ANY" in $ANY_DEST_PORT1 means either UDP or TCP protocol; that is, the port is matched by number alone, so UDP and TCP denies to the same port number are counted together.

Example A: Excessive Denies to a Particular Port on the Same Host
Figure 21-3 Rule for Excessive Denies to a Particular Port on the Same Host
In this example, the rule fires when 100 of the specified events occur from any source IP address to the same destination IP address, with identical destination port numbers.

Example B: Same Source Causing Excessive Denies on a Particular Port
Figure 21-4 Rule for Same Source Doing Excessive Denies on a Particular Port
In this example, the rule fires when 100 of the specified events occur that have the same source IP address, any destination IP address, and identical destination port numbers.

Example C: Same Host, Same Destination, Same Port Denied
Figure 21-5 Rule for Same Host, Destination, Same Port Denied
In this example, the rule fires when 20 of the specified events occur that have the same source and destination addresses, and identical destination port numbers.

User Guide for Cisco Security MARS Local Controller
Chapter 21 Rules
78-17020-01
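The three rules above differ only in which fields are bound to a "same" variable and in the event count that trips them. The following Python model, an added example that is not code from the MARS user guide or from the product, shows the grouping logic behind Examples A, B and C run over constructed deny events, including why binding the port to $ANY_DEST_PORT1 (TCP or UDP) rather than a protocol-specific port changes whether Example B fires. The rule and event field names, and the omission of a time window (real MARS rules count within a time range; here the whole event list is counted), are assumptions of this example.

```python
"""Count-based ("single offset") deny rules with SAME / ANY variable bindings.

Added example, not code from the MARS user guide or the product. It models
the three rules in Examples A, B and C: a rule fires once the threshold
number of deny events agree on every field bound to a SAME-style variable
($TARGET01, $ANY_DEST_PORT1, ...), while fields left as "any" do not
constrain the match. Assumption: no time window, the whole list is counted.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str, str]


@dataclass(frozen=True)
class DenyEvent:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class CountRule:
    name: str
    threshold: int
    same_src: bool          # source address must be identical
    same_dst: bool          # $TARGET01 / SAME: destination address must be identical
    same_port: bool         # $ANY_DEST_PORT1 / SAME_ANY_DEST_PORT: port must be identical
    any_proto: bool = True  # the "ANY" in $ANY_DEST_PORT1: TCP and UDP count together

    def key(self, ev: DenyEvent) -> Key:
        """Group key made of the fields the rule requires to be identical.
        A field left as 'any' collapses to the constant '*'."""
        port = "*"
        if self.same_port:
            port = str(ev.dst_port) if self.any_proto else f"{ev.proto}/{ev.dst_port}"
        return (ev.src_ip if self.same_src else "*",
                ev.dst_ip if self.same_dst else "*",
                port)


def evaluate(rule: CountRule, events: Iterable[DenyEvent]) -> List[Key]:
    """Return the group keys for which the rule fired, in firing order.
    Each key fires once, on the event that makes its count reach the threshold."""
    counts: Dict[Key, int] = defaultdict(int)
    fired: List[Key] = []
    for ev in events:
        k = rule.key(ev)
        counts[k] += 1
        if counts[k] == rule.threshold:
            fired.append(k)
    return fired


# The three rules from the text, expressed as bindings.
RULE_A = CountRule("Excessive Denies to a Particular Port on the Same Host", 100,
                   same_src=False, same_dst=True, same_port=True)
RULE_B = CountRule("Same Source Doing Excessive Denies on a Particular Port", 100,
                   same_src=True, same_dst=False, same_port=True)
RULE_C = CountRule("Same Host, Same Destination, Same Port Denied", 20,
                   same_src=True, same_dst=True, same_port=True)
# Hypothetical variant: a TCP-only port variable instead of $ANY_DEST_PORT1.
RULE_B_PROTO_SPECIFIC = CountRule(RULE_B.name + " (protocol-specific port)", 100,
                                  same_src=True, same_dst=False, same_port=True,
                                  any_proto=False)


def sample_events() -> List[DenyEvent]:
    """Constructed deny events (not real firewall logs) in three bursts."""
    evs: List[DenyEvent] = []
    # Burst 1: 100 distinct sources denied to 10.1.1.5 tcp/22 -> Rule A only.
    for i in range(100):
        evs.append(DenyEvent(f"198.51.100.{i + 1}", "10.1.1.5", "tcp", 22))
    # Burst 2: one source denied on 3389 across 100 hosts, 60 over TCP and 40
    # over UDP -> Rule B, but only because $ANY_DEST_PORT1 merges TCP and UDP.
    for i in range(60):
        evs.append(DenyEvent("203.0.113.9", f"10.2.0.{i + 1}", "tcp", 3389))
    for i in range(60, 100):
        evs.append(DenyEvent("203.0.113.9", f"10.2.0.{i + 1}", "udp", 3389))
    # Burst 3: one source denied 20 times to one host on tcp/445 -> Rule C only.
    for _ in range(20):
        evs.append(DenyEvent("203.0.113.42", "10.1.1.9", "tcp", 445))
    return evs


def run_all(events: Iterable[DenyEvent]) -> Dict[str, List[Key]]:
    """Evaluate every rule over the same event list (events is read once per rule)."""
    evs = list(events)
    return {r.name: evaluate(r, evs)
            for r in (RULE_A, RULE_B, RULE_C, RULE_B_PROTO_SPECIFIC)}


if __name__ == "__main__":
    for name, keys in run_all(sample_events()).items():
        print(f"{name}: {keys if keys else 'did not fire'}")
```

Burst 1 trips only Rule A (the destination and port agree while the sources differ), burst 3 trips only Rule C (its 20 events never reach the 100 that A and B need), and burst 2 trips Rule B only under the $ANY_DEST_PORT1 binding: with a protocol-specific port the 60 TCP and 40 UDP denies fall into two groups and neither reaches 100. Substituting SAME for $TARGET01 corresponds to `same_dst=True` here; a field left unbound corresponds to `False`.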