MARS Custom reports and rules

May 28th, 2007

Hi, has anybody tried to create a custom rule/report on MARS based on NetFlow information?

My intent is to detect some port scans and other malicious activities based on L4 NetFlow information, without logs and events from additional products. I know how the product works, and that IPS/IDS and firewall logs could help me with this configuration...

For example, I tried to create a rule that detects if the same source sends packets to a single destination on TCP ports 135 and 445 (or 137 or 138 or 139) [simple expression, right?]. This example could detect attempts to exploit Windows systems [access to RPC, then CIFS].

Another example could detect the same source sending packets to a destination on TCP ports 22, 23, 80 and 443; this could fire a rule reporting an administrative access attempt.

The required information is already in the CS-MARS database, but I am not able to create a rule according to these examples. The syntax of the rules seems simple, but even in the CS-MARS books and PDFs I found no advanced rule examples...

There are no detailed explanations for the available operators and variables.

Any examples or documentation that cover this kind of config will be welcome! :D


Roberto Correa
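As an added example (not CS-MARS rule syntax and not code from the original post), the following Python script shows the correlation logic the two proposed rules describe, run offline over constructed NetFlow-style records: for each (source, destination) pair it collects the TCP destination ports seen within a time window, then fires "RPC then CIFS" when port 135 plus at least one of 445/137/138/139 is seen, and "administrative access attempt" when 22, 23, 80 and 443 are all seen. It goes one step beyond the post by also flagging a plain port scan when a pair touches more distinct TCP ports than a threshold. The record layout, field names, rule names, the 300-second window and the scan threshold of 20 ports are all assumptions made for this example.

```python
"""Correlate NetFlow-style records into port-based detection rules.

Example added to this page; it is not CS-MARS code and the record format,
rule names and thresholds below are assumptions, not MARS syntax.
"""
from collections import defaultdict
from dataclasses import dataclass

TCP = 6
UDP = 17


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow v5-style record (assumed layout for this example)."""
    ts: float      # flow start time in seconds
    src: str       # source IP
    dst: str       # destination IP
    proto: int     # IP protocol number
    dport: int     # destination port


# Each rule is a list of port groups; every group must contribute at least one
# port to the (src, dst) pair's observed port set for the rule to fire.
RULES = {
    # RPC endpoint mapper (135) followed by CIFS/NetBIOS (445 or 137-139)
    "windows_rpc_then_cifs": [{135}, {445, 137, 138, 139}],
    # SSH, telnet, HTTP and HTTPS all probed from one source to one host
    "admin_access_attempt": [{22}, {23}, {80}, {443}],
}

SCAN_THRESHOLD = 20   # distinct TCP ports per (src, dst) that count as a scan


def group_ports(flows, window):
    """Map (src, dst) -> set of TCP destination ports seen within `window`
    seconds of that pair's first flow. Non-TCP flows are ignored because the
    rules are about TCP service ports. A production correlator would use a
    sliding window; the fixed window keeps the example short."""
    first_seen = {}
    ports = defaultdict(set)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != TCP:
            continue
        key = (f.src, f.dst)
        start = first_seen.setdefault(key, f.ts)
        if f.ts - start <= window:
            ports[key].add(f.dport)
    return ports


def evaluate(flows, window=300):
    """Return a list of (rule_name, src, dst, detail) alerts."""
    alerts = []
    for (src, dst), ports in group_ports(flows, window).items():
        for name, groups in RULES.items():
            if all(ports & g for g in groups):
                alerts.append((name, src, dst, tuple(sorted(ports))))
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append(("tcp_port_scan", src, dst, len(ports)))
    return alerts


# Constructed sample flows (not real traffic): one RPC+CIFS probe, one
# multi-port admin probe, one benign web hit plus a UDP DNS flow, and a
# 25-port sequential scan.
SAMPLE_FLOWS = [
    Flow(0, "10.1.1.5", "10.2.2.20", TCP, 135),
    Flow(2, "10.1.1.5", "10.2.2.20", TCP, 445),
    Flow(5, "10.1.1.5", "10.2.2.20", TCP, 139),
    Flow(10, "10.1.1.9", "10.2.2.30", TCP, 22),
    Flow(11, "10.1.1.9", "10.2.2.30", TCP, 23),
    Flow(12, "10.1.1.9", "10.2.2.30", TCP, 80),
    Flow(13, "10.1.1.9", "10.2.2.30", TCP, 443),
    Flow(20, "10.1.1.7", "10.2.2.40", TCP, 80),
    Flow(21, "10.1.1.7", "10.2.2.40", UDP, 53),
] + [Flow(30 + i, "10.1.1.66", "10.2.2.50", TCP, 1000 + i) for i in range(25)]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(alert)
```

Because the rules key on sets of ports per (source, destination) pair rather than on individual flows, a single benign web hit on port 80 does not fire anything, while the same source touching all four admin ports does; the window matters, since a 135 flow followed by a 445 flow hours later is normal file-server use, not an exploitation attempt.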
