Hi, has anybody tried to create a custom rule/report on MARS based on NetFlow information?
My intent is to detect some port scans and other malicious activities based on L4 NetFlow information, without additional product logs and events. I know how the product works, and that IPS/IDS and firewall logs could help me with this configuration...
For example, I tried to create a rule that detects if the same source sends packets to a single destination on TCP ports 135 and 445 (or 137, 138 or 139) [simple expression, right?]. This example could detect exploitation attempts on Windows systems [access to RPC then CIFS].
Another example could detect the same source sending packets to a destination on TCP ports 22, 23, 80 and 443; this could fire a rule reporting an administrative access attempt.
The required information is already in the CS-MARS database, but I am not able to create a rule according to these examples. The syntax of the rules seems simple, but even in the CS-MARS books and PDFs I found no advanced rule example...
There are no detailed explanations for the available operators and variables.
Any examples or documentation that cover this kind of config will be welcome! :D
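The two correlation rules described in the post, written out as an added example in Python rather than in CS-MARS rule syntax (this is not MARS code and not the poster's), so the matching logic can be checked offline before trying to express it in the product; the NetFlow-style record layout and the sample flows are constructed.

```python
# Added example (not from the original post, and not CS-MARS rule syntax):
# the two correlation rules described above, evaluated over NetFlow-style
# records. Record fields and sample values are constructed.
from collections import defaultdict

# Rule 1: same source -> same destination on TCP 135 plus any of 445/137/138/139
RPC_PORT = 135
SMB_PORTS = {445, 137, 138, 139}
# Rule 2: same source -> same destination on all of TCP 22, 23, 80 and 443
ADMIN_PORTS = {22, 23, 80, 443}

# Constructed sample flows: (src_ip, dst_ip, ip_protocol, dst_port)
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.2.2.10", 6, 135),
    ("10.1.1.5", "10.2.2.10", 6, 445),
    ("10.1.1.5", "10.2.2.11", 6, 135),   # 135 only: no CIFS follow-up, no hit
    ("10.1.1.7", "10.2.2.20", 6, 22),
    ("10.1.1.7", "10.2.2.20", 6, 23),
    ("10.1.1.7", "10.2.2.20", 6, 80),
    ("10.1.1.7", "10.2.2.20", 6, 443),
    ("10.1.1.9", "10.2.2.20", 17, 22),   # UDP: wrong protocol, ignored
    ("10.1.1.9", "10.2.2.20", 6, 80),    # only one admin port, no hit
]

def tcp_ports_by_pair(flows):
    """Collect the set of TCP destination ports each (src, dst) pair touched."""
    ports = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == 6:  # TCP only; both rules are stated for TCP
            ports[(src, dst)].add(dport)
    return ports

def evaluate_rules(flows):
    """Return (rule_name, src, dst) for every source/destination pair that
    matches one of the two rules; a pair may match both."""
    hits = []
    for (src, dst), ports in sorted(tcp_ports_by_pair(flows).items()):
        if RPC_PORT in ports and ports & SMB_PORTS:
            hits.append(("rpc_then_cifs", src, dst))
        if ADMIN_PORTS <= ports:
            hits.append(("admin_access_attempt", src, dst))
    return hits

if __name__ == "__main__":
    for hit in evaluate_rules(SAMPLE_FLOWS):
        print(hit)
```

A real rule would also bound the correlation by a time window; this version treats the whole record set as one window to keep the matching condition itself visible.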