MARS, netflow and rules

Unanswered Question
Jun 20th, 2007

I've recently implemented a CS-MARS, and have a question regarding the amount of netflow data the system receives. There are around 20 routers sending netflow to the box, and the amount of netflow data received over the last month shows a downward trend.

I'm not sure why this should be. I've been told that it's to do with the MARS learning its baseline, but I'm not convinced by this comment. The counter I'm referring to is the daily one under the events on the summary page.

Can altering the rules by restricting the source IP addresses affect the received netflow event counter? I would have thought not, but again I'm not sure.

It's possible that the variance in the daily netflow event rate is due to normal network traffic rates.

I just need to understand if the rate change is due to normal traffic patterns or something I have changed on the MARS. If altering rules on the MARS doesn't affect the received netflow event counter then it must be the day-to-day traffic rates.

Anonymous (not verified) Tue, 06/26/2007 - 06:02

An inspection rule is a real-time filter that detects interesting patterns of network activity. These patterns can signify attacks or false positives, and they inform you of network configuration errors and other anomalous network behavior. An attack might be straightforward, or it could be a probe, an attack, and then a follow-up to the attack. Whatever the method of attack, attacks share common traits, and you can use rules to define these traits to identify and mitigate attacks.

Refer to this link for more information:

http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008053f1a1.html
