CS-MARS Netflow and Rules Associated With It

Unanswered Question
May 15th, 2008

Hello All,

Does anyone know which rules or which rule group in CS-MARS is associated with Netflow, i.e. which rule or rules will trigger an incident when a Netflow event is detected?

mhellman Thu, 05/15/2008 - 04:33

FWIW, there's a new MARS group here:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=MARS&topic=Discussions

I can't say that I know them all, but I think this is the main one:

Netflow events get mapped to the "Built/teardown/permitted IP connection" event type, which in turn is part of the "Info/AllSession" event type group. Look for the event type and the event type group in inspection rules to find out where they apply.
