CS-MARS Netflow and Rules Associated With It

May 15th, 2008

Hello All,

Does anyone know which rules in CS-MARS, or which rule group, are associated with Netflow, i.e. which rule or rules will trigger an incident when a Netflow event is detected?

mhellman Thu, 05/15/2008 - 04:33

FWIW, there's a new MARS group here:


I can't say that I know them all, but I think this is the main one:

Netflow events get mapped to the "Built/teardown/permitted IP connection" event type, which in turn is part of the "Info/AllSession" event type group. Look for the event type and the event type group in inspection rules to find out where they apply.

