Hiding top talking ports in reports

Jun 18th, 2008

I may be on the wrong route here, but I am setting up MARS for the first time. Now that I have a couple of devices sending logs and NetFlow, how do I hide the high-traffic ports in reports that I know are regular traffic? Like in the system report, Destination Ports ranked by Sessions, port 1720 is all the voice traffic, which is 10x more than any other traffic on the network. Is there a way to hide that from the reports so that I can easily see irregular traffic? Or will that go away after MARS "baselines"?

Farrukh Haroon Wed, 06/18/2008 - 18:33

Hello Ben

If you make a drop rule for traffic coming to this port then it will stop showing in the report (but this will not really hide it). Like we have a FWSM sending level 7 syslogs to the MARS. We saw a lot of 'sessions' were related to SNMP, Proxy 8080. So we just made a drop rule for both and this greatly reduced the load on our MARS, reducing, I think, about 2 million events per day.

Also just to 'hide', you can most probably edit the Query, click on destination port and add "NOT EQUAL" Port 1720. You can also filter by source IP/Destination (for example exclude traffic directed/sourced from the IPT server).



