I am looking for suggestions on tuning sudden increase to port traffic for MARS.
We have a third party that we do not want to be actively alerted when they perform their scan. This gives us one set of IP addresses they use to scan.
Next is our internal networks that are the target of those scans, which gives us a second source.
Unfortunately, MARS is reporting these flows as Source 0.0.0.0 Target (Int Host) and Source (Scan Co.) Target 0.0.0.0.
Anyone have any suggestions? I'm worried if I filter by source, I'll lose that portion of the correlation and be left with just the victim IP of the scan, which tells me little.
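As an added illustration of the tuning problem described in this post (example code written for this thread, not Cisco MARS functionality or a MARS drop rule), the script below takes a constructed batch of half-resolved incidents of the two shapes the post describes and compares two approaches: a naive drop rule keyed on the scanner's source address, which leaves every "0.0.0.0 -> internal host" half behind, and a time-window pairing that matches each scanner-sourced half with the placeholder-sourced half naming an internal victim, suppresses both, and records the (scanner, victim) pair so the correlation is not lost. The scanner block 203.0.113.0/24, the internal range 10.0.0.0/8, the 60-second pairing window and all timestamps and addresses are assumptions made up for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed values (assumptions, not from the post): the vendor's scanner block,
# the internal ranges it is contracted to scan, and how far apart the two halves
# of one scan incident may be reported before they are no longer paired.
AUTHORIZED_SCANNERS = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_TARGETS = [ipaddress.ip_network("10.0.0.0/8")]
PAIR_WINDOW = timedelta(seconds=60)
PLACEHOLDER = ipaddress.ip_address("0.0.0.0")

# Constructed sample of port-traffic incidents in the half-resolved form the post
# describes: one half names the scanner with a 0.0.0.0 target, the other a
# 0.0.0.0 source with the internal victim. The last two are an unrelated source
# and must survive both filters.
SAMPLE_EVENTS = [
    {"ts": "2009-03-02 02:00:05", "src": "203.0.113.7", "dst": "0.0.0.0"},
    {"ts": "2009-03-02 02:00:09", "src": "0.0.0.0", "dst": "10.1.20.15"},
    {"ts": "2009-03-02 02:00:40", "src": "203.0.113.7", "dst": "0.0.0.0"},
    {"ts": "2009-03-02 02:00:44", "src": "0.0.0.0", "dst": "10.1.20.16"},
    {"ts": "2009-03-02 03:15:00", "src": "0.0.0.0", "dst": "10.1.20.99"},
    {"ts": "2009-03-02 03:15:03", "src": "198.51.100.9", "dst": "0.0.0.0"},
]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def _parse(ev):
    return (
        datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S"),
        ipaddress.ip_address(ev["src"]),
        ipaddress.ip_address(ev["dst"]),
    )


def filter_by_source_only(events, scanners=AUTHORIZED_SCANNERS):
    """Naive drop rule keyed on the scanner's source address.

    Returns the (src, dst) pairs that survive. Every "0.0.0.0 -> victim" half
    survives, which is exactly the leftover the post is worried about.
    """
    return [
        (ev["src"], ev["dst"])
        for ev in events
        if not _in_any(ipaddress.ip_address(ev["src"]), scanners)
    ]


def pair_and_suppress(events, scanners=AUTHORIZED_SCANNERS,
                      targets=INTERNAL_TARGETS, window=PAIR_WINDOW):
    """Pair each scanner-sourced half with the nearest unpaired placeholder-sourced
    half that names an internal victim within `window`, suppress both halves, and
    keep the (scanner, victim) pairing as an audit record.

    Returns (pairs, surviving) where surviving is the list of (src, dst) strings
    that were NOT suppressed. Halves with no partner are left alone, so anything
    that cannot be attributed to the authorized scanner still alerts.
    """
    parsed = sorted((_parse(ev) for ev in events), key=lambda t: t[0])
    suppressed = set()
    pairs = []
    for i, (ts, src, dst) in enumerate(parsed):
        if not (_in_any(src, scanners) and dst == PLACEHOLDER):
            continue
        for j, (ts2, src2, dst2) in enumerate(parsed):
            if j == i or j in suppressed:
                continue
            if src2 == PLACEHOLDER and _in_any(dst2, targets) \
                    and abs(ts2 - ts) <= window:
                suppressed.update({i, j})
                pairs.append((str(src), str(dst2)))
                break
    surviving = [(str(s), str(d)) for k, (_, s, d) in enumerate(parsed)
                 if k not in suppressed]
    return pairs, surviving


if __name__ == "__main__":
    print("source-only filter leaves:", filter_by_source_only(SAMPLE_EVENTS))
    pairs, left = pair_and_suppress(SAMPLE_EVENTS)
    print("paired scanner->victim:", pairs)
    print("still alerting:", left)
```

The pairing approach is deliberately conservative: a scanner-sourced half with no matching victim half inside the window, or a placeholder-sourced half with no authorized scanner nearby, is not dropped, so only incidents that can be tied to the authorized scanner are silenced, and the scanner-to-victim mapping is retained for review.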