Tuning Sudden Increase to Port Traffic

Unanswered Question
Oct 3rd, 2008

I am looking for suggestions on tuning sudden increase to port traffic for MARS.

We have a third party that we do not want to be actively alerted when they perform their scan. This gives us one set of IP addresses they use to scan.

Next are our internal networks that are the target of those scans, which gives us a second source.

Unfortunately, MARS is reporting these flows as Source Target (Int Host) and Source (Scan Co.) Target

Anyone have any suggestions? I'm worried if I filter by source, I'll lose that portion of the correlation and be left with just the victim IP of the scan, which tells me little.
