Netflow granularity

Unanswered Question
Apr 15th, 2009
User Badges:

I have a student who wants to turn on Netflow on his WAN links but he has a concern. The WAN is not heavily utilized during the day, file sharing and Citrix traffic are not heavy. However, during the night traffic levels spike due to backup traffic and iSCSI replication. I understand that MARS baselines traffic with Netflow for 7 days and then starts generating anomaly based incidents. My question: what does MARS do for the baseline? Is it an average amount of traffic for the 7 day period? Is it an average based on different time periods during the day?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading. Tue, 04/21/2009 - 15:17
User Badges:
  • Silver, 250 points or more

When MARS is configured to work with NetFlow, you can take advantage of NetFlow's anomaly detection using statistical profiling, which can pinpoint day zero attacks like worm outbreaks. MARS uses NetFlow data to accomplish the following:

• Profile the network usage to determine a usage baseline

• Detect statistically significant anomalous behavior in comparison to the baseline

• Correlate anomalous behavior to attacks and other events reported by network IDS/IPS systems

dougnotini Sun, 05/03/2009 - 16:45
User Badges:

Thank you for the response. However, I understood all of that before I posted the question. My question is rather specific about how MARS does those things. Do you have any information along those lines? Thanks again.


This Discussion