04-15-2009 10:49 AM
I have a student who wants to turn on NetFlow on his WAN links, but he has a concern. The WAN is not heavily utilized during the day; file sharing and Citrix traffic are not heavy. However, during the night traffic levels spike due to backup traffic and iSCSI replication. I understand that MARS baselines traffic with NetFlow for 7 days and then starts generating anomaly-based incidents. My question: what does MARS do for the baseline? Is it an average amount of traffic for the 7-day period? Is it an average based on different time periods during the day?
04-21-2009 03:17 PM
When MARS is configured to work with NetFlow, you can take advantage of NetFlow's anomaly detection using statistical profiling, which can pinpoint day zero attacks like worm outbreaks. MARS uses NetFlow data to accomplish the following:
• Profile the network usage to determine a usage baseline
• Detect statistically significant anomalous behavior in comparison to the baseline
• Correlate anomalous behavior to attacks and other events reported by network IDS/IPS systems
05-03-2009 01:29 AM
Hi,
Can you just tell how we can configure baselining in MARS?
Regards,
Mubasher
05-03-2009 04:45 PM
Thank you for the response. However, I understood all of that before I posted the question. My question is rather specific about how MARS does those things. Do you have any information along those lines? Thanks again.