MARS Web Audit/Alert

Unanswered Question
May 7th, 2009

Hi All,


I need to be able to alert on large bandwidth spikes for specific WAN traffic and also alert when the same IP accesses an internal webserver multiple times within a time frame or exceeds a bandwidth limit.


Could anyone tell me if this is possible to achieve with MARS? All comms is IOS and ASA, no NetFlow from switches as 3750's and webservers IIS.


Any advice would be appreciated.


Thanks


Lee

mhellman Mon, 05/18/2009 - 08:26

"I need to be able to alert on large bandwidth spikes for specific WAN traffic"


If the WAN traffic crosses a firewall (ASA), the MARS may be able to already do this. Otherwise, netflow is your best chance for this in the MARS environment. See event "sudden increase in traffic to a port". The problem is that it is not configurable (and the incidents are barely comprehensible IMHO). You might look to other tools to gather this information from existing logs or netflow and then send alerts to MARS.


"alert when the same IP accesses an internal webserver multiple times within a time frame"


Multiple accesses within a timeframe is easy. Create an inspection rule that uses SAME for source IP address, webserver IP for destination IP, 80 for destination port and appropriate count and time values. What are you after here though? HTTP in general requires multiple requests to display even a single "page" (browser must download images, CSS, JavaScript, etc).


"or exceeds a bandwidth limit."


Exceeds a bandwidth limit, AFAIK can't do with MARS. I would look to another tool to solve this need. You can probably feed that tool's "alerts" into MARS.
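
One way to build the external check the answer above points to, as an added example that is not part of the original thread: it reads ASA `%ASA-6-302014` teardown messages and flags a source IP whose connection count or byte total to one web server exceeds a limit inside a sliding window. The collector timestamp prefix, host name, addresses, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASA 302014 teardown record. Assumptions: the collector prefixes an ISO timestamp,
# and clients connect inbound, so the first endpoint is the client.
TEARDOWN = re.compile(
    r"^(?P<ts>\S+) .*%ASA-6-302014: Teardown TCP connection \d+ for "
    r"\S+?:(?P<src>[\d.]+)/\d+ to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration \S+ bytes (?P<bytes>\d+)")

def detect(lines, server, port=80, window_s=60, max_conns=3, max_bytes=1_000_000):
    """Return (timestamp, src, reason) alerts; lines must be in time order."""
    window = timedelta(seconds=window_s)
    seen = defaultdict(deque)          # src -> deque of (time, bytes)
    alerts = []
    for line in lines:
        m = TEARDOWN.search(line)
        if not m or m["dst"] != server or int(m["dport"]) != port:
            continue                   # not a teardown to the watched server
        now = datetime.fromisoformat(m["ts"])
        q = seen[m["src"]]
        q.append((now, int(m["bytes"])))
        while q and now - q[0][0] > window:
            q.popleft()                # drop entries older than the window
        if len(q) > max_conns:         # same source, too many connections
            alerts.append((m["ts"], m["src"], "count"))
        if sum(b for _, b in q) > max_bytes:   # same source, too many bytes
            alerts.append((m["ts"], m["src"], "bytes"))
    return alerts

def sample_line(ts, src, nbytes):
    """Build one constructed 302014 record for the sample below."""
    return (f"{ts} asa1 %ASA-6-302014: Teardown TCP connection 1 for "
            f"outside:{src}/40000 to inside:10.0.0.10/80 duration 0:00:01 "
            f"bytes {nbytes} TCP FINs")

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = [
    sample_line("2009-05-18T08:26:01", "203.0.113.5", 500),
    sample_line("2009-05-18T08:26:05", "203.0.113.5", 700),
    sample_line("2009-05-18T08:26:10", "198.51.100.7", 2_000_000),
    sample_line("2009-05-18T08:26:20", "203.0.113.5", 300),
    sample_line("2009-05-18T08:26:30", "203.0.113.5", 400),
    sample_line("2009-05-18T08:28:00", "203.0.113.5", 100),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, "10.0.0.10"):
        print(alert)
```

Because one page view opens several connections, `max_conns` needs to sit well above what a normal browser session produces for the site.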

