Unanswered Question
Dec 30th, 2005

Does anyone know how CS-MARS displays anomalies detected through NetFlow? Documentation says the HTML interface will display NetFlow anomaly detection, but I do not see where a specific NetFlow report is displayed.

l.warner Wed, 01/04/2006 - 10:22

You'll see the sudden increase in traffic to port event fire once an anomaly is detected. If you then look at the details of the event you'll see output that looks something like this:

Traffic anomaly to host x.x.x.x at port 80. Flow/Session count this hour is 9164, Mean is 0, Variance is 0.

