
New Member

Event sessionization time frame

Hi, everybody.

According to the docs, a session is a collection of events within a predefined time frame that share common end-to-end information. Does anybody know this time frame?

I didn't find it using google :)

Thanks in advance!

2 REPLIES
Cisco Employee

Re: Event sessionization time frame

Hi,

Sessions are based off of a 5-tuple match: Source IP address, Destination IP address, Source Port, Destination Port, and timestamp. Timestamps are figured based on the time the packets were received, as timestamps could be off on the reporting devices.

Additionally there is some room to account for devices that do not send data immediately such as when polling Windows servers for log files instead of using a Snare agent.

New Member

Re: Event sessionization time frame

Thanks for your answer!

But I still don't have a clear understanding.

Imagine that the processing was as follows:

1. At 9:30:31 MARS polls for IPS before NAT via SDEE and receives an alert with particular AaBb

2. At 9:31:15 MARS polls for IPS after NAT via SDEE and receives an alert for the same attack with AaB`b

3. At 9:32:10 MARS receives event from CSA MC indicating the same attack is in progress.

4. MARS consults NAT translation table and determines that all three events have the same AaBb.

The questions are:

1. The events will be sessionized based on the timestamps in these alerts (and these events will be closer) or based on the MARS receive time (and these events will be treated as for a longer period)?

2. And if the second action will take place - what is the deadline, after which the alert from the IPS after NAT will be considered as an event from a new session?

Thanks in advance!
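To make the difference between the two sessionization choices concrete, here is a small added Python sessionizer. It is illustration only, not Cisco MARS code and not a statement of what MARS actually does: the 50-second window, the NAT table, the field names and the three sample events (modelled on the three steps above) are all constructed. It keys events on the NAT-normalized 4-tuple of addresses and ports, as in the reply, and then groups them either by the reporting device's own timestamp or by the collector's receive time, which is exactly the distinction the second question asks about.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# Hypothetical window; the thread does not state the value MARS actually uses.
SESSION_WINDOW = timedelta(seconds=50)

FiveTuple = Tuple[str, str, int, int]


@dataclass
class Event:
    source: str            # reporting device (constructed label)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    device_ts: datetime    # timestamp written by the reporting device
    received_ts: datetime  # time the collector received the event


# Constructed NAT translation table: translated (outside) address -> inside address.
NAT_TABLE: Dict[str, str] = {"203.0.113.10": "10.1.1.10"}


def normalize(ev: Event) -> FiveTuple:
    """Undo NAT so pre-NAT and post-NAT reports of the same flow share one key."""
    return (NAT_TABLE.get(ev.src_ip, ev.src_ip),
            NAT_TABLE.get(ev.dst_ip, ev.dst_ip),
            ev.src_port, ev.dst_port)


def sessionize(events: List[Event], window: timedelta = SESSION_WINDOW,
               use_receive_time: bool = True) -> List[Tuple[FiveTuple, List[Event]]]:
    """Group events by normalized 5-tuple; a gap larger than `window` between
    consecutive events of one tuple closes the session and opens a new one."""
    ts: Callable[[Event], datetime] = (
        (lambda e: e.received_ts) if use_receive_time else (lambda e: e.device_ts))
    closed: List[Tuple[FiveTuple, List[Event]]] = []
    open_sessions: Dict[FiveTuple, List[Event]] = {}
    for ev in sorted(events, key=ts):
        key = normalize(ev)
        current = open_sessions.get(key)
        if current is not None and ts(ev) - ts(current[-1]) > window:
            closed.append((key, current))   # gap too large: close the old session
            current = None
        if current is None:
            current = open_sessions[key] = []
        current.append(ev)
    return closed + list(open_sessions.items())


def session_members(events: List[Event], **kwargs) -> List[List[str]]:
    """Report sessions as lists of the reporting-device labels they contain."""
    return [[e.source for e in evs] for _, evs in sessionize(events, **kwargs)]


def _t(hms: str) -> datetime:
    """Build a constructed timestamp on a fixed date from 'H:MM:SS'."""
    return datetime(2024, 1, 1, *map(int, hms.split(":")))


# Constructed events following the three steps in the follow-up question:
# device timestamps are a few seconds apart, receive times are minutes apart.
SAMPLE_EVENTS = [
    Event("IPS-before-NAT", "10.1.1.10", "192.0.2.5", 40001, 80, _t("9:30:01"), _t("9:30:31")),
    Event("IPS-after-NAT", "203.0.113.10", "192.0.2.5", 40001, 80, _t("9:30:03"), _t("9:31:15")),
    Event("CSA-MC", "10.1.1.10", "192.0.2.5", 40001, 80, _t("9:30:06"), _t("9:32:10")),
]

if __name__ == "__main__":
    print("by device timestamp:", session_members(SAMPLE_EVENTS, use_receive_time=False))
    print("by receive time:   ", session_members(SAMPLE_EVENTS, use_receive_time=True))
```

With the constructed values, keying on the device timestamps puts all three reports in one session, while keying on receive time splits the CSA MC event off into a second session because the polling delay exceeds the window. That is the effect to keep in mind when a collector prefers its own receive time to device clocks: the window then has to absorb polling and forwarding delays, not just clock skew.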
