Cisco Support Community
Community Member

Tuning Sudden Increase to Port Traffic

I am looking for suggestions on tuning sudden increase to port traffic for MARS.

We have a third party that we do not want to be actively alerted when they perform their scan. This gives us one set of IP addresses they use to scan.

Next are our internal networks that are the target of those scans, which gives us a second source.

Unfortunately, MARS is reporting these flows as Source 0.0.0.0 Target (Int Host) and Source (Scan Co.) Target 0.0.0.0.

Anyone have any suggestions? I'm worried if I filter by source, I'll lose that portion of the correlation and be left with just the victim IP of the scan, which tells me little.

1 REPLY
Community Member

Re: Tuning Sudden Increase to Port Traffic

Have you tried to set that particular session as a false positive? (I hope you know that.) You can tune the false positive for a particular source/destination on a per-session basis. Once you do that, try and see if it still reports as a scan.

Mohsin
