I typically let MARS run 'passively' for at least 2 weeks, but preferably for about a month. I do this so that MARS can attempt to learn about network patterns, etc. Most of the implementations I have done are centered around the networking equipment, firewalls, IDS/IPS, VPN, etc., but I have done a few with Windows servers/desktops. I have had pretty good success with basic Windows server/desktop logging using Snare. I haven't had much success at all with database servers. Oracle database servers, for example, are currently only supported with one database instance per server. In every instance except one that I have run into, the Oracle servers have more than one database instance running on them. In that case, you can only get logs from the first instance you create on that server (in MARS). Currently there is no SQL database support in MARS at all. This is rather frustrating in my opinion. I'm not sure of the real reasoning behind this, but it's not there. All of that being said, I have had several instances where MARS was able to detect malicious activity going on and let me know exactly where it was coming from and how. One instance was a desktop that was running RDP. A user was attempting to log into servers repeatedly with user accounts. MARS flagged this and alerted us that it was going on. This happened within about 30 minutes of MARS being installed. The security team went to that workstation and they fired that guy that day. I have also had great success tracking down devices with viruses. I am a believer in MARS, but still think it has some shortcomings when it comes to applications and databases. Hopefully 6.0 will open this up for us with the parser import/export ability.
Yes, I completely forgot to mention that. I do send NetFlow to MARS, as it helps greatly with the correlation of events that MARS receives. It gives MARS that 'snapshot' of the traffic at that moment. That way you are also seeing the traffic pattern through routers/switches that normally wouldn't log that traffic.
If you have an FWSM etc. sending level 7 messages to the MARS, you can (sometimes) skip the NetFlow part.
We have not enabled NetFlow for one of our customers, and the MARS is able to generate alarms for all sorts of traffic anomalies. However, we might not be able to know about any DoS attacks on our perimeter router, though!
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...