I've recently implemented a CS-MARS, and have a question regarding the amount of netflow data the system receives. There are around 20 routers sending netflow to the box, and the amount of netflow data received over the last month shows a downward trend.
I'm not sure why this should be. I've been told that it's to do with the MARS learning its baseline, but I'm not convinced by this comment. The counter I'm referring to is the daily one under the events on the summary page.
Can altering the rules by restricting the source IP addresses affect the received netflow event counter? I would have thought not, but again I'm not sure.
It's possible that the variance in the daily netflow event rate is due to normal network traffic rates.
I just need to understand if the rate change is due to normal traffic patterns or something I have changed on the MARS. If altering rules on the MARS doesn't affect the received netflow event counter then it must be the day-to-day traffic rates.
An inspection rule is a real-time filter that detects interesting patterns of network activity. These patterns can signify attacks or false positives, and they inform you of network configuration errors and other anomalous network behavior. An attack might be straightforward, or it could be a probe, an attack, and then a follow-up to the attack. Whatever the method of attack, attacks share common traits, and you can use rules to define these traits to identify and mitigate attacks.