Cisco Support Community

MARS, netflow and rules

I've recently implemented a CS-MARS, and have a question regarding the amount of netflow data the system receives. There are around 20 routers sending netflow to the box, and the amount of netflow data received over the last month shows a downward trend.

I'm not sure why this should be. I've been told that it's to do with the MARS learning its baseline, but I'm not convinced by this comment. The counter I'm referring to is the daily one under the events on the summary page.

Can altering the rules by restricting the source IP addresses affect the received netflow event counter? I would have thought not, but again I'm not sure.

It's possible that the variance in the daily netflow event rate is due to normal network traffic rates.

I just need to understand if the rate change is due to normal traffic patterns or something I have changed on the MARS. If altering rules on the MARS doesn't affect the received netflow event counter then it must be the day-to-day traffic rates.


Re: MARS, netflow and rules

An inspection rule is a real-time filter that detects interesting patterns of network activity. These patterns can signify attacks or false positives, and they inform you of network configuration errors and other anomalous network behavior. An attack might be straightforward, or it could be a probe, an attack, and then a follow-up to the attack. Whatever the method of attack, attacks share common traits, and you can use rules to define these traits to identify and mitigate attacks.

Refer to this link for more information