topic Re: Creating a query or report in MARS in Network Security

Creating a query or report in MARS

dfreemire — Sun, 10 Mar 2019 10:14:09 GMT

I need to create reports for two things:

How many users (IPs) hit our website more than once per day,

and How many users browse our site for more than 20 minutes at a time.

Since these "events" are normal and not breaking any "rules" can I query or report on them?

I have an FWSM and an IDSM2 behind that (inside) logging to the MARS.

mhellman — Fri, 22 Sep 2006 17:34:05 GMT

Because of the way the HTTP protocol works,

what you're asking for would be very difficult [if not impossible] to do reliably based soley on events coming info CSMARS from FWSM and IDSM2.

If you really want to do this, your best bet is to use a tool to analyze the actual web server logs.

dfreemire — Fri, 22 Sep 2006 19:21:55 GMT

Thanks, I needed a sanity check.

I was able to do a query that I believe gave me the "top source" ip's for my site but the duration was not doable.

-Scott