CS-Mars <- Netflow

curt

I'm having a problem understanding what Mars does with netflow information it receives (from routers).

As recommended, we configured Mars to process but not save netflow into db. The statistics do seem to appear in standard and scheduled reports ... e.g., events and netflow, top IP sources/destinations, and custom scheduled reports.

These reports list sessions from IP addresses on our private network (inside). Inline query on these reported addresses yield zero results of events, sessions, or raw data.

My assumption is that Mars receives the (completed) netflow session info from the router(s) and does something with it ... my question is, where does it go, and how can I query it?

In practical terms, the top source/dest reports itemize certain of our hosts (IPs) that generate > 100,000's of sessions each day and we'd like to find out what they're doing, but inline queries don't yield anything.

TIA


John, thanks for the references.

I had read much of it and had subsequently directed NetFlow from the routers to our Mars. The data must be arriving because of the info that is being presented in the reports.

The problem is that I can't figure out how to "drill down" to investigate hosts/sessions ... nothing is ever returned. The data must be there in some form because the report "window" can be changed, with results.

In the "deep dark hours of the night", I turned on saving of NetFlow for a while. I was still unable to query anything (and turned it off).

If you have any idea of where (on Mars) we can get at the data, it would be appreciated. If not, thanks very much for your effort anyway.

It does take a while before Cisco MARS has enough traffic to make proper use of it. The first time I set up Netflow it took three weeks before I would see events with netflow data. It takes a while to baseline the traffic. It will find things like port scanners etc.

You should be able to see the data in raw logs for each device.

Thank you for the follow-up.

It appears I'm just too impatient.

I'm having the exact same issue.  Allegedly there are devices that are exporting Netflow data, but I cannot 'see' it and I am in dire need of help.

Hi Kurt and Racquel,

As you know, Netflow is not stored by default and this is why you have trouble viewing it in a query.  However, even in this state you can view it, albeit in real time only.  So, if you were to set up a real time query and filter on a device sending Netflow, it should show up in the query.  To further filter, you can add a keyword of "Netflow" (case sensitive) to the query under the keyword heading on the query page, so, you can narrow the results.  Here is the link on real time queries:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.1/user/guide/combo/q_report.html#wp682040

Here is an example of the query and you can see the Netflow showing up (taken from my MARS NOT storing Netflow):

Query Event Data
Click the cells below to change query criteria:

Query type: Event Raw Messages ranked by Time, Real Time (raw events)

Source IP: ANY | Destination IP: ANY | Service: ANY | Events: ANY | Device: ANY | Reported User: ANY | IPS Risk Rating: ANY | IPS Threat Rating: ANY | IPS Global Correlation Score: ANY | Keyword: Netflow | Operation: None | Rule: ANY | Action: ANY

Query Results

Event ID Event Type Time Reporting Device Raw Message
1032448044 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 504 , packets: 2 
1032448045 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 504 , packets: 2 
1032448046 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 410 , packets: 2 
1032448047 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 120 , packets: 2 
1032448048 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 120 , packets: 2 
1032448049 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 60 , packets: 1 
1032448050 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 432 , packets: 1 
1032448051 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 432 , packets: 1 
1032448052 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 207 , packets: 1 
1032448053 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 227 , packets: 1 
1032448054 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 227 , packets: 1 
1032448055 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 60 , packets: 1 
1032448056 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT name  Cisco Netflow : bytes: 60 , packets: 1 
1032448057 Built/teardown/permitted IP connection  Oct 22, 2010 5:59:54 PM CDT name  Cisco Netflow : bytes: 206 , packets: 5

Once you change your settings to store Netflow, as it sounds like you have done, the Netflow events are stored in the database just as any other event.  In fact, the performance numbers go way down on MARS because of this.  So, take for example the MARS 110 specs:

Events Per Second    Netflow Events Per Second
4500                 75,000

When you store Netflow, all events including netflow are limited to the 4500 number.  So, this is why it is not recommended to do so in most cases.  However, when you store netflow, you should then be able to query them as you would any event, as it is treated pretty much like any other event.  You can always do an "all matching events raw message" query and use a keyword "Netflow" to find these events if need be.

Don't forget to narrow down your query enough so that you don't return too many events.  So, in addition to putting in a keyword of "Netflow", also filter on a single device (perhaps a slower device in terms of EPS), to help reduce the amount of events.  Note that my example above was done in a lab.

I hope this helps,

Ron
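An added example, not from this thread or from Cisco's MARS code, that parses rows in the raw-message format Ron quotes above, applies the same case-sensitive "Netflow" keyword match, and totals bytes and packets per reporting device (the drill-down the thread is asking for). The sample rows and device names are constructed.

```python
import re
from datetime import datetime

# Constructed sample rows in the shape of the MARS real-time "Event Raw Messages"
# query output quoted above; device names and values are made up.
SAMPLE_ROWS = """\
1032448044 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT rtr1  Cisco Netflow : bytes: 504 , packets: 2
1032448045 Built/teardown/permitted IP connection  Oct 22, 2010 6:00:08 PM CDT rtr1  Cisco Netflow : bytes: 410 , packets: 2
1032448046 Built/teardown/permitted IP connection  Oct 22, 2010 5:59:54 PM CDT rtr2  Cisco Netflow : bytes: 206 , packets: 5
1032448047 Built/teardown/permitted IP connection  Oct 22, 2010 5:59:54 PM CDT fw1  Built inbound TCP connection
"""

# Row layout: Event ID, Event Type, Time, Reporting Device, Raw Message.
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<type>.+?)\s{2,}"
    r"(?P<time>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \w+ "
    r"(?P<device>\S+)\s+(?P<raw>.*)$")
NETFLOW_RE = re.compile(r"Cisco Netflow : bytes: (?P<bytes>\d+) , packets: (?P<packets>\d+)")

def parse_rows(text):
    """Turn query rows into dicts; NetFlow rows get integer bytes/packets, others None."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or blank line
        nf = NETFLOW_RE.search(m["raw"])
        records.append({"id": int(m["id"]), "device": m["device"], "raw": m["raw"],
                        "time": datetime.strptime(m["time"], "%b %d, %Y %I:%M:%S %p"),
                        "bytes": int(nf["bytes"]) if nf else None,
                        "packets": int(nf["packets"]) if nf else None})
    return records

def keyword_filter(records, keyword="Netflow"):
    """Mirror the MARS keyword box, which the post notes is case sensitive."""
    return [r for r in records if keyword in r["raw"]]

def summarize(records):
    """Per-device NetFlow event count and byte/packet totals."""
    per_device = {}
    for r in records:
        if r["bytes"] is None:
            continue  # not a NetFlow raw message
        d = per_device.setdefault(r["device"], {"events": 0, "bytes": 0, "packets": 0})
        d["events"] += 1
        d["bytes"] += r["bytes"]
        d["packets"] += r["packets"]
    return per_device
```

Paste the rows of a real-time query into SAMPLE_ROWS (or read them from a file) to get per-device totals for the window you are watching.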

Thank you sooo much, Ron!  I had been pulling my hair out with this one.  I will give it a go and let you know!

Ron,

Thank you so much.  I am now able to see the realtime messages in MARS.  Thank you again sooo much!

Ron,

This is good information, I have a similar case that I think is caused by the information from netflow.

https://supportforums.cisco.com/thread/2050285

Basically, when I do a query I don't get as many "hits" as the pre-configured query. Would that be the same case?

Thank you

PS. People, there is a button that marks whether your question is answered; let's use it, as it makes it easy to find similar cases to ours!

As a matter of fact I have looked for that button!  Where is it?  I do want to mark this as answered.

Racquel,

Only the owner of the post can mark it as answered, but we readers can rate with the "stars".
