Those of you who are familiar enough with MARS, can you please tell me how come MARS starts creating incidents with the above-said event type: Sudden increase of traffic to a port. If I go to the incident details I see that the reporting device is MARS itself. And the raw message that created this incident looks as follows:
%MARS-1-100001 Traffic anomaly from host 10.10.253.90 at port 8080. Flow/Session count this hour is 4140, Mean is 0, Variance is 0.
This IP belongs to the local load balancer devices (Big IP). I understand that MARS treats it as a kind of anomaly, but how does it know about it?
If this is its own dynamic anomaly detection mechanism, where would I find out more about it?
As you indicated near the end of your post, this is a CS-MARS generated event based on the CS-MARS anomaly detection routines. These routines use statistical analysis of traffic flows (usually sent to the CS-MARS via netflow). You can find the details in the following link:
I would understand it, Scott, but the point is that no Netflow data are being sent to MARS. It makes me think that MARS does some sort of analysis by itself. How, what and how often? Where can I see its configuration and details? This is a question.
Are you sure no devices are sending NetFlow? Not just this load balancer, but other reporting devices like switches/routers/ASAs? That seems like the most likely source for this data.
What about SNMP reporting devices? There's an outside chance of some SNMP reported data being the source, but I would doubt it.
I swear it under oath.
We've deployed a demo MARS box and added a few devices only, no Netflow at all. SNMP is configured indeed. I mean SNMP RO and networks to monitor and make discoveries.
The CS-MARS event MARS-1-100001 can be generated as the result of several different incoming device events. You can review the composition of the event type by navigating to:
This should be the first event in the list. Click the event description (Sudden increase of traffic to a port). This will open a new window that will further explain the event. Within this new window you can see the Event Type Groups that feed this event type (DoS/ALL and DoS/Network/Misc). You can further expand the events within these two groups.
CS-MARS may be correlating multiple events over time from these event groups.
Sorry to resurrect this old post, but I'm having the same problem. I'm trying to convert this rule/report over to Splunk since that is what we bought to replace MARS. MARS doesn't seem to give details on exactly what it's doing to trigger this rule. I know it's looking in those event type categories, but I can't find the logic on how many times within X time frame over Y address to Z port. Also, it must be pulling information from the IPS as well as the ASA syslogs. I do not have Netflow going to MARS, but SNMP is. Splunk does have some Netflow going to it, but getting it to parse that information and give what we need is another story.
Thanks to anyone that can help.
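The kind of statistical check Scott describes (a per-host/port hourly flow count compared against the mean and variance of earlier hours), and the "how many within what time frame to which address and port" logic the last poster wants to reproduce outside MARS, as an added example. This is not code from the thread, from Cisco, or from CS-MARS itself: the aggregation window (one hour), the threshold (k standard deviations plus an absolute floor) and the sample flow records are all assumptions, and the 10.10.253.90:8080 pair is only borrowed from the raw message in the first post to show how a 0/0 baseline produces a line like that one.

```python
from collections import defaultdict
from statistics import mean, pvariance

# Constructed sample flow records: (hour bucket, destination host, destination port).
# Hypothetical data for illustration; the host/port pair mirrors the raw message in the thread.
SAMPLE_FLOWS = (
    [("2010-03-01T10", "10.10.253.90", 8080)] * 3
    + [("2010-03-01T11", "10.10.253.90", 8080)] * 4
    + [("2010-03-01T12", "10.10.253.90", 8080)] * 4140   # the burst hour
    + [("2010-03-01T10", "10.10.1.5", 443)] * 50
    + [("2010-03-01T11", "10.10.1.5", 443)] * 55
    + [("2010-03-01T12", "10.10.1.5", 443)] * 52          # steady traffic, must not alert
)


def hourly_counts(flows):
    """Aggregate flow records into {(host, port): {hour: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for hour, host, port in flows:
        counts[(host, port)][hour] += 1
    return counts


def baseline(previous_counts):
    """Mean and population variance of the earlier hourly counts.

    With no history at all this returns (0, 0), which is exactly the
    'Mean is 0, Variance is 0' situation seen in the raw message."""
    if not previous_counts:
        return 0.0, 0.0
    return mean(previous_counts), pvariance(previous_counts)


def is_sudden_increase(current, avg, var, k=3.0, min_delta=100):
    """Flag when the current hour exceeds the baseline by k standard deviations
    AND by an absolute floor (assumed thresholds, not MARS's own).

    The floor matters for the edge case of a 0/0 baseline (first hour, or a
    port that was quiet so far): without it, a single flow would be 'anomalous'."""
    sigma = var ** 0.5
    return current > avg + k * sigma and current - avg >= min_delta


def detect(flows, target_hour, **thresholds):
    """Return MARS-style anomaly lines for target_hour, one per (host, port)
    whose count in that hour trips the check against its earlier hours."""
    alerts = []
    for (host, port), by_hour in sorted(hourly_counts(flows).items()):
        current = by_hour.get(target_hour, 0)
        history = [c for h, c in by_hour.items() if h < target_hour]  # ISO hours sort as strings
        avg, var = baseline(history)
        if is_sudden_increase(current, avg, var, **thresholds):
            alerts.append(
                f"%MARS-1-100001 Traffic anomaly from host {host} at port {port}. "
                f"Flow/Session count this hour is {current}, Mean is {avg:g}, Variance is {var:g}."
            )
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_FLOWS, "2010-03-01T12"):
        print(line)
```

When the burst hour is the only hour observed for that host/port, `baseline` has no history, the mean and variance are both 0, and the output reproduces the thread's message word for word; with two quiet hours of history the same burst is still flagged, but now with a non-zero mean and variance in the line. The steady 443 traffic stays within three standard deviations of its baseline and produces nothing, which is the property a Splunk replacement of the rule needs to preserve.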