Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
827
Views
0
Helpful
1
Replies

Viewing Netflow Generated Incidents in MARS

Racquel_Mays
Level 1
Level 1

‎11-03-2010 08:01 AM

Hello,

I am able successfully view Cisco MARS netflow messages in the GUI.  However, how can I tell if any of the netflow details that I am seeing real-time have generated an incident?  I have run the report "Activity: All Events and Netflow- Top Destinations Ports (Peak View)", but I can not distinguish the netflow details.  Is there another report that I can run/rule which either exists or could be created that speaks specifically to Netflow Generated Incidents?

Labels:
0 Helpful
1 Reply 1

Scott Fringer
Cisco Employee
Cisco Employee

‎11-08-2010 04:35 AM

Racquel;

  There is not a specific report that will indicate incidents created specifically on netflow data.  In general, CS-MARS uses netflow data to detect anomalous network behavior through statistical analysis.  Over time, CS-MARS develops a baseline of traffic behavior using the netflow data.  Once the baseline is developed, CS-MARS will compare netflow data against the baseline and alert when an increase in traffic is detected.  This is outlined here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgOver.html#wp180410

  The CS-MARS 'Sudden Traffic Increase...' incidents are related to netflow-based analysis.

  These details are used in conjunction with other events received by the CS-MARS for more effective correlation and incident generation.

Scott

0 Helpful
Customers Also Viewed These Support Documents