I am trying to find a signature that will tell my IPS to notify me when it sees any IP source address come from the network behind my IPS that was not in that subnet range. Is there an existing signature I may have looked over in my IPS or has anyon...
I have my Honeyd servers piping to our MARS box and I am trying to get the reports to show something useful. Currently all I get are a bunch of "Unknown Device Event Types". What must I do in order for MARS to see this as readable data that I can p...
Is there another report that can be used to track real botnets? The sites they return in this report are not Botnets. Most are ad sites, analytics, etc. Not sure how Cisco is actually calling this report a Botnet Traffic Filter. Any ideas?
Looks like the data is coming over (I have X'ed out my IPs in the data below). I am getting a bunch of data like what is shown below:
10:16:42.087672 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto 17, length: 171) X.X.X.58.51814 > hqMARSapp....
Siddharth, the servers are added correctly and the Source IP is the IP of the physical server hosting the virtual honeypots. The virtual honeypots do not send the events; rather, the physical server itself forwards them to MARS.