Using Logalot to send customized e-mail to Scrutinizer devices by group

Posted in General, Logalot, Scrutinizer on February 28th, 2009 by Raul J Duran

One of our customers called wanting to know if he could send customized e-mail notifications to the network administrators in charge of different groups of devices within Scrutinizer.

Here’s the situation:

The customer has about five different groups broken down by region like North America, Asia Pac, Europe, and so forth. These regions are managed by different teams of administrators in those areas.

When a problem arises on a device in Scrutinizer, he wants e-mails sent to the response team in charge of that area and of that device.  He didn’t want the team to be bombarded with redundant e-mails of the problem.

The solution is to install the Logalot add-on to the Scrutinizer server and configure its notification engine to intelligently route notifications any way you want.

Logalot is a policy-based log manager that can listen for syslogs coming from Scrutinizer when an alarm is triggered.   We can create a Logalot policy for each device in a group that would send an e-mail to the person or group responsible for the device that has triggered the alarm.  We can even color code each device policy the same way for each group for easy identification and management on the Logalot Bulletin Board and policy manager.   Logalot is also flexible enough so that you can configure it to send notifications every 5 minutes, or only once until it’s resolved.
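The routing and suppression behaviour described above, as an added example that is not Logalot's or Scrutinizer's own code: device-to-region and region-to-contact tables are constructed assumptions, the alarm syslog layout (`device=... alarm=... state=raised|cleared`) is invented for the example since the post does not show the real line format, and `repeat_every` selects between "notify every N minutes" and "notify once until resolved".

```python
import re
from datetime import datetime, timedelta

# Constructed routing tables (assumption: not Logalot's own configuration format).
DEVICE_REGION = {
    "rtr-bos-01": "North America",
    "rtr-tok-01": "Asia Pac",
    "rtr-ams-01": "Europe",
}
REGION_CONTACT = {
    "North America": "noc-na@example.com",
    "Asia Pac": "noc-apac@example.com",
    "Europe": "noc-eu@example.com",
}
DEFAULT_CONTACT = "noc-global@example.com"  # devices that belong to no group

# Constructed alarm line layout; the real Scrutinizer syslog text is not shown in the post.
ALARM_RE = re.compile(
    r"device=(?P<device>\S+)\s+alarm=(?P<alarm>\S+)\s+state=(?P<state>raised|cleared)"
)


class AlarmRouter:
    """Route each alarm to its region's team and suppress repeats of the same alarm.

    repeat_every=None sends one e-mail per alarm until it is cleared; a timedelta
    re-sends once that interval has passed (the post's "every 5 minutes" option).
    """

    def __init__(self, repeat_every=None):
        self.repeat_every = repeat_every
        self.last_sent = {}  # (device, alarm) -> time of the last e-mail

    def handle(self, line, now):
        """Return the e-mail to send for this syslog line, or None if nothing goes out."""
        m = ALARM_RE.search(line)
        if not m:
            return None  # not a Scrutinizer alarm; other policies would handle it
        device, alarm, state = m.group("device", "alarm", "state")
        key = (device, alarm)
        if state == "cleared":
            self.last_sent.pop(key, None)  # the next 'raised' counts as a fresh event
            return None
        last = self.last_sent.get(key)
        if last is not None and (self.repeat_every is None or now - last < self.repeat_every):
            return None  # duplicate inside the suppression window
        self.last_sent[key] = now
        region = DEVICE_REGION.get(device)
        return {
            "to": REGION_CONTACT.get(region, DEFAULT_CONTACT),
            "subject": f"[{region or 'Unassigned'}] {alarm} on {device}",
            "body": line,
        }


# Constructed syslog lines with the times they arrived.
T0 = datetime(2009, 2, 28, 9, 0)
SAMPLE = [
    (T0, "device=rtr-tok-01 alarm=high-util state=raised"),
    (T0 + timedelta(minutes=1), "device=rtr-tok-01 alarm=high-util state=raised"),
    (T0 + timedelta(minutes=2), "device=rtr-ams-01 alarm=flow-stopped state=raised"),
    (T0 + timedelta(minutes=3), "device=rtr-tok-01 alarm=high-util state=cleared"),
    (T0 + timedelta(minutes=4), "device=rtr-tok-01 alarm=high-util state=raised"),
]


def run(sample=SAMPLE, repeat_every=None):
    """Feed the sample through one router and return the e-mails it would send."""
    router = AlarmRouter(repeat_every)
    return [mail for ts, line in sample if (mail := router.handle(line, ts))]


if __name__ == "__main__":
    for mail in run():
        print(mail["to"], "<-", mail["subject"])
```

With the default once-until-cleared policy the duplicate at +1 minute is dropped and the alarm re-raised after the clear at +3 minutes is delivered again; with `repeat_every=timedelta(seconds=30)` the +1 minute repeat also goes out.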


Logalot can do much more than just process Scrutinizer notifications.  It can receive syslogs, SMTP, and SNMP Trap messages from any device as well as monitor Windows Event logs.

For more tips about setting up e-mail notifications see this post about sending alerts from alarms generated by Scrutinizer. And go here for more tips about Scrutinizer, including a sneak peek of Scrutinizer version 7, and Scrutinizer class map reporting.

Raul J Duran


How to spot the Trojan.Win32.Buzus greeting e-card virus

Posted in General, Security on February 27th, 2009 by nathanh

I am not a sentimental person.

When I receive a greeting card, I offer a big smile and give many thanks…and then immediately wonder if there’s any cash inside.

Best card I ever got was on my wedding day. All it said inside was:
“I hope the color and size is right.” and out fell a $50 bill.

I really didn’t even like the guy who gave it to us, but it meant a lot more than the 400 other wordy cards. Yes, call me shallow.

But there seems to be no shortage of sentimentalism flying around the Web in the form of electronic greeting cards. Over the past 6 years, however, e-cards have been a channel used to carry various viruses and worms. Here’s a new one to add to the list:

Trojan.Win32.Buzus

This virus is propagated by a person opening a .zip file called either “e-card.zip” or “postcard.zip” that is attached to an e-card sent from e-cards@americangreetings.com or e-cards@hallmark.com.

American Greetings e-card virus sample


Once the .zip is opened, the virus will install a micro SMTP client and then harvest all the e-mail addresses stored on that local machine. It will then send the same e-mail to every address it found, thus spreading the cheer…

WHAT TO LOOK FOR:

When the Trojan is downloaded, it will create the following files on the PC:

(Windows TEMP folder)\qoMcdExV.bat
(Windows System folder)\cbXQiFwT.dll
(Windows System folder)\javale.exe
(Windows System folder)\javame1.1.exe
(Windows System folder)\javase1.1.exe

Keep an eye on your task manager and look for the above running processes.

Not only are those processes installed; there will also be a registry edit that will open TCP ports 1033, 1035, 1062 through 1065 and 1118 through 1120. These ports will then be used by the javale.exe process. This process will use these ports to connect to a host database to request the following Host Names:

www.whatismyip.com
mail.[user's domain]
[user's email address]
mx.[user's domain]
smtp.domain.com
smtp.[user's domain]
mx1.[user's domain]
mxs.[user's domain]
mail1.[user's domain]
relay.[user's domain]
206.137.17.89
americangreetings.com

The process also tries to create connections to the following remote hosts:

206.137.17.89 – port 43
americangreetings.com – port 1049

There will also be a connection to the following domain to download .css, .js and .gif files for the body content of the e-card.

ak.imgag.com – port 80
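One way to turn the indicators above into a detection pass over flow records and a process listing, as an added example that is not Plixer's code: the host/port pairs, the opened local ports and the dropped file names are transcribed from the post; the flow records and process names are constructed; and the assumption that the "micro SMTP client" delivers on TCP/25 is the example's, not the post's. A source-port hit alone is treated as noise because those ports fall in the normal Windows ephemeral range, so it only counts when paired with a direct SMTP destination.

```python
import re
from dataclasses import dataclass

# Indicators transcribed from the post above.
BUZUS_REMOTE_ENDPOINTS = {("206.137.17.89", 43), ("americangreetings.com", 1049)}
BUZUS_LOCAL_PORTS = {1033, 1035, *range(1062, 1066), *range(1118, 1121)}
BUZUS_FILES = {"qoMcdExV.bat", "cbXQiFwT.dll", "javale.exe", "javame1.1.exe", "javase1.1.exe"}
# Mail-relay name patterns the post lists (mail., mx., smtp., relay., ... of the user's domain).
MAIL_HOST_RE = re.compile(r"^(mail1?|mx1?|mxs|smtp|relay)\.", re.IGNORECASE)
SMTP_PORT = 25  # assumption: the micro SMTP client submits mail directly on TCP/25


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str    # destination IP, or the hostname it was resolved from
    dport: int


def classify_flow(flow):
    """Return (severity, reasons) for one flow; severity is 'high', 'medium' or None."""
    reasons = []
    if (flow.dst, flow.dport) in BUZUS_REMOTE_ENDPOINTS:
        reasons.append(f"known Buzus endpoint {flow.dst}:{flow.dport}")
    # The opened ports sit in the ephemeral range, so require the SMTP destination too:
    # workstations normally hand mail to a single server, not to MX hosts directly.
    if flow.sport in BUZUS_LOCAL_PORTS and flow.dport == SMTP_PORT:
        reasons.append(f"direct SMTP from Buzus source port {flow.sport}")
    if flow.dport == SMTP_PORT and MAIL_HOST_RE.match(flow.dst):
        reasons.append(f"workstation contacting mail relay {flow.dst}")
    if not reasons:
        return None, []
    severity = "high" if any(r.startswith("known Buzus") for r in reasons) else "medium"
    return severity, reasons


def scan_flows(flows):
    """Return only the flagged flows as (severity, flow, reasons), most severe first."""
    hits = []
    for f in flows:
        sev, reasons = classify_flow(f)
        if sev:
            hits.append((sev, f, reasons))
    hits.sort(key=lambda h: h[0] != "high")  # stable: 'high' first, input order kept
    return hits


def check_process_names(names):
    """Cross a task-manager style process listing against the dropped-file names."""
    return sorted(BUZUS_FILES & {n.strip() for n in names})


# Constructed sample flows and process names (not captured data).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 1062, "206.137.17.89", 43),
    Flow("10.0.0.5", 1064, "americangreetings.com", 1049),
    Flow("10.0.0.5", 1035, "mx1.example.com", 25),
    Flow("10.0.0.5", 49152, "www.example.com", 80),
]
SAMPLE_PROCESSES = ["explorer.exe", "javale.exe", "svchost.exe", "javame1.1.exe"]

if __name__ == "__main__":
    for sev, f, reasons in scan_flows(SAMPLE_FLOWS):
        print(sev, f.src, "->", f"{f.dst}:{f.dport}", "; ".join(reasons))
    print("suspicious processes:", check_process_names(SAMPLE_PROCESSES))
```

The connection to ak.imgag.com on port 80 is deliberately not an indicator on its own: the post says it only fetches the e-card's page content, which any legitimate e-card would do too.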

Already, I’ve heard reports from Jim, our pre-sales tech, that customers are looking for ways to detect this virus on their networks.

Fortunately, Scrutinizer has a custom report engine to help find viruses like this.

Scrutinizer custom report rules for watching port 43


Moral of this story: e-cards don’t have money, so don’t open them.

-Nate


How to change your root MYSQL password

Posted in General on February 26th, 2009 by miltong

If you have forgotten your password, or just would like to change your MySQL password for Denika, Logalot or Scrutinizer, then here are some tips on how to reset your MySQL password.

1) Stop the MySQL service.

2) From a command prompt navigate to the SOE\mysql\bin folder (or scrutinizer\mysql\bin).

3) Run the following command: "mysqld-nt.exe --skip-grant-tables". This will start the MySQL server, and the command prompt will appear to hang; this is normal.

4) Open another command prompt and navigate to the same folder as step 2.

5) Run the following command: "mysql -u root mysql". This will bring up a command-line MySQL session and the prompt will change to mysql>.

6) Copy and paste the following command and press Enter: "UPDATE user SET Password=PASSWORD('mynewpassword') where user='root';"

** where mynewpassword is your new password

7) You should see the following output:
Query OK, 2 rows affected (0.05 sec)

8) Type “quit”, and you will return to a command prompt.

9) Enter “mysqladmin shutdown”. You will see the other command session return to the prompt.

10) Start the MySQL service and dependent services.

11) Write down your new password so you don’t have to go through these steps again.  :)

Milton


Your desktop PC could soon be in the (virtualized) clouds

Posted in General on February 25th, 2009 by NewsTrax

The desktop as you know it will likely change in about four years, if virtualization vendors have their way. VMware and Citrix are working with Intel to put desktops in the cloud, which means that you could be buying desktop time from a service provider. End users could run their virtualized desktop environments on client machines in online or offline modes, while IT administrators will manage these environments from a central location, according to VMware.

At VMware’s VMworld conference in Cannes this week, the virtualization software maker said it is developing with Intel a VMware Client Virtualization Platform, a bare-metal client hypervisor for desktop and notebook PCs. It is also working with Teradici to develop a display protocol aimed at improving the user experience when running the desktop on a virtualized server.

VMware rival Citrix is also working with Intel to develop its own CVP, which, like VMware’s product, is expected to ship in the second half of 2009, reports Computerworld. The paper also cites a VMware executive as saying that virtualized desktops could appear in four years or perhaps sooner.

According to a VMware survey of its customers, the top reasons why customers are using desktop virtualization are to help boost employee productivity and to improve data accessibility. Other reasons include centralized desktop deployment, increased application and data security, and to enable employees to access their desktops from any network device. Enabling system administrators to carry out patch management and installation and repairs from the cloud is also cited by VMware as a benefit.

So where does Plixer stand on virtualization? NetFlow is supported by VMware, as we explained in this blog post, VMware – ESX Servers and NetFlow. You’ll also be interested to know that there is a FREE version of Scrutinizer that runs on Linux, and you can download the virtual appliance and the VMware player from Plixer.com. Read more about the Linux NetFlow Collector in this blog post.

Is your company using desktop virtualization? Has it made your job easier? Let us know using the comment box below.


My credit card has been compromised and I can’t withdraw cash

Posted in General on February 24th, 2009 by Jo-G

Here we go again. This seems to have become a recurring event in our lives now; someone hacks a financial database, gets confidential credit card info, and then letters go out to customers about “an alert from Visa U.S.A. Inc. regarding compromised Visa account numbers.”

We got such a letter on February 13, 2009. You can read this two-year-old Computerworld blog, “Your credit card data may have been compromised. But don’t worry” to see that this threat is not new. Our cards were also among those compromised in 2007, and again last year. So it was no surprise that our current Visa cards would now expire March 13, 2009 and we were informed that we would receive new cards before then.


Replacing my DVD player with a new Digital Media Device

Posted in General on February 23rd, 2009 by jimmyd

Stupid Wal-Mart DVD player

That was it… the last straw. I’d had enough!

We purchased a car DVD player at Wal-Mart last year and it died. My overall goal with the DVD player was to promote happiness in the car. This solution was specifically targeted towards my 3-year-old daughter, Molly. Before last week the product performed well. I would rip some recorded shows to DVD and she would watch them. Primitive, but it worked.

In general, I would get three shows per DVD. For Molly and my wife that was good. For me, being a data freak, it was less than acceptable. I mean, in today’s world of cheap storage, why can’t I have more? My wife assured me that there was no way we were going to replace a working player. My dreams were dashed.

My salvation finally came! One day, the DVD player started to heat up and shut down. Being a technology expert, I looked at the device and unequivocally came to the one and only possible conclusion. It was broken. So, I quickly put it on eBay as an ‘AS-IS’ product, recouped some of the original cost, and started hunting for a new machine.

I decided to go with the Archos 704 with Wi-Fi. It cost about $100 more than I had spent on the original DVD player, but the added features justified the cost. So, I was off to my happy place, which is buying small electronic devices for me to play with.

In the car this little unit can now hold well over 20 DVDs of content,  it can play music and podcasts, and it can show pictures. For Molly, it’s great. She has a variety of shows to watch, she can listen to an audio story book or even settle down with some music.

At home Molly doesn’t have a TV in her room, but we do let her watch a show or two when appropriate. Now she can watch any of the stored shows, and with the Wi-Fi connection, she can watch shows stored on my Windows Home Server or Media Center. That also includes listening to audio books and music.

So I am pleased. The unit works well with our network and its vast media collection. Best of all, my daughter is happy to enjoy her shows when she wants. I guess you can’t ask for more.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Sneak peek of a new feature for Scrutinizer v7.0

Posted in General, Scrutinizer on February 20th, 2009 by nathanh

If there was one word I could pick to describe this company, I think I would use the word ‘adaptive’.

To give you an example: earlier this summer we hired 2 temps to call our existing customers and find out what features they wanted to see in Scrutinizer.

Maybe it’s just me, but I haven’t seen many businesses proactively seek out their customer base and ask, “What do YOU want from us?”

After collecting a LOT of feedback and suggestions, development had a vision of what Scrutinizer v7.0 was to become.

Things such as LDAP support, faster performance, expanded custom reporting features and flexible permissions were among the many requests heard over and over again.

Currently, we’re still working hard on the alpha build of Scrutinizer v7.0, which is slated for release later this year. However, I did want to show you a sneak preview of one big feature request that we run into all the time…

One of the limitations that we have had with Scrutinizer is being unable to create custom reports around certain subnets. Even with the latest release of Scrutinizer v6.05, we cannot do any custom reporting based on entire Class A or Class B networks. This has made it tough on customers trying to filter on conversations/hosts on those network ranges using custom reports.

After hearing your requests, we have now included this feature in Scrutinizer v7.0. Here’s a great screenshot from development that you might like.

custom reports based on entire Class A or Class B networks with Scrutinizer v7

Hey! While you’re at it, take notice of some formatting changes that we’re making too!

-Nate


How to use NetFlow to find unwanted applications on your network

Posted in General, Scrutinizer on February 18th, 2009 by jimmyd

Let’s use NetFlow to find an application

It’s hard; I mean really hard to find out who is using unwanted applications on your network.

The tedious process of finding people using applications that consume your network bandwidth is nerve-wracking and, to be honest with you, less than efficient.

The good news is that with NetFlow and Cisco CAR you can manage, and in most cases eliminate, the issue.

The first step in this battle is to use the “Top Application” gadget which is part of the new Flow Analytics 2.0.

This tool is designed to help with management of applications on the network. The algorithm scans the NetFlow traffic for known application types and alerts when it finds an unknown or undesirable application.

The gadget’s usefulness doesn’t stop there. At first glance, you will be able to see the amount of bandwidth consumed by the application in the last poll cycle. You also have the ability to drill down on that application and determine who on your network was using it. In a short period of time, you are able to find your issue.

Managing known or acceptable application types is simple too. If an application type is highlighted in yellow, then it has been marked as unknown and an alert has been generated. Clicking on the small plus sign located on the right-hand side of the label will add that type to the known applications list. From then on, when the application is detected, Flow Analytics will no longer post an alert.
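The scan-classify-alert-drill-down loop the last three paragraphs describe, as an added example that is not Flow Analytics' own code: the known-application table is a constructed assumption (the gadget's real table is not published here), flow records are constructed dicts rather than exported NetFlow, the "lower port is the server side" rule is the example's own heuristic, and `mark_known` stands in for the plus-sign action.

```python
# Constructed known-application table keyed by (protocol, server port); assumption only.
KNOWN_APPS = {
    ("tcp", 22): "ssh",
    ("tcp", 25): "smtp",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("udp", 53): "dns",
}


def app_for(proto, sport, dport, known=KNOWN_APPS):
    """Name the application from the lower of the two ports (usually the server side)."""
    for port in sorted((sport, dport)):
        if (proto, port) in known:
            return known[(proto, port)]
    return None  # unknown application type


def summarize_cycle(flows, known=KNOWN_APPS):
    """One poll cycle: bytes and talking hosts per application, unknown ones tagged."""
    usage = {}
    for f in flows:
        name = app_for(f["proto"], f["sport"], f["dport"], known)
        label = name or f"unknown {f['proto']}/{min(f['sport'], f['dport'])}"
        entry = usage.setdefault(label, {"bytes": 0, "hosts": set(), "known": name is not None})
        entry["bytes"] += f["bytes"]
        entry["hosts"].add(f["src"])
    return usage


def alerts(summary):
    """Labels that would be highlighted in yellow: traffic not on the known list."""
    return sorted(k for k, v in summary.items() if not v["known"])


def drill_down(summary, label):
    """Who on the network generated the traffic behind one label."""
    return sorted(summary[label]["hosts"])


def mark_known(known, proto, port, name):
    """The 'plus sign': copy the table with the new entry so later cycles stay quiet."""
    updated = dict(known)
    updated[(proto, port)] = name
    return updated


# Constructed flow records for one poll cycle (not exported NetFlow data).
CYCLE = [
    {"src": "10.0.0.11", "proto": "tcp", "sport": 51000, "dport": 443, "bytes": 120_000},
    {"src": "10.0.0.12", "proto": "udp", "sport": 53001, "dport": 53, "bytes": 2_000},
    {"src": "10.0.0.7", "proto": "tcp", "sport": 52000, "dport": 6881, "bytes": 950_000},
    {"src": "10.0.0.9", "proto": "tcp", "sport": 52010, "dport": 6881, "bytes": 410_000},
    {"src": "10.0.0.11", "proto": "tcp", "sport": 51002, "dport": 80, "bytes": 30_000},
]

if __name__ == "__main__":
    summary = summarize_cycle(CYCLE)
    for label in alerts(summary):
        print("ALERT", label, summary[label]["bytes"], "bytes from", drill_down(summary, label))
    accepted = mark_known(KNOWN_APPS, "tcp", 6881, "bittorrent")
    print("after accepting:", alerts(summarize_cycle(CYCLE, accepted)))
```

Keeping the known list immutable and returning a copy from `mark_known` is deliberate: it makes "what did we accept, and when" auditable, which matters once an analyst starts clicking plus signs to quiet alerts.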

So what do you do when you find an unwanted transport? Well, the goal is to prohibit or limit the use of the application. This can be done by enabling the Cisco CAR function.

For example, let’s say you have quickly determined that a host is using an unknown protocol or application group to download movies from the web and this has left your internal servers inaccessible over your network.

CAR controls the bandwidth of certain types of traffic. In our case, that would be transports. It relies on an access control list (ACL) that defines which traffic it regulates. Once you’ve created the ACL, you can use CAR to enforce a bandwidth rate on that traffic in either the inbound or the outbound direction, according to the interface on which you applied CAR. You can learn more about CAR and its functions by visiting Cisco’s IOS 12.0 documentation.

There are many QoS functions on a Cisco router, and there are many third-party applications and appliances that can help solve this problem. However, the simplest solution to this problem is to use Flow Analytics to find the transports in question and then use CAR to prohibit their use. You save time and money, and it only takes about two minutes to implement.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Plixer International Releases Flow Analytics Version 2.0

Posted in General, Scrutinizer on February 18th, 2009 by Jon Mills

Plixer International Inc. today announces the release of Flow Analytics version 2.0, an add-on module for their Scrutinizer NetFlow & sFlow Analyzer tool. Flow Analytics works to ensure network health and stability by analyzing NetFlow data and alerting IT administrators on potentially hazardous traffic patterns.

Plixer has utilized various resources to create a pool of known compromised hosts on the internet, which no host on the network should be communicating with. The list is updated within Flow Analytics every single hour. Flow Analytics scrutinizes every flow, as it comes in, to ensure that there is no communication with any of these potentially dangerous hosts.

Version 2 of the Flow Analytics module brings a host of new in-depth network traffic reports, found in easy to configure Scrutinizer gadgets.

New gadgets include:

• Top Inter-network Traffic, which shows subnet to subnet traffic.
• Top Applications, with the ability to alert for applications which should not be on the network.
• Top Transport, with the ability to alarm for protocols (e.g. TCP, UDP, IGMP, etc.) which should not be on the network.
• Top Sending and Receiving Countries
• Top Sending and Receiving Domains
• Network Volume, which reports on the number of unique hosts or applications in the last 5 minutes versus the last 30 hours.

Each report runs across potentially hundreds of routers after deduplication, not just per interface/per router.

There are also new network behavior analysis algorithms, which sift through network traffic looking for illegal scans such as NULL, FIN, SYN, Invalid Subnets, XMAS Tree, and more; all of which can lead to worm attacks.

In support of the new Flow Analytics module, Plixer has also released Scrutinizer NetFlow & sFlow Analyzer version 6.0.5. This new version includes minor bug fixes, user interface enhancements and improved support for Flow Analytics.


Jon Mills
Marketing & Public Relations Manager
Follow Me On Twitter

Updated NetFlow Calculator

Posted in Scrutinizer on February 17th, 2009 by Jo-G

This is a continuation from a previous blog titled “NetFlow Calculator”, posted January 25, 2009, by Mike Patterson, Scrutinizer Product Manager. We have just released an updated Flow Bandwidth/Hard Drive Consumption Calculator for Scrutinizer which is available online:
