Computer smash by NetFlow engineer

Posted in General, Network Health Report, Network Problem Resolution on April 30th, 2009 by miltong

Everyone has one of those days! You know, the kind of day when you want to stuff a basketball in someone’s face, or smash the computer.

The thing that drives me crazy is when the application goes haywire and nothing is working right; so I decided to uninstall it and start from scratch. I uninstalled the software, and reinstalled it. Now I’m thinking, “Okay, everything will work. It is a fresh install, and I can get back to work.”

It’s installed and I open up the app and everything looks like it is working, but when I installed the app, I installed it to a different drive that had more space. I went to run a database query and the query was not working. At this point, I was ready to blow my top and take the computer and throw it across the room. I checked the services to see if they were running and they were. Now I am really steaming. I decided to open up the properties for that particular service, and it was pointing to the wrong drive, so it would not run.

The moral of my story is: check the service before you reinstall your software, because the uninstaller may not remove your services. If it does not remove your services, here is a command that can help. Open the command prompt and type sc delete (display name of the service). This will delete the service.


Zenoss Supports Plixer’s NetFlow

Posted in General, IT News, Scrutinizer, Third Party Integration on April 28th, 2009 by Jon Mills

Expanding Enterprise Network Performance Problem Troubleshooting Capabilities

Zenoss Inc., the leading commercial open source network and systems management provider, today announced the addition of NetFlow reporting through a partnership with Plixer. The added capability – available as an extension to Zenoss’ award winning IT infrastructure monitoring solution – provides enterprises with even greater visibility into their network health and performance for a fraction of the cost of comparable solutions.

“Our enterprise customers smartly requested that we add NetFlow reporting capability to Zenoss Enterprise and we’ve quickly delivered,” said Bill Karpovich, Zenoss co-founder and CEO. “The integration of Plixer’s Scrutinizer with Zenoss Enterprise provides network engineers additional visibility into router performance and availability, reducing the time required to resolve network problems.”

With the integration complete, network engineers that are users of both Zenoss Enterprise and Plixer Scrutinizer can quickly identify network problems and immediately troubleshoot them. Network engineers can directly navigate from Zenoss Enterprise to Scrutinizer, which provides access to NetFlow and bandwidth utilization reports.

For more details on Zenoss’ new NetFlow capabilities, visit http://www.plixer.com/zenoss.


Jon Mills
Marketing & Public Relations Manager

New NetFlow Tool: “Top Connections Matrix Gadget”

Posted in General, NetFlow, NetFlow Analyzer, Scrutinizer on April 28th, 2009 by Jo-G

Looking for an easy way to view host connections on your network? How about a graphical view in matrix format?

Using Cisco NetFlow and Scrutinizer NetFlow Analyzer with the latest release (version 2) of the Flow Analytics add-on module, Plixer International has provided just that.

New Linux NetFlow collector now with Flow Analytics

Posted in General, Network Problem Resolution on April 27th, 2009 by jimmyd

Back in January, we discussed how to analyze NetFlow data on a Linux server with Scrutinizer for Linux. Now the excitement continues with the release of Flow Analytics 2.0 for Linux! Not only are Linux users able to run one of the industry’s strongest NetFlow collectors and reporting tools, but now they can dig deeper with Flow Analytics.

With Flow Analytics you are able to detect and alert on certain network traffic patterns, using the same NetFlow collection mechanisms found in Scrutinizer. These patterns could resemble things like port scans, DDoS attacks, P2P traffic and more. Along with that, it quickly generates summary reports that span all of your NetFlow devices. Imagine being able to see all of the top talkers, number of unique hosts, top domains, top countries and more, across all of your NetFlow sending routers.
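To make the kind of pattern checks described above concrete, here is an added example (not Plixer's code and not part of the original post) that runs two of them by hand over a small constructed NetFlow-style export: a top-talkers and unique-host summary, and a port-scan heuristic that flags a source touching many distinct ports on one host with tiny flows. The CSV field names, the sample addresses and the thresholds are assumptions for the example.

```python
"""Added example, not Plixer's code: simple flow-pattern checks of the kind
Flow Analytics runs over collected NetFlow records, done by hand on a small
constructed export. Field names and thresholds are assumptions."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export, one flow per line (not real traffic).
SAMPLE_FLOWS = """\
src,dst,proto,dport,packets,bytes
10.1.1.20,203.0.113.10,tcp,443,120,98000
10.1.1.20,203.0.113.11,tcp,443,80,61000
10.1.1.30,198.51.100.5,tcp,80,40,30000
10.1.1.99,10.1.2.5,tcp,21,1,60
10.1.1.99,10.1.2.5,tcp,22,1,60
10.1.1.99,10.1.2.5,tcp,23,1,60
10.1.1.99,10.1.2.5,tcp,25,1,60
10.1.1.99,10.1.2.5,tcp,80,1,60
10.1.1.99,10.1.2.5,tcp,110,1,60
10.1.1.99,10.1.2.5,tcp,135,1,60
10.1.1.99,10.1.2.5,tcp,139,1,60
10.1.1.99,10.1.2.5,tcp,443,1,60
10.1.1.99,10.1.2.5,tcp,445,1,60
10.1.1.99,10.1.2.5,tcp,3389,1,60
10.1.1.99,10.1.2.5,tcp,8080,1,60
"""


def parse_flows(text):
    """Read a CSV flow export into a list of dicts with numeric fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"src": r["src"], "dst": r["dst"], "proto": r["proto"],
                     "dport": int(r["dport"]), "packets": int(r["packets"]),
                     "bytes": int(r["bytes"])})
    return rows


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent: the 'top talkers' report."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals.most_common(n)


def unique_hosts(flows):
    """Count of distinct addresses seen as source or destination."""
    return len({f["src"] for f in flows} | {f["dst"] for f in flows})


def port_scan_suspects(flows, min_ports=10, max_packets=3):
    """Sources that hit many distinct destination ports on a single host
    with very small flows, a typical port-scan signature. Thresholds are
    assumed values; tune them to your network."""
    ports = defaultdict(set)
    for f in flows:
        if f["packets"] <= max_packets:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted({src for (src, _dst), ps in ports.items()
                   if len(ps) >= min_ports})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top talkers:", top_talkers(flows))
    print("unique hosts:", unique_hosts(flows))
    print("port scan suspects:", port_scan_suspects(flows))
```

The port-scan check keys on (source, destination) pairs so that a busy server legitimately talking to many ports on many hosts is not confused with one host sweeping ports on a single target; a real collector would also bound the check to a time window.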

I have provided the tar ball and install instructions below. The Flow Analytics demo requires a Plixer Engineer for install and I would be more than happy to assist.

Scrutinizer Install Instructions – http://www.plixer.com/files/scrutinizer_linux_install_instructions.txt

Scrutinizer tar ball – http://files.plixer.com/plixer-scrutinizer-linux.tar.gz

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Is Conficker being hosted by your company?

Posted in NetFlow, Scrutinizer on April 25th, 2009 by Jon Mills

I’m sure just about every company’s security manager is aware of Conficker. This worm is spreading through networks at alarming rates. Its weapon: exploiting a vulnerability, called MS08-067, in Windows 2000, XP, and Server 2003.

Conficker looks like legitimate traffic
Conficker.A, .B & .C (yes, it has versions) randomly creates domain names that are based on the system clocks of popular web sites such as google.com, yahoo.com, etc., so the HTTP traffic looks legitimate. At first, I thought we should block all the domains, but that is not a simple task. As of April 8th, Conficker.E was found not to be using randomly created domains, but deletes itself on May 3rd, 2009; unlike Conficker.C. It constantly changes its own behavior!

On April 7th researchers found a variant of Conficker that initiates communication via a peer-to-peer (P2P) connection. A TCP connection is then used to download the file. Irregular UDP communications also take place.

What is Cisco’s position?
Learn more about Cisco’s position on Conficker. They encourage customers to purchase their Home Network Defender product and as a result, you “should be” protected. Here is some additional great information on Conficker from Cisco.

Track Conficker with Cisco NetFlow?
It isn’t that easy. Remember, Conficker looks like legitimate traffic. Network Behavior Analysis solutions can’t confidently detect Conficker either. We are looking into a solution that watches Conficker behaviors. Our Internet Threats Monitor has proven to be very effective at getting updates out to all our customers within just a few minutes. We could do the same as Conficker mutates and we learn its new behavior. For now, here are a few things to be aware of:

  • Make sure you know your company’s legitimate applications VERY WELL.
    • Make sure you have defined the known applications within Scrutinizer.
    • Put in the time to mark legitimate traffic within the Top Applications gadget of Flow Analytics.
  • Watch your DNS logs for hosts failing to resolve odd host names. Maybe script something that looks for excessive DNS lookup failures within a time frame, etc. I’m still looking into this.
  • Participate in Systrax and get involved.
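The second bullet above suggests scripting a check for excessive DNS lookup failures within a time frame. Here is an added example of such a script (not part of the original post and not Plixer's code): it reads resolver log lines in a simple constructed "time client name rcode" form, keeps a sliding window of NXDOMAIN responses per client, and reports clients whose failure count inside any 60-second window reaches a threshold. The log format, sample addresses and the 60-second/5-failure thresholds are assumptions; adapt the parser to your resolver's actual log format.

```python
"""Added example, not from the original post: flag hosts producing a burst of
DNS lookup failures (NXDOMAIN) inside a time window. Log lines are constructed
in a simple 'time client qname rcode' form for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed resolver log (not real data). 10.1.1.77 fails five lookups
# of random-looking names within a few seconds; 10.1.1.50 has one typo.
SAMPLE_DNS_LOG = """\
2009-04-25T10:00:01 10.1.1.50 www.google.com NOERROR
2009-04-25T10:00:02 10.1.1.77 qwzkplmcvt.info NXDOMAIN
2009-04-25T10:00:03 10.1.1.77 oiqwlkajsd.biz NXDOMAIN
2009-04-25T10:00:04 10.1.1.77 mnbvcxzlkj.org NXDOMAIN
2009-04-25T10:00:05 10.1.1.50 mail.example.net NOERROR
2009-04-25T10:00:06 10.1.1.77 plokijuhyg.net NXDOMAIN
2009-04-25T10:00:07 10.1.1.77 zaqxswcdev.com NXDOMAIN
2009-04-25T10:00:08 10.1.1.50 typo.exmaple.com NXDOMAIN
2009-04-25T10:05:00 10.1.1.77 asdfqwerzx.info NXDOMAIN
"""


def parse_dns_log(text):
    """Parse 'ISO-time client qname rcode' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client, qname, rcode))
    return events


def failure_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {client: peak NXDOMAIN count within any `window`} for clients
    whose peak reaches `threshold`. One sliding window per client, walked
    over the events in time order."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    peak = defaultdict(int)
    for ts, client, _qname, rcode in sorted(events):
        if rcode != "NXDOMAIN":
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for client, count in failure_bursts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {count} NXDOMAIN responses within 60s")
```

Because the window slides per client, a single host with a long-running stream of failures is caught even if its failures are spread across log file boundaries, as long as the events are fed in time order; a lone typo such as the one from 10.1.1.50 stays below the threshold.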

Are you infected?
Take the Conficker test right now. If all 6 images show up you are in good shape.


Jon Mills
Marketing & Public Relations Manager

Thinking out of the box, supporting hard to contact clients

Posted in General on April 24th, 2009 by jimmyd

I was dealing with a client this morning who wanted to see a demonstration of CrossCheck, a plug-in for the Scrutinizer NetFlow analysis application. Normally, I fire up a remote session, like GoToMeeting, and give the demonstration. My client, being a large state government, had extensive restrictions on their network. The process to open and test ports would take weeks, and he needed to see the app quickly. I tried my best to explain the product, but let’s face it, it’s not the same as seeing it in action. A remote connection was not going to be an option.

CrossCheck video demonstration

I really didn’t want to leave him hanging. He liked the product, but just didn’t grasp its value and functionality. A demo would fix this. So I decided to let him know that I would record a video and send it his way.

After a few minutes of reviewing my options, I decided to go with the easiest screen capturing utility that I could find, Jing. The process to record your own video presentation is simple, just follow these steps.

Step 1

Click on the yellow ball at the top of the screen.

Step 2

Click on the plus sign to start your video.

Step 3

Select the section of the screen that you want recorded.

Now you record and make your presentation. Once you are done, press the stop button and save the file. The saved file is a Flash SWF file that can be viewed by opening it in any browser.

That’s it! As you can see, it was simple, and I am pleased to report that the client was quite impressed. I hate to reference an overused and possibly out-of-date saying, but sometimes it pays to “think out of the box.”

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

My devices don’t support NetFlow, what are my options?

Posted in NetFlow, NetFlow Analyzer, Network Problem Resolution, Network Traffic Analysis, Scrutinizer on April 24th, 2009 by nathanh

So you’ve heard about NetFlow. It’s exactly what you need. But then you find out that none of the network equipment you have supports it.

I hate having to tell customers that our product won’t work with their networks…

I think it’s partly because of the lost customer. However, I think it’s more because smaller networks mean smaller budgets, smaller budgets mean more affordable equipment and more affordable equipment means no Cisco devices. No Cisco devices means no NetFlow…

Knowing what NetFlow can do for a Network Admin makes me wish it was more easily attainable, but in the real world, amazing products warrant big price tags.

However, even though you may not have Cisco equipment, doesn’t mean all is lost.

If you are really interested in having full visibility on your network, then I invite you to keep reading since we at Plixer would like to offer you a couple alternatives.

Option 1:

If you are running with smaller Linksys routers, then maybe consider the firmware update from the company Brainslayer, called DD-WRT. This Linksys firmware update allows options that previously only higher end routers supported. One of those new features is flow record export. For more information, please refer to this great blog that highlights DD-WRT.

Option 2:

If you are using devices other than the Cisco or Linksys brands, then this might be an acceptable alternative.

Now even though your devices may not be able to export flows in themselves, what if we were to introduce something that could take your traffic and mold it to export as NetFlow? This is exactly what the nProbe software offers.

With nProbe, just install this application on a local Linux server and direct your traffic through the server itself. With nProbe configured and running, it can then export NetFlow record summaries of your traffic to a local NetFlow collector, such as Scrutinizer. nProbe may be a great option for a small business that does not want to purchase new equipment in order to take advantage of NetFlow.

For more information about either option, feel free to take a look at the products on their websites. The extra effort required to get these products running can produce fantastic returns in network visibility.

-Nate


How to detect spambots with Scrutinizer NetFlow Analyzer

Posted in General, NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Scrutinizer, Security on April 23rd, 2009 by miltong

I had a support case this week in which a customer’s domain was being blacklisted because of spam from his SMTP server. Upon further investigation, he found that the mail server showed no evidence of spam mail going through the server.

I had the customer open his Scrutinizer NetFlow analysis tool via the web interface and create a custom report that looks at SMTP traffic on port 25 and the Internet router, through which all traffic passes. We viewed the report to find all outbound traffic on TCP port 25. Guess what we found? An unauthorized host sending mail through his network.

He was able to identify the compromised host and fix the issue in a timely manner.
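The report described above boils down to one filter over the Internet router's flows: outbound TCP/25 from any internal address that is not the authorized mail server. Here is an added example (not Plixer's code and not the customer's report) that applies that filter to a small constructed NetFlow-style export and summarizes, per unauthorized sender, the distinct external destinations and bytes sent. The internal address range, the authorized mail server address, the CSV field names and the sample flows are all assumptions for the example.

```python
"""Added example, not Plixer's code: find internal hosts sending outbound SMTP
(TCP/25) that are not the authorized mail server, from NetFlow-style records
as a collector might export them for the Internet router. The network,
addresses and flows below are constructed for the example."""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
AUTHORIZED_MAIL = {"10.0.0.25"}                     # assumed legitimate MTA

# Constructed sample export (not real traffic).
SAMPLE_FLOWS = """\
src,dst,proto,dport,bytes
10.0.0.25,203.0.113.20,tcp,25,52000
10.0.0.25,198.51.100.9,tcp,25,31000
10.0.5.117,203.0.113.20,tcp,25,4100
10.0.5.117,203.0.113.21,tcp,25,3900
10.0.5.117,192.0.2.77,tcp,25,4400
10.0.7.3,203.0.113.50,tcp,443,88000
203.0.113.99,10.0.0.25,tcp,25,2000
"""


def parse_flows(text):
    """Read a CSV flow export into a list of dicts with numeric fields."""
    return [{"src": r["src"], "dst": r["dst"], "proto": r["proto"],
             "dport": int(r["dport"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(text))]


def rogue_smtp_senders(flows, internal=INTERNAL_NET, authorized=AUTHORIZED_MAIL):
    """Map each unauthorized internal source of outbound TCP/25 to the sorted
    list of its external destinations and the total bytes it sent."""
    found = defaultdict(lambda: {"dsts": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != 25:
            continue                      # only SMTP submission to port 25
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src not in internal or dst in internal:
            continue                      # outbound only: inside -> outside
        if f["src"] in authorized:
            continue                      # the real mail server is expected
        found[f["src"]]["dsts"].add(f["dst"])
        found[f["src"]]["bytes"] += f["bytes"]
    return {s: {"dsts": sorted(v["dsts"]), "bytes": v["bytes"]}
            for s, v in found.items()}


if __name__ == "__main__":
    for src, info in rogue_smtp_senders(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {len(info['dsts'])} destinations, {info['bytes']} bytes")
```

Inbound mail to the authorized server (the last sample flow) and ordinary HTTPS traffic are ignored by the filter, so the only hit is the host that should never be speaking SMTP to the outside; that hit is the lead for the host investigation the post describes.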

Milton


Networks zooming toward Terabit Ethernet

Posted in General, IT News on April 22nd, 2009 by NewsTrax

Hold on to your hats because Terabit Ethernet is in our future – six years in the future, according to experts. John D’Ambrosia, chair of the 802.3ba Task Force in the IEEE, and Bob Metcalfe, creator of Ethernet, both predict that the first commercial use of Terabit Ethernet could come as soon as 2015. That’s pretty amazing, but whether, in reality, that technology would be within reach of the average enterprise is up for debate. When 10 Gigabit Ethernet switches were introduced in 2001, the average per-port cost was $39,000 and it took eight years for the price to drop to $4,000.

Right now, the industry is looking to 40 Gigabit and 100 Gigabit Ethernet products to show up in the market by the end of the year as the bridge to Terabit Ethernet, according to a Network World article. It reports that pre-standard 40 Gigabit and 100 Gigabit Ethernet gear, including server network interface cards, switch uplinks and switches, are expected to roll out later this year.

The IEEE P802.3ba Task Force is expected to ratify the 100GbE standard in June 2010 and compliant products are slated to ship soon after that.

If the rate of traffic continues to grow as it has – with networks having to transport high-def video, and so on – it may not take so many years for prices of compliant gear to come down. Take 40GbE for example. Industry researchers believe the price of 40GbE gear will soon come down as U.S. carriers like AT&T and Comcast demand more 40GbE equipment thus helping to commoditize the market, bringing down prices as a result, according to this TechTarget article.

The carriers, as well as companies like Google, Yahoo and Facebook are expected to soon be crying out for 100GbE between data centers to speed the flow of data.

Under Moore’s law, data center network usage doubles every 24 months. With that in mind, 10GbE will not be enough for data centers in 2014 when 40GbE is expected to take over. 100GbE should meet the needs of carriers and ISPs through 2015, according to this Ixia white paper.

How soon is 40/100GbE in your future? Or are you just now playing with 10GbE?


New resource shows how to test for Conficker vulnerabilities

Posted in General on April 21st, 2009 by jimmyd

Over the weekend I spent quite a bit of time watching some of the awesome IT security videos that are offered on The Academy Pro web site. I couldn’t believe all the valuable step by step information that this site offers. Believe it or not, I had a goal. I needed to learn more about “Conficker”.

We have already covered how to detect “Conficker” traffic via Scrutinizer’s Flow Analytics application in my buddy Milton’s blog back in March. In the NetworkWorld article titled “Downadup/Conflicker worm: When will the next shoe fall?”, Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks, is quoted as saying, “It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs”. So how can we prevent this from happening?

My goal was to conduct a security audit for such a vulnerability. That is where TheAcademyPro comes in. The TheAcademyPro web site was created by Peter Giannoulis, a well known information security consultant and author. Check out this awesome interview with Peter on Hak5. They just started a series on how to conduct vulnerability scans for Conficker:

Conficker vulnerabilities with Core Impact – Posted on April 20th, 2009

“Everybody’s had to deal with Conficker over the last little while, but many don’t realize exactly how easy it is to exploit a system using the targeted vulnerability. Let’s begin the week by manually exploiting Conficker vulnerabilities with Core Impact 8 modules.”

Now I have a bit more information and might be able to conduct a security audit soon. I will keep you posted.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________