Well it looks like our run of nice weather has ended here in Southern Maine. Saturday we had our first snow of the year. It was kind of a nice touch to be at a holiday party and have the snow falling outside. And then to wake up Sunday morning to find that the view outside your window is like that of a Currier and Ives winter print.

A couple of weeks ago I began a series of blog posts introducing the new Flow Analytics tools available in Plixer International's latest NetFlow and sFlow analysis tool, Scrutinizer v7.3.

Today I will introduce the third of the four new analytic tools in Scrutinizer v7.3. The Breach Attempt violation looks for many small flows from one source to one destination, a pattern that can indicate a "brute force" or "dictionary" attack against a login service.

A typical scenario begins with someone port scanning your network for particular services to attack. For instance, a host scanning a subnet finds that your router or Linux server has an SSH server listening on TCP port 22.

Once the cracker knows that you have a device running an SSH server (or any other login service), they try to gain access by cycling through password combinations. Each attempt that the server rejects and closes becomes its own short TCP flow, and that footprint is what the algorithm keys on.
 

The Breach Attempt algorithm looks for traffic with the following characteristics:

  • Generally the TCP flows are complete and closed with a FIN flag
  • They are small, totaling less than 1 KB each
  • They have fewer than 25 packets per flow
  • They are numerous
  • They are all from a single host to another single host

The threshold is a single setting, found in the Flow Analytics Overview gadget as "inbound threshold". It controls how many such flows between one source and one destination it takes to raise the violation, so lowering it catches light attacks while raising it alerts only on heavy ones. The default threshold is 100.
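To make the five characteristics and the threshold concrete, here is an added example of the same heuristic written in Python. It is not Scrutinizer's code; it is a stand-alone illustration that applies the listed tests to a set of constructed NetFlow-style records and reports the source/destination pairs that cross the threshold. The record layout, the assumption that the flows all belong to one collection interval, and the choice to treat the threshold as inclusive (100 matching flows triggers the violation) are assumptions of this example, not statements about the product.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as exported in the NetFlow v5/v9 tcp_flags field, which is the
# cumulative OR of every flag seen during the flow.
FIN = 0x01
SYN = 0x02
RST = 0x04
ACK = 0x10

TCP = 6

# Limits from the post: under 1 KB, under 25 packets, default threshold 100.
MAX_OCTETS = 1024
MAX_PACKETS = 25
DEFAULT_THRESHOLD = 100


@dataclass(frozen=True)
class Flow:
    """One exported flow record (field set is an assumption of this example)."""
    src: str
    dst: str
    dst_port: int
    protocol: int
    packets: int
    octets: int
    tcp_flags: int


def is_breach_candidate(flow: Flow) -> bool:
    """True when a single flow fits the profile: TCP, closed with FIN, small, few packets."""
    return (
        flow.protocol == TCP
        and (flow.tcp_flags & FIN) != 0
        and flow.octets < MAX_OCTETS
        and flow.packets < MAX_PACKETS
    )


def find_breach_attempts(flows, threshold=DEFAULT_THRESHOLD):
    """Count matching flows per (src, dst) pair; return pairs at or above the threshold.

    The flows passed in are assumed to come from one collection interval, so the
    count is "many flows in a short time" rather than an all-time total.
    """
    counts = defaultdict(int)
    for flow in flows:
        if is_breach_candidate(flow):
            counts[(flow.src, flow.dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def make_sample_flows():
    """Constructed sample traffic (not captured data) covering the cases that matter."""
    flows = []
    # 150 short SSH login attempts from one attacker to one server: should fire.
    for i in range(150):
        flows.append(Flow("203.0.113.7", "198.51.100.10", 22, TCP,
                          packets=12, octets=700 + (i % 50), tcp_flags=SYN | ACK | FIN))
    # 40 small HTTP requests from a workstation to a web server: same profile,
    # but below the default threshold, so it stays quiet unless the threshold is lowered.
    for _ in range(40):
        flows.append(Flow("192.0.2.20", "198.51.100.80", 80, TCP,
                          packets=10, octets=900, tcp_flags=SYN | ACK | FIN))
    # 200 large file-transfer flows to the same server: numerous, but far too big.
    for _ in range(200):
        flows.append(Flow("192.0.2.30", "198.51.100.10", 445, TCP,
                          packets=300, octets=150_000, tcp_flags=SYN | ACK | FIN))
    # 120 SYN-only probes, one per port: a port scan, never closed with FIN,
    # so it is not this algorithm's job to flag it.
    for port in range(1000, 1120):
        flows.append(Flow("203.0.113.9", "198.51.100.10", port, TCP,
                          packets=1, octets=60, tcp_flags=SYN))
    return flows


if __name__ == "__main__":
    for (src, dst), n in find_breach_attempts(make_sample_flows()).items():
        print(f"breach attempt: {src} -> {dst}, {n} matching flows")
```

Run as-is, the only pair reported is the SSH brute force (150 flows). Lowering the threshold to 30 also reports the workstation's 40 HTTP flows, which is exactly the light-versus-heavy trade-off the setting exposes; the big SMB transfers and the SYN-only scan are never counted, because they fail the size and FIN tests respectively.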

[Screenshot: Breach Attempt Threshold Setting]

All of these Flow Analytics algorithms are intended to help our customers with improved network traffic analysis and monitoring. I will be blogging about more of the new features and reports in Scrutinizer v7.3 in the coming days, so be sure to check in.


Scott

Scott provides Pre Sales Technical Support to the Sales team at Plixer. Scott comes from a technical support background, having years of experience doing everything from customer account management to system programming. Some of his interests include coaching youth sports programs here in Sanford, playing drums and guitar in local jam bands, and playing in neighborhood lawn dart tournaments.
