Well it looks like our run of nice weather has ended here in Southern Maine. Saturday we had our first snow of the year. It was kind of a nice touch to be at a holiday party and have the snow falling outside. And then to wake up Sunday morning to find that the view outside your window is like that of a Currier and Ives winter print.
A couple of weeks ago I began a series of blogs that introduces you to the new Flow Analytic tools that are available with Plixer International’s latest NetFlow and sFlow analysis tool, Scrutinizer v7.3.
Today I will be introducing you to the third of the four new analytic tools now available with Scrutinizer v7.3. The Breach Attempt Violation looks for many small flows from one source to one destination. This can indicate things such as a “brute force” or “dictionary” attack.
A typical scenario would be someone port scanning your network looking for particular services to attack. For instance, a host scanning a subnet finds that your router or Linux server has an SSH server running on port 23.
Once the cracker knows that you have a device with an SSH server (or any type of server), they attempt to gain access to the device by trying different password combinations.
The Breach Attempt algorithm attempts to identify traffic that has the following characteristics:
- Generally the TCP flows are complete and closed with a FIN flag
- They are small and total less than 1KB
- They have less than 25 packets per flow
- They are numerous
- They are from 1 single host to another single host
The threshold is simple to set: it is the “inbound threshold” in the Flow Analytics Overview gadget. Raising or lowering it adjusts whether you are alerted on light or only on heavy attacks. The default threshold is 100.
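To make the five characteristics and the threshold concrete, here is a small detector written for this post as an added illustration; it is not Scrutinizer's code and does not claim to match its internals. It applies the rules above (FIN-closed TCP flow, under 1KB, under 25 packets, counted per source/destination pair) to a list of constructed NetFlow-style records and reports pairs whose count reaches the threshold. The flag bit values follow the usual NetFlow tcp_flags encoding, the "at or above threshold" comparison is an assumption, and all of the sample flows are made up.

```python
"""Toy re-implementation of the Breach Attempt heuristic described above.

Added example, not Scrutinizer's code. Applies the post's five rules to
constructed NetFlow-style records and reports (src, dst) pairs whose count
of matching flows reaches the threshold (default 100, as in the post).
"""
from collections import Counter
from dataclasses import dataclass

# TCP flag bits as carried in the NetFlow v5/v9 tcp_flags field
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_ACK = 0x10

MAX_OCTETS = 1024        # "total less than 1KB"
MAX_PACKETS = 25         # "less than 25 packets per flow"
DEFAULT_THRESHOLD = 100  # Flow Analytics "inbound threshold" default


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    protocol: int    # 6 = TCP
    packets: int
    octets: int
    tcp_flags: int   # cumulative flags seen over the flow's life


def is_breach_candidate(flow: Flow) -> bool:
    """One flow matches when it is a small, complete, FIN-closed TCP flow."""
    return (
        flow.protocol == 6
        and (flow.tcp_flags & TCP_FIN) != 0
        and flow.octets < MAX_OCTETS
        and flow.packets < MAX_PACKETS
    )


def find_breach_attempts(flows, threshold=DEFAULT_THRESHOLD):
    """Return {(src, dst): count} for pairs whose matching-flow count is at
    or above the threshold (the >= comparison is an assumption).

    Counting per (src, dst) pair is what makes this a one-host-to-one-host
    detector: a scanner spreading flows across many hosts never accumulates
    a large count for any single pair.
    """
    counts = Counter((f.src, f.dst) for f in flows if is_breach_candidate(f))
    return {pair: n for pair, n in counts.items() if n >= threshold}


def sample_flows():
    """Constructed sample records (not captured data)."""
    flows = []
    # 120 short SSH sessions from one host: each login attempt is a complete,
    # FIN-closed exchange of a dozen packets and a few hundred bytes
    for i in range(120):
        flows.append(Flow("198.51.100.7", "10.0.0.5", 22, 6,
                          packets=12, octets=700 + (i % 50),
                          tcp_flags=TCP_SYN | TCP_ACK | TCP_FIN))
    # one legitimate interactive SSH session: long-lived and large, so it
    # fails both the size and the packet-count rules
    flows.append(Flow("192.0.2.10", "10.0.0.5", 22, 6,
                      packets=4000, octets=1_500_000,
                      tcp_flags=TCP_SYN | TCP_ACK | TCP_FIN))
    # a SYN sweep over 200 ports: many tiny flows, but never FIN-closed, so
    # this rule ignores them (port scanning is a separate analytic's job)
    for port in range(1, 201):
        flows.append(Flow("203.0.113.9", "10.0.0.5", port, 6,
                          packets=1, octets=60, tcp_flags=TCP_SYN))
    # 40 small FIN-closed flows to a second host: matches the shape but stays
    # below the default threshold
    for _ in range(40):
        flows.append(Flow("198.51.100.7", "10.0.0.6", 22, 6,
                          packets=10, octets=650,
                          tcp_flags=TCP_SYN | TCP_ACK | TCP_FIN))
    return flows


if __name__ == "__main__":
    for pair, n in find_breach_attempts(sample_flows()).items():
        print(f"breach attempt: {pair[0]} -> {pair[1]} ({n} small flows)")
```

Lowering the threshold (for example `find_breach_attempts(sample_flows(), threshold=30)`) makes the 40-flow pair fire as well, which is the trade-off the "inbound threshold" setting exposes: a lower value catches slower, lighter attempts at the cost of more alerts on chatty but legitimate hosts.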
All of these Flow Analytic algorithms are intended to help our customers with improved network traffic analysis and network traffic monitoring. I will be blogging about more of the new features and reports available in Scrutinizer v7.3 in the upcoming days, so be sure to check in.