With the release of Scrutinizer v7.2 last month, we offered an upgrade/migration path for those customers running Scrutinizer v6. I have had some customers ask, “Why should we upgrade?” or “What will we gain from Scrutinizer v7 that we don’t have now?”
The updated release of Plixer’s network traffic analyzer last week made the answer to that question very clear.
With Scrutinizer v7.3, Plixer International showed why they are the leader in NetFlow and sFlow traffic analysis. NBAR support, a number of new report filters, and a number of new Flow Analytic tools all make it easier to analyze what is happening on your networks.
The Nefarious Activity algorithm is designed to catch people doing light port scans across a large number of hosts.
This usually means that a host will send one flow to each host IP to see if there is a service available for attack.
This diagram shows a host sending packets to multiple hosts on the same subnet. In this case it is looking for Port 80 web servers.
Only one of the servers responded. This will tell the “Internet Bad Guy” that he should try further attacks on 1x.1.1.1.
Thresholds for this algorithm are configurable by going to:
Admin Tab -> Settings -> Flow Analytics
The Nefarious Activity threshold is the number of unique source/application-to-destination TCP flows, within the ratio, needed to trigger a violation.
The Nefarious Activity Ratio is the ratio of packets per flow for a source address, e.g. 10:1. Lower ratios, like 1:1, usually represent nefarious activity.
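The two settings described above can be read as a simple detection rule over flow records. The following Python is an added example, not Plixer's code or Scrutinizer's implementation; the record layout, the default threshold of 20 destinations, the 2:1 ratio and the sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict

def sample_flows():
    """Constructed flow records (src, dst, dport, proto, packets); not real traffic."""
    flows = []
    for i in range(1, 31):  # one single-packet port-80 flow to each of 30 hosts
        flows.append(("192.0.2.50", f"10.0.0.{i}", 80, "tcp", 1))
    flows.append(("192.0.2.50", "10.0.0.7", 80, "tcp", 12))  # follow-up to the one responder
    for i in range(1, 31):  # busy but normal client: many hosts, many packets per flow
        flows.append(("10.0.0.201", f"198.51.100.{i}", 443, "tcp", 25))
    for i in range(1, 4):   # ordinary client: only a few destinations
        flows.append(("10.0.0.200", f"10.0.1.{i}", 443, "tcp", 40))
    for i in range(1, 31):  # UDP is skipped; the threshold counts TCP flows
        flows.append(("10.0.0.202", f"10.0.2.{i}", 53, "udp", 1))
    return flows

def find_light_scanners(flows, flow_threshold=20, max_ratio=2.0):
    """Flag (source, port) pairs that reach many hosts while the source's
    packets-per-flow ratio stays low. Both defaults are assumed values."""
    dsts = defaultdict(set)               # (src, dport) -> unique destination hosts
    totals = defaultdict(lambda: [0, 0])  # src -> [flow count, packet count]
    for src, dst, dport, proto, packets in flows:
        if proto != "tcp":
            continue
        dsts[(src, dport)].add(dst)
        totals[src][0] += 1
        totals[src][1] += packets
    hits = {}
    for (src, dport), hosts in dsts.items():
        n_flows, n_packets = totals[src]
        ratio = n_packets / n_flows       # packets per flow for this source address
        if len(hosts) >= flow_threshold and ratio <= max_ratio:
            hits[(src, dport)] = {"unique_dsts": len(hosts), "ratio": round(ratio, 2)}
    return hits

if __name__ == "__main__":
    for (src, dport), info in find_light_scanners(sample_flows()).items():
        print(f"{src} port {dport}: {info['unique_dsts']} hosts, "
              f"{info['ratio']}:1 packets per flow")
```

The busy client at 10.0.0.201 touches just as many hosts as the scanner but is not flagged, because its packets-per-flow ratio is far above the limit; this is why the threshold and the ratio are tuned together.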
Gone are the days when you would happen upon traffic that looked suspicious. With Scrutinizer v7.3 and Flow Analytics you are now alerted to possible suspicious activity on your network.
I will be blogging about all of the new features and reports available in Scrutinizer v7.3 in the upcoming days, so be sure to check in.