Consider this: a customer calls in and says that a workstation on his network was scanning the entire corporate network, and asks how he can be alerted on this type of behavior. The behavior wasn’t exactly malicious; someone had installed an inventory application on their desktop, and it was sweeping the entire network with SNMP scans.

So, no, it wasn’t malicious activity, but that sort of network discovery was also not something that individual was authorized to do on their network.

Using Scrutinizer NetFlow and sFlow Analyzer, he asked how he could detect that sort of network traffic.

The Flow Analytics algorithms constantly check for what we consider malicious behaviors, or network traffic consistent with misconfigured servers or applications. This traffic did not fit any of the patterns those algorithms look for. But the workstation was sending SNMP (and other) packets to many, many other IP addresses on the network, and since every distinct source/destination/port combination is exported as its own flow, that workstation would be generating an unusually high number of flows per interval. That count is something we can set a threshold on.

In Scrutinizer v7.7, we have the ability to set report thresholds on a per-row or report-total basis. For this situation, a per-row threshold fits the bill perfectly. So let’s see how we do that with our NetFlow Traffic Analyzer.

Setting a Report Threshold

  1. Using the Report Wizard from the Status page, add filters for the devices and interfaces that we want to monitor for this purpose.
  2. Report thresholds are evaluated on Inbound traffic and run every 5 minutes along with the Flow Analytics algorithms, so the report must be built with the Inbound direction and the 5-minute interval selected. For this example we want the Host Flows report.
  3. Now we need to save the report. Give the report a name (overwriting UNSAVED) and then save it.
  4. Once you have the saved report, you can set the report threshold. From the Add New Filter dropdown list, select Inbound Threshold. Here you have two options, Total or Per row. Total sets the threshold on the entire report total; Per row, in our case, sets it per host, since each row of the Host Flows report is one host. For my test data, I set the threshold value to > 10 K in 5 min, Per row. If any single host generates more than 10K flows in 5 minutes, the network traffic analyzer raises an alarm.
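To make concrete what a per-row versus total threshold does with Host Flows data, here is a small Python model of the evaluation. It is an added example, not Scrutinizer’s own code: the flow records and the limits are constructed for it (the real threshold of > 10K flows in 5 minutes is scaled down to > 100 to fit the tiny sample), and it also covers the byte-volume variant that catches large downloads.

```python
# Added example (not Scrutinizer code): how a per-row vs. total threshold on a
# Host Flows-style report behaves over a 5-minute interval. The flow records
# below are constructed for this example; the limits are scaled down to fit them.
from collections import defaultdict
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)   # thresholds run every 5 minutes, like Flow Analytics


def parse_flow(line):
    """Parse one constructed record: start_time,src,dst,proto,dst_port,bytes."""
    ts, src, dst, proto, dport, nbytes = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}


def interval_start(ts, interval=INTERVAL):
    """Floor a timestamp to the start of its interval so rows group per 5 minutes."""
    epoch = datetime(1970, 1, 1)
    secs = int((ts - epoch).total_seconds())
    step = int(interval.total_seconds())
    return epoch + timedelta(seconds=secs - secs % step)


def host_report(flows, metric="flows"):
    """Build the rows of a host report keyed by (interval, source host).

    metric="flows" counts flow records (the scan case); metric="bytes" sums
    bytes (the large-download case). Either is the per-row value a report
    threshold is compared against.
    """
    rows = defaultdict(int)
    for f in flows:
        rows[(interval_start(f["ts"]), f["src"])] += 1 if metric == "flows" else f["bytes"]
    return dict(rows)


def evaluate_threshold(rows, limit, mode="per_row"):
    """Return the alarms a '> limit' threshold would raise.

    mode="per_row": one alarm for every (interval, host) row above the limit.
    mode="total":   one alarm when the whole report total for an interval is above it.
    """
    alarms = []
    if mode == "per_row":
        for (start, host), value in sorted(rows.items()):
            if value > limit:
                alarms.append({"interval": start, "host": host, "value": value})
    elif mode == "total":
        totals = defaultdict(int)
        for (start, _host), value in rows.items():
            totals[start] += value
        for start, value in sorted(totals.items()):
            if value > limit:
                alarms.append({"interval": start, "host": None, "value": value})
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return alarms


def build_sample():
    """Constructed flow records for one 5-minute window (not real customer data)."""
    base = datetime(2010, 10, 19, 10, 0, 0)
    lines = []
    # 10.1.1.50 runs an inventory tool: one SNMP (UDP/161) flow to every host in 10.1.2.0/24.
    for i in range(1, 255):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()},10.1.1.50,10.1.2.{i},udp,161,80")
    # 10.1.1.20 is an ordinary workstation: a few HTTPS flows.
    for i in range(5):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()},10.1.1.20,203.0.113.{i + 1},tcp,443,15000")
    # 10.1.1.10 serves one large file: few flows, many bytes.
    for i in range(3):
        lines.append(f"{(base + timedelta(seconds=60 * i)).isoformat()},10.1.1.10,10.1.1.20,tcp,445,40000000")
    return lines


def run_sample():
    """Apply three thresholds to the constructed data and return the alarms."""
    flows = [parse_flow(line) for line in build_sample()]
    return {
        # Per row on flow count: only the scanning workstation trips it.
        "scan": evaluate_threshold(host_report(flows, "flows"), limit=100, mode="per_row"),
        # Total on flow count: one alarm for the interval, no host named.
        "total": evaluate_threshold(host_report(flows, "flows"), limit=100, mode="total"),
        # Per row on bytes: only the file server trips it.
        "download": evaluate_threshold(host_report(flows, "bytes"), limit=100_000_000, mode="per_row"),
    }


if __name__ == "__main__":
    for name, alarms in run_sample().items():
        for a in alarms:
            print(f"{name}: interval {a['interval']:%H:%M} host {a['host']} value {a['value']}")
```

The scanner stands out because a sweep produces one flow per destination, so its row count dwarfs the handful of flows a normal workstation generates; a per-row threshold names the host, while a total threshold only tells you the interval was noisy. A 5-minute flow count is a coarse signal, though: a chatty application (DNS, monitoring polls) on a busy server can inflate it, so baseline your own hosts before picking the limit and wiring the alarm to syslog or email.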

Scrutinizer can also be configured to send a syslog message for each of these alarms to a syslog server, which in turn could email an alert to the network management team.

Another frequent use of report thresholds is to monitor the amount of traffic a host is generating (bytes rather than flows), which would alert the network team to a large download, streaming audio or video, and so on.

If you have any further questions regarding configuring the report thresholds or its application, please don’t hesitate to contact Plixer International at (207) 32-8805.

Update, October 19, 2010:

You also need to make sure that the Custom Reports Thresholds algorithm is enabled in the Flow Analytics Overview gadget in MyView.  Otherwise the report thresholds are not processed.


Joanne Ghidoni

Joanne is a Software Quality Assurance Engineer at Plixer. She has also held positions as Technical Support Engineer and Sales Engineer since joining Plixer in 2005. Prior to joining Plixer, Joanne held numerous positions in the IT field, including data entry, computer operator, PC coordinator and support, mainframe programmer, and Technical Support and web programmer at Cabletron Systems. In her spare time, Joanne enjoys traveling, always seeking out new and interesting places to visit.
