Consider this: a customer calls in and says that a workstation on his network was scanning the entire corporate network, and asks how he can be alerted to this type of behavior. The behavior wasn't exactly malicious; someone had installed an inventory application on their desktop which scanned the entire network with SNMP.
So, no, it wasn't malicious activity, but that sort of network discovery was also not authorized for that individual on their network.
He was using Scrutinizer NetFlow and sFlow Analyzer, and asked how he could detect that sort of network traffic.
The Flow Analytics algorithms constantly check for behaviors we consider malicious, or for traffic consistent with misconfigured servers or applications. This traffic did not fit any of the patterns those algorithms filter on. But the workstation was sending SNMP (and other) packets to many, many other IP addresses on the network, and since a flow record is keyed on the source/destination pair and ports, every new destination it touched produced a new flow. That generates a very high number of flows per interval for that single workstation, which is something we can key on.
In Scrutinizer v7.7 we can set report thresholds on a per-row or report-total basis. For this situation a per-row threshold fits the bill perfectly. So let's see how we do that with our NetFlow Traffic Analyzer.
Setting a Report Threshold
- Using the Report Wizard from the Status page, add filters for the devices and interfaces you want to monitor for this purpose.
- The report threshold is based on Inbound, and runs every 5 minutes along with the Flow Analytics algorithms, so the report must be set to Inbound with a 5-minute interval for the threshold to be evaluated. For this example we want the Host Flows report, which has one row per host with the number of flows that host generated.
- Now save the report: give it a name (overwriting UNSAVED) and save.
- Once the report is saved, you can set the report threshold. From the Add New Filter drop-down list select Inbound Threshold. Here you have two options, Total or Per row. Total applies the threshold to the entire report total; Per row, in our case, applies it per host, since that is what each row represents. For my test data I set the threshold to > 10 K in 5 min Per row. If any single host generates more than 10K flows in 5 minutes, the network traffic analyzer raises an alarm. Pick the value from what the same report shows for your busiest legitimate hosts (DNS servers, proxies, monitoring servers routinely show high per-row flow counts), or filter those hosts out of the report, or the threshold will fire on normal traffic.
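To make the per-row versus total distinction concrete, here is an added example written for this post in plain Python; it is not Scrutinizer code and does not read Scrutinizer's database. It buckets constructed flow records into 5-minute intervals, builds the same host-to-flow-count rows a Host Flows report would show, and applies a "> 10 K in 5 min" threshold either per row or to the total. All addresses (a scanning workstation at 10.1.1.50 sweeping 10.2.0.0/16 with SNMP, plus some background hosts) are made up for the example.

```python
"""Per-row vs. total flow thresholds over 5-minute intervals.

Added illustration, not Scrutinizer code. It reproduces the report
threshold logic described above on constructed sample data so the
difference between a per-row (per host) and a total threshold is visible.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)
EPOCH = datetime(1970, 1, 1)


def constructed_flows():
    """Constructed sample flow records (not real customer data).

    One workstation (10.1.1.50, an assumed address) sweeps 10.2.0.0/16 with
    SNMP (UDP/161) in the first interval and is quiet in the second; thirty
    other hosts carry ordinary HTTPS traffic. Each record is
    (timestamp, src_ip, dst_ip, proto, dst_port).
    """
    base = datetime(2010, 10, 19, 9, 0, 0)
    flows = []
    # 12,000 distinct destinations inside one 5-minute interval: above 10K.
    for i in range(12000):
        dst = f"10.2.{i // 256}.{i % 256}"
        flows.append((base + timedelta(seconds=i % 300), "10.1.1.50", dst, "udp", 161))
    # Background: 30 hosts, 5 flows each, to one internal web server.
    for h in range(30):
        for j in range(5):
            flows.append((base + timedelta(seconds=10 * j),
                          f"10.1.1.{100 + h}", "10.1.0.10", "tcp", 443))
    # Second interval: the scanner only touches 200 hosts, below threshold.
    for i in range(200):
        flows.append((base + INTERVAL + timedelta(seconds=i),
                      "10.1.1.50", f"10.2.5.{i % 256}", "udp", 161))
    return flows


def bucket_flows(flows, interval=INTERVAL):
    """Group flow records into fixed intervals keyed by bucket start time."""
    buckets = defaultdict(list)
    for rec in flows:
        n = (rec[0] - EPOCH) // interval      # integer index of the interval
        buckets[EPOCH + n * interval].append(rec)
    return dict(sorted(buckets.items()))


def host_flows(bucket):
    """Per-row view of one interval: (flow count, distinct destinations) per source host."""
    rows = defaultdict(lambda: {"flows": 0, "dsts": set()})
    for _, src, dst, _, _ in bucket:
        rows[src]["flows"] += 1
        rows[src]["dsts"].add(dst)
    return {src: (v["flows"], len(v["dsts"])) for src, v in rows.items()}


def check_thresholds(bucket_start, bucket, per_row=None, total=None):
    """Return alarms for one interval as (kind, bucket_start, host, flows).

    per_row: fire for any host row with more flows than this value.
    total:   fire if the whole report's flow count exceeds this value.
    Both are strict '>' comparisons, matching the '> 10 K in 5 min' setting.
    """
    alarms = []
    if total is not None and len(bucket) > total:
        alarms.append(("total", bucket_start, None, len(bucket)))
    if per_row is not None:
        for src, (count, _ndst) in host_flows(bucket).items():
            if count > per_row:
                alarms.append(("per_row", bucket_start, src, count))
    return alarms


def run(flows, per_row=10_000, total=None):
    """Evaluate the threshold over every 5-minute interval in the data."""
    alarms = []
    for start, bucket in bucket_flows(flows).items():
        alarms.extend(check_thresholds(start, bucket, per_row, total))
    return alarms


if __name__ == "__main__":
    flows = constructed_flows()
    for kind, start, host, count in run(flows, per_row=10_000):
        print(f"{start:%H:%M} {kind:8} host={host} flows={count}")
    for kind, start, host, count in run(flows, per_row=None, total=10_000):
        print(f"{start:%H:%M} {kind:8} host={host} flows={count}")
```

Run as-is, the per-row threshold fires once, naming 10.1.1.50 with 12,000 flows in the 09:00 interval, and stays quiet for the 09:05 interval where the same host only touched 200 addresses. The total threshold also fires on the first interval (12,150 flows), but it cannot tell you which host is responsible; that is why Per row is the right choice for catching a single scanning workstation.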
Scrutinizer can also generate syslog messages for these alarms and send them to a syslog server, which could in turn email the network management team.
Another frequent use of report thresholds is to monitor the amount of traffic a host generates, alerting the network team to a large download, streaming audio or video, and so on.
If you have any further questions regarding configuring the report thresholds or its application, please don’t hesitate to contact Plixer International at (207) 32-8805.
Update, October 19, 2010:
You also need to make sure that the Custom Reports Thresholds algorithm is enabled in the Flow Analytics Overview gadget in MyView; otherwise the report thresholds are not processed and no alarms will be generated.