[Nfsen-discuss] Adding security intelligence to NFsen (netflow based IDS)
Netflow visualisation and investigation tool
From: Tristan R. <Tri...@we...> - 2006-08-03 16:23:42
We use a tool called "FlowTools" that was created by some local people that analyzes netflow data and tries to identify security violations. Here are some of the detections that the system is looking for:

- Virus/Scanning Machines
- Peer-2-Peer Machines
- Possible BotNet Zombies
- SSH Brute-force Monitor
- Slammer Attack Monitor
- Netbios Attack Monitor
- RDP Scanning Monitor
- Outgoing Mail/Spam Monitor
- Top Darknet Scanned Ports

With this current system, it looks for these violations in the past 5 minutes of flow data. I assume it was set up with a short time period to reduce the amount of data processing. In order to reduce false positives, the system assigns a number value that correlates to the probability of an actual problem.

We have found that this tool is the most common way we identify problem machines. We still use NFsen after we have discovered the incident, which NFsen is very useful for.

Is there any interest or progress being made to add a similar functionality to NfSen? I have talked to the creator and he is willing to share the code that identifies security violations, but the flow-processing engine in the tool is not open source. (That engine may not be necessary, since we have nfdump.) Anyway, it will take some coding (which I cannot provide) to make use of this functionality.

Regards,

Tristan Rhodes
Weber State University
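The detections described above (windowed flow analysis, per-host heuristics such as SSH brute-force and scanning, and a probability-style score instead of a hard alert) can be illustrated with a small detector over flow records. The following is an added example, not FlowTools code and not part of NfSen or nfdump. It assumes a simplified, constructed CSV layout (`ts,src,dst,dport,proto,pkts`) rather than nfdump's real `-o csv` columns, keeps only the last 5 minutes of records, and scores two of the listed monitors: many short TCP flows to port 22 from one source (brute-force), and one source touching many distinct destinations on one port with tiny flows (scanning). The thresholds, the `full_score_at` parameters and the sample addresses are constructed for the example.

```python
"""Windowed netflow heuristics with a 0..1 score per suspect (added example)."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

WINDOW = timedelta(minutes=5)  # same 5-minute look-back as the tool described in the post


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    pkts: int


def parse_flows(csv_text):
    """Parse the simplified CSV (ts,src,dst,dport,proto,pkts).

    This column layout is constructed for the example; real nfdump CSV output
    carries many more columns and would need a different reader."""
    return [
        Flow(datetime.fromisoformat(r["ts"]), r["src"], r["dst"],
             int(r["dport"]), r["proto"], int(r["pkts"]))
        for r in csv.DictReader(StringIO(csv_text))
    ]


def in_window(flows, end=None):
    """Keep only flows that started within WINDOW before `end` (default: newest flow)."""
    if not flows:
        return []
    end = end or max(f.ts for f in flows)
    return [f for f in flows if end - WINDOW < f.ts <= end]


def score_ssh_bruteforce(flows, full_score_at=40):
    """Per source: count short TCP flows to port 22 (a failed login is a short flow).

    Score ramps linearly to 1.0 at `full_score_at` flows; sources under 0.25 are
    dropped so a handful of normal logins never surfaces as an alert."""
    attempts = defaultdict(int)
    for f in flows:
        if f.proto == "TCP" and f.dport == 22 and f.pkts <= 30:
            attempts[f.src] += 1
    scores = {src: min(n / full_score_at, 1.0) for src, n in attempts.items()}
    return {src: round(s, 2) for src, s in scores.items() if s >= 0.25}


def score_scanner(flows, full_score_at=50):
    """Per (source, dport): count distinct destinations reached with tiny flows (<= 2 packets).

    Tiny flows to many hosts on one port is the shape of a sweep; large flows are ignored."""
    targets = defaultdict(set)
    for f in flows:
        if f.pkts <= 2:
            targets[(f.src, f.dport)].add(f.dst)
    scores = {k: min(len(v) / full_score_at, 1.0) for k, v in targets.items()}
    return {k: round(s, 2) for k, s in scores.items() if s >= 0.25}


def analyze(csv_text):
    """Run both monitors over the last 5 minutes of the given flow CSV."""
    recent = in_window(parse_flows(csv_text))
    return {"ssh_bruteforce": score_ssh_bruteforce(recent),
            "scanning": score_scanner(recent)}


def sample_flows():
    """Constructed sample: 36 short SSH flows from one source, a port-445 sweep of 40
    hosts from another, a little benign web traffic, and an SSH burst 15 minutes old
    that must fall outside the window."""
    base = datetime(2006, 8, 3, 16, 0, 0)
    rows = ["ts,src,dst,dport,proto,pkts"]

    def add(offset_s, src, dst, dport, proto, pkts):
        ts = (base + timedelta(seconds=offset_s)).isoformat()
        rows.append(f"{ts},{src},{dst},{dport},{proto},{pkts}")

    for i in range(36):
        add(i * 5, "203.0.113.5", "198.51.100.10", 22, "TCP", 6)
    for i in range(40):
        add(i * 3, "203.0.113.7", f"198.51.100.{i + 20}", 445, "TCP", 1)
    for i in range(5):
        add(i * 30, "198.51.100.20", "192.0.2.80", 80, "TCP", 120)
    for i in range(60):
        add(-900 + i, "203.0.113.9", "198.51.100.10", 22, "TCP", 6)  # stale, ignored
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for kind, hits in analyze(sample_flows()).items():
        for key, score in sorted(hits.items(), key=lambda kv: -kv[1]):
            print(f"{kind}: {key} score={score}")
```

Run as-is it reports the SSH source at 0.9 and the 445 sweep at 0.8, and nothing for the web client or the stale burst. The score, rather than a binary hit, is what lets an operator triage by confidence and tune `full_score_at` per campus rather than chase every host that ever touched port 22; in practice the input would come from `nfdump` over the same 5-minute file NfSen already rotates.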