Re: [Nfsen-discuss] Adding security intelligence to NFsen (netflow based IDS)
Netflow visualisation and investigation tool
From: Peter H. <ha...@sw...> - 2006-08-04 05:10:36
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Tristan,

-------- Original Message --------
From: "Tristan RHODES" <Tri...@we...>
To: nfs...@li...
Subject: [Nfsen-discuss] Adding security intelligence to NFsen (netflow based IDS)
Date: Thu Aug 03 2006 18:23:25 GMT+0200 (CEST)

> We use a tool called "FlowTools" that was created by some local people
> that analyzes netflow data and tries to identify security violations.
> Here are some of the detections that the system is looking for:
>
> Virus/Scanning Machines
> Peer-2-Peer Machines
> Possible BotNet Zombies
> SSH Brute-force Monitor
> Slammer Attack Monitor
> Netbios Attack Monitor
> RDP Scanning Monitor
> Outgoing Mail/Spam Monitor
> Top Darknet Scanned Ports
>
> With this current system, it looks for these violations in the past
> 5 minutes of flow data. I assume it was set up with a short time period
> to reduce the amount of data processing. In order to reduce
> false positives, the system assigns a number value that correlates to
> the probability of an actual problem.
>
> We have found that this tool is the most common way we identify problem
> machines. We still use NFsen after we have discovered the incident,
> which NFsen is very useful for.
>
> Is there any interest or progress being made to add a similar
> functionality to Nfsen? I have talked to the creator and he is willing
> to share the code that identifies security violations, but the
> flow-processing engine in the tool is not open source. (That engine may
> not be necessary, since we have nfdump.) Anyway, it will take some
> coding (which I cannot provide) to make use of this functionality.

Of course it will be possible to integrate a feature like that into
nfsen/nfdump. Do you have a pointer to the tool? If the author is willing to
share the code, this would make it a lot easier, of course. If the author
agrees to share his code under a BSD license, you, or the author, could send
me the code and whatever documentation is available. I'll take a look at what
it means to port that to nfdump.

- Peter

> Regards,
>
> Tristan Rhodes
> Weber State University
>
> _______________________________________________
> Nfsen-discuss mailing list
> Nfs...@li...
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/security

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iQCVAwUBRNLWvv5AbZRALNr/AQKNNQP/UOEFPpX+Y7Gqz+wrFcTQql8g9R50pZQF
V7IUQH8yqUq3ZsaMCtUtzxcSQn+wHrXefFqhEBfaoPVlvxsMTYVeMBeE9TKhfgFV
AOX6k+sa9/Erf0yLY2/9oryX7w0qYwnNNKMeVT7Awre/Fj5hR/m51oMR+J9IYycz
cYZRR/5MQS8=
=aiyo
-----END PGP SIGNATURE-----
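The thread describes the shape of such a detector without showing any code: take the last five minutes of flow records, look for patterns such as an SSH brute-force source or a scanning host, and attach a score that stands in for the likelihood of a real problem. The following is an added illustration of that approach, not code from FlowTools, nfdump or NfSen. It parses a constructed, simplified CSV record format (timestamp, source, destination, protocol, destination port, packet count, TCP flags; not nfdump's real output format), restricts to a five-minute window, and scores sources for two of the listed detections. The thresholds, the linear scoring rule, and all sample addresses are assumptions made for the example.

```python
"""Flow-window detector (added example, not FlowTools/nfdump/NfSen code).

Scores each source over the last five minutes of flow data for two of the
detections listed in the thread: SSH brute force and scanning. All input is
constructed for the example; the record format is a simplified CSV, not
nfdump's output.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime   # flow start time
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    flags: str     # TCP flags seen in the flow, e.g. "S" for SYN only


def parse_flows(text):
    """Parse constructed 'ts,src,dst,proto,dport,packets,flags' lines."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, pkts, flags = [x.strip() for x in line.split(",")]
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, proto,
                          int(dport), int(pkts), flags))
    return flows


def in_window(flows, end, minutes=5):
    """Keep only flows that started within the last `minutes` before `end`."""
    start = end - timedelta(minutes=minutes)
    return [f for f in flows if start <= f.ts <= end]


def score_sources(flows, ssh_threshold=20, scan_threshold=50):
    """Return {src: {detector: score}} with scores from 0 to 100.

    ssh_bruteforce: many short TCP flows to port 22 from one source.
    scanner: many distinct (dst, port) targets reached with SYN-only flows.
    The score (an assumed rule) grows linearly with the count and saturates
    at twice the threshold; it is a rough confidence, not a calibrated
    probability.
    """
    ssh_count = defaultdict(int)
    scan_targets = defaultdict(set)
    for f in flows:
        if f.proto != "TCP":
            continue
        if f.dport == 22 and f.packets <= 10:
            ssh_count[f.src] += 1
        if f.flags == "S" and f.packets <= 2:
            scan_targets[f.src].add((f.dst, f.dport))

    def score(n, threshold):
        return min(100, round(100 * n / (2 * threshold)))

    findings = defaultdict(dict)
    for src, n in ssh_count.items():
        if n >= ssh_threshold:
            findings[src]["ssh_bruteforce"] = score(n, ssh_threshold)
    for src, targets in scan_targets.items():
        if len(targets) >= scan_threshold:
            findings[src]["scanner"] = score(len(targets), scan_threshold)
    return dict(findings)


def sample_window():
    """Constructed flow records: one five-minute window plus stale traffic."""
    t0 = datetime(2006, 8, 3, 18, 0, 0)
    lines = ["# ts,src,dst,proto,dport,packets,flags"]
    # benign: a client with two ordinary web sessions
    lines.append(f"{t0 + timedelta(seconds=5)},10.0.0.5,192.0.2.10,TCP,80,40,SPA")
    lines.append(f"{t0 + timedelta(seconds=9)},10.0.0.5,192.0.2.10,TCP,443,120,SPA")
    # an hour-old burst of short SSH flows that must fall outside the window
    for i in range(30):
        lines.append(f"{t0 - timedelta(hours=1, seconds=i)},10.0.0.9,192.0.2.22,TCP,22,6,SPA")
    # 30 short SSH flows from one host to one server inside the window
    for i in range(30):
        lines.append(f"{t0 + timedelta(seconds=10 + i)},10.0.0.7,192.0.2.22,TCP,22,6,SPA")
    # one host sending single SYNs to port 445 on 60 different hosts
    for i in range(60):
        lines.append(f"{t0 + timedelta(seconds=100 + i)},10.0.0.8,192.0.2.{100 + i},TCP,445,1,S")
    return "\n".join(lines)


def run(text, end=None, minutes=5):
    """Parse, window (ending at the newest flow unless given) and score."""
    flows = parse_flows(text)
    end = end or max(f.ts for f in flows)
    return score_sources(in_window(flows, end, minutes))


if __name__ == "__main__":
    for src, result in sorted(run(sample_window()).items()):
        print(src, result)
```

On the constructed sample the windowed run flags 10.0.0.7 as an SSH brute-force source and 10.0.0.8 as a scanner, while the hour-old activity of 10.0.0.9 is dropped by the window; running `score_sources` without the window would flag 10.0.0.9 too, which is the trade-off the short five-minute period buys.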