Re: [Nfsen-discuss] Adding security intelligence to NFsen (netflow based IDS)
Netflow visualisation and investigation tool
Brought to you by:
phaag
From: Maurizio M. <mau...@da...> - 2006-08-07 17:00:53
I'd be interested as well, both in using these algorithms as well as in developing/adapting them. Pointers to existing material are very welcome!

Cheers,
Maurizio

Tristan RHODES wrote:
> We use a tool called "FlowTools" that was created by some local people
> that analyzes netflow data and tries to identify security violations.
> Here are some of the detections that the system is looking for:
>
> Virus/Scanning Machines
> Peer-2-Peer Machines
> Possible BotNet Zombies
> SSH Brute-force Monitor
> Slammer Attack Monitor
> Netbios Attack Monitor
> RDP Scanning Monitor
> Outgoing Mail/Spam Monitor
> Top Darknet Scanned Ports
>
> With this current system, it looks for these violations in the past
> 5 minutes of flow data. I assume it was set up with a short time period
> to reduce the amount of data processing. In order to reduce
> false positives, the system assigns a number value that correlates to
> the probability of an actual problem.
>
> We have found that this tool is the most common way we identify problem
> machines. We still use NFsen after we have discovered the incident,
> which NFsen is very useful for.
>
> Is there any interest or progress being made to add a similar
> functionality to Nfsen? I have talked to the creator and he is willing
> to share the code that identifies security violations, but the
> flow-processing engine in the tool is not open source. (That engine may
> not be necessary, since we have nfdump). Anyway, it will take some
> coding (which I cannot provide) to make use of this functionality.
>
> Regards,
>
> Tristan Rhodes
> Weber State University
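The quoted message describes the shape of such a monitor (a short window of flow records, a few per-host detectors, a numeric score that stands in for the probability of a real problem) without showing any code. The sketch below is an added example written for this thread; it is not code from NfSen, nfdump or the "FlowTools" tool Tristan mentions. It assumes flows have already been exported into a simple record (source, destination, ports, protocol, packet and byte counts, TCP flags), which is what one would get by post-processing nfdump output for a 5-minute slot; the record layout, the two detectors (SSH brute-force and SYN scanning) and all thresholds are assumptions chosen for illustration, and the sample window is constructed in the code.

```python
"""Score hosts in one 5-minute window of flow records (added example, not NfSen/nfdump code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    # One unidirectional flow record; field set and flag notation are assumptions
    # made for this example (flags use nfdump-style letters, e.g. "S" for SYN, "A" for ACK).
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    bytes: int
    flags: str


# Assumed tuning: minimum count before a host is reported at all, and the count at
# which the score saturates at 1.0. Real deployments tune these per network.
SSH_MIN, SSH_SATURATE = 5, 50
SCAN_MIN, SCAN_SATURATE = 10, 100


def ssh_bruteforce_scores(flows):
    """Hosts making many short TCP connections to port 22.

    A completed handshake followed by a rejected password is a handful of packets;
    a real interactive session is hundreds, so small flows are treated as attempts.
    """
    attempts = defaultdict(int)
    for f in flows:
        if f.proto == "TCP" and f.dport == 22 and f.packets <= 10:
            attempts[f.src] += 1
    return {src: min(1.0, n / SSH_SATURATE) for src, n in attempts.items() if n >= SSH_MIN}


def scanner_scores(flows):
    """Hosts sending unanswered SYN probes to many distinct (destination, port) pairs."""
    targets = defaultdict(set)
    for f in flows:
        # SYN set, ACK never set, one or two packets: a probe that got no session.
        if f.proto == "TCP" and f.packets <= 2 and "S" in f.flags and "A" not in f.flags:
            targets[f.src].add((f.dst, f.dport))
    return {src: min(1.0, len(t) / SCAN_SATURATE) for src, t in targets.items() if len(t) >= SCAN_MIN}


def analyze(flows):
    """Run every detector over one window; each returns {source_ip: score in (0, 1]}."""
    return {
        "ssh_bruteforce": ssh_bruteforce_scores(flows),
        "scanner": scanner_scores(flows),
    }


def build_sample():
    """Constructed 5-minute window: one brute-forcer, one scanner, some benign traffic."""
    flows = []
    # 10.0.0.5: 30 short, completed SSH connections to one server (password guessing).
    for i in range(30):
        flows.append(Flow("10.0.0.5", "192.0.2.10", 40000 + i, 22, "TCP", 4, 240, ".AP.SF"))
    # 10.0.0.7: 3 long SSH sessions, a normal admin.
    for i in range(3):
        flows.append(Flow("10.0.0.7", "192.0.2.10", 50000 + i, 22, "TCP", 500, 60000, ".AP.SF"))
    # 10.0.0.9: 40 SYN-only probes to port 445 on 40 different hosts (scanning).
    for i in range(40):
        flows.append(Flow("10.0.0.9", f"192.0.2.{20 + i}", 3100 + i, 445, "TCP", 1, 60, "....S."))
    # 10.0.0.11: two failed SSH logins, below the reporting minimum.
    for i in range(2):
        flows.append(Flow("10.0.0.11", "192.0.2.10", 52000 + i, 22, "TCP", 4, 240, ".AP.SF"))
    return flows


if __name__ == "__main__":
    for detector, hits in analyze(build_sample()).items():
        for src, score in sorted(hits.items(), key=lambda kv: -kv[1]):
            print(f"{detector:15s} {src:15s} score={score:.2f}")
```

Run on the constructed window this reports 10.0.0.5 under `ssh_bruteforce` with score 0.60 and 10.0.0.9 under `scanner` with score 0.40; the admin host and the two-attempt host are not reported. The score is a saturating ratio rather than a probability estimate, which is enough to rank hosts for a human to look at in NfSen afterwards, exactly the workflow the message describes.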