Re: [Nfsen-discuss] Adding security intelligence to NFsen (netflow based IDS)
Netflow visualisation and investigation tool
From: Tristan R. <Tri...@we...> - 2006-08-18 15:35:41
I am still trying to get final permission to share the code in FlowTools. I will ask the author again, and let him know that there is a community of users who are very interested in contributing to the development of this functionality.

Tristan Rhodes

>>> Chelo Malagon <che...@re...> 08/18/06 2:50 AM >>>
Hello,

Is there anything new, or any progress, related to this subject? As Maurizzio and I think Wim said on the list, I am also interested in such a new functionality (also in helping with the coding).

Cheers,
Chelo

Tristan RHODES wrote:
>We use a tool called "FlowTools" that was created by some local people
>that analyzes netflow data and tries to identify security violations.
>Here are some of the detections that the system is looking for:
>
>Virus/Scanning Machines
>Peer-2-Peer Machines
>Possible BotNet Zombies
>SSH Brute-force Monitor
>Slammer Attack Monitor
>Netbios Attack Monitor
>RDP Scanning Monitor
>Outgoing Mail/Spam Monitor
>Top Darknet Scanned Ports
>
>With this current system, it looks for these violations in the past
>5 minutes of flow data. I assume it was set up with a short time period
>to reduce the amount of data processing. In order to reduce
>false positives, the system assigns a number value that correlates to
>the probability of an actual problem.
>
>We have found that this tool is the most common way we identify problem
>machines. We still use NFsen after we have discovered the incident,
>which NFsen is very useful for.
>
>Is there any interest or progress being made to add a similar
>functionality to Nfsen? I have talked to the creator and he is willing
>to share the code that identifies security violations, but the
>flow-processing engine in the tool is not open source. (That engine may
>not be necessary, since we have nfdump). Anyway, it will take some
>coding (which I cannot provide) to make use of this functionality.
>
>Regards,
>
>Tristan Rhodes
>Weber State University
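As an added illustration of the approach Tristan describes (a 5-minute window of flow records, a per-source score that stands in for the probability of a real problem), here is one way the "SSH Brute-force Monitor" check could be expressed over exported flow records. This is example code written for this thread, not FlowTools or NFsen code; the CSV field layout, the packet-count cut-off and the scoring thresholds are all assumptions, and the flow records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real nfdump/FlowTools output). Each line is
# an assumed, simplified CSV: start-time, src, dst, dst-port, proto, packets, bytes.
SAMPLE_FLOWS = [
    # 30 short TCP/22 flows from one source in under three minutes: failed logins
    f"2006-08-18 10:0{i // 10}:{(i % 10) * 5:02d},203.0.113.5,192.0.2.10,22,tcp,6,420"
    for i in range(30)
] + [
    "2006-08-18 09:50:00,203.0.113.5,192.0.2.10,22,tcp,6,420",       # outside window
    "2006-08-18 10:01:00,198.51.100.7,192.0.2.10,22,tcp,540,61000",  # real admin session
    "2006-08-18 10:02:00,198.51.100.7,192.0.2.10,80,tcp,12,5400",    # not SSH
    "2006-08-18 10:03:00,203.0.113.9,192.0.2.11,22,tcp,4,300",       # few flows, but
    "2006-08-18 10:03:05,203.0.113.9,192.0.2.12,22,tcp,4,300",       # spread over
    "2006-08-18 10:03:10,203.0.113.9,192.0.2.13,22,tcp,4,300",       # several hosts
    "2006-08-18 10:03:15,203.0.113.9,192.0.2.11,22,tcp,4,300",
    "2006-08-18 10:03:20,203.0.113.9,192.0.2.12,22,tcp,4,300",
]

def parse_flow(line):
    ts, src, dst, dport, proto, pkts, nbytes = line.split(",")
    return {"start": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
            "dst": dst, "dport": int(dport), "proto": proto,
            "pkts": int(pkts), "bytes": int(nbytes)}

def score_ssh_bruteforce(flows, window_end, window=timedelta(minutes=5),
                         max_pkts=10, alert_flows=20):
    """Score each source 0..100 by its short TCP/22 flows inside the window.
    A flow of at most max_pkts packets is treated as a failed login; alert_flows of
    them saturate the score, and spraying several hosts adds a bonus (assumed values)."""
    start = window_end - window
    short = defaultdict(list)
    for f in flows:
        if (start <= f["start"] <= window_end and f["proto"] == "tcp"
                and f["dport"] == 22 and f["pkts"] <= max_pkts):
            short[f["src"]].append(f["dst"])
    scores = {}
    for src, dsts in short.items():
        base = min(100, 100 * len(dsts) // alert_flows)     # volume of short flows
        spread = min(20, 10 * (len(set(dsts)) - 1))          # distinct targets hit
        scores[src] = min(100, base + spread)
    return scores

def run(window_end=datetime(2006, 8, 18, 10, 5, 0)):
    """Score the constructed sample over the five minutes ending at window_end."""
    return score_ssh_bruteforce([parse_flow(l) for l in SAMPLE_FLOWS], window_end)
```

The long admin session is excluded by the packet-count cut-off and the 09:50 flow by the window, so only the two noisy sources receive a score; an operator would then set the alert threshold (say, 40) against local false-positive tolerance.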