Hi Kent,

On 2/9/10 2:51 AM, Kent Plummer wrote:
> Greetings nfsen list,
> We have just run up nfsen and are really impressed with the product. Well
> done to all involved.
>
> I'm interested to make further use of the alerting ability of nfsen. What we
> currently see is alerts without much useful information in the alert email
> body. We know an alert has triggered but that's all we know. It would be
> desirable to see which hosts / flows etc actually triggered the alert and the
> number of flows or other metric at the time of the trigger.
>
> An example alert email body:
> Alert '300kFlows' triggered at timeslot 201008311330
>
> An example alert we have set up is an alert on any IP with > 300k flows. We
> get alerts but still don't know who the offending IP is.

Yes - it's a known problem. You can solve that by writing an alert action plugin, which re-processes the flows and lists those, which you are interested in. The plugin is fired every time an alert triggers. See also the plugin writers guide http://nfsen.sourceforge.net/PluginGuide/plugin-guide.html

I should improve that in NfSen 2.0. - I put it on the list.

- Peter

> I see there are other plugins such as ddd that seem to do alerting and I'm
> looking at these now. I welcome any suggestions here.
>
> The end goal is to be able to detect DoS attack-like traffic patterns on the
> network and send useful alerts to an operational team that can then take the
> appropriate action / ACL / RTBH etc.
>
> Thanks in advance for any advice.
>
> Regards,
> Kent

--
Be nice to your netflow data. Use NfSen and nfdump :)
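As an added example (not code from the thread or from the NfSen project), here is an alert action plugin in the shape the plugin guide describes: when NfSen fires it for a triggered alert, it re-runs nfdump on the triggering timeslot and records the top source IPs by flow count, so the report names the offending host. The profile name, source names, output directory and the `$VERSION` constant are assumptions to adapt to your installation.

```perl
package FlowAlertDetail;
use strict;
use warnings;
use Sys::Syslog;
use NfConf;   # NfSen's config module: supplies $NfConf::PROFILEDATADIR and $NfConf::PREFIX

our $VERSION = 130;   # assumption: plugin interface version of the NfSen 1.3 series

# Assumptions (not from the thread): the alert watches profile 'live', whose
# nfcapd files sit under $NfConf::PROFILEDATADIR/live/<source>.
my $PROFILE = 'live';
my @SOURCES = ('upstream1', 'upstream2');
my $TOPN    = 10;
my $OUTDIR  = '/var/tmp/nfsen-alerts';   # assumed directory for the detail reports

sub Init {
    syslog('info', 'FlowAlertDetail: plugin initialised');
    return 1;
}

# Build the nfdump command: -M names the source directories (base/dir1:dir2),
# -r reads the one timeslot file, -s srcip/flows ranks source IPs by flow count.
sub nfdump_cmd {
    my ($timeslot) = @_;
    my $dirs = "$NfConf::PROFILEDATADIR/$PROFILE/" . join(':', @SOURCES);
    return "$NfConf::PREFIX/nfdump -M $dirs -r nfcapd.$timeslot -s srcip/flows -n $TOPN";
}

sub alert_action {
    my $alert    = shift;   # alert name, e.g. '300kFlows'
    my $timeslot = shift;   # yyyymmddHHMM of the triggering slot
    # The timeslot is interpolated into a shell command: accept only the expected shape.
    unless ( $timeslot =~ /^\d{12}$/ ) {
        syslog('err', "FlowAlertDetail: rejected timeslot '$timeslot' for alert '$alert'");
        return 0;
    }
    my @out = `${\ nfdump_cmd($timeslot)} 2>&1`;
    if ( $? != 0 ) {
        syslog('err', "FlowAlertDetail: nfdump failed (rc=" . ($? >> 8) . "): @out");
        return 0;
    }
    mkdir $OUTDIR unless -d $OUTDIR;
    my $report = "$OUTDIR/$alert.$timeslot.txt";
    if ( open my $fh, '>', $report ) {
        print $fh "Alert '$alert' at $timeslot, top $TOPN source IPs by flows:\n", @out;
        close $fh;
    }
    syslog('info', "FlowAlertDetail: alert '$alert' at $timeslot, detail written to $report");
    return 1;   # tell NfSen the action completed
}

1;
```

The report file is what you would hand to the operations team; mailing it is left to whatever mailer your site already uses, since NfSen's own alert mail is sent before the action plugin runs.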