Hi,

we're a smaller ISP and I recently "refreshed" nfsen - being astonished!
First time I get a simply usable environment to take advantage of
netflow -> great stuff!

Well, things weren't easy setting up Plugins PortTrack, Events,
Events_mail, Botnet but finally it works.
I might put some of the pitfalls together regarding these at a later time..


Now I asked myself whether there are some more examples/best-practice
for Alerts (detect Portscans, things "going wild" etc.)?

I haven't found that much so far, surely the right parameters could be
found out tuning myself for weeks, but I'm sure there are some out there
having reasonable Alerts in place where just the numbers might have to
be adjusted..

The ambition is to detect things like large-scale Portscans from
internal and external, internal Hosts doing "strange" things like
trying/sending many SMTP (despite legitimate Servers) out and whatever
one could imagine being unusual traffic.

Any hints appreciated, maybe someone wants to share some rules/alerts ;)


best regards,

Michael

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
