| > It makes sense to select "flows with > 10000 octets". But I don't see how
| > we can select "flows with > 10000 flows".
|
| Ah.. that makes sense.
|
| > Can you describe what info you're actually trying to obtain ?
|
| My flow-capture setup rotates every minute, I'd like to see an alarm if
| there are more than 10k flows for one dest. IP. (DDoS alarm)
|
| How could I setup such an alarm?
One solution might involve flow-report to get "top N local destinations
sorted by number of flows". Then process the output to alarm where any
are more than 10k.
The filter and stat files for flow-report might look like this (untested):
--- begin filter1 ---
filter-primitive my-network
  type ip-address-mask
  permit 62.212.64.0 255.255.224.0
  permit 82.192.64.0 255.255.224.0
  permit 83.149.64.0 255.255.192.0
  default deny

filter-definition incoming
  # flow-nfilter match key for the destination address
  match ip-destination-address my-network
--- end filter1 ---
--- begin stat file ---
include-filter /some/where/filter1

stat-report many_flows
  type ip-destination-address
  filter incoming
  output
    format ascii
    sort +flows
    records 10
    path /some/where/report

stat-definition default
  report many_flows
--- end stat file ---
and invoke:
flow-cat <flows> | flow-report -s <stat file>
which should give the top 10 destinations by number of flows. Then,
process the output to alarm if needed.
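One way to do the "process the output to alarm" step, as an added example that is not part of the original mail: a small sh/awk filter that reads the flow-report ascii output and prints an ALARM line for every destination above the threshold. It assumes the report is comma-separated, that a `# field,field,...` header names the columns when `options +header` is set (otherwise the flow count is taken from the second column, as in the stat file above), and the sample report below is constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original mail). Alarm on destinations whose
# flow count in a flow-report ascii report exceeds a threshold.
# Assumption: records are comma-separated; an optional "# a,b,c" header
# line names the fields, one of them "flows". Without a header the flow
# count is assumed to be the 2nd column (type ip-destination-address).

# Usage: flows_over_threshold <threshold> < report.txt
# Prints "ALARM <dst-ip> <flows>" per offending record; exit status 1 if
# anything was printed, so it can drive a cron or monitoring check.
flows_over_threshold() {
    awk -F, -v thr="$1" '
        # field-name header, e.g. "# ip-destination-address,flows,octets"
        /^# *[a-z-]+(,[a-z-]+)+ *$/ {
            sub(/^# */, "")
            for (i = 1; i <= NF; i++) if ($i == "flows") fcol = i
            next
        }
        /^#/ || NF < 2 { next }             # other comments / blank lines
        {
            col = fcol ? fcol : 2            # fall back to 2nd column
            if (($col + 0) > (thr + 0)) { print "ALARM " $1 " " $col; hit = 1 }
        }
        END { exit hit ? 1 : 0 }'
}

# Constructed sample in flow-report ascii shape (not real data).
SAMPLE_REPORT='# --- ---- ---- Report Information --- --- ---
# Name:      many_flows
#
# ip-destination-address,flows,octets,packets,duration
#
62.212.64.10,15200,9876543,200000,60000
62.212.70.3,9800,1234567,50000,60000
82.192.65.7,12000,2345678,70000,60000'

# Real invocation (paths are placeholders):
#   flow-cat /some/where/ft-* | flow-report -s /some/where/stat \
#     | flows_over_threshold 10000
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_REPORT" | flows_over_threshold 10000
fi
```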
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools