Brown, Robin wrote:
> Anyone using the alerts tab to try and detect port scanning? What kinds
> of things are you using it for?
> I am currently experimenting with creating profiles for detecting anomalies in SMTP traffic (to detect spammers), by using the total flow summaries and by using Holt-Winters.
I think portscanners are hard to pinpoint in the alert page. I think the best way to find them is to look at the flows/bytes ratio per source host (as portscan typically has a large number of flows with a low amount of traffic). This would detect both hosts scanning multiple ports on a single host and hosts scanning a single port on multiple hosts. However, this would require support for aggregation in the alert page, which is something I would like to discuss at the meeting in Zürich.

Werner

> Thanks and regards,
> Robin

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
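The per-source flows/bytes aggregation Werner proposes, worked through as an added example; this is not code from the original thread or from nfsen itself. The flow records are constructed and only loosely shaped like an nfdump CSV export (field order `src,dst,dport,proto,packets,bytes` is an assumption), and the thresholds plus the split into "vertical" (many ports, one host) and "horizontal" (one port, many hosts) scans are assumptions to be tuned per network.

```python
"""Per-source flows/bytes aggregation to spot port scans in flow data.

Added example, not nfsen code. Input is constructed CSV-like text, one flow
per line, that only loosely resembles nfdump CSV output; field order and all
thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    packets: int
    bytes: int


@dataclass
class SourceStats:
    flows: int = 0
    bytes: int = 0
    dst_hosts: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)

    @property
    def bytes_per_flow(self) -> float:
        return self.bytes / self.flows if self.flows else 0.0


def parse_flows(text: str) -> list:
    """Parse 'src,dst,dport,proto,packets,bytes' lines; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, packets, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(dport), int(proto), int(packets), int(nbytes)))
    return flows


def aggregate_by_source(flows: list) -> dict:
    """Collapse flows per source IP: flow count, byte total, distinct targets."""
    stats = defaultdict(SourceStats)
    for f in flows:
        s = stats[f.src]
        s.flows += 1
        s.bytes += f.bytes
        s.dst_hosts.add(f.dst)
        s.dst_ports.add(f.dport)
    return dict(stats)


def flag_scanners(stats: dict, min_flows: int = 50, max_bytes_per_flow: float = 200.0) -> dict:
    """Return {src: kind} for sources with many flows but very little data per flow.

    kind is 'vertical' (many ports on few hosts), 'horizontal' (few ports on
    many hosts) or 'mixed'. The thresholds are assumptions; tune per network.
    """
    suspects = {}
    for src, s in stats.items():
        if s.flows < min_flows or s.bytes_per_flow > max_bytes_per_flow:
            continue  # too few flows, or flows carry real payload: not scan-like
        if len(s.dst_ports) >= 10 and len(s.dst_hosts) < 3:
            suspects[src] = "vertical"
        elif len(s.dst_hosts) >= 10 and len(s.dst_ports) < 3:
            suspects[src] = "horizontal"
        else:
            suspects[src] = "mixed"
    return suspects


def build_sample_flows() -> str:
    """Constructed sample traffic (not a real capture): two scanners, two normal hosts."""
    lines = ["# src,dst,dport,proto,packets,bytes"]
    # 10.0.0.5: one target, 200 ports, one 60-byte SYN each (vertical scan)
    for port in range(1, 201):
        lines.append(f"10.0.0.5,192.168.1.10,{port},6,1,60")
    # 10.0.0.6: 120 targets, port 445 only, 60 bytes each (horizontal scan)
    for host in range(1, 121):
        lines.append(f"10.0.0.6,192.168.1.{host},445,6,1,60")
    # 10.0.0.7: a file-server client, few flows carrying real data
    for i in range(15):
        lines.append(f"10.0.0.7,192.168.1.{20 + i},445,6,400,512000")
    # 10.0.0.8: a busy web client, many flows but each carries kilobytes
    for i in range(80):
        lines.append(f"10.0.0.8,203.0.113.{i % 20 + 1},443,6,12,6000")
    return "\n".join(lines)


def detect(text: str) -> dict:
    """Full pipeline: parse, aggregate per source, flag scan-like sources."""
    return flag_scanners(aggregate_by_source(parse_flows(text)))


if __name__ == "__main__":
    sample = build_sample_flows()
    stats = aggregate_by_source(parse_flows(sample))
    for src, kind in sorted(detect(sample).items()):
        s = stats[src]
        print(f"{src}: {kind} scan, flows={s.flows} bytes/flow={s.bytes_per_flow:.0f} "
              f"hosts={len(s.dst_hosts)} ports={len(s.dst_ports)}")
```

The busy web client (10.0.0.8) has more flows than the horizontal scanner but is not flagged, because its bytes-per-flow is high; that is exactly the ratio Werner's heuristic relies on, and it is why the check needs per-source aggregation rather than a per-flow threshold.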