Dear Teams,

Our team CERT-GOV-GE implemented a free plugin for NFSEN (GABRIEL v0.1.0). This is a testing release and we need your comments and remarks. Here you can see a small description of the plugin:

This plugin detects DDoS attacks and displays the result for each timeslot. Several indices are counted for each timeslot's data and are saved in the database, such as: total bytes sent and received during each timeslot, total packets, number of similar packets (two packets are assumed similar if they are of the same size) and the percentage of the most often repeated packet.

DDoS is detected if the following two conditions are met:

1. Total bytes in this flow are greater than the average number of total bytes during the last $INTERVAL period **times** some coefficient.
2. The percentage of similar packets in this flow is greater than the average of such percentages during the last $INTERVAL period **PLUS** some coefficient.

If either of the above two conditions is not met, no DDoS is detected.

This is mostly a testing release, so these coefficients may be changed according to your needs; see ($INTERVAL, $PERCENTAGE_COEFFICIENT and $BYTE_COEFFICIENT) in gabriel.pm. Increase $INTERVAL if you want to consider older flows when detecting DDoS. Increase $PERCENTAGE_COEFFICIENT and $BYTE_COEFFICIENT if a normal flow is detected as an attack, or decrease them if some attacks are not detected.

We also have an idea about a second version of the plugin, which you can read below:

For each timeslot, detect how many previously unseen IPs were visiting, and save them to the database. If the number of previously unseen IPs in each timeslot is increasing significantly (not slightly), detect that an anomaly is happening. This anomaly may be a DDoS attack or may be a flash event. In the case of an anomaly, we assess the behavior of these IPs and decide if it's an attack or not. In each timeslot, we sort the IPs according to the date of their first visit. Older IPs have more trust and previously unseen IPs have less trust from us. So, we compare the behavior of older and newer IPs, and if new IPs are consuming significantly more resources than older (trusted) IPs, then it's probably a DDoS; otherwise it's just a flash event.

You can download the plugin from GitHub or see the attached file: https://github.com/CERT-GOV-GE/gabriel

If you have any questions please do not hesitate to contact us:
dkvata...@dea.gov.ge - CERT-GOV-GE Manager
ndarja...@dea.gov.ge - CERT-GOV-GE Senior Programmer

Thank you in advance!

With best regards,
David Kvatadze
CERT-GOV-GE Manager
LEPL DATA EXCHANGE AGENCY
Ministry of Justice of Georgia
Tbilisi, Georgia 0102
2, St. Nikoloz/N. Chkheidze Str.
Tel: (+995 32) 2 915-140
Mobile: (+995) 599-252-113
E-mail: dkvata...@dea.gov.ge
gabriel-0.1.0.tar.gz
Description: GNU Zip compressed data
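The two heuristics in the post, worked through on constructed traffic as an added example; this is not code from the GABRIEL plugin (whose logic lives in Perl, in gabriel.pm) but a Python re-statement of the rules as described. The tunable names mirror the parameters the post mentions ($INTERVAL, $BYTE_COEFFICIENT, $PERCENTAGE_COEFFICIENT); their values, the NEW_IP_GROWTH and RESOURCE_RATIO thresholds for the second-version idea, the flow tuples, and the reading of "number of similar packets" as the packets sharing the most frequent size are all assumptions made for the demo.

```python
"""Constructed demonstration of the two GABRIEL heuristics described above.

Each flow record is a constructed (src_ip, packets, bytes) tuple standing in
for one aggregated flow record of a timeslot. Threshold values are assumptions
for this demo, not the plugin's defaults.
"""
from collections import Counter, defaultdict, deque
from statistics import mean

INTERVAL = 5                   # how many previous timeslots form the baseline
BYTE_COEFFICIENT = 3.0         # condition 1: bytes > avg(bytes) * coefficient
PERCENTAGE_COEFFICIENT = 20.0  # condition 2: pct > avg(pct) + coefficient (points)
NEW_IP_GROWTH = 3.0            # v2 idea, assumed: unseen-IP count > 3x baseline is "significant"
RESOURCE_RATIO = 2.0           # v2 idea, assumed: new IPs using > 2x bytes/IP of old IPs


def timeslot_stats(flows):
    """Indices stored per timeslot: total bytes, total packets, number of similar
    packets and the share of the most often repeated packet size.
    Interpretation used here (assumption): packets are 'similar' when they have
    the same size (bytes/packets of their flow, rounded), and 'similar packets'
    counts the packets of the most frequent size."""
    total_bytes = sum(b for _, _, b in flows)
    total_packets = sum(p for _, p, _ in flows)
    per_size = Counter()
    for _, packets, nbytes in flows:
        if packets:
            per_size[round(nbytes / packets)] += packets
    similar = max(per_size.values(), default=0)
    pct = 100.0 * similar / total_packets if total_packets else 0.0
    return {"bytes": total_bytes, "packets": total_packets,
            "similar_packets": similar, "similar_pct": pct}


def is_ddos(history, current):
    """v0.1.0 rule: both conditions must hold against the last INTERVAL timeslots."""
    window = history[-INTERVAL:]
    if not window:  # no baseline yet, nothing to compare against
        return False
    avg_bytes = mean(s["bytes"] for s in window)
    avg_pct = mean(s["similar_pct"] for s in window)
    bytes_spike = current["bytes"] > avg_bytes * BYTE_COEFFICIENT
    pct_spike = current["similar_pct"] > avg_pct + PERCENTAGE_COEFFICIENT
    return bytes_spike and pct_spike


class FirstSeenTracker:
    """Sketch of the proposed second version: trust grows with the age of an IP."""

    def __init__(self):
        self.first_seen = {}                      # ip -> timeslot of first visit
        self.new_counts = deque(maxlen=INTERVAL)  # unseen-IP counts of recent slots

    def classify(self, slot, flows):
        new_ips = {ip for ip, _, _ in flows if ip not in self.first_seen}
        for ip in new_ips:
            self.first_seen[ip] = slot
        verdict = "normal"
        baseline = mean(self.new_counts) if self.new_counts else None
        if baseline is not None and len(new_ips) > max(1.0, baseline) * NEW_IP_GROWTH:
            # anomaly: compare resource use of newcomers against older, trusted IPs
            by_ip = defaultdict(int)
            for ip, _, nbytes in flows:
                by_ip[ip] += nbytes
            old = [b for ip, b in by_ip.items() if ip not in new_ips]
            new = [by_ip[ip] for ip in new_ips]
            if old and new and mean(new) > mean(old) * RESOURCE_RATIO:
                verdict = "ddos"
            else:
                verdict = "flash_event"
        self.new_counts.append(len(new_ips))
        return verdict


# Constructed sample traffic (documentation address ranges, not real hosts).
NORMAL_FLOWS = [("10.0.0.1", 10, 5000), ("10.0.0.2", 8, 9600),
                ("10.0.0.3", 12, 7200), ("10.0.0.4", 5, 2000),
                ("10.0.0.5", 15, 1500)]
# Flash event: 20 unseen clients, each a few packets of differing size.
FLASH_FLOWS = NORMAL_FLOWS + [(f"198.51.100.{i}", 4, 1600 + 100 * i) for i in range(1, 21)]
# Flood: 20 unseen sources, each 1000 packets of 64 bytes.
ATTACK_FLOWS = NORMAL_FLOWS + [(f"203.0.113.{i}", 1000, 64000) for i in range(1, 21)]


def run_demo():
    """Run both detectors over five normal slots, a flash event and a flood."""
    history = [timeslot_stats(NORMAL_FLOWS) for _ in range(INTERVAL)]
    v1 = {"flash": is_ddos(history, timeslot_stats(FLASH_FLOWS)),
          "attack": is_ddos(history, timeslot_stats(ATTACK_FLOWS))}
    tracker = FirstSeenTracker()
    slots = [NORMAL_FLOWS] * INTERVAL + [FLASH_FLOWS, ATTACK_FLOWS]
    v2 = [tracker.classify(i, flows) for i, flows in enumerate(slots)]
    return v1, v2


if __name__ == "__main__":
    print(run_demo())
```

The flash-event slot is the instructive case: its total bytes do exceed the baseline times $BYTE_COEFFICIENT, but the similar-packet share stays low because the new clients send packets of differing sizes, so the v0.1.0 rule correctly stays quiet, while the flood trips both conditions. The tracker shows the second-version idea separating the same two slots by comparing bytes per IP of newcomers against the older IPs.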
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss