I'd recommend taking a look at some of the threads on the Argus mailing list 
regarding the "App Byte Ratio".  I think the equation is:  
(src_payload_bytes - dest_payload_bytes) / (src_payload_bytes + 
dest_payload_bytes).

So, an FTP put where all of the payload data is from the client to the server 
would make that client a "producer" of data  (app byte ratio of 1).  An FTP get 
where all of the payload data is from the server to the client (app byte ratio 
of -1) would make the client a "consumer" of data.

Most hosts are typically either producers or consumers of data for a particular 
port/protocol.  When a desktop that is normally a consumer of HTTP is 
compromised by APT1, it starts uploading a ton of data over HTTP.  Identifying 
when a machine or a subnet transitions from a consumer to a producer is a good 
indicator of compromise.

There is some discussion of it here:

http://mbrownnyc.wordpress.com/2013/05/21/anomaly-detection-creating-baselines-and-determining-statistical-outliers-in-argus-data/

C
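The producer/consumer check described above, as an added example that is not part of the original message or of the Argus or redBorder projects. It computes the app byte ratio from per-flow application-layer byte counts, aggregates it per (source host, destination port) over a baseline window and a current window, and flags hosts whose role flips from consumer to producer on a given port. The column names sappbytes/dappbytes are assumed to match what `ra -s stime saddr daddr dport sappbytes dappbytes -c ,` prints; the flow records themselves are constructed, as are the thresholds and the baseline cut-off date.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), in the comma-separated
# shape assumed for `ra -s stime saddr daddr dport sappbytes dappbytes -c ,`.
# sappbytes/dappbytes = application (payload) bytes sent by src / by dst.
# 10.1.1.20 is an ordinary HTTP consumer that, on 2013-11-14, starts pushing
# megabytes out over port 80; 10.1.1.21 stays a consumer throughout.
SAMPLE_FLOWS = """\
stime,saddr,daddr,dport,sappbytes,dappbytes
2013-11-01,10.1.1.20,93.184.216.34,80,420,48000
2013-11-02,10.1.1.20,93.184.216.34,80,380,61000
2013-11-03,10.1.1.20,198.51.100.7,80,510,73000
2013-11-01,10.1.1.21,93.184.216.34,80,400,52000
2013-11-02,10.1.1.21,93.184.216.34,80,390,49000
2013-11-03,10.1.1.21,198.51.100.7,80,450,55000
2013-11-01,10.1.1.20,192.0.2.10,21,120000,0
2013-11-14,10.1.1.20,203.0.113.9,80,5200000,1800
2013-11-14,10.1.1.20,203.0.113.9,80,4100000,2100
2013-11-14,10.1.1.21,93.184.216.34,80,410,58000
"""

BASELINE_END = "2013-11-07"  # assumed cut-off: records on/before this form the baseline


def app_byte_ratio(src_bytes, dst_bytes):
    """(src - dst) / (src + dst): +1 = pure producer, -1 = pure consumer.

    Returns None when neither side sent payload, since the ratio is undefined
    (a TCP handshake with no data, for instance) and must not be scored."""
    total = src_bytes + dst_bytes
    if total == 0:
        return None
    return (src_bytes - dst_bytes) / total


def parse_flows(text):
    """Parse the CSV text into a list of dicts with integer byte/port fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for field in ("dport", "sappbytes", "dappbytes"):
            rec[field] = int(rec[field])
        flows.append(rec)
    return flows


def aggregate(flows, keep):
    """Sum payload bytes per (saddr, dport) over the flows that `keep` selects,
    then turn each sum into one app byte ratio for that host/port."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if keep(f):
            t = totals[(f["saddr"], f["dport"])]
            t[0] += f["sappbytes"]
            t[1] += f["dappbytes"]
    return {k: app_byte_ratio(s, d) for k, (s, d) in totals.items()}


def role(ratio, threshold=0.5):
    """Label a ratio: strongly positive = producer, strongly negative = consumer."""
    if ratio is None:
        return "idle"
    if ratio >= threshold:
        return "producer"
    if ratio <= -threshold:
        return "consumer"
    return "mixed"


def find_role_flips(flows, baseline_end, threshold=0.5):
    """Return (host, port, baseline_ratio, current_ratio) for every host/port
    that was a consumer in the baseline window and is a producer afterwards.
    ISO dates compare correctly as strings, so no datetime parsing is needed."""
    baseline = aggregate(flows, lambda f: f["stime"] <= baseline_end)
    current = aggregate(flows, lambda f: f["stime"] > baseline_end)
    flips = []
    for key, cur_ratio in current.items():
        if key not in baseline:
            continue  # no history for this host/port: nothing to compare against
        if role(baseline[key], threshold) == "consumer" and role(cur_ratio, threshold) == "producer":
            flips.append((key[0], key[1], round(baseline[key], 3), round(cur_ratio, 3)))
    return sorted(flips)


if __name__ == "__main__":
    for host, port, before, after in find_role_flips(parse_flows(SAMPLE_FLOWS), BASELINE_END):
        print(f"{host} dport {port}: app byte ratio {before} -> {after} (consumer -> producer)")
```

On the sample data only 10.1.1.20 on port 80 is reported (baseline ratio about -0.986, current about 0.999); the FTP put on port 21 scores 1.0 but has no post-baseline flows, and 10.1.1.21 never leaves the consumer band. The ±0.5 threshold and the per-(host, port) aggregation are choices made for this example; on real data you would pick the baseline window and threshold from the distribution the blog post linked below describes, and aggregate per subnet as well as per host.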

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Jaime Nebrera
Sent: Thursday, November 14, 2013 3:44 AM
To: [email protected]
Subject: [Ntop-misc] Netflow correlation rules

   Hi all,

   We are just adding the correlation engine to our upcoming open source 
redBorder Flow platform and would be interested in hearing from you guys 
interesting ideas on how to apply correlation rules that are specific to 
netflow area in order to detect weird stuff.

   Things that come to my mind:

   * Link saturation or loss
   * DDoS
   * Botnets / malware
   * Portscan, ip sweeps
   * Connection to bad reputation sites
   * Change in user behaviour (from client typical usage to server typical 
usage)
   * Activation of privileged ports in client machines
   * Too much jitter / latency
   * ...

   I don't know, any idea or suggestion is really welcomed. We would appreciate 
links to sources of information too.

   Regards

--
Jaime Nebrera - [email protected] Consultor TI - ENEO Tecnologia SL 
C/ Manufactura 2, Edificio Euro, Oficina 3N Mairena del Aljarafe - 41927 - 
Sevilla
Telf.- 955 60 11 60 / 619 04 55 18

_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
