Hi,
I'll begin with some background info: our setup
has a central collector running flow-fanout and flow-capture, with flow-fanout
sending flows to multiple development/testing servers. I've read in
a previous post that flow-fanout can't maintain the sequence numbers, and
as a result,
Use the ip-exporter-address match type with flow-nfilter. So a filter file
might have the following primitives and definitions:
filter-primitive routerA
  type ip-address
  permit 10.0.1.1

filter-primitive routerB
  type ip-address
  permit 10.0.2.1
My understanding of flow-stat -f 11 is that it displays both source
and destination IP addresses, so the following:
flow-cat ft- | flow-stat -f 11 | grep 192.168.
will show all entries where the source or the destination IP contains
192.168. This is different to in/out traffic. For In
I do something similar, and rely on known ports. Rather than using
the list of known ports as in /etc/services, it's more useful to
construct our own list of known ports based on what is actually used on
our network. We have an advantage though in that our network is very
much a closed system
I would have thought that the DDoS that you've described is relatively
easy to block, so more sophisticated ones will spray an entire subnet,
with the source coming from random IP addresses, and with random src/dst
ports. Unless things have changed in the last couple of years, there
isn't much