> 1) A host on my network is receiving traffic from hundreds of remote hosts
> out on the Internet. I'd like to have some way of noticing that this is
> happening so that I can take a closer look at what that host is doing. For
> example, it would be fine if I could see a table of hosts that's sorted
> according to how many remote hosts it's receiving traffic from... or even a
> threshold alert.
I don't do this with netflows, but perhaps how I monitor this problem will help. We use OpenNMS to monitor the network. I've created a threshold on the SNMP value tcpActiveOpens. I don't really care if it's coming from one host or 500, but after watching the graphs for a while I set it to a value that's outside of normal operations. When it gets triggered, I look at the server logs or use ntop to see where the traffic is coming from.

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
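As an added example, not code from either poster, here is a small Python script that does both of the things discussed in this exchange: it builds the "hosts sorted by number of distinct remote peers" table the question asks for from flow records, and it applies a threshold to successive polls of a TCP-MIB connection counter the way the reply describes. It assumes a constructed flow format of `src_ip,dst_ip,dst_port` lines, an internal range of 10.0.0.0/8 (placeholder), and that the SNMP counter samples are handed in as `(timestamp, value)` pairs from whatever poller you already run (OpenNMS, Net-SNMP, etc.). One caveat worth knowing when picking the OID: tcpActiveOpens counts connections the host itself initiates (CLOSED to SYN-SENT), while tcpPassiveOpens counts connections it accepts (LISTEN to SYN-RCVD); for "many remote hosts connecting in", the passive counter is the one that moves. The delta logic below works identically for either, and handles Counter32 wrap-around.

```python
"""Two defender-side checks for the 'one host, hundreds of remote peers' problem.

Added example, not code from the thread. Assumptions:
  * flow records are constructed CSV lines "src_ip,dst_ip,dst_port"
  * the internal address space is 10.0.0.0/8 (placeholder)
  * SNMP counter samples (tcpActiveOpens or tcpPassiveOpens) arrive as
    (unix_timestamp, counter_value) pairs from an external poller
"""
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed local range

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
198.51.100.7,10.1.1.5,443
198.51.100.8,10.1.1.5,443
203.0.113.9,10.1.1.5,443
203.0.113.9,10.1.1.5,80
192.0.2.44,10.1.1.5,22
192.0.2.45,10.1.1.9,443
192.0.2.45,10.1.1.9,443
10.1.1.5,10.1.1.9,445
"""


def remote_peers_per_host(flow_text):
    """Map each internal destination to the set of distinct external sources.
    Internal-to-internal flows are ignored; repeated flows from the same
    source count once, which is what 'how many remote hosts' means."""
    peers = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, _port = line.split(",")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip in INTERNAL and src_ip not in INTERNAL:
            peers[str(dst_ip)].add(str(src_ip))
    return peers


def ranked_hosts(flow_text):
    """[(host, distinct_remote_count), ...] sorted most-peers-first."""
    peers = remote_peers_per_host(flow_text)
    return sorted(((h, len(s)) for h, s in peers.items()),
                  key=lambda hc: (-hc[1], hc[0]))


def hosts_over_threshold(flow_text, threshold):
    """Hosts whose distinct-remote-peer count is at or above the threshold."""
    return [h for h, n in ranked_hosts(flow_text) if n >= threshold]


COUNTER32_MAX = 2 ** 32


def counter_delta(prev, curr):
    """Difference between two Counter32 samples, tolerating a single wrap."""
    return (curr - prev) % COUNTER32_MAX


def connection_rate_alerts(samples, per_second_threshold):
    """samples: list of (unix_ts, counter) pairs, oldest first.
    Returns the timestamps at which the new-connection rate over the
    preceding poll interval exceeded the threshold."""
    alerts = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:  # skip out-of-order or duplicate polls
            continue
        rate = counter_delta(c0, c1) / (t1 - t0)
        if rate > per_second_threshold:
            alerts.append(t1)
    return alerts


if __name__ == "__main__":
    for host, n in ranked_hosts(SAMPLE_FLOWS):
        print(f"{host:<12} {n} distinct remote hosts")
    print("over threshold:", hosts_over_threshold(SAMPLE_FLOWS, 3))
    # Constructed 5-minute polls; the first pair crosses the 32-bit wrap.
    polls = [(0, 4294967200), (300, 50), (600, 100), (900, 9100)]
    print("rate alerts at:", connection_rate_alerts(polls, 10.0))
```

The threshold value itself is the part you have to tune from your own graphs, exactly as the reply says: run `connection_rate_alerts` over a week of polls with a few candidate thresholds and pick the one that fires only outside normal operation.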
