On 2/7/2011 4:02 PM, Jeremy Charles wrote:
> There are three things I've not found together in any netflow analysis
> products that I've tried so far:
> 1) A host on my network is receiving traffic from hundreds of remote
> hosts out on the Internet. I'd like to have some way of noticing that
> this is happening so that I can take a closer look at what that host
> is doing. For example, it would be fine if I could see a table of
> hosts sorted according to how many remote hosts each is receiving
> traffic from... or even a threshold alert.
> Most netflow analyzers that I've looked at only do a good job at
> answering question #3. Some handle #2 decently. Question #1 is the
> holy grail at this point.
We do this with nfsen and a Nagios plugin we developed. The plugin
monitors the top-N senders and receivers for an nfsen flow source (or all
sources) over a specified window and traffic threshold, with an optional
filter. We have checks like 'Internet Uploads', 'Exchange Traffic',
etc., all delineated by filters and different sensitivity traffic
thresholds. The output includes the top receivers and senders, resolved
via rDNS where possible. A notification callback expands on this
(via the same plugin) to include the top conversations related to the
detected IPs. It doesn't currently show how many hosts are involved,
but that is just because it never seemed that useful; I don't think it
would be very difficult to implement. It currently reports all peer
hosts above a minimum percentage threshold of traffic. It is not real
time, but it generally provides information in enough time to react in
a meaningful way.
NfSen: http://nfsen.sf.net/
Regards,
Mark
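The check sketched in the reply (top-N receivers over a window, a minimum-percentage peer threshold, Nagios-style status) combined with the fan-in count Jeremy asks for in #1, as an added example. This is not Mark's plugin and not nfsen/nfdump code: the flow records are constructed in a simplified "src,dst,bytes" form rather than real nfdump output, the local prefix 192.0.2.0/24 is an assumption, and all function names are hypothetical.

```python
"""Hypothetical Nagios-style check: rank internal hosts by how many distinct
external peers send to them, and alert on a fan-in threshold.
Added example; not the plugin described in the mailing-list post."""
import ipaddress
from collections import defaultdict

# Assumed local address range (RFC 5737 documentation prefix).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed flow records in a simplified "src,dst,bytes" form.
# This is NOT the real nfdump output format; it stands in for a pre-filtered
# export over the check window.
SAMPLE_FLOWS = """\
203.0.113.5,192.0.2.10,1200
203.0.113.6,192.0.2.10,800
203.0.113.7,192.0.2.10,600
198.51.100.9,192.0.2.10,400
203.0.113.5,192.0.2.20,5000
192.0.2.10,203.0.113.5,300
192.0.2.30,192.0.2.40,100
203.0.113.8,192.0.2.20,50
"""

# Nagios plugin exit codes.
OK, WARNING, CRITICAL = 0, 1, 2


def parse_flows(text):
    """Parse constructed 'src,dst,bytes' lines into (src_ip, dst_ip, bytes)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, nbytes = line.split(",")
        flows.append((ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(nbytes)))
    return flows


def inbound_peers(flows, local_net=LOCAL_NET):
    """Map local receiver -> {external sender: bytes}.

    Only flows that cross the edge (external source, local destination) count;
    outbound and purely internal flows are ignored."""
    peers = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        if dst in local_net and src not in local_net:
            peers[dst][src] += nbytes
    return peers


def rank_by_peer_count(peers, min_pct=0.0):
    """Return [(host, distinct_peer_count, total_inbound_bytes)], busiest first.

    Senders contributing less than min_pct of a host's inbound bytes are not
    counted, mirroring a minimum-percentage peer threshold."""
    rows = []
    for host, senders in peers.items():
        total = sum(senders.values())
        counted = [s for s, b in senders.items()
                   if total and 100.0 * b / total >= min_pct]
        rows.append((str(host), len(counted), total))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


def check(flows_text, warn, crit, top_n=5, min_pct=0.0, local_net=LOCAL_NET):
    """Nagios-style check on the largest fan-in seen in the window.

    Returns (exit_code, status_line); the part after '|' is perfdata."""
    rows = rank_by_peer_count(inbound_peers(parse_flows(flows_text), local_net),
                              min_pct)
    worst = rows[0][1] if rows else 0
    if worst >= crit:
        code, label = CRITICAL, "CRITICAL"
    elif worst >= warn:
        code, label = WARNING, "WARNING"
    else:
        code, label = OK, "OK"
    top = ", ".join(f"{h}:{n} peers" for h, n, _ in rows[:top_n])
    msg = f"FANIN {label} - top receivers: {top} | max_peers={worst};{warn};{crit}"
    return code, msg


if __name__ == "__main__":
    import sys
    code, msg = check(SAMPLE_FLOWS, warn=3, crit=10)
    print(msg)
    sys.exit(code)
```

The fan-in count is the piece the existing plugin lacks: a host that suddenly has dozens of distinct external senders stands out here even when its total byte count is modest, which is exactly the pattern a byte-based top-N misses. In practice the flow text would come from the collector's export for the check window, and rDNS resolution of the listed hosts would be added to the status line as the reply describes.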
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/