[AusNOG] Netflow analysis for end-user security

John Edwards john at netniche.com.au
Mon Jul 5 17:45:58 EST 2010


On 05/07/2010, at 4:34 PM, Steve Skeevens wrote:

> Wondering how many of you analyse your end-users' flows for general anomalies, known malware/botnet signatures or other stuff for the purpose of detecting infected/owned boxes? No need to get too specific. In some regions it seems to be pretty common; from what I've seen/heard it's not so much done here.

With a large network, historical analysis isn't fantastic as the users may have already noticed the infection and cleaned it up by the time you crunch the numbers.

Once upon a time I developed some scripts to simply inspect the telnet output of "sh ip cache flow" for heuristics congruent with known nasties. This was remarkably effective at identifying compromised hosts, but ultimately it required too many human resources for a sustained follow up.

John
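As an added example that is not part of John's post or the list thread: a Python sketch of the kind of heuristic he describes, parsing constructed `show ip cache flow` lines (protocol and ports in hex, as IOS prints them) and flagging any source that touches many distinct destinations on one TCP port with only a packet or two per flow. The thresholds, sample addresses and function names are assumptions, not anything from the original message.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip cache flow" output (not real traffic).
# Protocol and ports are hexadecimal in this format: 06 = TCP, 0x0050 = 80, 0x01BD = 445.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.0.0.7        Fa0/1         203.0.113.10    06 C3A1 0050   412
Fa0/0         10.0.0.7        Fa0/1         203.0.113.11    06 C3A2 01BB   380
Fa0/0         10.0.0.9        Fa0/1         203.0.113.20    06 8001 01BD     1
Fa0/0         10.0.0.9        Fa0/1         203.0.113.21    06 8002 01BD     1
Fa0/0         10.0.0.9        Fa0/1         203.0.113.22    06 8003 01BD     1
Fa0/0         10.0.0.9        Fa0/1         203.0.113.23    06 8004 01BD     1
Fa0/0         10.0.0.9        Fa0/1         203.0.113.24    06 8005 01BD     1
Fa0/0         10.0.0.9        Fa0/1         203.0.113.25    06 8006 01BD     1
Fa0/0         10.0.0.12       Fa0/1         198.51.100.5    11 9C4F 0035     3
"""

# One cache entry: SrcIf SrcIP DstIf DstIP Pr(hex) SrcP(hex) DstP(hex) Pkts
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$")

def parse_flows(text):
    """Return (src, dst, proto, sport, dport, pkts) tuples from the cache dump."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:  # header, summary tables and blank lines are skipped
            continue
        _, src, _, dst, pr, sp, dp, pk = m.groups()
        flows.append((src, dst, int(pr, 16), int(sp, 16), int(dp, 16), int(pk)))
    return flows

def fanout_suspects(flows, min_targets=5, max_pkts=2):
    """Return {src: (dport, n_targets)} for sources that reach many distinct
    destinations on one TCP port with a packet or two per flow: the shape of
    a host probing its neighbours rather than holding real sessions."""
    targets = defaultdict(set)
    for src, dst, proto, _sport, dport, pkts in flows:
        if proto == 6 and pkts <= max_pkts:
            targets[(src, dport)].add(dst)
    return {src: (dport, len(d)) for (src, dport), d in targets.items()
            if len(d) >= min_targets}

if __name__ == "__main__":
    for src, (dport, n) in fanout_suspects(parse_flows(SAMPLE)).items():
        print(f"{src}: {n} distinct hosts on tcp/{dport}, <=2 pkts per flow")
```

Thresholds like these need tuning per network (legitimate fan-out such as DNS or CDN traffic is why the check is restricted to one port and tiny flows), and as the post notes, the scarce resource is the follow-up, not the detection.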
