[AusNOG] Netflow analysis for end-user security

[John Edwards]

On 05/07/2010, at 4:34 PM, Steve Skeevens wrote:

> Wondering how many of you analyse your end-users' flows for general anomalies, known malware/botnet signatures or other stuff for the purpose of detecting infected/owned boxes?   No need to get too specific.  In some regions it seems to be pretty common, from what I've seen/heard it's not so much done here.

With a large network, historical analysis isn't fantastic as the users may have already noticed the infection and cleaned it up by the time you crunch the numbers.

Once upon a time I developed some scripts to simply inspect the telnet output of "sh ip cache flow" for heuristics congruent with known nasties. This was remarkably effective at identifying compromised hosts, but ultimately it required too many human resources for a sustained follow up.

John