[AusNOG] Netflow analysis for end-user security
Shaun Deans
s.deans at bluefibre.com.au
Mon Jul 5 17:53:51 EST 2010
> Wondering how many of you analyse your end-users' flows for general anomalies, known malware/botnet signatures or other stuff for the purpose of detecting infected/owned boxes? No need to get too specific. In some regions it seems to be pretty common, from what I've seen/heard it's not so much done here.
We have our Flow data going to two collectors.
1. Custom scripts on PMAcct which summarise for billing purposes and throw it into a DB. This is then exposed to clients in our billing system.
2. A copy of flow analyzer from NetManage, on which we have alerts set up over client IP groups.
We then get emailed if a client goes feral.
This collector stores up to 1 month of individual flow data for debugging.
We also have it set to mail us a pretty summary nightly to keep an eye on the state of the nation.
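A minimal version of the per-client-group alerting described above, added here as an example and not code from the original post or from PMAcct/NetManage; the client groups, flow records and thresholds are constructed sample data:

```python
import ipaddress
from collections import defaultdict

# Constructed client IP groups, analogous to the per-client groups alerts are keyed on.
CLIENT_GROUPS = {
    "client-a": ipaddress.ip_network("10.1.0.0/24"),
    "client-b": ipaddress.ip_network("10.2.0.0/24"),
}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). The host 10.2.0.9
# in client-b fans out SMTP connections to many peers, a typical spam-bot signal.
SAMPLE_FLOWS = [("10.1.0.5", "203.0.113.10", 443, 52000),
                ("10.1.0.5", "203.0.113.11", 80, 9000)] + [
    ("10.2.0.9", f"198.51.100.{i}", 25, 400) for i in range(1, 13)]

# Constructed per-group limits on distinct SMTP peers and distinct destinations.
THRESHOLDS = {"smtp_peers": 5, "dst_peers": 200}

def group_for(ip):
    """Map a source address to its client group, or None if outside all groups."""
    addr = ipaddress.ip_address(ip)
    for name, net in CLIENT_GROUPS.items():
        if addr in net:
            return name
    return None

def summarise(flows):
    """Aggregate per client group: bytes out, distinct destinations, distinct SMTP peers."""
    stats = defaultdict(lambda: {"bytes": 0, "dst_peers": set(), "smtp_peers": set()})
    for src, dst, dport, nbytes in flows:
        grp = group_for(src)
        if grp is None:
            continue  # not one of our clients; ignore
        s = stats[grp]
        s["bytes"] += nbytes
        s["dst_peers"].add(dst)
        if dport == 25:
            s["smtp_peers"].add(dst)
    return stats

def check(flows, thresholds=THRESHOLDS):
    """Return (group, metric, value) for every client group exceeding a threshold."""
    alerts = []
    for grp, s in sorted(summarise(flows).items()):
        for metric, limit in thresholds.items():
            value = len(s[metric])
            if value > limit:
                alerts.append((grp, metric, value))
    return alerts

if __name__ == "__main__":
    for grp, metric, value in check(SAMPLE_FLOWS):
        print(f"ALERT {grp}: {metric}={value} exceeds limit")  # feed this to mail
```

In a real deployment the limits would come from each client's own baseline rather than fixed numbers, and the alert list would be what gets emailed.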