[AusNOG] Netflow analysis for end-user security

Steve Skeevens steve.skeevens at gmail.com
Mon Jul 5 18:42:37 EST 2010


Hi John,

What sort of response did you get from end users?

On Mon, Jul 5, 2010 at 5:45 PM, John Edwards <john at netniche.com.au> wrote:

>
> On 05/07/2010, at 4:34 PM, Steve Skeevens wrote:
>
> > Wondering how many of you analyse your end-users' flows for general
> anomalies, known malware/botnet signatures or other stuff for the purpose of
> detecting infected/owned boxes?   No need to get too specific.  In some
> regions it seems to be pretty common, from what I've seen/heard it's not so
> much done here.
>
> With a large network, historical analysis isn't fantastic as the users may
> have already noticed the infection and cleaned it up by the time you crunch
> the numbers.
>
> Once upon a time I developed some scripts to simply inspect the telnet
> output of "sh ip cache flow" for heuristics congruent with known nasties.
> This was remarkably effective at identifying compromised hosts, but
> ultimately it required too many human resources for a sustained follow up.
>
> John
>
>
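John's approach above, scripting over the text of "sh ip cache flow", is easy to reproduce. The block below is an added example written for this page; it is not John's script and is not from any AusNOG member. It parses the flow-table section of the command's output (source/destination interface and address, protocol and ports in hex, packet count per flow) and applies two simple heuristics of the kind he describes: a source touching many distinct destinations on one port with one or two packets per flow (a scan), and a source fanning out to many mail servers on TCP/25 (a spam bot). The sample output, the thresholds and the two heuristics are assumptions chosen for this illustration, not known-good detection rules.

```python
"""Heuristic pass over Cisco 'show ip cache flow' output to spot likely-owned hosts.

Added example for this thread; not John's scripts. The SAMPLE text below is
constructed, and the thresholds are assumptions tuned to that sample.
"""
import re
from collections import defaultdict

# Constructed sample: cache statistics followed by the flow table. Ports and
# protocol are hex in this output (0x01BD = 445, 0x0019 = 25, 0x0035 = 53).
SAMPLE = """\
IP Flow Switching Cache, 278544 bytes
  15 active, 4081 inactive, 160 added
  2840 ager polls, 0 flow alloc failures

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.5        Fa0/1         192.0.2.10      06 C5A1 0050   142
Fa0/0         10.1.1.5        Fa0/1         192.0.2.11      06 C5A2 01BB    88
Fa0/0         10.1.1.5        Fa0/1         192.0.2.53      11 D3F0 0035     2
Fa0/0         10.1.1.5        Fa0/1         192.0.2.1       01 0000 0800     4
Fa0/0         10.1.1.7        Fa0/1         198.51.100.1    06 0401 01BD     1
Fa0/0         10.1.1.7        Fa0/1         198.51.100.2    06 0402 01BD     1
Fa0/0         10.1.1.7        Fa0/1         198.51.100.3    06 0403 01BD     1
Fa0/0         10.1.1.7        Fa0/1         198.51.100.4    06 0404 01BD     1
Fa0/0         10.1.1.7        Fa0/1         198.51.100.5    06 0405 01BD     1
Fa0/0         10.1.1.7        Fa0/1         198.51.100.6    06 0406 01BD     2
Fa0/0         10.1.1.9        Fa0/1         203.0.113.10    06 8001 0019    14
Fa0/0         10.1.1.9        Fa0/1         203.0.113.11    06 8002 0019    12
Fa0/0         10.1.1.9        Fa0/1         203.0.113.12    06 8003 0019    11
Fa0/0         10.1.1.9        Fa0/1         203.0.113.13    06 8004 0019    13
Fa0/0         10.1.1.9        Fa0/1         203.0.113.14    06 8005 0019    15
"""

# One flow-table row: interface, IPv4, interface, IPv4, hex proto, hex ports, packets.
FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

# Assumed thresholds; tune against your own network's baseline.
SCAN_MIN_TARGETS = 5     # distinct destinations on one port before we call it a scan
SCAN_MAX_AVG_PKTS = 2.0  # scans show one or two packets per flow (SYN, maybe a retry)
SMTP_MIN_TARGETS = 5     # distinct MX hosts on TCP/25 from an end-user box


def parse_flows(text):
    """Return (src, dst, proto, sport, dport, pkts) tuples for each flow row.

    Header lines, cache statistics and blank lines do not match FLOW_RE and
    are skipped, so the whole command output can be fed in unmodified.
    """
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append((m["src"], m["dst"], int(m["proto"], 16),
                      int(m["sport"], 16), int(m["dport"], 16), int(m["pkts"])))
    return flows


def find_suspects(flows):
    """Aggregate per (source, protocol, dst port) and apply the two heuristics.

    Returns a sorted list of (source_ip, label, distinct_destination_count).
    """
    per_key = defaultdict(lambda: {"dsts": set(), "pkts": 0, "flows": 0})
    for src, dst, proto, _sport, dport, pkts in flows:
        entry = per_key[(src, proto, dport)]
        entry["dsts"].add(dst)
        entry["pkts"] += pkts
        entry["flows"] += 1

    findings = []
    for (src, proto, dport), entry in sorted(per_key.items()):
        targets = len(entry["dsts"])
        avg_pkts = entry["pkts"] / entry["flows"]
        if proto == 6 and dport == 25 and targets >= SMTP_MIN_TARGETS:
            findings.append((src, "smtp-fanout", targets))
        elif targets >= SCAN_MIN_TARGETS and avg_pkts <= SCAN_MAX_AVG_PKTS:
            name = "tcp" if proto == 6 else "udp" if proto == 17 else str(proto)
            findings.append((src, f"scan-{name}/{dport}", targets))
    return findings


if __name__ == "__main__":
    for src, label, targets in find_suspects(parse_flows(SAMPLE)):
        print(f"{src:<16} {label:<16} {targets} distinct destinations")
```

Run against the constructed sample it flags 10.1.1.7 (six hosts hit on TCP/445 with one or two packets each) and 10.1.1.9 (five distinct mail servers on TCP/25), and says nothing about 10.1.1.5, whose flows are ordinary web, DNS and ICMP traffic. Because the cache only holds active and recently expired flows, the same point John makes applies: this has to be polled continuously to be useful, and every hit still needs a human to follow up.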