[c-nsp] Re: Netflow traffic study

Roger Weeks rjw at mcn.org
Thu Dec 29 12:06:43 EST 2005


I don't know if you'd be willing to share, but I for one would be  
very interested in the perl scripts you were using to analyze netflow  
data for smtp connections, and the way you pushed filters to customer  
interfaces.

--
Roger J. Weeks
Systems & Network Administrator
Mendocino Community Network

On Dec 28, 2005, at 11:58 PM, cisco-nsp-request at puck.nether.net wrote:

> Message: 8
> Date: Thu, 29 Dec 2005 00:19:36 -0600
> From: Gerry Boudreaux <gerry at tape.net>
> Subject: Re: [c-nsp] Re: Netflow traffic study
> To: Kanagaraj Krishna <kanagaraj at aims.com.my>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <205B3279-268A-4BEF-A6C2-F3EBF9B0C719 at tape.net>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> In a previous job, we were analyzing netflow data to look for unusual
> patterns, like resi customers making too many smtp connections in a 5
> minute window, or portscans, etc....
>
> most were custom written perl scripts, but we used the results of our
> analysis to push filters to specific customer interfaces, and then
> expired them after two weeks, assuming that either the customer would
> have fixed the problem, or the scanner would re-capture them.
>
> We also pushed the results to a searchable web-page for support to
> use to troubleshoot issues like "Why cannot I send e-mail?"  um well,
> you tried to send 50000 messages in a 5 minute window, and you are a
> resi customer, you might have a virus...
>
> By limiting unwanted traffic, you might save money by not needing
> additional upstream bandwidth.
>
> Just one possibility on how you can manipulate netflow data.  Use
> your imagination.
>
> G
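A minimal version of the per-window SMTP count and two-week filter expiry Gerry describes, written as an added example in Python rather than the Perl scripts the post mentions; it is not code from either poster. The flow records, the residential address pool and the threshold of 20 flows per window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample flows, not real netflow: (timestamp, src_ip, dst_ip, dst_port)
T0 = datetime(2005, 12, 29, 0, 0, tzinfo=timezone.utc)
SAMPLE_FLOWS = (
    # 10.1.1.5: 25 SMTP flows to distinct hosts inside one 5-minute window
    [(T0 + timedelta(seconds=4 * i), "10.1.1.5", f"192.0.2.{i}", 25) for i in range(1, 26)]
    # 10.1.1.9: a normal mailer, three flows to its own relay
    + [(T0 + timedelta(seconds=60 * i), "10.1.1.9", "198.51.100.25", 25) for i in range(3)]
    # 10.1.1.5 also browsing; port 80 must not be counted
    + [(T0 + timedelta(seconds=7), "10.1.1.5", "203.0.113.1", 80)]
)
RESI_CUSTOMERS = {"10.1.1.5", "10.1.1.9"}  # hypothetical residential pool
WINDOW_SECONDS = 300                       # the 5-minute window from the post
SMTP_THRESHOLD = 20                        # assumed per-window limit for a resi customer
FILTER_TTL = timedelta(days=14)            # the post's two-week expiry


def smtp_counts_per_window(flows):
    """Count flows to TCP/25 per (src_ip, tumbling 5-minute bucket)."""
    counts = defaultdict(int)
    for ts, src, _dst, dport in flows:
        if dport != 25:
            continue
        bucket = int(ts.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        counts[(src, bucket)] += 1
    return counts


def offenders(flows, resi=RESI_CUSTOMERS, threshold=SMTP_THRESHOLD):
    """Residential sources exceeding the SMTP threshold in any single window."""
    hits = {}
    for (src, bucket), n in smtp_counts_per_window(flows).items():
        if src in resi and n > threshold:
            hits[src] = max(n, hits.get(src, 0))
    return hits


def build_filter(src, detected_at):
    """Describe the temporary block, with the expiry the post relied on."""
    return {"src": src, "block": "tcp/25", "expires": detected_at + FILTER_TTL}


def expired(filt, now):
    """True once the filter has outlived its two-week TTL."""
    return now >= filt["expires"]


if __name__ == "__main__":
    for src, n in offenders(SAMPLE_FLOWS).items():
        f = build_filter(src, T0)
        print(f"{src}: {n} SMTP flows in 5 min -> block {f['block']} until {f['expires']:%Y-%m-%d}")
```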
