[c-nsp] NetFlow Vs. SPAN (mix?) for detecting less than savory application behavior.

Drew Weaver drew.weaver at thenap.com
Tue Feb 5 09:17:18 EST 2008


Aside from having "strong written policy", some ACLs, and a good "response team", we are trying to come up with some proactive monitoring we can do to detect certain behavior outbound from our network (sort of like a reverse Intrusion Detection System [EDS?]) to minimize the impact of having a network where it is impossible to simply "firewall and forget", as the needs of the folks using the network are dynamic.

Some examples of things I am trying to "catch" are:

Botnet members
SSH/FTP/SQL/etc "brute-force knockers"

Of course the best answer is "why not prevent them from becoming botnet members, etc. in the first place?" Well, that's not so easy, as we don't manage the end points/servers, etc.

I would welcome suggestions on whether NetFlow vs. SPAN (possibly using some SNORT implementation at the aggregation points, which would allow us to detect some of the more obvious annoyances) would be the best course of action, or if possibly a combination of both would be best. Any advice from folks who have already automated detection of things of this sort would be great as well.
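As an added illustration (not part of the original post or any reply on the list), here is one way the NetFlow side of the question could be automated: a heuristic over exported flow records that flags an internal host opening many short flows to the same brute-force-prone port across many distinct destinations, while leaving long-lived sessions and unwatched ports alone. The watched ports, thresholds and flow records are constructed assumptions, not values from the post.

```python
from collections import defaultdict

# Ports standing in for the post's "SSH/FTP/SQL" knockers (assumption: 1433/3306 for "SQL").
WATCHED_PORTS = {22: "ssh", 21: "ftp", 1433: "mssql", 3306: "mysql"}

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, packets, bytes).
# A real v5/v9 exporter supplies these fields (plus timestamps and protocol).
FLOWS = [
    ("10.0.0.5", "203.0.113.1", 22, 6, 480),        # tiny SSH flows fanning out...
    ("10.0.0.5", "203.0.113.2", 22, 5, 400),
    ("10.0.0.5", "203.0.113.3", 22, 6, 480),
    ("10.0.0.5", "203.0.113.4", 22, 7, 560),        # ...to four distinct hosts
    ("10.0.0.7", "198.51.100.20", 22, 540, 61000),  # long admin SSH session: ignored
    ("10.0.0.7", "198.51.100.21", 22, 4, 320),      # one short flow, one target: below threshold
    ("10.0.0.9", "198.51.100.7", 443, 120, 90000),  # ordinary HTTPS: port not watched
    ("10.0.0.11", "192.0.2.10", 3306, 3, 240),      # three short MySQL probes
    ("10.0.0.11", "192.0.2.11", 3306, 3, 240),
    ("10.0.0.11", "192.0.2.12", 3306, 3, 240),
]


def knocker_candidates(flows, min_targets=3, max_packets=10):
    """Return {src_ip: {service: [sorted distinct destinations]}} for sources that
    opened at least `min_targets` short flows (<= max_packets) to a watched port.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, pkts, _bytes in flows:
        svc = WATCHED_PORTS.get(dport)
        if svc is None or pkts > max_packets:
            continue  # unwatched port, or a real session rather than a knock
        targets[src][svc].add(dst)

    result = {}
    for src, by_svc in targets.items():
        hits = {svc: sorted(dsts) for svc, dsts in by_svc.items() if len(dsts) >= min_targets}
        if hits:
            result[src] = hits
    return result


if __name__ == "__main__":
    for src, hits in knocker_candidates(FLOWS).items():
        for svc, dsts in hits.items():
            print(f"{src}: {len(dsts)} distinct {svc} targets -> {', '.join(dsts)}")
```

The same fan-out check run over a SPAN feed would need a packet capture and flow reassembly first; with NetFlow the collector already hands you the per-flow tuple, which is why this kind of heuristic is cheap to run at aggregation points.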

