[c-nsp] NetFlow Vs. SPAN (mix?) for detecting less than savory application behavior.

Christian Koch christian at visr.org
Tue Feb 5 11:22:02 EST 2008


check out Richard Bejtlich's book - Extrusion Detection, very good read,
and tons of useful tips/tools in there...

http://www.informit.com/store/product.aspx?isbn=0321349962

<http://www.informit.com/authors/bio.aspx?a=d166f1f7-55c7-4987-80bc-230bcb6a1f94>
On Feb 5, 2008 9:17 AM, Drew Weaver <drew.weaver at thenap.com> wrote:

> Aside from having "strong written policy", some ACLs, and a
> good "response team" we are trying to come up with some proactive monitoring
> we can do to detect certain behavior outbound from our network (sort of like
> a reverse Intrusion Detection System [EDS?]) to minimize the impact of
> having a network where it is impossible to simply "firewall and forget" as
> the needs of the folks using the network are dynamic.
>
> Some examples of things I am trying to "catch" are:
>
> Botnet members
> SSH/FTP/SQL/etc "brute-force knockers"
>
> Of course the best answer is "why not prevent them from becoming botnet
> members, etc in the first place" Well, that's not so easy as we don't manage
> the end points/servers, etc.
>
> I would welcome suggestions on whether NetFlow vs. SPAN (possibly using
> some SNORT implementation at the aggregation points, which would allow us to
> detect some of the more obvious annoyances) would be the best course of
> action, or if possibly a combination of both would be the best. Any advice
> from folks who have already automated detection of things of this sort would
> be great as well.
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
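To make the NetFlow side of Drew's question concrete, here is an added example (not from either poster, and not tied to any particular collector) of the two heuristics flow records alone can support: an internal host fanning out to many external addresses on SSH/FTP/SQL ports with tiny flows (a "brute-force knocker"), and an internal host contacting one external endpoint at a near-constant interval (beaconing typical of a botnet member). The internal address ranges, the port list, the thresholds and the nfdump-style CSV layout are all assumptions, and the flow records are constructed inline. Anything that needs payload (a Snort signature on a SPAN feed) is out of scope here; this is what you get without seeing packets.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space; adjust to the network being monitored.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Services named in the thread as brute-force targets: FTP, SSH, MSSQL, MySQL.
KNOCK_PORTS = {21, 22, 1433, 3306}
# Tuning knobs (assumed thresholds, not taken from the thread).
FANOUT_MIN_DESTS = 20     # distinct external hosts hit on one knock port
FANOUT_MAX_PKTS = 10      # a failed login attempt is only a handful of packets
BEACON_MIN_FLOWS = 6      # repeated contacts to the same external endpoint
BEACON_MAX_JITTER = 0.15  # stdev/mean of the gaps between those contacts


def parse_flows(text):
    """Parse 'start_epoch,src,dst,dport,packets,bytes' lines (assumed nfdump-style CSV)."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, pkts, byts = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "pkts": int(pkts), "bytes": int(byts)})
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_fanout(flows):
    """Internal hosts touching many distinct external hosts on a knock port with tiny flows."""
    dests = defaultdict(set)
    for f in flows:
        if (is_internal(f["src"]) and not is_internal(f["dst"])
                and f["dport"] in KNOCK_PORTS and f["pkts"] <= FANOUT_MAX_PKTS):
            dests[(f["src"], f["dport"])].add(f["dst"])
    return {key: len(d) for key, d in dests.items() if len(d) >= FANOUT_MIN_DESTS}


def find_beacons(flows):
    """Internal hosts contacting one external endpoint at a near-constant interval."""
    series = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            series[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < BEACON_MIN_FLOWS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_JITTER:
            hits[key] = round(avg)   # mean interval in seconds
    return hits


def constructed_sample():
    """Constructed flow records: one sweeper, one beacon, one ordinary user."""
    lines = ["# start_epoch,src,dst,dport,packets,bytes"]
    t0 = 1202220000
    # 10.1.2.3 sweeps 30 external addresses on SSH, 4 packets each (auth failures).
    for i in range(30):
        lines.append(f"{t0 + i * 2},10.1.2.3,198.51.100.{i + 1},22,4,320")
    # 10.1.2.4 phones home every ~300 s (a second or two of jitter) to one external IP.
    for i in range(8):
        lines.append(f"{t0 + i * 300 + (i % 3)},10.1.2.4,203.0.113.7,443,6,900")
    # 10.1.2.5 does ordinary browsing: a few large flows to a couple of web servers.
    lines += [f"{t0 + 10},10.1.2.5,192.0.2.10,443,120,150000",
              f"{t0 + 700},10.1.2.5,192.0.2.20,80,80,90000"]
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    for (src, port), n in find_fanout(flows).items():
        print(f"fan-out: {src} -> {n} external hosts on port {port}")
    for (src, dst, port), secs in find_beacons(flows).items():
        print(f"beacon: {src} -> {dst}:{port} every ~{secs}s")
```

Both heuristics key on what NetFlow exports cheaply (5-tuple, packet and byte counts, timestamps), so they scale to the aggregation points Drew mentions without a SPAN port; the trade-off is that they only flag the behaviour, and confirming what the host is actually sending still needs packets.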

