[c-nsp] OT: Following Up on Netflow Information

Van Der Meulen, Mark Mark.VanDerMeulen at travelex.com.au
Mon Jul 11 00:30:32 EDT 2011 

And here we have people, the George Costanza of Network Admins.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: Sunday, 10 July 2011 5:49 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: Following Up on Netflow Information

I've always got the best results using a crowbar
First time you approach the user with the crowbar in hand, and tell him,
in a calm, polite way, that he should refrain from doing that again,
whatever it was he was doing
Second time, after finding out he persisted with his unwanted activity,
you pay him a visit, come calm, and without saying a single word, smash
his computer screen with the crowbar, in front of him (very important),
and go away the same calm way you came.

Third time (on most cases this won't be needed) you beat the heck out of
him with the crowbar and go to jail with a huge smile on your face...

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kevin Cullimore
Sent: Saturday, July 09, 2011 2:04 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: Following Up on Netflow Information

On 7/8/2011 11:58 AM, Jeff Cartier wrote:
> Hi All,
>
> This might be a little off-topic to Cisco, but what the heck.
>
> I'm just curious as to how 'you' would go about tracking down a user
that *may* possibly be downloading large amounts of data causing
congestion on a link.  For instance, I had a case this morning with an
internal IP address of 10.x.x.x that showed a 900MB conversation over
TCP 80 (HTTP) to an ip address of 174.120.5.220.
>
> Great - so its not that hard to track down the internal user.  Yell at
him to stop, talking to him about what he's doing to the network.  No
biggie.
>
> I'm more curious about options/tools available to find out what he was
doing.  I know that he was downloading something, I know that it was
over HTTP and I know the outside IP address he was accessing.  So I
start off by looking at 174.120.5.220.  I can check the A record which
tells me nothing....
> Name:    dc.5.78ae.static.theplanet.com....
I've encountered organizations that use commercial grade applications to

proactively track this data, such as 
lancope(Stealthwatch)/riverbed(ManageEngine)/sourcefire(RNA). They enjoy

some success when dealing with situations similar to those you describe,

since these tools track netflow data over time, allowing profiles to be 
constructed (which may well contain the information you seek). Some of 
them integrate with user directories, which would certainly improve your

chances. For customers without budget money, I've also deployed ntop 
rather effectively.
>
> I can't browse to that IP address.  I can see who owns that IP address
(XO Communications) though, but in this case its all useless.
>
> The question, more or less, is do I have any options to keep moving
forward in finding out what this user was actually doing?
It depends how long your organization stores log entries. Without a 
proactive monitoring tool in place, you'll almost certainly need to 
interface with individuals managing other parts of the infrastructure 
such as dhcp servers and/or snmp collectors and/or firewalls. The list 
of options often depends upon the higher-level details. As other posters

have noted, it's difficult to outdo packet capture data when you're 
seeking actual insight.
> Thanks in advance!
>
> __________________________________________________________________
> DISCLAIMER: This e-mail contains proprietary information some or all
of which may be legally privileged.  It is for the intended recipient
only. If an addressing or transmission error has misdirected this
e-mail, please notify the author by replying to this e-mail.  If you are
not the intended recipient you must not use, disclose, distribute, copy,
print, or rely on this e-mail.
>
> This message has been scanned for the presence of computer viruses,
Spam, and Explicit Content.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

 
 
************************************************************************
************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals &
computer viruses.
************************************************************************
************




The information contained in this e-mail message and its attachments is
confidential information intended only for the use of the individual or
entity named above. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
replying to the sender, and then delete the message from your computer.
Thank you!

******** This mail was sent via Mail-SeCure System.********



 
 
************************************************************************
************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals &
computer viruses.
************************************************************************
************




_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
*******************************************************************************
Travelex - www.travelex.com

Travelex Outsourcing Pty Limited [Currency Select businesss] is a limited company registered in Australia with company number: 127 747 586.

Information in this email including any attachment ('email') is confidential, 
may be privileged and is intended solely for the addressee. Unauthorised 
recipients are requested to preserve the confidentiality of this email, advise 
the sender immediately of any error in transmission, and then delete the email
from the recipient's mailbox without making copies. Any disclosure, copying, 
distribution or action taken, or omitted to be taken, in reliance upon the 
contents of this email by unauthorised recipients is prohibited and may be
unlawful.

Please note that no contracts or commitments may be concluded on behalf of Travelex Outsourcing Pty Limited [Currency Select businesss] or its groups of companies ('Travelex') by means of email, and no statement or representation made in this email is binding on 
behalf of Travelex.

DISCLAIMER: Whilst this message has been scanned for viruses, Travelex 
disclaims any responsibility or liability for viruses contained therein. It is 
therefore recommended that all emails should be scanned for viruses.
*******************************************************************************

More information about the cisco-nsp mailing list