[nsp-sec] Pre-classified netflow samples
Smith, Donald
Donald.Smith at qwest.com
Tue Sep 2 16:59:40 EDT 2008
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: Sebastian Abt [mailto:sa at rh-tec.de]
> Sent: Tuesday, September 02, 2008 2:48 PM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Pre-classified netflow samples
>
> * Smith, Donald wrote:
> > Flow-dscan from flow-tools provides some DDoS and scanning recognition
> > abilities.
> >
> > I have written some flow-nfilter and flow-filter ACLs, but most of
> > those have been fairly specific with host and port numbers based on
> > reports here or on another list.
>
> Thanks, this is an idea I haven't thought about yet. However, I'm more
> looking for data that has been verified to belong to a specific attack
> and classified accordingly, which can then be used as a training and
> evaluation dataset.
Ok, then you might be interested in this:
http://www.indiana.edu/~renisac/monitoring.cgi  They have sanitized
netflow available also.
Most of us are NOT allowed to share raw netflow without sanitizing it,
removing all customers' info. It is a pain, and so far I haven't thought
about sanitizing for community training.
It is interesting. I would like to be able to do it because I want to be
able to train my tier two in what various attacks look like, and an open
repository for examples and explanation would be helpful.
But that would require time both to perform the initial analysis and
sanitization.
If I created netflow in the lab using known attack tools I wouldn't have
to sanitize, but again there is a decent amount of work required.
>
>
> sebastian
>
> --
> fon: +49 69 95411 15 e-mail: sa at rh-tec.de
> fax: +49 69 95411 45 mobile: +49 69 95411 55
> rh-tec Business GmbH http://www.rh-tec.de/
> Ringstrasse 36 32584 Loehne
> Geschaeftsfuehrer: Gerhard Roehrmann
> Registergericht: AG Bad Oeynhausen, HRB 8112
>
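The sanitization step Donald mentions (removing customer information from raw netflow before it can be shared as a training set) is the part that makes such a repository expensive. The following is an added example, not code from either poster or from flow-tools: it pseudonymizes customer addresses in a handful of v5-style flow records with a keyed hash so that one host keeps one identity across the whole data set (scan and DDoS shapes survive), while ports, protocol and counters are left untouched. The customer prefix (192.0.2.0/24), the pseudonym pool (198.18.0.0/15), the HMAC key, the field names and the sample flows are all assumptions constructed for the demo; the policy of letting non-customer addresses pass through is a choice you would revisit for your own release rules.

```python
"""Sanitize NetFlow-style records for sharing: pseudonymize customer
addresses with a keyed hash, keep ports/protocol/counters so attack
patterns survive. Added example; not part of the original post."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    """Minimal subset of a v5 NetFlow record (flow-tools style field names)."""
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    prot: int
    dpkts: int
    doctets: int


# Constructed sample, not captured traffic: an external host probing one
# customer host on three TCP ports, plus one customer-to-customer DNS query.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", 40123, 22, 6, 1, 40),
    Flow("203.0.113.5", "192.0.2.10", 40124, 23, 6, 1, 40),
    Flow("203.0.113.5", "192.0.2.10", 40125, 80, 6, 1, 40),
    Flow("192.0.2.10", "192.0.2.53", 51000, 53, 17, 1, 76),
]

# Assumptions for the demo: customer space is TEST-NET-1, and pseudonyms are
# drawn from the RFC 2544 benchmarking block so they cannot be mistaken for
# a real routed address.
CUSTOMER_PREFIXES = ("192.0.2.0/24",)
PSEUDONYM_POOL = "198.18.0.0/15"


class Sanitizer:
    def __init__(self, key: bytes, customer_prefixes=CUSTOMER_PREFIXES,
                 pool=PSEUDONYM_POOL):
        self._key = key
        self._prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]
        self._pool = ipaddress.ip_network(pool)
        self._map = {}      # real address -> pseudonym: one host, one identity
        self._used = set()  # pseudonyms already handed out, to catch collisions

    def is_customer(self, addr_str: str) -> bool:
        addr = ipaddress.ip_address(addr_str)
        return any(addr in p for p in self._prefixes)

    def pseudonym(self, addr_str: str) -> str:
        if not self.is_customer(addr_str):
            return addr_str  # demo policy: non-customer addresses pass through
        addr = ipaddress.ip_address(addr_str)
        if addr in self._map:
            return str(self._map[addr])
        # Keyed hash: same key + same address -> same pseudonym across runs,
        # but nobody without the key can reverse the mapping.
        digest = hmac.new(self._key, addr.packed, hashlib.sha256).digest()
        idx = int.from_bytes(digest[:8], "big") % self._pool.num_addresses
        while self._pool[idx] in self._used:  # linear probe on a collision
            idx = (idx + 1) % self._pool.num_addresses
        pseudo = self._pool[idx]
        self._map[addr] = pseudo
        self._used.add(pseudo)
        return str(pseudo)

    def sanitize(self, flows):
        """Rewrite only the address fields; everything else is preserved."""
        return [replace(f, srcaddr=self.pseudonym(f.srcaddr),
                        dstaddr=self.pseudonym(f.dstaddr)) for f in flows]


def leaks_customer_addresses(flows, customer_prefixes=CUSTOMER_PREFIXES) -> bool:
    """Release gate: True if any customer address survived sanitization."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    for f in flows:
        for a in (f.srcaddr, f.dstaddr):
            if any(ipaddress.ip_address(a) in n for n in nets):
                return True
    return False


def sanitize_sample(key: bytes = b"constructed-demo-key"):
    """Run the demo data through a fresh sanitizer and return the result."""
    return Sanitizer(key).sanitize(SAMPLE_FLOWS)


if __name__ == "__main__":
    for f in sanitize_sample():
        print(f"{f.srcaddr}:{f.srcport} -> {f.dstaddr}:{f.dstport} "
              f"proto {f.prot} {f.dpkts}p {f.doctets}B")
```

The keyed hash is what lets the analyst on the receiving end still see "one source hit three ports on the same host" without learning which customer that host was; the collision probe keeps two customers from ever sharing a pseudonym, at the cost that a colliding address can get a different pseudonym depending on the order in which addresses are first seen. Run the leak check on the output before anything leaves the building, and treat the key like any other credential.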