[nsp-sec] [sec] Conficker Timecheck Daily Reports Data
John Fraizer
john at op-sec.us
Tue Apr 21 21:44:23 EDT 2009
On Tue, Apr 21, 2009 at 6:02 PM, Smith, Donald <Donald.Smith at qwest.com>wrote:
> ----------- nsp-security Confidential --------
> In netflow I could only correlate about 10% of the sample IPs I pulled from
> the time-check report.
> I didn't check the entire set but did check 100 so would expect a higher
> rate of correlation.
>
Donald,
I am pretty sure that your flow data is much like mine and many others here
- i.e., sampled. Your sample rate is probably less granular than mine simply
as a function of scale. Is it possible that you're not seeing flow
correlation because flows are falling into the 1:1000, 1:10,000, 1:100,000
sample bin?
I know that at 1:1000, I deal with a pretty significant amount of flows
still and even with that sample rate, I've had "known, validated by other
means" hits in the ASN reports that I couldn't find a flow correlation for.
It took me a while to explain to the pointy-heads that sampled means sampled
and that means we *miss* some data in the flows.
Since your network is significantly larger than mine, I would have to
assume that the number of flows involved is also significantly larger and
there is a larger incidence of "lost to sampling" misses with respect to flow
to report correlation.
I'm open to education or other smack-down by those who know much more than I
do. I don't pretend to know everything but, I *did* drive by a "Holiday Inn
Express" on my way home. (I can't afford to stay there!)
> Ok that makes sense. I am not trying to cast doubts but need to feel the
> data is accurate before we use it to notify customers. Based on your 86%
> correlation between the two types I am feeling better about this data but
> there is still a gap.
>
Oh... Not me. I'm trying to get my "customer facing" folks trained along
the lines of "If it gets sent to us by John and he says it comes from one
of his trusted sources, it might as well have been "spoken in a thunderous
voice from the clouds" - mindset.
Perhaps your customer-facing folks are better than mine. :)
John
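The "lost to sampling" effect John describes can be quantified. The following is an added example, not code from the thread or from any of its participants: under independent 1:N packet sampling, a flow of k packets is exported at all only if at least one of its packets is selected. The 10-packet flow length used for a Conficker time-check exchange is a constructed assumption for illustration.

```python
import math

# Added example (not from the thread). Models how packet sampling in flow
# export (1:1000, 1:10,000, 1:100,000 as mentioned in the discussion) affects
# the chance that a given short flow appears in the collected NetFlow at all.


def p_flow_seen(packets: int, sample_rate: int) -> float:
    """Probability that at least one packet of a `packets`-long flow is
    selected under independent 1:`sample_rate` packet sampling."""
    if packets < 0 or sample_rate < 1:
        raise ValueError("packets must be >= 0 and sample_rate >= 1")
    return 1.0 - (1.0 - 1.0 / sample_rate) ** packets


def packets_for_confidence(sample_rate: int, confidence: float) -> int:
    """Smallest flow length (in packets) whose probability of being seen
    reaches `confidence` under 1:`sample_rate` sampling."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if sample_rate == 1:
        return 1  # unsampled: every flow with a packet is exported
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / sample_rate))


def expected_correlation(flow_lengths, sample_rate: int) -> float:
    """Expected fraction of reported hosts whose flows would be found in the
    sampled data, given each host's flow length in packets."""
    if not flow_lengths:
        raise ValueError("need at least one flow length")
    return sum(p_flow_seen(k, sample_rate) for k in flow_lengths) / len(flow_lengths)


# Constructed assumption: a short HTTP time-check exchange is about 10 packets.
TIMECHECK_PACKETS = 10
SAMPLE_BINS = (1000, 10_000, 100_000)

if __name__ == "__main__":
    for rate in SAMPLE_BINS:
        print(f"1:{rate:<7} {TIMECHECK_PACKETS}-pkt flow seen: "
              f"{p_flow_seen(TIMECHECK_PACKETS, rate):.5f}  "
              f"packets needed for 95%: {packets_for_confidence(rate, 0.95)}")
```

At 1:1000 a 10-packet flow has roughly a 1% chance of appearing, so a low flow-to-report correlation for short flows is the expected outcome rather than a sign the report data is wrong.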