I simply could not find the first post to this, must not have been subbed yet.
I do love flow-tools and easy CLI power it gives me. I don't shy from showing
how I use it very early in the game.

If you want a quick and easy way (flow-tools way), then you should

flow-cat dayfileinflows | flow-nfilter -Slast5m | flow-stat -f(report num)

The -Slast5m points to a rule in the filters.cfg

I do find it very useful to have many filters to get rid of the normal background noise,
so you can easily change your filter (which you've already made).

Don't go too far, that host you exclude may be the one that is going awry.

HTH
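As an added illustration of the pipeline above (this is not from the thread, and the addresses and names are constructed placeholders), the script below writes a small filters.cfg that keeps known-chatty hosts out of a report and wraps the flow-cat | flow-nfilter | flow-stat chain in a function. It assumes flow-tools' flow-cat, flow-nfilter and flow-stat are on PATH and that a flow file for the day already exists.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumes flow-tools (flow-cat, flow-nfilter, flow-stat) is installed.

write_filters_cfg() {
  # $1 = path of the filters.cfg to write.
  # Two expected-noise hosts (constructed placeholder addresses, e.g. a backup
  # server and a monitoring poller) are denied; everything else is permitted.
  # Keep this list short: an excluded host can still be the one going awry.
  cat > "$1" <<'EOF'
filter-primitive not-noise-hosts
  type ip-address
  deny 10.0.0.5
  deny 10.0.0.9
  default permit

# Both match lines must succeed, so a flow is kept only when neither
# endpoint is a noise host.
filter-definition no-noise
  match ip-source-address not-noise-hosts
  match ip-destination-address not-noise-hosts
EOF
}

top_report() {
  # $1 = flow file (or directory of files) for the day
  # $2 = filters.cfg written above
  # $3 = flow-stat report number (for example 9 = source IP, 8 = destination
  #      IP, 5 = UDP/TCP destination port in flow-tools' numbering)
  flow-cat "$1" | flow-nfilter -f "$2" -F no-noise | flow-stat -f "$3"
}

# Run only when flow-tools is present and a flow file was given, so the
# functions above can be sourced and tested without flow data.
if [ -n "$1" ] && command -v flow-cat >/dev/null 2>&1; then
  cfg="${TMPDIR:-/tmp}/filters.cfg"
  write_filters_cfg "$cfg"
  top_report "$1" "$cfg" "${2:-9}"
fi
```

Swap the report number for whatever flow-stat format you want (the same pipeline answers "which source IP, which destination port") and add more filter-definition blocks to filters.cfg as you learn what your normal background noise looks like.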


On 9/1/05, Paul Halliday <[EMAIL PROTECTED]> wrote:
On 8/31/05, Mike Hunter <[EMAIL PROTECTED]> wrote:
> On Aug 17, "Ross Wimmersberger" wrote:
>
> > I am curious to find out what you do with your netflow reporting system?
> > We were hoping to get a little more detail so if HTTP is spiking, find
> > out why, so I might be looking into the other reporting engine, but I am
> > curious to see what and how you all use it on a daily basis?

We use it mainly to augment our IDS system. Some samples are here:

http://dp.penix.org/Flows/

Just a bunch of cron jobs that run TCL scripts to generate web based
reports. The graphing is done with a 'very crappy' shell script that
grabs stats and populates RRD's (rrdtool). Everything is refreshed
every 5 minutes. The host based reports are generated either on demand
(IDS correlation) or via a trigger (bandwidth markers, flow-dscan,
etc) during each report generation period. The great thing about flows
is the sky is the limit. So much information, so many ways to display
it, so little time..

-p
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools

