Hi all,
We are just adding the correlation engine to our upcoming open source
redBorder Flow platform and would be interested in hearing interesting
ideas from you guys on how to apply correlation rules that are specific to
the netflow area in order to detect weird stuff.
Things that come to my mind:
* Link saturation or loss
* DDoS
* Botnets / malware
* Portscan, ip sweeps
* Connection to bad reputation sites
* Change in user behaviour (from client typical usage to server typical usage)
* Activation of privileged ports in client machines
* Too much jitter / latency
* ...
I don't know, any idea or suggestion is really welcome. We would
appreciate links to sources of information too.
Regards
--
Jaime Nebrera - [email protected]
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
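As an added example (not code from redBorder or the original post), here is how two of the listed ideas, portscan / IP sweep detection and a client host that starts accepting flows on a privileged port, could be expressed as correlation rules over constructed flow records; the record layout, thresholds and sample addresses are assumptions.

```python
"""Toy netflow correlation rules over constructed flow records (added example)."""
from collections import defaultdict

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, proto, packets)
BASELINE = [                       # normal period: 10.0.0.5 and .7 only initiate flows
    (0, "10.0.0.5", "10.0.0.20", 443, "tcp", 12),
    (1, "10.0.0.5", "10.0.0.20", 22, "tcp", 8),
    (2, "10.0.0.7", "10.0.0.20", 443, "tcp", 5),
]
RECENT = (
    # one source touching 12 distinct ports on one host (portscan pattern)
    [(10 + p, "192.0.2.10", "10.0.0.20", p, "tcp", 1) for p in range(1, 13)]
    # one source touching the same port on 11 distinct hosts (ip sweep pattern)
    + [(30 + h, "192.0.2.11", f"10.0.0.{h}", 445, "tcp", 1) for h in range(30, 41)]
    # a former client host now accepting flows on a privileged port
    + [(60, "10.0.0.9", "10.0.0.5", 445, "tcp", 4)]
)


def detect_scans(flows, port_threshold=10, host_threshold=10):
    """Portscan: one src hits many distinct dst ports on one dst host.
    IP sweep: one src hits the same dst port on many distinct dst hosts."""
    ports_by_pair = defaultdict(set)   # (src, dst) -> {dst_port}
    hosts_by_port = defaultdict(set)   # (src, dst_port) -> {dst}
    for _, src, dst, dport, _, _ in flows:
        ports_by_pair[(src, dst)].add(dport)
        hosts_by_port[(src, dport)].add(dst)
    alerts = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            alerts.append(("portscan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_by_port.items():
        if len(hosts) >= host_threshold:
            alerts.append(("ip_sweep", src, dport, len(hosts)))
    return alerts


def detect_role_change(baseline_flows, recent_flows, privileged=1024):
    """Hosts seen only as flow initiators in the baseline (clients) that start
    receiving flows on a privileged port in the recent window."""
    initiators = {f[1] for f in baseline_flows}
    responders = {f[2] for f in baseline_flows}
    clients = initiators - responders
    alerts = set()
    for _, _, dst, dport, _, _ in recent_flows:
        if dst in clients and dport < privileged:
            alerts.add((dst, dport))
    return sorted(alerts)
```

Thresholds like these need tuning per network (a vulnerability scanner or a monitoring host will trip the scan rule legitimately), so a real engine would keep a per-source whitelist and a sliding time window rather than scoring a whole batch at once.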
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc