NetFlow Integrator Standard
|
|
- Randolph Simmons
- 5 years ago
- Views:
Transcription
1 NetFlow Integrator Standard User Guide Version (Build ) November 2015 Copyright 2012, 2013 NetFlow Logic Corporation. All rights reserved. Patents Pending.
2 Contents About this Guide... 3 Introduction... 3 What Are Modules and Converters?... 3 How NFI Updater Works... 5 How to Use this Guide... 5 Solutions at a Glance... 6 Modules Specifications... 8 Network Traffic and Devices Monitoring... 8 Network Subnets Monitor (10011 / 20011)... 8 TCP Health (10060 / 20060)... 9 Top Connections Monitor (10063 / 20063) Top Host Pairs (10064 / 20064) Traffic by CBQoS (10065 / 20065) Traffic by Autonomous Systems (10066 / 20066) Top Traffic Monitor (10067 / 20067) Top Packets Monitor (10068 / 20068) Enhanced Traffic Monitor Top Traffic Monitor (10967 / 20967) Network Bandwidth Consumption Monitor by Application for Blue Coat PacketShaper Network Bandwidth Consumption Monitor (10964 / 20964) Security Hosts Geographical Location Monitor (10040 / 20040) Botnet Command and Control Traffic Monitor (10050 / 20050) APT1 Monitor (10051 / 20051) Host Reputation Monitor (10052 / 20052) Threat Feeds Monitor (10053 / 20053) Outbound Mail Spammers Monitor (10025 / 20025) Inbound Mail Spammers Monitor (10026 / 20026) Unauthorized Mail Servers Monitor (10027 / 20027) Rejected s Monitor (10028 / 20028) Services Monitor DNS Monitor (10004 / 20004, 20005) Asset Access Monitor (10014 / 20014) Services Performance Monitor (10017 / 20017) Cisco ASA Devices Monitoring Top Bandwidth Consumers for Cisco ASA (10018 / 20018) Top Traffic Destinations for Cisco ASA (10019 / 20019) Top Policy Violators for Cisco ASA (10020 / 20020) Top Hosts with most Connections for Cisco ASA (10021 / 20021) Palo Alto Networks Devices Monitoring Top Bandwidth Consumers for Palo Alto Networks (10030 / 20030) Top Traffic Destinations for Palo Alto Networks (10031 / 20031) Hosts with Most Policy Violations for Palo Alto Networks (10032 / 20032) NetFlow Integrator Standard User Guide NetFlow Logic Confidential 1
3 Most Active Hosts for Palo Alto Networks (10033 / 20033) Bandwidth Consumption per Application for Palo Alto Networks (10034 / 20034) Bandwidth Consumption per Application and Users for Palo Alto Networks (10035 / 20035) VMware Top VM:Host Pairs (10164 / 20164) Top VM Traffic Monitor (10167 / 20167) Utilities Sampling Monitor (10002 / 20002) SNMP Information Monitor (10003 / 20003) Special Converters Original Flow Data (20001) sflow Data (20800, 20900) FDR Packeteer-2 Flow Data (20010) Appendix NetFlow v5 - NetFlow v9 Field Types Mapping Modules NetFlow for Splunk App X-Reference NetFlow Integrator Standard User Guide NetFlow Logic Confidential 2
4 About this Guide Introduction Use this document to learn about NetFlow Integrator s Modules and Converters, Updater, and Services, their functionality, inputs, outputs, and configuration parameters. NetFlow Integrator (NFI) is a software-only processing engine for network flow data (NetFlow, IPFIX, sflow, etc.). It is not a NetFlow collector. NetFlow Integrator accepts network flow data from network devices (routers, switches, firewalls), applies map-reduce algorithms to the data to extract the information needed to address desired use cases, converts the processed data to syslog (or other formats such as JSON), then sends that useful information to your visualization platform or SIEM (e.g. VMware vrealize Log Insight, VMware vrealize Operations, or Splunk Enterprise). By enabling appropriate Modules and Converters, you turn on specific functionality within NetFlow Integrator. For example, you can monitor: your network conversations and hosts behavior your network devices your network traffic reported by Cisco ASA NetFlow Secure Event Logging (NSEL) And many other use cases are expressed via the Modules. What Are Modules and Converters? NetFlow data is notoriously voluminous. Traditionally, all NetFlow records generated by network devices are captured and stored for further interpretation. This exact process of capturing all NetFlow records, without understanding the significance of information contained in the records data, creates tremendous storage and data analysis problems. A mid-range 20Gb device in a large office can process tens of thousands of network exchanges per second, which results in a hundred thousand NetFlow records per second. Assuming that each NetFlow record is 100 bytes long, storing data at this rate it would take 8.6TB of disk space every day. Even a smaller switch, router or firewall that processes 10 times less network connections produces 860GB of flow data every day. NetFlow Integrator Modules and Converters are designed to provide solutions for specific use cases and at the same time reduce the amount of data (without losing information veracity) that needs to be stored by orders of magnitude. The Modules and Converters are packaged into Module Set packages. Each Module consists of one or more content-based rules and one or more time-based triggers (called Data Collection Interval ). Converters provide mechanisms for translating information emitted by the Modules into a format suitable for further processing. Please see Solutions at a Glance section below for more details. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 3
5 Let us consider a typical example: a network administrator would like to know how the bandwidth of his Cisco ASA firewall is consumed. This is not possible using traditional Cisco ASA logging because setting logging at the Informational level severely impacts device performance. A better approach is to use Cisco ASA NetFlow Secure Event Logging (NSEL) but the sheer volume of NSEL data may overwhelm traditional NetFlow collectors. This is when NetFlow Integrator s Modules mechanism comes to the rescue. The diagram below shows how data reduction is implemented in the Top Bandwidth Consumers Module. This Module employs an in-memory Map-Shuffle-Reduce algorithm. To report top 50 bandwidth consumers, the Module sums up bytes by source IP -- processing every single flow record over a short period of time (e.g. 30 seconds) (Map), then the data is sorted by accumulated bytes (Shuffle), and finally the top 50 records are retrieved (Reduce), converted to syslog, and sent to a SIEM system (e.g. Splunk). Thus this Module processes thousands of flow records per second, and reports only top 50 bandwidth consumers every 30 seconds, which are typically responsible for 98%-99% of all traffic. NFI Modules use cases are not limited to NetFlow Consolidation. Another diagram below shows how security oriented NFI module reports all malicious network conversation based on threat lists. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 4
6 How NFI Updater Works NFI Updater is a remote component which serves as a knowledge base of information outside of the NetFlow domain. Its task is to provide NetFlow Integrator with information generally unavailable in the data streams supplied by NetFlow/IPFIX exporters. How to Use this Guide Updater is comprised of a Platform and a collection of Agents each of which is designed to obtain information of a certain kind. The Platform provides a common interface for the Agents configuration and data exchange and serves as a conduit for delivering information collected by the Agents to the NetFlow Integrator. Typically Updater is installed on a separate server with access to the internet. The Modules Specification section contains detailed descriptions of the Modules. Modules are numbered from Each Converter produces its own type of syslog message, identified by a special field: nfc_id. For example, Top Bandwidth Consumers for Cisco ASA (10018/20018) Module has the corresponding Converter The syslog message produced by this Converter is identified by the field nfc_id = All Modules are configurable. Parameters to specify the granularity and the amount of consolidated flow data to be sent out are described at the end of each Module specification. For example, Data Collection Interval, sec sets the interval for the Module time trigger. Top N parameter specifies the number of records (usually per exporter) to be converted and sent out. Other parameters may specify a list of IP addresses, or subnets, or ports, depending on the use case of the Module. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 5
7 Solutions at a Glance The table below shows which Modules need to be enabled to turn on NetFlow Integrator specific solutions and corresponding Splunk application menu. Module Set (package) Module (AppMod id / syslog id) Network Traffic and Devices Monitor (network_monitor) Network Subnets Monitor (10011 / 20011) TCP Health (10060 / 20060) Top Connections Monitor (10063 / 20063) Top Host Pairs (10064 / 20064) Traffic by CBQoS (10065 / 20065) Traffic by Autonomous Systems (10066 / 20066) Top Traffic Monitor (10067 / 20067) Top Packets Monitor (10068 / 20068) Reports top bandwidth consumers for each monitored subnet This Module reports TCP Health by detecting top hosts with the most TCP Resets This Module identifies hosts with the most connections This Module reports top Host Pairs network conversations This Module reports traffic for all DSCP bits combinations (QoS) This Module reports traffic by all Autonomous Systems (AS) This Module identifies hosts with the most traffic This Module identifies hosts with the most packets Enhanced Traffic Monitor (network_monitor) Top Traffic Monitor (10967 / 20967) Network Bandwidth Consumption Monitor by Application for Blue Coat PacketShaper Network Bandwidth Consumption Monitor (10964 / 20964) Security (security) Hosts Geographical Location Monitor (10040 / 20040) Botnet Command and Control Traffic Monitor (10050 / 20050) APT1 Monitor (10051 / 20051) 1 Peer by Reputation Monitor (10052 / 20052) Threat Feeds Monitor (10053 / 20053) ( _monitor) This Module identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts This Module reports network bandwidth consumption by pairs of network users per application kind per PacketShaper instance. This Module identifies hosts with most traffic, and reports them with their geographical locations This Module monitors traffic originated from known Command and Control hosts (C&C) or directed to these hosts This Module monitors traffic originated from known APT1 hosts and IP blocks identified in Mandiant APT1 report. This Module uses a host reputation database from Alienvault ( to report communications with malicious peers This Module monitors traffic originated from known threat lists specified as IP blocks, list of domains, or IP addresses. 1 Mandiant APT1 report was published in 2013 and has not been updated since this time. This Module is obsolete and no longer supported. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 6
8 Outbound Mail Spammers Monitor (10025 / 20025) Inbound Mail Spammers Monitor (10026 / 20026) Unauthorized Mail Servers Monitor (10027 / 20027) Rejected s Monitor (10028 / 20028) Services Monitor (services_monitor) DNS Monitor (10004 / 20004, 20005) Asset Access Monitor (10014 / 20014) Services Performance Monitor (10017 / 20017) This Module detects internal hosts infected with spam malware This Module detects external hosts sending excessive traffic to your organization This Module detects internal hosts running unauthorized mail servers This Module detects external hosts sending s rejected by internal mail servers This Module monitors DNS servers and DNS traffic This Module monitors traffic to selected services and matches communications to a list of authorized peers This Module monitors services performance characteristics Cisco ASA (cisco_asa) Top Bandwidth Consumers for Cisco ASA (10018 / 20018) Top Traffic Destinations for Cisco ASA (10019 / 20019) Top Policy Violators for Cisco ASA (10020 / 20020) Top Hosts with most Connections for Cisco ASA (10021 / 20021) This Module provides a list of top network bandwidth consumers operating on the internal network This Module provides a list of most popular destinations measured by the traffic This Module provides a list of firewall policies violators This Module provides top N (by the number of connections) consumers (users) Palo Alto Networks (panw_monitor) Top Bandwidth Consumers for Palo Alto Networks (10030 / 20030) Top Traffic Destinations for Palo Alto Networks (10031 / 20031) Hosts with Most Policy Violations for Palo Alto Networks (10032 / 20032) Most Active Hosts for Palo Alto Networks (10033 / 20033) Bandwidth Consumption per Application for Palo Alto Networks (10034 / 20034) Bandwidth Consumption per Application and Users for Palo Alto Networks (10035 / 20035) This Module provides a list of top network bandwidth consumers operating on the internal network This Module provides a list of top network bandwidth destinations This Module provides a list of top firewall policies violators This Module provides a list of most active hosts by the number of initiated connections This Module provides a list of most active applications by traffic This Module provides a list of most active applications and users by traffic VMware (vmware) Top VM:Host Pairs (10164 / 20164) Top VM Traffic Monitor (10167 / 20167) This Module reports top network conversations in VM environment This Module identifies VMs with the most traffic Utilities (service_rules) Sampling Monitor (10002 / 20002) SNMP Information Monitor (10003 / 20003) This Module reports NetFlow sampling information This Module reports SNMP information NetFlow Integrator Standard User Guide NetFlow Logic Confidential 7
9 Modules Specifications Network Traffic and Devices Monitoring All Modules report information in syslog key=value pairs format, as shown below. Network Subnets Monitor (10011 / 20011) This Module reports top bandwidth consumers for each monitored subnet. This information is provided per NetFlow exporter and monitored subnet. Input NetFlow v5, v9, IPFIX, and Cisco ASA NSEL. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address or The IPv4 or IPv6 source address in the IP packet 8 or 27 4 or 16 sourceipv6address header destinationipv4address or The IPv4 or IPv6 destination address in the IP packet 12 or 28 4 or 16 destinationipv6address header The value of the protocol number in the IP packet protocolidentifier 4 1 header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 Subnet IPv4 subnet <IPv4_address> NetFlow Integrator Standard User Guide NetFlow Logic Confidential 8
10 No Field Key Comments 7 Subnet IPv6 subnet <IPv6_address> 8 Mask mask 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Transport Protocol ( TCP = 6, UDP = 17) protocol 12 Bytes Out (Traffic) bytes_out 13 Bytes In (Traffic) bytes_in 14 Packets Out count packets_out 15 Packets In count packets_in 16 Number of flows flow_count < number> 17 Percent of Total Traffic of the Source Host within Subnet percent_of_total 18 Observation time interval, msec t_int <decimal>, e.g % is Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 10 sec, max = 600 sec, default = 30 sec Monitored subnet IPv4 address and subnet mask List of the watched subnets IPv4 addresses and masks (CIDR notation) e.g / 18; / 24 Monitored subnet IPv6 address List of the watched subnets IPv6 and subnet mask addresses and masks (CIDR notation) e.g. 2620:0:2d0:200::7/24 N number of reported hosts Top N (number of reported hosts per min = 1, max = , subnet) default = 50 TCP Health (10060 / 20060) This Module reports TCP Health by detecting top hosts with the most TCP Resets. Top hosts are defined by percent of TCP resets to the total number of Resets for definitive NetFlow exporter or by percent of TCP resets to the total number of host s connections. This information is provided by a definitive NetFlow exporter. Input NetFlow v5, v9, IPFIX, and Palo Alto Networks NetFlow v9. sflow and sampled NetFlow are specifically excluded from processing by this Module. Cisco ASA NSEL is not supported by this Module as it does not have TCP flags. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 9
11 Syslog message fields - Hosts No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= Source host IPv4 address src_ip <IPv4_address> 6 Source host IPv6 address src_ip6 <IPv6_address> 7 Source host name [src_host] 2 8 Count of Resets reset_count 9 10 Percent of the total number of resets sent by source host Percent of the resets to the total number of the source host connections total_share local_share <string>, included when FQDN is on 11 Observation time interval, msec t_int Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N - reporting threshold in percent min = 0 %, max = 100 %, % of Total Resets of total resets number default = 10 % N - reporting threshold in percent min = 0 %, max = 100 %, of resets to the number of host % of Resets to local host connections default = 50 % connections Top Connections Monitor (10063 / 20063) This Module identifies hosts with the most connections. It consolidates NetFlow records over a period of time (Module execution interval) which all have the same combination of the following fields: Source IP address Destination IP address Source port number Destination port number Layer 3 protocol Input interface Output interface 2 Host name field is optional and included only if FQDN Service is enabled. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 10
12 This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B IPv4 sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header IPv6 sourceipv6address The IPv6 source address in the IP packet header destinationipv6address The IPv6 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 7 NetFlow exporter ingress interface SNMP index NetFlow exporter egress interface SNMP index input_snmp output_snmp 8 Transport Protocol ( TCP = 6, UDP = 17) protocol 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Source host name [src_host] 3 12 Source port number src_port <string>, included when FQDN is on 13 Destination host IPv4 address dest_ip <IPv4_address> 14 Destination host IPv6 address dest_ip6 <IPv6_address> 3 Host name field is optional and included only if FQDN Service is enabled. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 11
13 No Field Key Comments 15 Destination host name [dest_host]3 <string>, included when FQDN is on 16 Destination port number dest_port 17 Cumulative OR of TCP flags tcp_flag Packets in the flow received by the input interface Total number of Layer 3 bytes in the packets of the flow received by the input interface packets_in bytes_in 20 Inbound IP type of service src_tos 21 Outbound IP type of service dest_tos 22 Source AS src_asn 23 Destination AS dest_asn 24 Number of Flows flow_count 25 Percent of Total (flow_count) percent_of_total 26 Flow Sampler ID [flow_smpl_id] 27 Observation time interval, msec t_int <decimal>, e.g % is Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top hosts reported per min = 1, max = , default NetFlow exporter = 50 Top Host Pairs (10064 / 20064) This Module reports top Host Pairs network conversations. A network conversion is a series of data exchanges between two hosts, over the same protocol (TCP or UDP), and going through the same router/switch (exporter). The number of exchanged bytes and packets are summed up. Unless specified in one of the parameters, the Module determines which host is a client and which is a server as follows: a server sends more traffic (bytes) than a client. Deduplication: optionally the module can report host pairs only from authoritative router/switch. Authoritative network device is determined as follows. The Module sums up bytes, packets, and connections between two hosts over data collection interval (parameter, default = 30 sec), reported by each flow exporter. An exporter with most connections for each host pair is considered authoritative, and host pair conversations reported by all other exporters are discarded. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 12
14 Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B IPv4 sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header IPv6 sourceipv6address The IPv6 source address in the IP packet header destinationipv6address The IPv6 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= NetFlow exporter IPv4 address exp_ip <IPv4_address> 6 Transport Protocol ( TCP = 6, UDP = 17) protocol 7 Server IP address dest_ip <IPv4_address> 8 Server IPv6 address dest_ip6 <IPv6_address> 9 Server host name [dest_host] 4 10 Server port number [dest_port] 5 <string>, included when FQDN is on 11 Client IP address src_ip <IPv4_address> 12 Client IPv6 address src_ip6 <IPv6_address> 13 Client host name [src_host]4 14 Packets from client to server packets_in <string>, included when FQDN is on 4 Host name field is optional and included only if FQDN Service is enabled. 5 Server destination port is optional NetFlow Integrator Standard User Guide NetFlow Logic Confidential 13
15 No Field Key Comments 15 Layer 3 bytes from client to server bytes_in 16 Packets from server to client packets_out 17 Layer 3 bytes from server to client bytes_out 18 Layer 3 bytes in both directions bytes 19 Number of flows flow_count 20 Percent of Total (bytes) (Client + Server) percent_of_total 21 Flow Sampler ID [flow_smpl_id] 22 Observation time interval, msec t_int <decimal>, e.g % is Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported host pairs The number of top host pairs reported min = 1, max = , per NetFlow exporter default = 50 List of server destination ports to be used to determine which host is a client List of known server destination and which is a server. If the list is port numbers empty, the server is the one sending e.g. 53, 80, 443 more traffic than receiving Enable(1) or disable (0) reporting by server port Enable(1) or disable (0) reporting by authoritative exporters only Traffic by CBQoS (10065 / 20065) If set to 1, enable traffic reporting by destination port. If set to 0, dest_port field will be omitted If set to 1, the Module reports host pairs only from authoritative exporters default = 1 default = 0 This Module reports traffic for all DSCP bits combinations (QoS). This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX, Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B octetdeltacount 1 4 or 8 The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. packetdeltacount 2 4 or 8 The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 14
16 Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 Transport Protocol ( TCP = 6, UDP = 17) protocol 7 Inbound IP type of service src_tos 8 Outbound IP type of service dest_tos 9 Packets received in the QoS class flows packets_in Total number of Layer 3 bytes received in the QoS class flows Number of flows received in the QoS class flows Percent of Total (bytes) of all bytes received by the exporter bytes_in flow_count percent_of_total 13 Flow Sampler ID [flow_smpl_id] 14 Observation time interval, msec t_int <decimal>, e.g % is Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec Traffic by Autonomous Systems (10066 / 20066) This Module reports traffic by all Autonomous Systems (AS). This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX. Required NetFlow fields Information Element (IE) IE id IE size, B octetdeltacount 1 4 or 8 The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 15
17 Information Element (IE) IE id IE size, B packetdeltacount 2 4 or 8 The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 Source AS src_asn 7 Destination AS dest_asn 8 9 Total number of Layer 3 bytes in the packets of the flow received (IPv4) Total number of Layer 3 bytes in the packets of the flow received (IPv6) bytes bytes6 10 Packets in the flow received (IPv4) packets 11 Packets in the flow received (IPv6) packets6 12 Number of Flows flow_count 13 Percent of Total (bytes) percent_of_total <decimal> 14 Flow Sampler ID [flow_smpl_id] 15 Observation time interval, msec t_int Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top ASN pairs reported min = 1, max = , per NetFlow exporter default = 50 Top Traffic Monitor (10067 / 20067) This Module identifies hosts with the most traffic. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields: Source IP address Destination IP address NetFlow Integrator Standard User Guide NetFlow Logic Confidential 16
18 Source port number Destination port number Layer 3 protocol Input interface Output interface This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B IPv4 sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header IPv6 sourceipv6address The IPv6 source address in the IP packet header destinationipv6address The IPv6 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 7 NetFlow exporter ingress interface SNMP index NetFlow exporter egress interface SNMP index input_snmp output_snmp 8 Transport Protocol ( TCP = 6, UDP = 17) protocol 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Source host name [src_host] 6 <string>, included when FQDN is on 6 Host name field is optional and included only if FQDN Service is enabled. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 17
19 No Field Key Comments 12 Source port number src_port 13 Destination host IPv4 address dest_ip <IPv4_address> 14 Destination host IPv6 address dest_ip6 <IPv6_address> 15 Destination host name [dest_host]6 16 Destination port number dest_port 17 Cumulative OR of TCP flags tcp_flag Packets in the flow received by the input interface Total number of Layer 3 bytes in the packets of the flow received by the input interface packets_in bytes_in <string>, included when FQDN is on 20 Inbound IP type of service src_tos 21 Outbound IP type of service dest_tos 22 Source AS src_asn 23 Destination AS dest_asn 24 Number of Flows flow_count 25 Percent of Total (bytes) percent_of_total 26 Flow Sampler ID [flow_smpl_id] 27 Observation time interval, msec t_int <decimal>, e.g % is Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top hosts reported per min = 1, max = , NetFlow exporter default = 50 Top Packets Monitor (10068 / 20068) This Module identifies hosts with the most packets. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields: Source IP address Destination IP address Source port number Destination port number Layer 3 protocol NetFlow Integrator Standard User Guide NetFlow Logic Confidential 18
20 Input interface Output interface This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B IPv4 sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header IPv6 sourceipv6address The IPv6 source address in the IP packet header destinationipv6address The IPv6 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 7 NetFlow exporter ingress interface SNMP index NetFlow exporter egress interface SNMP index input_snmp output_snmp 8 Transport Protocol ( TCP = 6, UDP = 17) protocol 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Source host name [src_host] 7 12 Source port number src_port <string>, included when FQDN is on 7 Host name field is optional and included only if FQDN Service is enabled. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 19
21 No Field Key Comments 13 Destination host IPv4 address dest_ip <IPv4_address> 14 Destination host IPv6 address dest_ip6 <IPv6_address> 15 Destination host name [dest_host]7 16 Destination port number dest_port 17 Cumulative OR of TCP flags tcp_flag Packets in the flow received by the input interface Total number of Layer 3 bytes in the packets of the flow received by the input interface packets_in bytes_in <string>, included when FQDN is on 20 Inbound IP type of service src_tos 21 Outbound IP type of service dest_tos 22 Source AS src_asn 23 Destination AS dest_asn 24 Number of Flows flow_count 25 Percent of Total (packets) percent_of_total 26 Flow Sampler ID [flow_smpl_id] 27 Observation time interval, msec t_int <decimal>, e.g % is Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top hosts reported per min = 1, max = , NetFlow exporter default = 50 Enhanced Traffic Monitor This package contains an enhanced version of Top Traffic Monitor Module It reports Reputation and Geo locations of source and destination hosts. Top Traffic Monitor (10967 / 20967) This Module identifies hosts with the most traffic. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields: Source IP address NetFlow Integrator Standard User Guide NetFlow Logic Confidential 20
22 Destination IP address Source port number Destination port number Layer 3 protocol Input interface Output interface This information is provided per NetFlow exporter. Reputation field is provided as follows: Watch list Known malicious hosts list must be specified. The Module checks if destination IP is in this watch list; if yes, the reputation value is provided, and the rep_ip field is populated with destination IP address. If not, the source IP is checked, the reputation value is populated, and rep_ip field is populated with the source IP. Country codes for both source IP and destination IP are provided based on IPv4 address block and country code watch list. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header IPv4 destinationipv4address 12 4 The IPv4 destination address in the IP packet header sourceipv6address The IPv6 source address in the IP packet header IPv6 destinationipv6address The IPv6 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlow Integrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlow Integrator server IP address Format: IPv4_address 3 NetFlow Integrator server NetFlow source ID Configurable. 4 Message type identifier nfc_id nfc_id= NetFlow exporter IP address exp_ip <IPv4 address> 6 NetFlow exporter ingress interface SNMP index input_snmp NetFlow Integrator Standard User Guide NetFlow Logic Confidential 21
23 No Field Key Comments 7 NetFlow exporter egress interface SNMP index output_snmp 8 Transport Protocol ( TCP = 6, UDP = 17) protocol 9 Source host IPv4 address src_ip <IPv4_address> 10 Source host IPv6 address src_ip6 <IPv6_address> 11 Source host name [src_host] 8 12 Source port number src_port <string>, included when FQDN is on 13 Destination host IPv4 address dest_ip <IPv4_address> 14 Destination host IPv6 address dest_ip6 <IPv6_address> 15 Destination host name [dest_host] 9 16 Destination port number dest_port 17 Cumulative OR of TCP flags tcp_flag Packets in the flow received by the input interface Total number of Layer 3 bytes in the packets of the flow received by the input interface packets_in bytes_in <string>, included when FQDN is on 20 Inbound IP type of service src_tos 21 Outbound IP type of service dest_tos 22 Source AS src_asn 23 Destination AS dest_asn 24 Number of Flows flow_count 25 Percent of Total (bytes) percent_of_total 26 Flow Sampler ID [flow_smpl_id] <decimal>, e.g % is Host name field is optional and included only if FQDN Service is enabled. 9 Host name field is optional and included only if FQDN Service is enabled. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 22
24 No Field Key Comments 27 Reputation: [reputation] 10 <string>: "Unexpected Host Reputation Classifier" "Scanning Host" "Malware Domain" "Malware IP" "Spamming" "C&C" "Malicious Host" "Malware distribution" "APT" 28 Reputation IP [rep_ip] Actual IP address (source or destination) found in Reputation database 29 Source IP country code [src_cc] ISO Alpha 2 country code (a two-character country designation, e.g. US) 30 Destination IP country code [dest_cc] ISO Alpha 2 country code (a two-character country designation, e.g. US) 31 Observation time interval, msec t_int Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported hosts The number of top hosts reported per min = 1, max = , NetFlow exporter default = 50 Known malicious hosts list List of known malicious peers AlienVault Reputation database (OTX) IPv4 address block and country code Mapping of country codes to IP addresses blocks This list is updated by NFI Updater, which uses the MaxMind GeoLite Country database as a source Network Bandwidth Consumption Monitor by Application for Blue Coat PacketShaper This package contains a Module for Blue Coat PacketShaper-2 Flow Data. Network Bandwidth Consumption Monitor (10964 / 20964) This Module reports network bandwidth consumption by pairs of network users per application kind per PacketShaper instance. The Module consolidates per application kind information based on network 10 Omit this field if no match of source or destination IP is found in Reputation database NetFlow Integrator Standard User Guide NetFlow Logic Confidential 23
25 conversations, where a network conversation is a series of network traffic exchanges between two network hosts executing that application. Network conversation attributes are user configurable and may include source and destination IP addresses and source and destination transport layer ports. Optionally, the user may provide a list of known ports by which the server side of a network conversation may be determined. In a case when a list of ports is not provided or when the ports are not present in the provided list the Module makes a best effort determination of the server side by assuming that a party which sent most traffic is the server. The Module classifies applications by the PacketShaper ClassId field found in the Packeteer-2 messages. The Module determines a corresponding application name by dereferencing a list of application names distinguished by the respective ClassId values. The user has the ability to control Module s output by specifying treatment of the input Packeteer-2 records which ClassId is not present in the PacketShaper ClassId - Application Name mapping table. Unclassified records may either be discarded or processed normally and supplied a default application name such as unknown. Input Flow records in the Blue Coat PacketShaper Packeteer-2 format. Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= PacketShaper instance IPv4 address exp_ip <IPv4_address> 6 PacketShaper application ClassId class_id 7 PacketShaper application name application <string> 8 Server IPv4 address dest_ip <IPv4_address> 9 Server host name [dest_host] Server transport layer port number [dest_port] <string>, included when NFI FQDN service is enabled 11 Client IPv4 address src_ip <IPv4_address> 12 Client host name [src_host] 13 Client transport layer port number [src_port] <string>, included when NFI FQDN service is enabled 11 Optional message fields are enclosed in square brackets NetFlow Integrator Standard User Guide NetFlow Logic Confidential 24
26 20 No Field Key Comments 14 Packets sent from the client to the server packets_in 15 Layer 3 bytes from the client to the server bytes_in 16 Packets from the server to the client packets_out 17 Layer 3 bytes from the server to the client bytes_out 18 Number of observed flows flow_count 19 Percent of total traffic produced by this host pair per application during current data collection interval percent_of_total Observation time interval, msec t_int <floating point decimal> Parameters Parameter Name Comments Time-based Rule invocation min = 5 sec, max = 600 sec, Module reporting interval interval, sec default = 30 sec A number of unique communicating host pairs reported per application per N - The number of unique host pairs per min = 1, max = , PacketShaper instance. The application kind to report default = 50 host pairs are reported in the descending order by traffic volume. List of known server destination port numbers Enable(1) or disable (0) reporting by the server port Enable(1) or disable (0) reporting by the client port A list of server destination ports to be used to determine which host is a client and which is a server. If the list is empty, the server is the one sending more traffic than receiving If set to 1, enable traffic reporting by destination port. If set to 0, dest_port field in the output syslog message is omitted. Turning this parameter on or off does not affect the number of unique host pairs output by the module. If set to 1, enable traffic reporting by source port. If set to 0, src_port field the output syslog message is omitted. Turning this parameter on or off does not affect the number of unique host pairs output by the module. e.g. 53, 80, 443 default = 0 default = 0 List of PacketShaper ClassId values and corresponding Application names A list of PacketShaper ClassId and Application name e.g. 2525, /Outbound/AOL-AIM- ICQ NetFlow Integrator Standard User Guide NetFlow Logic Confidential 25
27 Parameter Name Comments If set to 1, drop Packeteer-2 Report information for a user-defined records with unknown ClassId. subset of applications (1) or for all default = 0 Report all network conversations applications (0) otherwise. Security Hosts Geographical Location Monitor (10040 / 20040) This Module identifies hosts with most traffic, and reports them with their geographical locations. This Module uses an IPv4 address blocks to geographical locations mapping database provided by MaxMind GeoLite Country - to find geographical locations of the connecting hosts. The GeoIP database contains approximately 100K entries. The GeoLite Country database update frequency is one month. A commercial version of the MaxMind GeoIP database is updated every other day. Use Updater feature of NetFlow Integrator for initial load and periodic updates of this list. Besides a GeoIP database the Module has two other optional watch lists: List of monitored localities: Alpha-2 codes per ISO ( List of watched local subnets: CIDR notation The Module is using local subnets list to resolve inbound and outbound traffic, and reports it separately (field direction=ingress or direction=egress in syslog). In inbound traffic report the source IPv4 address is an IPv4 address of a host with most traffic in a geographic locality, and the destination IPv4 address is an IPv4 address of an internal host. In outbound traffic report the source IPv4 address is an IPv4 address of an internal host, and the destination IPv4 address is an IPv4 address of a host with most traffic in an outbound geographic locality. Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9 Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss NetFlow Integrator Standard User Guide NetFlow Logic Confidential 26
28 No Field Key Comments 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= NetFlow exporter IPv4 address exp_ip <IPv4_address> 6 Source host IPV4 address src_ip <IPv4_address> 7 Destination host IPv4 address dest_ip <IPv4_address> 8 Traffic direction direction <string>: egress ingress 9 Country code cc 10 Number of flows flow_count < number> 11 Bytes total (Traffic) bytes 12 Observation time interval, msec t_int ISO Alpha 2 country code (a two-character country designation, e.g. US) Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 10 sec, max = 600 sec, default = 30 sec List of monitored localities List of two letter country codes e.g. AQ, US, GB List of watched local subnets and hosts IPv4 address block and country code List of the watched subnets IPv4 addresses and masks (CIDR notation) Mapping of country codes to IP addresses blocks Botnet Command and Control Traffic Monitor (10050 / 20050) e.g / 18; / 24 default = / 0 This list is updated by NFI Updater, which uses the MaxMind GeoLite Country database as a source This Module monitors traffic originated from known Command and Control hosts (C&C) or directed to these hosts. The list of IP addresses of C&C hosts is obtained from the list published by Emerging Threats ( company: List of known C&C servers: The Module reports all communications of internal hosts with C&C list, and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 27
29 Use Updater feature of NetFlow Integrator for initial load and periodic updates of this threat list. 12 Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header sourcetransportport 7 2 destinationtransportport 11 2 octetdeltacount 1 4 or 8 Syslog message fields The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id= NetFlow exporter IPv4 address exp_ip <IPv4_address> 6 Source host IPV4 address src_ip <IPv4_address> 7 Source port src_port 8 Destination host IPv4 address dest_ip <IPv4_address> 9 Destination port dest_port 10 Number of flows flow_count < number> 11 Bytes total (Traffic) bytes 12 Minimum bytes count of flows min_bytes 12 Please contact support@netflowlogic.com if you want to use your own feeds. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 28
30 No Field Key Comments 13 Maximum bytes count of flows max_bytes 14 Flow direction direction <string>: ingress or egress 15 Observation time interval, msec t_int Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 10 sec, max = 300 sec, default = 30 sec Shadowserver C&C list from Known C&C hosts List of C&C IPv4 addresses Emerging Threats. This list is (ipv4_dst_addr) list updated by NFI Updater APT1 Monitor (10051 / 20051) This Module monitors traffic originated from known APT1 hosts and IP blocks identified in Mandiant APT1 report ( The Mandiant APT1 report has not been updated since This Module is obsolete and no longer supported. Host Reputation Monitor (10052 / 20052) This Module uses a host reputation database from Alienvault ( to report communications with malicious peers. The reputation table provides a suspicious host IPv4 address and one or more host classifications (e.g. Scanning Host, Malicious Host, Malware Domain). The host reputation database size is approximately 260K entries. The Module reports all communications of internal hosts with the hosts included in the reputation database and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable. Use Updater feature of NetFlow Integrator for initial load and periodic updates of this threat list from Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B sourceipv4address 8 4 The IPv4 source address in the IP packet header NetFlow Integrator Standard User Guide NetFlow Logic Confidential 29
NetFlow Integrator Standard
NetFlow Integrator Standard User Guide Version 2.4.3 (Build 2.4.3.0.24) February 2016 Copyright 2012-2016 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents About this Guide... 3
More informationNetFlow Optimizer. User Guide. Version (Build ) May 2017
NetFlow Optimizer User Guide Version 2.4.9 (Build 2.4.9.0.3) May 2017 Copyright 2012-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents About this Guide... 3
More informationNetFlow Optimizer. User Guide. Version (Build X) November 2017
NetFlow Optimizer User Guide Version 2.5.0 (Build 2.5.0.0.X) November 2017 Copyright 2012-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents About this Guide...
More informationNetwork Operations Analytics
Network Operations Analytics Solution Guide Version 2.4.4 (Build 2.4.4.0.x) June 2016 Copyright 2012-2016 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 2 Solution
More informationNetFlow Optimizer. Overview. Version (Build ) May 2017
NetFlow Optimizer Overview Version 2.4.9 (Build 2.4.9.0.3) May 2017 Copyright 2013-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents About NetFlow Optimizer...
More informationNetFlow Analytics for Splunk
NetFlow Analytics for Splunk User Manual Version 3.8.x May 2018 Copyright 2012-2018 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Table of Contents Introduction... 3
More informationFlowIntegrator. Integrating Flow Technologies with Mainstream Event Management Systems. Sasha Velednitsky
FlowIntegrator Integrating Flow Technologies with Mainstream Event Management Systems Sasha Velednitsky svelednitsky@netflowlogic.com NetFlow Logic Corporation January 2012 Problem Network infrastructure
More informationplixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels
Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to
More informationCompare Security Analytics Solutions
Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch
More informationTrisul Network Analytics - Traffic Analyzer
Trisul Network Analytics - Traffic Analyzer Using this information the Trisul Network Analytics Netfllow for ISP solution provides information to assist the following operation groups: Network Operations
More informationV2P Network Visibility
V2P Network Visibility Solution Guide Version 2.4.9 (Build 2.4.9.0.X) May 2017 Copyright 2012-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents Overview...
More informationHPE Security ArcSight Connectors
HPE Security ArcSight Connectors SmartConnector for IP Flow (NetFlow/J-Flow) Configuration Guide October 17, 2017 SmartConnector for IP Flow (NetFlow/J-Flow) October 17, 2017 Copyright 2004 2017 Hewlett
More informationUsing NetFlow Filtering or Sampling to Select the Network Traffic to Track
Using NetFlow Filtering or Sampling to Select the Network Traffic to Track First Published: June 19, 2006 Last Updated: December 17, 2010 This module contains information about and instructions for selecting
More informationFlow Sampling for ASR1K
LIVEACTION, INC. Flow Sampling for ASR1K CONFIGURATION LiveAction, Inc. 3500 Copyright WEST BAYSHORE 2016 LiveAction, ROAD Inc. All rights reserved. LiveAction, LiveNX, LiveUX, the LiveAction Logo and
More informationUsing Centralized Security Reporting
This chapter contains the following sections: Centralized Email Reporting Overview, on page 1 Setting Up Centralized Email Reporting, on page 2 Working with Email Report Data, on page 4 Understanding the
More informationMonitoring and Analysis
CHAPTER 3 Cisco Prime Network Analysis Module 5.1 has two types of dashboards: One type is the summary views found under the Monitor menu, and the other type is the over time views found under the Analyze
More informationZone-Based Firewall Logging Export Using NetFlow
Zone-Based Firewall Logging Export Using NetFlow Zone-based firewalls support the logging of messages to an external collector using NetFlow Version 9 export format. NetFlow Version 9 export format uses
More informationIntroduction to Netflow
Introduction to Netflow Campus Network Design & Operations Workshop These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
More informationUsing NetFlow Sampling to Select the Network Traffic to Track
Using NetFlow Sampling to Select the Network Traffic to Track This module contains information about and instructions for selecting the network traffic to track through the use of NetFlow sampling. The
More informationImplementing Access Lists and Prefix Lists
An access control list (ACL) consists of one or more access control entries (ACE) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR softwarefeatures
More informationAVC Configuration. Unified Policy CLI CHAPTER
CHAPTER 3 Revised: February 7, 2013, This chapter addresses AVC configuration and includes the following topics: Unified Policy CLI, page 3-1 Metric Producer Parameters, page 3-2 Reacts, page 3-2 NetFlow/IPFIX
More informationNetwork Management and Monitoring
Network Management and Monitoring Introduction to Netflow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)
More informationConfiguring Access Rules
Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule
More informationCovert channel detection using flow-data
Covert channel detection using flow-data Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using flow-data
More informationMonitoring the Device
The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring
More informationConfiguring AVC to Monitor MACE Metrics
This feature is designed to analyze and measure network traffic for WAAS Express. Application Visibility and Control (AVC) provides visibility for various applications and the network to central network
More informationConfiguring the Botnet Traffic Filter
CHAPTER 54 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary
More informationUsing NetFlow Sampling to Select the Network Traffic to Track
Using NetFlow Sampling to Select the Network Traffic to Track Last Updated: September 17, 2012 This module contains information about and instructions for selecting the network traffic to track through
More informationExternal Logging. Bulk Port Allocation. Restrictions for Bulk Port Allocation
External logging configures ex and logging of table entries, private bindings that are associated with a particular global IP, and to use Netflow to ex table entries., page 1 Session logging, page Syslog,
More informationConfiguring NetFlow and NetFlow Data Export
Configuring NetFlow and NetFlow Data Export This module contains information about and instructions for configuring NetFlow to capture and export network traffic data. NetFlow capture and export are performed
More informationConfiguring Application Visibility and Control for Cisco Flexible Netflow
Configuring Application Visibility and Control for Cisco Flexible Netflow First published: July 22, 2011 This guide contains information about the Cisco Application Visibility and Control feature. It also
More informationIntroduction to Network Discovery and Identity
The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, page 1 Uses for Host, Application, and User Discovery and Identity
More informationInformation about Network Security with ACLs
This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Finding Feature Information,
More informationConfiguring the Botnet Traffic Filter
CHAPTER 46 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary
More informationConfiguring Data Export for Flexible NetFlow with Flow Exporters
Configuring Data Export for Flexible NetFlow with Flow Exporters Last Updated: November 29, 2012 This document contains information about and instructions for configuring flow exporters to export Flexible
More informationScrutinizer Flow Analytics
Scrutinizer Flow Analytics TM Scrutinizer Flow Analytics Scrutinizer Flow Analytics is an expert system that highlights characteristics about the network. It uses flow data across dozens or several hundred
More informationConfiguring the Botnet Traffic Filter
CHAPTER 51 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary
More informationHow the Internet sees you
IBM Research Zurich How the Internet sees you Demonstrating what activities most ISPs see you doing on the Internet Jeroen Massar 2010 IBM Corporation Network of networks You 2 CCC
More informationDetecting and Analyzing Network Threats With NetFlow
Detecting and Analyzing Network Threats With NetFlow First Published: June 19, 2006 Last Updated: October 02, 2009 This document contains information about and instructions for detecting and analyzing
More informationASA Access Control. Section 3
[ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look
More informationIntroduction to Network Discovery and Identity
The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, on page 1 Uses for Host, Application, and User Discovery and Identity
More informationConfiguring NetFlow and NetFlow Data Export
This module contains information about and instructions for configuring NetFlow to capture and export network traffic data. NetFlow capture and export are performed independently on each internetworking
More informationIP Multicast Traffic Measurement Method with IPFIX/PSAMP. Atsushi Kobayashi Yutaka Hirokawa Haruhiko Nishida NTT
IP Multicast Traffic Measurement Method with /PSAMP Atsushi Kobayashi Yutaka Hirokawa Haruhiko Nishida NTT 1 Outline Introduction Motivation Requirements Main requirements for measurement system in largescale
More informationNetFlow Traffic Analyzer
ADMINISTRATOR GUIDE NetFlow Traffic Analyzer Version 4.4 Last Updated: Friday, June 15, 2018 2018 SolarWinds Worldwide, LLC. All rights reserved. This document may not be reproduced by any means nor modified,
More informationFlowMonitor for WhatsUp Gold v16.3 User Guide
FlowMonitor for WhatsUp Gold v16.3 User Guide Contents Flow Monitor Overview Welcome to WhatsUp Gold Flow Monitor... 1 What is Flow Monitor?... 2 How does Flow Monitor work?... 2 Flow Monitor System requirements...
More informationSteelCentral NPM. NetProfiler, NetShark, Flow Gateway & Packet Analyzer. December 2015
SteelCentral NPM NetProfiler, NetShark, Flow Gateway & Packet Analyzer December 2015 IT Ops Network Ops App Ops DevOps LOB Unified Performance Visibility Single Performance Management Interface Real-Time,
More informationDetecting and Analyzing Network Threats With NetFlow
Detecting and Analyzing Network Threats With NetFlow This document contains information about and instructions for detecting and analyzing network threats such as denial of service attacks (DoS) through
More informationConfiguring NetFlow. Feature History for Configuring NetFlow. Release This feature was introduced.
Configuring NetFlow A NetFlow flow is a unidirectional sequence of packets that arrive on a single interface (or subinterface), and have the same values for key fields. NetFlow is useful for the following:
More informationUsing NetFlow Filtering or Sampling to Select the Network Traffic to Track
Using NetFlow Filtering or Sampling to Select the Network Traffic to Track Last Updated: December 7, 2011 This module contains information about and instructions for selecting the network traffic to track
More informationModular Policy Framework. Class Maps SECTION 4. Advanced Configuration
[ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a
More informationThis chapter describes how to configure NetFlow Data Export (NDE).
51 CHAPTER This chapter describes how to configure NetFlow Data Export (NDE). Note For complete syntax and usage information for the commands used in this chapter, refer to these publications: The Cisco
More informationAdministration of Symantec Cyber Security Services (July 2015) Sample Exam
Administration of Symantec Cyber Security Services (July 2015) Sample Exam Contents SAMPLE QUESTIONS... 1 ANSWERS... 6 Sample Questions 1. Which DeepSight Intelligence Datafeed can be used to create a
More informationMonitoring network bandwidth on routers and interfaces; Monitoring custom traffic on IP subnets and IP subnets groups; Monitoring end user traffic;
NetVizura NetFlow Analyzer enables you to collect, store and analyze network traffic data by utilizing Cisco NetFlow, IPFIX, NSEL, sflow and compatible netflow-like protocols. It allows you to visualize
More informationAccessing SGM Data from a Web Browser
CHAPTER 7 Accessing SGM Data from a Web Browser This chapter provides information about accessing SGM data from the SGM server home page, using a Web browser. This chapter includes the following sections:
More informationAdvanced Application Reporting USER GUIDE
Advanced Application Reporting USER GUIDE CONTENTS 1.0 Preface: About This Document 5 2.0 Conventions 5 3.0 Chapter 1: Introducing Advanced Application Reporting 6 4.0 Features and Benefits 7 5.0 Product
More informationConfiguring sflow. Information About sflow. sflow Agent. This chapter contains the following sections:
This chapter contains the following sections: Information About sflow, page 1 Licensing Requirements, page 2 Prerequisites, page 2 Guidelines and Limitations for sflow, page 2 Default Settings for sflow,
More informationInternet Security: Firewall
Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationConfiguring Cisco Mediatrace
This chapter contains information about and instructions for configuring Cisco Mediatrace. Cisco Mediatrace enables you to isolate and troubleshoot network degradation problems for data streams. Although
More informationIt s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security
It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security Pavel Minařík, Chief Technology Officer Neutral Peering Days 2018, The Hague Your customers depend on your
More informationConfiguring Data Export for Flexible NetFlow with Flow Exporters
Configuring Data Export for Flexible NetFlow with Flow Exporters Last Updated: September 4, 2012 This document contains information about and instructions for configuring flow exporters to export Flexible
More informationTraffic and Performance Visibility for Cisco Live 2010, Barcelona
Traffic and Performance Visibility for Cisco Live 2010, Barcelona Background Cisco Live is Cisco's annual premier education and training event for IT, networking, and communications professionals. Cisco
More informationConfiguring Cisco Performance Monitor
This document contains information about and instructions for configuring Cisco Performance Monitor. Finding Feature Information, page 1 Information About Cisco Performance Monitor, page 1 Restrictions
More informationBIG-IP Local Traffic Management: Basics. Version 12.1
BIG-IP Local Traffic Management: Basics Version 12.1 Table of Contents Table of Contents Introduction to Local Traffic Management...7 About local traffic management...7 About the network map...7 Viewing
More informationListening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect
Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect Introduction Security has an increased focus from ALL businesses, whether they
More informationComodo Dome Shield - Admin Guide
rat Comodo Dome Shield Software Version 1.16 Administrator Guide Guide Version 1.16.062718 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo Dome
More informationComodo Dome Shield. Administrator Guide Guide Version Software Version 2.4. Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013
rat Comodo Dome Shield Software Version 2.4 Administrator Guide Guide Version 2.4.032019 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo Dome Shield...3
More informationQuality of Service. Understanding Quality of Service
The following sections describe support for features on the Cisco ASR 920 Series Router. Understanding, page 1 Configuring, page 2 Global QoS Limitations, page 2 Classification, page 3 Marking, page 6
More informationNetFlow Traffic Analyzer
GETTING STARTED GUIDE NetFlow Traffic Analyzer Version 4.2.3 Last Updated: Wednesday, October 11, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/netflow_traffic_analyzer_(nta)/nta_documentation
More informationNetFlow Basics and Deployment Strategies
NetFlow Basics and Deployment Strategies Section 1 The Need for Flow Analysis... 1 Section 2 How does NetFlow Work?... 1 The NetFlow Cache... 2 The NetFlow Data Exporter (NDE)... 4 Section 3 - The NetFlow
More informationMonitoring Data CHAPTER
CHAPTER 4 The Monitor tab provides options for viewing various types of monitored data. There are options for: Overview of Data Collection and Data Sources, page 4-2 Viewing the Monitor Overview Charts,
More informationAruba 8320 Configuring ACLs and Classifier Policies Guide for ArubaOS- CX 10.00
Aruba 8320 Configuring ACLs and Classifier Policies Guide for ArubaOS- CX 10.00 Part Number: 5200-4710a Published: April 2018 Edition: 2 Copyright 2018 Hewlett Packard Enterprise Development LP Notices
More informationSystem Requirements. Things to Consider Before You Install Foglight NMS. Host Server Hardware and Software System Requirements
System Requirements This section contains information on the minimum system requirements for Foglight NMS. Before you can begin to download Foglight NMS, you must make sure that your computer meets the
More informationCisco Catalyst 6500 Supervisor Engine 2T: NetFlow Enhancements
Cisco Catalyst 6500 Supervisor Engine 2T: NetFlow Enhancements White Paper March 5, 2011 Contents Overview... 3 NetFlow Introduction... 3 Sup2T Increased NetFlow Scalability... 6 Egress NetFlow... 7 Sampled
More informationMonitoring and Threat Detection
Monitoring and Threat Detection with Netflow Michael Belan Consulting Systems Engineer Cisco GSSO January 2017 AGENDA What is SW? Where does it fit in overall Cisco Security framework? What is SW? What
More informationMonitoring Data CHAPTER
CHAPTER 4 The Monitor tab provides options to view various types of monitored data. There are options for: Viewing the Monitor Overview Charts, page 4-9 Viewing Application Data, page 4-12 Viewing Voice
More informationThis chapter describes how to configure NetFlow Data Export (NDE).
56 CHAPTER This chapter describes how to configure NetFlow Data Export (NDE). Note For complete syntax and usage information for the commands used in this chapter, see these publications: The Cisco IOS
More informationvrealize Operations Management Pack for NSX for vsphere 2.0
vrealize Operations Management Pack for NSX for vsphere 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.
More informationBIG-IP Analytics: Implementations. Version 13.1
BIG-IP Analytics: Implementations Version 13.1 Table of Contents Table of Contents Setting Up Application Statistics Collection...5 What is Analytics?...5 About HTTP Analytics profiles... 5 Overview:
More informationIP Access List Overview
Access control lists (ACLs) perform packet filtering to control which packets move through a network and to where. The packet filtering provides security by helping to limit the network traffic, restrict
More informationStandard Content Guide
Standard Content Guide Express Express 4.0 with CORR-Engine March 12, 2013 Copyright 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession,
More informationBIG-IP Network Firewall: Policies and Implementations. Version 13.0
BIG-IP Network Firewall: Policies and Implementations Version 13.0 Table of Contents Table of Contents About the Network Firewall...9 What is the BIG-IP Network Firewall?...9 About firewall modes... 9
More informationMaster Course Computer Networks IN2097
Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Chapter 7 - Network Measurements Introduction Architecture & Mechanisms
More informationMaster Course Computer Networks IN2097
Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Christian Grothoff, Ph.D. Dr. Nils
More informationTroubleshooting with Network Analysis Module
Troubleshooting with Network Analysis Module Introduction The Cisco Network Analysis Module (NAM) provides visibility into how the network is performing and how users experience the applications and services
More informationInterface Utilization vs. Flow Analysis
Interface Utilization vs. Flow Analysis Interface utilization is the calculated percentage utilization at the interface using SNMP polled data from the IF-MIB (Figure 2) and this is presented as inbound
More informationMcAfee Network Security Platform 9.1
9.1.7.15-9.1.5.9 Manager-NS-series Release Notes McAfee Network Security Platform 9.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues
More informationTHE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson
THE RSA NETWITNESS SUITE REINVENT YOUR SIEM Presented by: Walter Abeson 1 Reality Goals GOALS VERSUS REALITY OF SIEM 1.0 Single compliance & security interface Analyze & prioritize alerts across various
More informationIPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall
More informationUsing Diagnostic Tools
Using Diagnostic Tools The Tools System Diagnostics page on the INVESTIGATE view provides several diagnostic tools that help troubleshoot various kinds of network problems and process monitors. Tech Support
More informationIPv6 Sampled NetFlow feature was introduced. Destination-based Netflow Accounting feature was introduced.
A NetFlow flow is a unidirectional sequence of packets that arrive on a single interface (or subinterface), and have the same values for key fields. NetFlow is useful for the following: Accounting/Billing
More informationTracking Messages
This chapter contains the following sections: Tracking Service Overview, page 1 Setting Up Centralized Message Tracking, page 2 Checking Message Tracking Data Availability, page 4 Searching for Email Messages,
More informationConfiguring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands
Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands This module contains information about and instructions for configuring NetFlow Top Talkers feature. The NetFlow Top Talkers
More informationIntelligent WAN NetFlow Monitoring Deployment Guide
Cisco Validated design Intelligent WAN NetFlow Monitoring Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deployment Details...1 Deploying NetFlow
More informationNetwork Security Monitoring with Flow Data
Network Security Monitoring with Flow Data IT Monitoring in Enterprises NPMD (Network Performance Monitoring & Diagnostics) SNMP basics Flow data for advanced analysis and troubleshooting Packet capture
More informationThe following topics describe how to configure correlation policies and rules.
The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response
More informationNetwork Configuration Example
Network Configuration Example Configuring Active Flow Monitoring Version 9 Modified: 2017-01-18 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All
More informationThis chapter provides information to configure Cflowd.
Cflowd In This Chapter This chapter provides information to configure Cflowd. Topics in this chapter include: Cflowd Overview on page 564 Operation on page 565 Cflowd Filter Matching on page 569 Cflowd
More informationNetFlow Monitoring. NetFlow Monitoring
, page 1 NetFlow Limitations, page 2 Creating a Flow Record Definition, page 3 Viewing Flow Record Definitions, page 4 Defining the Exporter Profile, page 4 Creating a Flow Collector, page 5 Creating a
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco
More informationRIPE75 - Network monitoring at scale. Louis Poinsignon
RIPE75 - Network monitoring at scale Louis Poinsignon Why monitoring and what to monitor? Why do we monitor? Billing Reducing costs Traffic engineering Where should we peer? Where should we set-up a new
More information