Feature Request - Alert for specific port traffic occuring

FormerMember

My company would like to have the ability to alert on specific port traffic that occurs on our enterprise network. We currently have had some situations where we have had some computers being infected with a virus and send spam out which causes our public IP address to be placed on a black list. It would be great if NTA could send us an alert when it identifies traffic on port 25 occurring on our network so we can quickly investigate the cause and clean any infected devices. I think it would be good to also have the ability to exclude certain server's as the source since port 25 is used for legit mail server traffic.

Currently we are just needing port 25 but this could expand out to other ports like FTP, WEB, etc.

darragh.delaney

Hi n2n8ure‌

I come across this issue a lot, especially in college networks where people bring in devices infected with malware which then send large volumes of SPAM. While alerting based on port numbers is a great start you should look at extending this to application recognition. What I mean is to get alerts if traffic on your network is found to be SMTP email but not coming from an 'official source'. If your monitoring system is clever enough it will look at all traffic for SMTP activity, not just TCP port 25.

To see an example of this check out the Network Security Monitoring view on this demo system. The middle element on the left shows suspicious SMTP sources (filter applied excluding Exchange servers).

http://demo2.netfort.com/Orion/SummaryView.aspx?viewid=45&AccountID=guest

When you drill down you confirm that it is rouge activity as the subject lines are very SPAM like. The network monitoring system in use here is LANGuardian which is then integrated with Orion. Similar reports and alerts can be configured for other applications too like WEB.

Hope you might find this information useful as part of your research.

Darragh