Ability to alert on specific traffic patterns found by NTA

In order to help out our security team I created a report that identifies odd traffic; SMTP from a desktop, 100K DNS requests in 5 minutes, use of streaming media, etc. The issue is that I cannot generate an alert based on this information, so we've had to put a guy in front of a computer doing nothing all day but watching for stuff to pop up on the report they are running every five minutes. The issue with this two fold; one we are wasting a person each shift watching a monitor and two this is not real time data which delays prevention in the event of an event.

I'd like to see the addition of more NTA type alerts to allow for better response to security or other business impacting events.

Find more posts tagged with

npm

nta

Alerts

Status: None

Comments

rharland2012

I'm with you - that would be a great feature. With regard to the 'real-time' concern, I hear that too - but xFlow isn't really real-time anyway, is it? If I recall, the flow datagrams aren't sent to the collector until the conclusion of each TCP conversation.

dmartzall

It depends on the flow in question and what the time-out you have set is. If for example it's an FTP download that is taking a good amount of time, the time-out would send flow data after 15 seconds (the inactive flow time-out). Even if it's not exactly real-time, it's going to be closer than every 5 minutes.

sspinola

I think this would be a great feature!

lesterjandraux

This would be nice,
would be very useful in monitoring my ISP links and my VPN lines on my routers hoho ^_^
Additionally, all the alert features like, "this condition should exist 'x' minutes" etc. will still be intact

For a start it would be great to monitor if utilization for example stays X Mbps for T amount of time, and alert goes off.

familyofcrowes

R u willing to share those alerts? NTA alerts seem very limited so I'm wondering if you are creating SQL alerts.

I am trying to create an alert that will notify us if traffic from a certain IP group stops.

doogie8797

VALUABLE for security purposes.

Alert on blacklisted sources/destination IP addresses
Alert on overused ports
Alert on thresholds exceeded for particular user range
Alert on small/large packet size and protocol
Alert whenever a particular app exceeds a load threshold -- BASELINING applications

From what I've read, lack of security-based NetFlow alerting is a major GAP that is not address by IDS systems or by SIEM systems.

Big payoff for incorporating this I would imagine. it's been requested since, like 2008. Not sure why this has been overlooked.

jreves

If you voted for this feature: It's available now as an NTA Release Candidate!

Head over to the NTA Release Candidate forum, and check out the details here: NetFlow Traffic Analyzer Release Candidate

Let us know in that forum what you think, and how you're using this feature to alert on flow traffic in your network!

joer

jreves

And this is now available in General Release as NTA version 4.5!

You can check out the Release Notes, download the new release on the Customer Portal, and get all the help they need with the upgrade at the Success Center.

joer