I could see where having the ability to generate netflow alerts could be very handy, especially in the security realm, or just to know, for example, that 1 person is hogging up an entire circuit.
I agree. I can definitely see the benefits on the security side of knowing that traffic related to a specific application/virus has been detected and alerting on this. This is something we're looking at although it's not going to make the release we're currently working on.
For the performance side of things, how would you want to setup those alerts? For example, is the primary use-case to alert if a single endpoint (IP address) consumes more than X% of bandwidth on an interface? Or would you want this based on applications?
If there are others that have NetFlow alerting use-cases, please chime in!
Both of those to be honest. Endpoint alerting would be more of special use whereas application would be more general use.
For example, I could see alerting on a netflow source because, let's say, it is in the Middle East and we want to know when they start doing a lot of filesharing or P2P traffic, because it would mean a virus.
In fact, virus detection I think would be the biggest reason to do this. If you started to see 445 all over the place, you would know something was up, for example.
Ok, great feedback. We were focusing our initial efforts on alerting if a particular application showed up on a NetFlow source, so it sounds like our prioritization is in the right place. This helps because threshold-based alerting on NetFlow traffic statistics is a lot more complicated.
Thanks Donald for your valid feature request.
I too agree that it is very much essential to have application level and port level alerting.
I would like to summarize the requirement:
1) Alert based on incoming/outgoing traffic
2) Alert based on incoming+outgoing traffic (this gives exactly how much BW is used at that point)
3) Alert based on application
4) Alert based on IP/endpoint
5) Ability to add multiple interfaces from different routers while creating an alert.
Hope this will help.
Thanks
Jeeth
Project Manager
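To make the use-cases in this thread concrete, here is an added example (not from the thread or from any product mentioned in it) that runs simple alert rules over constructed NetFlow-style records: a watched application/port appearing on a NetFlow source (item 3), one endpoint taking more than a set share of an exporter's bytes (item 4), and the earlier "445 all over the place" pattern, one source talking to many hosts on the same port. The exporter names, IPs and the port-to-application map are all assumed sample values.

```python
# Added example: NetFlow-style alert rules over constructed flow records.
from collections import Counter, defaultdict

# Constructed sample flows: (exporter, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("rtr-remote1", "10.20.0.5", "10.20.0.9", 445, 120_000),
    ("rtr-remote1", "10.20.0.5", "10.20.0.10", 445, 118_000),
    ("rtr-remote1", "10.20.0.5", "10.20.0.11", 445, 121_000),
    ("rtr-remote1", "10.20.0.5", "10.20.0.12", 445, 119_000),
    ("rtr-remote1", "10.20.0.7", "172.16.1.3", 443, 40_000),
    ("rtr-dc", "10.1.0.4", "172.16.1.20", 8080, 9_000),   # old proxy port
    ("rtr-dc", "10.1.0.8", "172.16.1.3", 443, 200_000),
    ("rtr-dc", "10.1.0.9", "172.16.1.3", 443, 150_000),
]

# Assumed port-to-application map; real collectors may classify apps differently.
WATCHED_PORTS = {8080: "legacy-proxy", 6881: "bittorrent"}

def app_alerts(flows, watched=WATCHED_PORTS):
    """Item 3: alert once per (exporter, application) when a watched port shows up."""
    seen = {(exp, watched[port]) for exp, _, _, port, _ in flows if port in watched}
    return sorted(seen)

def endpoint_share_alerts(flows, max_share=0.5):
    """Item 4: alert when one source IP exceeds max_share of an exporter's total bytes."""
    per_exp = defaultdict(Counter)
    for exp, src, _, _, nbytes in flows:
        per_exp[exp][src] += nbytes
    alerts = []
    for exp, counts in per_exp.items():
        total = sum(counts.values())
        for src, nbytes in counts.items():
            share = nbytes / total
            if share > max_share:
                alerts.append((exp, src, round(share, 2)))
    return sorted(alerts)

def port_spread_alerts(flows, port=445, min_peers=3):
    """Worm-style spread: one source reaching at least min_peers distinct hosts on port."""
    peers = defaultdict(set)
    for exp, src, dst, dport, _ in flows:
        if dport == port:
            peers[(exp, src)].add(dst)
    return sorted((exp, src, len(d)) for (exp, src), d in peers.items() if len(d) >= min_peers)

if __name__ == "__main__":
    for rule in (app_alerts, endpoint_share_alerts, port_spread_alerts):
        print(rule.__name__, rule(FLOWS))
```

In a real deployment the rules would run over a sliding time window rather than a static list, so that the share and peer-count thresholds reflect rate rather than lifetime totals.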
I am glad to see Netflow alerts are being worked on, as I was looking to put some up today. I will share an example of the type of alerts I'd like to see.
My company just started to install VoIP across our network. To increase our bandwidth without adding new circuits, we decided to move from a proxy server and force internet traffic out the local firewalls of our remote locations. We are monitoring this traffic with a separate application.
Three months after moving people off the proxy, I am still seeing requests across the private lines connecting the remote locations to the data center. I would like to have a flexible enough alert system that I can program alerts based on specific traffic or IPs. If someone is trying to connect to the proxy, I want to know.
I would also like to see alerts for VoIP traffic based on error thresholds, jitter thresholds, or traffic alerts when server traffic across the links spikes. I also like the idea I read earlier in the thread about alerting when Netflow detects a rise in the usage of a certain port, for virus detection.
I agree with you on the alerting feature requirement. However, I thought I'd point out that NetFlow doesn't track information like jitter or errors. You can alert on errors easily in the regular NPM feature set, and you can alert on jitter either by using the IP SLA module or by building your own UnDPs that poll IP SLA jitter operations on your routers.
I don't think you can create a UnDP for jitter because the data requires a table join, which UnDP won't do.
Good Luck, I asked for this 3 years ago: