Hello people,
One of our use cases for Netflow is to track down security-related incidents where our ISP reports users to us for whatever reason. Most of the "footprints" our ISPs use are *VERY* small (1-400 Kbit) TCP/HTTP or UDP C&C transactions between an internal user on our network and an external IP. In many of these cases I can't find the transactions our ISP is reporting, although I can clearly see that the source IP is ours and should originate from a specific router/router interface on our network. In fact, most of the times they report such incidents, I'm not able to track down the related netflow data because I simply can't find it when I search for "Endpoint IP address" (which is normally the unique identifier of the incident).
Is there any reason why Netflow should disregard tiny transactions like these? I've configured NTA to monitor all ports.
Thanks in advance,
Best regards,
Vidar S
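A check one can run alongside a question like this, as an added example that is not part of the post above nor any NTA tooling: capture the raw NetFlow v5 export datagrams off the wire (e.g. with tcpdump on the collector's UDP port) and parse them directly, to see whether a record for the reported endpoint IP reaches the collector at all, independent of what the collector's search shows. The script below decodes the fixed v5 header and 48-byte records, searches for every flow that has a given endpoint on either side, and also reports the header's sampling-interval field (non-zero means the exporter is only accounting 1-in-N packets, which is the standard v5 meaning of that field). The flows, IP addresses and interface indexes are constructed sample data; `build_v5_packet` exists only to assemble that sample so the example runs offline.

```python
"""Decode raw NetFlow v5 export datagrams and search them for an endpoint IP.

Added example; the packet contents below are constructed, not captured data.
"""
import ipaddress
import struct

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_v5_packet(packet: bytes):
    """Return (header, records) for one NetFlow v5 export datagram."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("short NetFlow packet")
    version, count, _uptime, _secs, _nsecs, seq, eng_type, eng_id, sampling = (
        V5_HEADER.unpack_from(packet, 0))
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"truncated: header announces {count} records")
    header = {
        "count": count,
        "flow_sequence": seq,
        "engine": (eng_type, eng_id),
        # Top two bits: sampling mode; low 14 bits: 1-in-N interval (0 = not sampled).
        "sampling_mode": sampling >> 14,
        "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4],       # ifIndex the flow entered/left on
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12],
            "proto": PROTO_NAMES.get(f[13], str(f[13])),
        })
    return header, records


def flows_for_endpoint(records, endpoint: str, max_bytes=None):
    """Flows with `endpoint` on either side; optionally only those <= max_bytes."""
    hits = [r for r in records if endpoint in (r["src"], r["dst"])]
    if max_bytes is not None:
        hits = [r for r in hits if r["bytes"] <= max_bytes]
    return hits


def build_v5_packet(flows, sampling_interval=0, seq=1):
    """Assemble a v5 datagram from constructed (src, dst, proto, sport, dport,
    packets, bytes, tcp_flags) tuples. Used here only to fabricate sample input."""
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            b"\0\0\0\0",                 # nexthop (unused here)
            3, 1,                        # input / output ifIndex (assumed values)
            pkts, octets,
            1000, 1000 + 10 * pkts,      # first / last sysUptime in ms
            sport, dport,
            0, flags, proto, 0,          # pad1, tcp_flags, prot, tos
            0, 0, 24, 24, 0)             # src_as, dst_as, masks, pad2
        for src, dst, proto, sport, dport, pkts, octets, flags in flows)
    header = V5_HEADER.pack(5, len(flows), 60000, 1700000000, 0, seq, 0, 0,
                            sampling_interval & 0x3FFF)
    return header + body


# Constructed sample: one large HTTPS flow, two tiny flows to/from the reported
# endpoint (a single SYN and a single UDP datagram), and an unrelated DNS flow.
SAMPLE_FLOWS = [
    ("10.20.30.40", "198.51.100.9", 6, 51234, 443, 900, 1_200_000, 0x1B),
    ("10.20.30.40", "203.0.113.77", 6, 49876, 80, 1, 52, 0x02),
    ("203.0.113.77", "10.20.30.40", 17, 5555, 5555, 1, 70, 0),
    ("10.20.30.41", "192.0.2.10", 17, 53211, 53, 2, 180, 0),
]
SAMPLE_PACKET = build_v5_packet(SAMPLE_FLOWS)


if __name__ == "__main__":
    hdr, recs = parse_v5_packet(SAMPLE_PACKET)
    print(f"{hdr['count']} records, sampling 1:{hdr['sampling_interval'] or 'none'}")
    for r in flows_for_endpoint(recs, "203.0.113.77"):
        print(f"{r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"{r['packets']} pkt {r['bytes']} B ifIndex {r['in_if']}->{r['out_if']}")
```

To run this against a real capture, feed each UDP payload from the collector port to `parse_v5_packet` and call `flows_for_endpoint` with the endpoint IP from the ISP's report; a hit here with the expected ifIndex but no hit in the collector's search points at the collector side, while no hit at all (or a non-zero sampling interval) points at the exporter. NetFlow v9/IPFIX exports use templates and need a different decoder.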