7 Mar 2005, 5:07 p.m.
* Jared Mauch:

> If you want some "basic" detection, I recommend doing something like this:
> sort by the top "proto+dstip+dstport+tcpflags" combination. The more of these you see, the more it may look weird.

You should also run a similar query for source IPs in your netblocks, particularly one restricted to 25/TCP. 8->

> Cisco publishes the netflow datagram specification, so you may be able to write an optimized netflow daemon that doesn't take up too much cpu/disk/whatnot if you discard the lower levels of the "noise".

I wouldn't optimize prematurely. I was surprised how far you can get with a simple Perl script, a slightly increased socket buffer size for the receiving UDP socket, and rotating ASCII log files.
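The two queries discussed in this thread (top "proto+dstip+dstport+tcpflags" combinations, and local source IPs talking to 25/TCP), as an added example that is not part of the original post. It is written in Python rather than Perl, works over a simplified ASCII flow log of the kind you would get from a small collector that writes rotating text files, and the flow lines, the field layout, and the local netblock 192.0.2.0/24 are all constructed for the example.

```python
"""Rank flow records the way the thread suggests: by destination tuple,
and by local sources sending to 25/TCP.  Added example, not the poster's code."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample flow log, one flow per line (layout assumed for this example):
# proto src_ip src_port dst_ip dst_port tcp_flags
SAMPLE_FLOWS = """\
6 203.0.113.4 51000 192.0.2.40 80 S
6 203.0.113.5 51001 192.0.2.40 80 S
6 203.0.113.6 51002 192.0.2.40 80 S
6 203.0.113.7 51003 192.0.2.40 80 S
6 203.0.113.8 51004 192.0.2.40 80 S
6 203.0.113.4 52000 192.0.2.20 80 SA
6 203.0.113.4 52001 192.0.2.20 80 SA
6 203.0.113.9 44000 192.0.2.20 80 SA
17 203.0.113.7 53 192.0.2.30 53 .
6 192.0.2.10 40000 198.51.100.5 25 S
6 192.0.2.10 40001 198.51.100.6 25 S
6 192.0.2.10 40002 198.51.100.7 25 S
6 192.0.2.10 40003 198.51.100.8 25 S
6 192.0.2.11 40100 198.51.100.9 25 S
6 203.0.113.5 52100 198.51.100.5 25 SA
"""

# Netblocks considered "ours" (constructed for the example).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_flows(text):
    """Parse the ASCII layout above into a list of dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, flags = line.split()
        flows.append({
            "proto": int(proto), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags,
        })
    return flows


def top_dst_combos(flows, n=5):
    """Count flows per (proto, dstip, dstport, tcpflags), most frequent first.

    A tuple that dominates the top of the list with SYN-only flags from many
    different sources is the kind of thing the thread calls 'weird'."""
    counts = Counter((f["proto"], f["dst"], f["dport"], f["flags"]) for f in flows)
    return counts.most_common(n)


def local_smtp_sources(flows, local_nets=LOCAL_NETS):
    """For sources inside local_nets sending to 25/TCP, return
    (src_ip, flow_count, distinct_destinations) sorted by fan-out then volume.

    A single local host fanning out to many distinct MX hosts is the usual
    sign of a compromised machine relaying mail."""
    stats = defaultdict(lambda: {"flows": 0, "dsts": set()})
    for f in flows:
        if f["proto"] != 6 or f["dport"] != 25:
            continue
        src = ipaddress.ip_address(f["src"])
        if not any(src in net for net in local_nets):
            continue
        stats[f["src"]]["flows"] += 1
        stats[f["src"]]["dsts"].add(f["dst"])
    rows = [(ip, s["flows"], len(s["dsts"])) for ip, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top destination tuples:")
    for combo, count in top_dst_combos(flows):
        print(f"  {count:4d}  proto={combo[0]} dst={combo[1]}:{combo[2]} flags={combo[3]}")
    print("local sources to 25/TCP (ip, flows, distinct dsts):")
    for row in local_smtp_sources(flows):
        print("  ", row)
```

Both functions are pure aggregations over whatever the collector already wrote, so the same script can be pointed at each rotated log file in turn; the counts are what make an odd destination tuple or a chatty local SMTP sender float to the top, without any per-packet processing in the receiver.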