FLOW ANALYTICS > ALGORITHMS

Available Languages: English

Overview

Flow Analytic Algorithms look for specific traffic patterns and send alerts. Thresholds can be set per algorithm.

The gadget scrut_nba.cgi should be added to MyView.

Internet Threats Monitor

Every hour, this algorithm retrieves from an internet site a list of known hosts that end systems on the network should not be communicating with. The default threshold minimum that can be set is 1. Contact Us to learn more. Only Internet routers should be included with this algorithm. Some threats that could appear include:

ICMP Destination Unreachable

This is a message that comes back from the router to the requesting host stating that it doesn't have a route to the destination network of the target host. The default threshold is 100 and the minimum that can be set is 20. We recommend excluding all internet routers from this algorithm.

ICMP Port Unreachable

This is a message that comes back from the destination server stating that it will not open communication on the specified port requested by the host. The default threshold is 100 and the minimum that can be set is 20. We recommend excluding all internet routers from this algorithm.

Multicast Violations

Any multicast traffic that isn't excluded and exceeds the threshold will violate this algorithm. The default threshold is 1,000,000 and the minimum that can be set is 100,000. We recommend only including backbone routers with this algorithm.

Top Conversations

This algorithm determines the top conversations across all included flow-sending switches and routers. It sets up the data for the Top Conversations gadget. The gadget topconv.html should be added to MyView. Include all routers with this algorithm. If it is taking too long, exclude a few routers.

RST/ACK Destination Packets

RST/ACK packets are connection denials that come back from destinations to the originating hosts. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20. Print servers can cause false positives with this algorithm and often need to be excluded. Also, we recommend excluding all internet routers from this algorithm.

SYN Violation

SYN packets are sent out in an attempt to make a network connection with a target host. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20. We recommend excluding all internet routers from this algorithm.
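
As an added illustration (not the product's own code), the sketch below applies the default threshold of 100 and the minimum of 20 from the RST/ACK Destination Packets and SYN Violation sections to flow records, with the router and host exclusions those sections recommend. The record fields, the exporter names, and the choice to count flows per host within one run are assumptions, and the sample records are constructed.

```python
from collections import Counter

DEFAULT_THRESHOLD = 100   # default stated on the page for both algorithms
MINIMUM_THRESHOLD = 20    # lowest value the page says can be set
SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits (cumulative per flow record)


def find_violations(flows, threshold=DEFAULT_THRESHOLD,
                    excluded_exporters=(), excluded_hosts=()):
    """Return {(algorithm, host): flow_count} for hosts at or over threshold.

    Assumption: one call covers one analysis interval and counts flows.
    """
    if threshold < MINIMUM_THRESHOLD:
        raise ValueError(f"threshold must be >= {MINIMUM_THRESHOLD}")
    counts = Counter()
    for f in flows:
        if f["exporter"] in excluded_exporters:
            continue   # e.g. internet routers, which the page says to exclude
        if f["src"] in excluded_hosts or f["dst"] in excluded_hosts:
            continue   # e.g. print servers, a false-positive source
        if f["tcp_flags"] == SYN:
            # SYN only, never answered: count against the host that sent it.
            counts[("SYN Violation", f["src"])] += 1
        elif f["tcp_flags"] == (RST | ACK):
            # The denial travels back to the originator, so the host of
            # interest is the destination address of this flow.
            counts[("RST/ACK Destination Packets", f["dst"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def sample_flows():
    """Constructed flow records for one interval (not real traffic)."""
    flows = []
    for i in range(120):   # 10.0.0.5 tries 120 hosts; each denies with RST/ACK
        target = f"10.0.1.{i + 1}"
        flows.append({"exporter": "core-rtr", "src": "10.0.0.5",
                      "dst": target, "tcp_flags": SYN})
        flows.append({"exporter": "core-rtr", "src": target,
                      "dst": "10.0.0.5", "tcp_flags": RST | ACK})
    for i in range(150):   # constructed print-server case: 10.0.0.9 is refused
        flows.append({"exporter": "core-rtr", "src": f"10.0.2.{i + 1}",
                      "dst": "10.0.0.9", "tcp_flags": RST | ACK})
    for i in range(200):   # SYN-only flows reported by the internet router
        flows.append({"exporter": "inet-rtr", "src": "10.0.0.7",
                      "dst": f"198.51.100.{i + 1}", "tcp_flags": SYN})
    return flows
```

Run without exclusions, the constructed data raises four alarms; excluding the internet router and the print server leaves only the two for 10.0.0.5.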

P2P Monitor

P2P (includes BitTorrent) connections are monitored by this algorithm. The default threshold is 100 and the minimum that can be set is 100. We recommend excluding all internet routers from this algorithm.

Network Volume

This algorithm creates the content for the Network Volume gadget. The gadget scrut_volume.cgi should be added to MyView. We recommend including only core routers in this algorithm.

Adding Algorithms

Algorithms can watch for nearly any traffic pattern using NetFlow/sFlow data. Algorithms can be developed which alarm for:

Analytic Settings

The time to run can be altered per algorithm. Some algorithms need more time to run than others, due to the behavior of the search and/or the volume of the routers and switches included in the algorithm.

Other NBA Algorithms

Details on other NBA Algorithms that have recently been added that FA will alarm for:
