ipfix analyzers
From: Saku Ytti <saku () ytti fi>
Date: Tue, 9 Apr 2013 17:28:34 +0300

Can someone point me to IPFIX analysers that do automatic learning of
traffic patterns, raise events as suspected DoS, and, when the operator marks
one as a false positive, won't trigger on that pattern anymore?

This should be without configuring any explicit network ranges anywhere. So
when I do get a new customer, I don't have to teach the system about it.

At simplest, maybe it could be a static n pps / n Mbps per IP, then keep
hitting the false positive button until they disappear.


The other thing I'm missing from Arbor is that, as far as I can see, it does not
really like IXPs. I don't know how you can ask via the web UI to show traffic
from ASN X on IXP port Y.
I can ask for traffic on port X or traffic from ASN X, but not traffic from ASN X on
port X. You can dig this out of IPFIX data really easily.


Both of these seem really trivial issues, frankly not much more than a full
work day to produce in a homegrown IPFIX analyzer if you don't have to
worry about big data/scaling (which I do).
But is there a product I can buy which satisfies these requirements?


-- 
  ++ytti
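Both requirements in the post (a per-IP rate detector that learns a baseline and stops alerting once the operator marks a pattern as a false positive, and an "ASN X on ingress port Y" aggregation) fit in a few dozen lines once the flows have been decoded. The block below is an added illustration written for this archive page; it is not the poster's code nor any Arbor or other vendor feature. It assumes flows are already decoded into records with an ingress ifIndex and a source AS (both standard IPFIX information elements), that each batch of flows covers a 60-second interval, and that the static thresholds and the sample records are constructed values. The learned threshold is mean + k*stdev of past intervals for that destination IP, with the static value kept as a floor so an idle customer is not flagged on the first packet, and intervals that raised an unsuppressed event are not fed back into the baseline so an attack does not become "normal".

```python
"""Toy IPFIX-style analyser (constructed example): per-IP DoS detection with
operator false-positive feedback, plus an (ingress ifIndex, source AS) matrix."""
from collections import defaultdict
from dataclasses import dataclass
import statistics

INTERVAL_SECONDS = 60  # assumption: each observe() call covers one 60 s bucket


@dataclass(frozen=True)
class Flow:
    ts: int          # interval index (constructed; a real record carries start/end times)
    ingress_if: int  # ingressInterface (ifIndex) the flow was seen on
    src_as: int      # bgpSourceAsNumber
    dst_ip: str      # destinationIPv4Address
    packets: int
    bytes: int


class DosDetector:
    """Per-destination-IP pps/bps detector with a learned baseline and a
    suppression set filled by operator 'false positive' clicks."""

    def __init__(self, static_pps=10_000, static_bps=50_000_000, k=3.0, min_samples=3):
        self.static_pps = static_pps      # floors used until a baseline exists
        self.static_bps = static_bps
        self.k = k                        # sigma multiplier on the learned baseline
        self.min_samples = min_samples    # intervals needed before learning kicks in
        self.history = defaultdict(list)  # dst_ip -> [(pps, bps), ...] of clean intervals
        self.suppressed = set()           # (dst_ip, metric) the operator marked as normal

    @staticmethod
    def _rates(flows):
        agg = defaultdict(lambda: [0, 0])
        for f in flows:
            agg[f.dst_ip][0] += f.packets
            agg[f.dst_ip][1] += f.bytes
        return {ip: (p / INTERVAL_SECONDS, b * 8 / INTERVAL_SECONDS) for ip, (p, b) in agg.items()}

    def _exceeds(self, ip, metric, value, floor):
        idx = 0 if metric == "pps" else 1
        samples = [s[idx] for s in self.history[ip]]
        threshold = floor
        if len(samples) >= self.min_samples:
            threshold = max(floor, statistics.fmean(samples) + self.k * statistics.pstdev(samples))
        return value > threshold

    def observe(self, flows):
        """Ingest one interval; return [(dst_ip, metric, value)] events raised."""
        events = []
        for ip, (pps, bps) in self._rates(flows).items():
            learn = True
            for metric, value, floor in (("pps", pps, self.static_pps), ("bps", bps, self.static_bps)):
                if not self._exceeds(ip, metric, value, floor):
                    continue
                if (ip, metric) in self.suppressed:
                    continue              # operator said this is normal: stay quiet, keep learning it
                learn = False             # suspected attack: do not poison the baseline with it
                events.append((ip, metric, value))
            if learn:
                self.history[ip].append((pps, bps))
        return events

    def mark_false_positive(self, ip, metric):
        """The 'false positive' button: never raise this (ip, metric) pair again."""
        self.suppressed.add((ip, metric))


def as_port_matrix(flows):
    """Aggregate flows into {(ingress_if, src_as): (packets, bytes)}."""
    m = defaultdict(lambda: [0, 0])
    for f in flows:
        m[(f.ingress_if, f.src_as)][0] += f.packets
        m[(f.ingress_if, f.src_as)][1] += f.bytes
    return {key: tuple(v) for key, v in m.items()}


def as_port_traffic(flows, src_as, ingress_if):
    """Traffic from one source AS seen on one ingress port (the IXP question)."""
    return as_port_matrix(flows).get((ingress_if, src_as), (0, 0))


# Constructed sample: three quiet intervals, then a burst from a second AS on another port.
SAMPLE_QUIET = [[Flow(t, 5, 64496, "192.0.2.10", 600, 60_000)] for t in range(3)]
SAMPLE_BURST = [Flow(3, 5, 64496, "192.0.2.10", 600, 60_000),
                Flow(3, 7, 64497, "192.0.2.10", 1_200_000, 120_000_000)]


def run_demo():
    """Returns (events on the burst, events after the operator marks it a false positive)."""
    det = DosDetector()
    for interval in SAMPLE_QUIET:
        det.observe(interval)
    first = det.observe(SAMPLE_BURST)
    det.mark_false_positive("192.0.2.10", "pps")
    second = det.observe([Flow(4, 7, 64497, "192.0.2.10", 1_200_600, 120_060_000)])
    return first, second


if __name__ == "__main__":
    print(run_demo())
    print(as_port_traffic(SAMPLE_BURST, 64497, 7))
```

Keying the baseline on the destination IP alone is what the post asks for (no configured prefixes), but the same structure works on any IPFIX key, such as a /24 or the customer-facing ifIndex, and the suppression set would in practice be persisted rather than kept in memory.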

