Monday, June 23, 2003

Flow Tools

Thomas H. Ptacek, who co-authored a slightly famous paper on IDS several years ago, wrote me regarding his company's product, Peakflow X. According to their press release, the system profiles network traffic and complements traditional signature-based IDS:


"Upon installation, Peakflow X monitors network traffic, automatically constructing a holistic real-time model of the entire network from the inside out. Identifying factors such as services (HTTP, FTP, Microsoft File Sharing, etc.), inbound and outbound traffic, and host-to-host behavior, Peakflow X dynamically clusters all hosts into groups based on similar operational policies. For example, hosts that communicate primarily HTTP only to hosts in the marketing department would be grouped together, indicating an organization’s internal workgroup Web servers. Based on this detailed network-wide model, Peakflow X immediately detects anomalous behavior whether or not it stems from a known vulnerability. For example, should one of the internal Web servers initiate a file sharing connection to a system on the Internet, Peakflow X would immediately flag the activity as suspicious. As a result, Peakflow X can detect not only zero-day threats, like worms, but also internal misuse."


This seems like one of the best ways to deal with inspecting huge traffic flows. Readers may know I am a huge fan of products which independently capture network flows without processing stored libpcap data. Argus is the best stand-alone app, while Cisco NetFlow is an option. Luca Deri of ntop fame shared news of his nProbe, a PC-based NetFlow collector, and nBox, a Cyclades-TS100 appliance-based NetFlow collector. Commercial ntop support is available.
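To make the press release's idea concrete, here is a toy version of flow-based behavioral profiling, written for this post and not taken from Peakflow X, Argus or any NetFlow tool: it learns per-host (service, destination class) behaviours from a set of flow records, clusters hosts with identical behaviour, and then flags later flows that fall outside a host's learned profile. The flow records, the 10.0.0.0/8 internal range and the port-to-service table are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")              # assumed internal range
SERVICES = {80: "HTTP", 443: "HTTPS", 21: "FTP", 445: "SMB"}  # assumed port labels

def flow_key(flow):
    """Reduce a flow (initiator, responder, dst port) to (service, destination class)."""
    _src, dst, port = flow
    service = SERVICES.get(port, f"tcp/{port}")
    where = "internal" if ipaddress.ip_address(dst) in INTERNAL else "internet"
    return (service, where)

def build_profile(flows):
    """Learn, per initiating host, the set of behaviours seen during the baseline period."""
    profile = defaultdict(set)
    for flow in flows:
        profile[flow[0]].add(flow_key(flow))
    return dict(profile)

def cluster_hosts(profile):
    """Group hosts whose learned behaviour sets are identical (the 'operational policy' groups)."""
    clusters = defaultdict(list)
    for host, behaviours in profile.items():
        clusters[frozenset(behaviours)].append(host)
    return {key: sorted(hosts) for key, hosts in clusters.items()}

def detect_anomalies(profile, flows):
    """Return flows whose behaviour was never observed for that initiator in the baseline."""
    return [f for f in flows if flow_key(f) not in profile.get(f[0], set())]

# Constructed baseline flows: (initiator, responder, destination port).
BASELINE = [
    ("10.0.2.5", "10.0.1.10", 80),      # marketing workstations -> workgroup web servers
    ("10.0.2.6", "10.0.1.10", 80),
    ("10.0.2.5", "10.0.1.11", 80),
    ("10.0.2.5", "203.0.113.9", 443),   # workstations browsing the Internet
    ("10.0.2.6", "203.0.113.9", 443),
    ("10.0.1.10", "10.0.3.20", 3306),   # web servers -> internal database
    ("10.0.1.11", "10.0.3.20", 3306),
]

# Constructed later traffic, including the press release's example of an internal
# web server opening a file-sharing (SMB) connection to a host on the Internet.
LATER = [
    ("10.0.2.6", "10.0.1.11", 80),       # normal
    ("10.0.1.10", "198.51.100.7", 445),  # anomalous: web server -> Internet SMB
    ("10.0.2.6", "203.0.113.9", 443),    # normal
]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for behaviours, hosts in cluster_hosts(profile).items():
        print(sorted(behaviours), "->", hosts)
    print("anomalies:", detect_anomalies(profile, LATER))
```

A real system would need a similarity threshold rather than exact-match clustering, and a baseline long enough that legitimate but rare behaviour does not end up in the alert list.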
