Observer GigaFlow Documentation

Alerting

Located at System > Alerting.

Configure GigaFlow to send an alert when one of the conditions below occurs. Syslog or mail alerts can be set up for any of the following:

  • SYN Source Network Sweep: alerts if a source IP address fails to get a response from more than IP Address Count Threshold unique destination addresses.
  • SYN Source Port Sweep: alerts if a source IP address fails to get a response from more than Port Count Threshold unique destination ports.
  • SYN Source Network And Port Sweep: alerts if a source IP address exceeds both the Port Count Threshold and the IP Address Count Threshold.
  • SYN Destination Unreachable Server: alerts if a destination IP address fails to respond to more than IP Address Count Threshold unique destination addresses.
  • SYN Destination Port Sweep: alerts if a destination IP address fails to respond to more than Port Count Threshold unique destination ports.
  • SYN Destination Network And Port Sweep: alerts if a destination IP address exceeds both the Port Count Threshold and the IP Address Count Threshold.
  • Blacklist source.
  • Blacklist destination.
  • Profile exceptions.
  • A device restarts sending flows.
  • A device stops sending flows.
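The six SYN conditions above are all counts of unanswered SYNs grouped by one address. The following is an added example, not GigaFlow code, that evaluates those conditions over constructed flow records so the thresholds can be seen working. It assumes a flow is "unanswered" when it carries only the SYN flag (flags value 2, as in the page's sample Syn messages) and no flow was seen in the reverse direction; it reads "Destination Unreachable Server" as counting the distinct peer addresses that got no reply from the destination, and the threshold values of 5 are its own choice.

```python
from collections import defaultdict

SYN = 0x02  # TCP SYN bit; the page's sample "Syn" messages carry "flags":2
ACK = 0x10

# Constructed flow records, not taken from the page. Each record is one
# direction of a TCP conversation as a flow exporter would report it.
FLOWS = (
    # 10.0.0.5 sends a SYN to six different hosts on port 445 and gets nothing back
    [{"src": "10.0.0.5", "sport": 40000 + i, "dst": f"10.0.1.{i}", "dport": 445, "flags": SYN}
     for i in range(1, 7)]
    # 10.0.0.9 sends a SYN to twelve different ports on one host, unanswered
    + [{"src": "10.0.0.9", "sport": 41000 + p, "dst": "10.0.2.1", "dport": p, "flags": SYN}
       for p in range(20, 32)]
    # an ordinary client whose SYN is answered by a SYN/ACK from the server
    + [{"src": "10.0.0.7", "sport": 51000, "dst": "10.0.3.1", "dport": 443, "flags": SYN},
       {"src": "10.0.3.1", "sport": 443, "dst": "10.0.0.7", "dport": 51000, "flags": SYN | ACK}]
)


def unanswered_syns(flows):
    """SYN-only flows for which no flow in the reverse direction was seen."""
    seen = {(f["src"], f["sport"], f["dst"], f["dport"]) for f in flows}
    return [f for f in flows
            if f["flags"] == SYN
            and (f["dst"], f["dport"], f["src"], f["sport"]) not in seen]


def syn_sweep_alerts(flows, ip_threshold=5, port_threshold=5):
    """Evaluate the six SYN alert conditions listed on the page.

    ip_threshold stands in for IP Address Count Threshold and port_threshold
    for Port Count Threshold; the default of 5 is this example's assumption.
    Every condition that holds is reported, so an address that trips the
    combined alert also trips the two single ones.
    Returns a sorted list of (alert name, offending address).
    """
    src_dsts, src_ports = defaultdict(set), defaultdict(set)
    dst_srcs, dst_ports = defaultdict(set), defaultdict(set)
    for f in unanswered_syns(flows):
        src_dsts[f["src"]].add(f["dst"])
        src_ports[f["src"]].add(f["dport"])
        dst_srcs[f["dst"]].add(f["src"])
        dst_ports[f["dst"]].add(f["dport"])

    alerts = set()
    for src in src_dsts:
        net = len(src_dsts[src]) > ip_threshold
        port = len(src_ports[src]) > port_threshold
        if net:
            alerts.add(("SYN Source Network Sweep", src))
        if port:
            alerts.add(("SYN Source Port Sweep", src))
        if net and port:
            alerts.add(("SYN Source Network And Port Sweep", src))
    for dst in dst_srcs:
        net = len(dst_srcs[dst]) > ip_threshold
        port = len(dst_ports[dst]) > port_threshold
        if net:
            alerts.add(("SYN Destination Unreachable Server", dst))
        if port:
            alerts.add(("SYN Destination Port Sweep", dst))
        if net and port:
            alerts.add(("SYN Destination Network And Port Sweep", dst))
    return sorted(alerts)


if __name__ == "__main__":
    for name, addr in syn_sweep_alerts(FLOWS):
        print(f"{name}: {addr}")
```

With the constructed records, 10.0.0.5 trips the Source Network Sweep (six destinations, one port), 10.0.0.9 trips the Source Port Sweep (twelve ports on one host) and the single host it probed, 10.0.2.1, trips the Destination Port Sweep; the answered client SYN to 10.0.3.1 counts towards nothing. Raising both thresholds above the constructed counts silences all three, which is the tuning knob the page's threshold settings expose.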

Syslog Alerts

To configure a system log alert:

  • Toggle the Yes or No options for any of the alert situations.
  • Set and save the server address(es) below. The syslog server(s) input can have multiple entries, separated by a comma, e.g.
    172.16.254.1, 172.16.254.2
  • Each entry can also have a port, facility and warning level set using the format:
    IP_Address:Port:Facility:Level
    e.g. 172.21.40.1:515:23:4,172.21.40.2:516:23:4
    In this example, messages are sent to two servers; the first is on port 515 and the second is on port 516. Both use the "Local 7" facility and the "Warning" level. See syslog at Wikipedia for more.
  • Click Save to store the server address.
  • Sent alerts are displayed with the following information:
      • Address.
      • Port.
      • Facility, e.g. Local 7.
      • Level, e.g. Warning.
      • Sent.
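The IP_Address:Port:Facility:Level format is easy to get wrong because facility and level are both bare numbers. Below is an added example, not part of GigaFlow, that parses a comma-separated target string into named facility and severity values and refuses entries outside the standard ranges (facility 0-23, severity 0-7 per RFC 5424), so an entry with the two fields transposed is caught before it is saved. The defaults it applies when a field is omitted (port 514, Local 7, Warning) are the example's own assumption; the page does not state GigaFlow's defaults. The function names are likewise this example's.

```python
import ipaddress

# Syslog facility and severity numbers, per RFC 5424 section 6.2.1
FACILITY_NAMES = {0: "Kernel", 1: "User", 2: "Mail", 3: "Daemon", 4: "Auth",
                  5: "Syslog", 6: "Lpr", 7: "News", 8: "Uucp", 9: "Cron",
                  10: "Authpriv", 11: "Ftp", 12: "Ntp", 13: "Audit",
                  14: "Alert", 15: "Clock"}
FACILITY_NAMES.update({16 + i: f"Local {i}" for i in range(8)})
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}


def parse_syslog_targets(spec, default_port=514, default_facility=23, default_level=4):
    """Parse a comma-separated list of IP_Address[:Port[:Facility[:Level]]] entries.

    Defaults for omitted fields are assumed here, not documented by the page.
    Only dotted IPv4 addresses are handled, since ':' is the field separator.
    Raises ValueError on an unusable entry instead of silently accepting it.
    """
    defaults = [default_port, default_facility, default_level]
    targets = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split(":")
        if len(parts) > 4:
            raise ValueError(f"too many fields in {raw!r}")
        address = str(ipaddress.ip_address(parts[0]))  # raises on a malformed address
        try:
            given = [int(p) for p in parts[1:]]
        except ValueError:
            raise ValueError(f"non-numeric port/facility/level in {raw!r}")
        port, facility, level = given + defaults[len(given):]
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range in {raw!r}")
        if facility not in FACILITY_NAMES:
            raise ValueError(f"facility {facility} out of range 0-23 in {raw!r}")
        if level not in SEVERITY_NAMES:
            raise ValueError(f"level {level} out of range 0-7 in {raw!r}")
        targets.append({
            "address": address,
            "port": port,
            "facility": FACILITY_NAMES[facility],
            "level": SEVERITY_NAMES[level],
            # PRI value that will appear in the message header: facility * 8 + severity
            "pri": facility * 8 + level,
        })
    return targets


def is_valid_target_spec(spec):
    """True if every entry parses; useful as a pre-save check."""
    try:
        parse_syslog_targets(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for t in parse_syslog_targets("172.21.40.1:515:23:4,172.21.40.2:516:23:4"):
        print(t)
    print(is_valid_target_spec("172.21.40.1:515:4:23"))  # level 23 does not exist
```

Local 7 (23) with Warning (4) yields PRI 188, which is the `<188>` prefix a receiving syslog server would show for these alerts; checking that number on the receiver is a quick way to confirm the facility and level were entered in the right order.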

Sample Syslog Message Types

  • Profiling
{"Application":"HTTPS TCP/443","Eventer":"172.0.0.1","Profile":"Facebook","appid":393659,"bytes":1447,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":50561,"duration":288,"eventname":"Profiler","flags":26,"fwevent":0,"fwextcode":0,"inif":12,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":10,"proto":6,"srcadd":"172.0.0.1","srcport":443,"time":1475147589242,"timeH":"29-Sep-2016 12:13:09.242","tos":40,"user":""}
  • Blacklist
{"Application":"BitTorrent TCP/6881","Black List":"http://lists.blocklist.de/lists/bots.txt","Black List Type":"Source","Eventer":"172.0.0.1","appid":400097,"bytes":120,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":63533,"duration":1380,"eventname":"Black List Src","flags":20,"fwevent":0,"fwextcode":0,"inif":12,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":3,"proto":6,"srcadd":"172.0.0.1","srcport":6881,"time":1475147643237,"timeH":"29-Sep-2016 12:14:03.237","tos":40,"user":""}
  • Syn Source
{"Application":"TCP/49755","Eventer":"172.0.0.1","Syn Type":"Source","appid":442971,"bytes":152,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":54350,"duration":1804,"eventname":"Syn Src Network Sweep","flags":2,"fwevent":0,"fwextcode":0,"inif":30,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":12,"packets":3,"proto":6,"srcadd":"172.0.0.1","srcport":49755,"time":1475147666238,"timeH":"29-Sep-2016 12:14:26.238","tos":0,"user":""}
  • Syn Destination
{"Application":"TCP/34056","Eventer":"172.0.0.1","Syn Type":"Destination","appid":427272,"bytes":152,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":34056,"duration":1124,"eventname":"Syn Dst Port Sweep","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":3,"proto":6,"srcadd":"172.0.0.1","srcport":57058,"time":1475147662254,"timeH":"29-Sep-2016 12:14:22.254","tos":0,"user":""}

The IP addresses in these sample Syslog messages have been replaced with 172.0.0.1.
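Every message type shares the same flow fields and differs only in a type-specific key (Profile, Black List Type, Syn Type). The following added example, written for this page and not GigaFlow's own code, normalises two of the sample messages above into the fields a SIEM rule would key on and converts the integer time field (milliseconds since the epoch) to UTC. In the samples, timeH runs one hour ahead of the UTC value of time, which this example takes to be the appliance's local time zone (an assumption); the practical point is to correlate on time, not on timeH. The function names and the compact summary format are this example's own.

```python
import json
from datetime import datetime, timedelta, timezone

# Two of the page's sample messages, embedded here with whitespace normalised
# (the page notes that the addresses were replaced with 172.0.0.1).
SAMPLE_LINES = [
    '{"Application":"HTTPS TCP/443","Eventer":"172.0.0.1","Profile":"Facebook","appid":393659,"bytes":1447,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":50561,"duration":288,"eventname":"Profiler","flags":26,"fwevent":0,"fwextcode":0,"inif":12,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":10,"proto":6,"srcadd":"172.0.0.1","srcport":443,"time":1475147589242,"timeH":"29-Sep-2016 12:13:09.242","tos":40,"user":""}',
    '{"Application":"TCP/49755","Eventer":"172.0.0.1","Syn Type":"Source","appid":442971,"bytes":152,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":54350,"duration":1804,"eventname":"Syn Src Network Sweep","flags":2,"fwevent":0,"fwextcode":0,"inif":30,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":12,"packets":3,"proto":6,"srcadd":"172.0.0.1","srcport":49755,"time":1475147666238,"timeH":"29-Sep-2016 12:14:26.238","tos":0,"user":""}',
]

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers


def epoch_ms_to_utc(ms):
    """Convert the integer 'time' field (milliseconds since the epoch) to an aware UTC datetime."""
    # integer arithmetic avoids float rounding of the millisecond part
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def parse_alert(line):
    """Normalise one GigaFlow JSON alert into the fields a SIEM rule would key on."""
    m = json.loads(line)
    # the discriminator lives in a type-specific key; fall back to empty
    detail = m.get("Profile") or m.get("Syn Type") or m.get("Black List Type") or ""
    return {
        "event": m["eventname"],
        "detail": detail,
        "src": f'{m["srcadd"]}:{m["srcport"]}',
        "dst": f'{m["dstadd"]}:{m["dstport"]}',
        "proto": PROTO_NAMES.get(m["proto"], str(m["proto"])),
        "utc": epoch_ms_to_utc(m["time"]),
        "device": m["device"],
        "bytes": m["bytes"],
        "packets": m["packets"],
    }


def timeh_offset_hours(line):
    """Hours by which the human-readable timeH leads the UTC value of time."""
    m = json.loads(line)
    local = datetime.strptime(m["timeH"], "%d-%b-%Y %H:%M:%S.%f")
    utc = epoch_ms_to_utc(m["time"]).replace(tzinfo=None)
    return (local - utc).total_seconds() / 3600


def summarize(line):
    """One-line, UTC-stamped rendering suitable for a ticket or a grep-able log."""
    a = parse_alert(line)
    stamp = a["utc"].strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return (f'{stamp} {a["event"]}[{a["detail"]}] {a["src"]} -> {a["dst"]} '
            f'{a["proto"]} {a["packets"]}pkt/{a["bytes"]}B device={a["device"]}')


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize(line), f"(timeH is UTC{timeh_offset_hours(line):+.0f})")
```

The zero MAC addresses and identical source, destination, device and Eventer addresses in the samples are artefacts of the page's redaction, so a consumer should not treat all-zero macsrc/macdst or src == dst as meaningful on its own.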

Mail Alerts

To configure a system email alert:

  • Toggle the Yes or No options for any of the alert situations.
  • Click Save to store the server address.

Netflow Event Types to Process

This table lists the possible event triggers, each with options to: (i) create an event and (ii) trigger a script to run.

The event triggers include:

  • Netflow Unknown.
  • Netflow TCA.
  • Netflow Route Change.
  • Netflow Immitigable.
  • Netflow Bandwidth.
  • Netflow Egress Measurement.
  • Netflow Ingress Measurement.