Observer GigaFlow

Respond to a Blacklist Email Alert

Alerts and Events

See System > Alerting in the Reference Manual to enable email alerts.

You will receive a GigaFlow alert email when a device in your network makes a connection to a blacklisted IP address. The embedded link will direct you to an Events page that summarises interactions with the blacklisted IP address during the reporting period.

See Determine if Bad Traffic is Affecting Your Network for more.

Determine the Importance of an Event

If you receive intelligence about a specific IP Address, MAC Address, network device or user, carry out a GigaFlow Search on the object. For this example, we will search by IP address.

After searching by IP address, click By Either in the panel on the left.

This will bring you to an Events page that summarises interactions with the IP address during the reporting period. Using this information, you can build a picture of the importance of the event.

See Determine if Bad Traffic is Affecting Your Network for more.

To view historical information, select the relevant dates and times at the top of the page.

Investigate a SYN Anomaly

See Reports > System Wide Reports > SYN Forensics Monitoring in the Reference Manual.

GigaFlow monitors all TCP flows in which only the SYN flag is set. In normal network operations, this indicates that the flow saw no reply packet while it was active in a router's NetFlow cache.

A lonely SYN can be an indicator that:

  • Routing was asymmetric. Perhaps the reply returned via a different router.
  • Reply traffic was blocked.
  • Servers were not responding for some reason.
  • Something was probing the network.

To view objects that are behaving anomalously, navigate to Reports > System Wide Reports > SYN Forensics Monitoring.

You will see a summary of all the internal sources listed in order of the number of destination objects associated with each internal source.

Click the Drill Down icon for more information about each IP address.
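The logic behind the SYN Forensics summary, reproduced outside the product as an added example (this is not GigaFlow's own code): filter flow records whose cumulative TCP flags are exactly SYN, keep only those whose source is internal, and rank each internal source by the number of distinct destinations it touched. The flow records are constructed sample data, and the RFC 1918 definition of "internal" is an assumption; GigaFlow's own notion of internal objects comes from its configuration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# TCP flag bits as carried in a NetFlow record's tcpFlags field
# (the OR of the flags seen on every packet in the flow).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Assumption: "internal" means RFC 1918 space. Adjust to your own address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_FLOWS = [
    ("10.0.1.20", "203.0.113.5", 443, TCP_SYN | TCP_ACK | TCP_PSH | TCP_FIN),  # completed session
    ("10.0.1.20", "203.0.113.9", 80, TCP_SYN),           # lonely SYN
    ("10.0.1.44", "198.51.100.7", 22, TCP_SYN),          # lonely SYN
    ("10.0.1.44", "198.51.100.8", 22, TCP_SYN),          # lonely SYN
    ("10.0.1.44", "198.51.100.9", 22, TCP_SYN),          # lonely SYN
    ("10.0.1.44", "198.51.100.9", 23, TCP_SYN),          # same destination, another port
    ("203.0.113.77", "10.0.1.44", 3389, TCP_SYN),        # external source: not an internal object
    ("10.0.1.50", "10.0.2.8", 445, TCP_SYN | TCP_RST),   # SYN plus RST: a reply was seen
]


def is_lonely_syn(flags):
    """True when the flow carried SYN and nothing else (no ACK, RST, FIN or PSH)."""
    return flags == TCP_SYN


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def lonely_syn_summary(flows):
    """Return [(internal_src, distinct_destination_count, sorted_destinations)],
    ordered by destination count descending, then by source address."""
    dests = defaultdict(set)
    for src, dst, _port, flags in flows:
        if is_lonely_syn(flags) and is_internal(src):
            dests[src].add(dst)
    return sorted(((src, len(d), sorted(d)) for src, d in dests.items()),
                  key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for src, count, dsts in lonely_syn_summary(SAMPLE_FLOWS):
        print(f"{src:<15} {count:>3} destinations: {', '.join(dsts)}")
```

A source at the top of this list with many distinct destinations and few or no completed sessions is the pattern worth drilling into first; a single lonely SYN per source is more often asymmetric routing or a blocked reply.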