Outbound Mail Spammers Monitor (10025 / 20025)
Description
This Module detects internal hosts infected with spam-sending malware. It monitors egress TCP traffic to destination ports 25 or 465 (SMTP and SMTPS), excluding known authorized mail servers. The Module reports the top email senders and provides information consolidated over a configurable time interval.
Parameters
Parameter Name | Description | Comments
---|---|---
Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 3600 sec, default = 600 sec
N - number of reported outbound spammers | Top N (number of reported spammers) | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported)
Known local mail servers (ipv4_src_addr) list | List of IP addresses of known mail servers to be excluded from reporting | 
Supported Flow Formats
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow fields
Information Element (IE) | IE id | IE size, B | Description
---|---|---|---
sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header
protocolIdentifier | 4 | 1 | The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.
destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.
octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload.
packetDeltaCount | 2 | 4 or 8 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point.
Syslog/JSON Message Fields
Key | Field Description | Comments
---|---|---
nfc_id | Message type identifier | "nfc_id=20025"
exp_ip | NetFlow exporter IPv4 address | <IPv4_address>
src_ip | Source host IPv4 address | <IPv4_address>
bytes_out | Bytes total (Traffic) | <number>
packets_out | Packets | <number>
num_conn | Number of flows initiated by the source host | <number>
min_bytes | Minimum bytes count of flows | <number>
max_bytes | Maximum bytes count of flows | <number>
t_int | Observation time interval, msec | <number>
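The following is an added example, written for this page and not NetFlow Optimizer's own code, showing the filtering and aggregation the Description and the message-field table describe: flows are kept only when protocolIdentifier is TCP and destinationTransportPort is 25 or 465, flows from the known-mail-server list are dropped, the rest are rolled up per (exporter, source host) into the bytes_out, packets_out, num_conn, min_bytes and max_bytes fields, and the top N senders are emitted as key=value syslog lines with nfc_id=20025. The `FlowRecord` field names, the sample flows, the exporter and host addresses, and the ranking key (num_conn, then bytes_out, since the page does not state which metric defines "top") are this example's assumptions.

```python
"""Outbound-spammer aggregation over NetFlow-style records (added example).

Not NetFlow Optimizer's code: a minimal re-implementation of the logic the
Module description gives, with constructed sample flows embedded inline.
"""
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

TCP = 6                  # protocolIdentifier value for TCP (IANA protocol numbers)
SMTP_PORTS = {25, 465}   # destinationTransportPort values the Module watches
NFC_ID = 20025           # message type identifier from the Syslog/JSON table


class FlowRecord(NamedTuple):
    """One flow carrying only the IEs the Module requires.

    Field names are this example's own (assumption), mapped to the IEs in
    the "Required NetFlow fields" table.
    """
    exp_ip: str     # exporter that observed the flow
    src_ip: str     # sourceIPv4Address (IE 8)
    proto: int      # protocolIdentifier (IE 4)
    dst_port: int   # destinationTransportPort (IE 11)
    octets: int     # octetDeltaCount (IE 1)
    packets: int    # packetDeltaCount (IE 2)


# Constructed sample flows for one collection interval (not real traffic).
FLOWS: List[FlowRecord] = [
    FlowRecord("10.0.0.1", "192.168.1.50", TCP, 25, 1200, 10),
    FlowRecord("10.0.0.1", "192.168.1.50", TCP, 25, 800, 6),
    FlowRecord("10.0.0.1", "192.168.1.50", TCP, 465, 300, 4),
    FlowRecord("10.0.0.1", "192.168.1.10", TCP, 25, 50000, 400),  # known mail server: excluded
    FlowRecord("10.0.0.1", "192.168.1.77", TCP, 25, 2000, 15),
    FlowRecord("10.0.0.1", "192.168.1.77", 17, 25, 100, 1),       # UDP: not SMTP, ignored
    FlowRecord("10.0.0.1", "192.168.1.77", TCP, 443, 9000, 40),   # HTTPS: ignored
    FlowRecord("10.0.0.1", "192.168.1.90", TCP, 25, 60, 1),
]

# The "Known local mail servers (ipv4_src_addr) list" parameter (constructed value).
KNOWN_MAIL_SERVERS: Set[str] = {"192.168.1.10"}


def aggregate(flows: Iterable[FlowRecord], known_mail_servers: Set[str],
              top_n: int = 50, t_int_ms: int = 600_000) -> List[dict]:
    """Filter SMTP/SMTPS flows, roll them up per (exporter, source host),
    and return the top_n report records (top_n == 0 means report all hosts).

    Defaults mirror the parameter table: N = 50, interval = 600 s (as msec).
    """
    stats: Dict[Tuple[str, str], dict] = {}
    for f in flows:
        if f.proto != TCP or f.dst_port not in SMTP_PORTS:
            continue                      # only TCP to port 25/465 counts
        if f.src_ip in known_mail_servers:
            continue                      # authorized mail servers are excluded
        key = (f.exp_ip, f.src_ip)
        s = stats.get(key)
        if s is None:
            s = stats[key] = {"bytes_out": 0, "packets_out": 0, "num_conn": 0,
                              "min_bytes": f.octets, "max_bytes": f.octets}
        s["bytes_out"] += f.octets        # octetDeltaCount summed over flows
        s["packets_out"] += f.packets     # packetDeltaCount summed over flows
        s["num_conn"] += 1                # one flow == one connection attempt
        s["min_bytes"] = min(s["min_bytes"], f.octets)
        s["max_bytes"] = max(s["max_bytes"], f.octets)

    # Ranking key is an assumption: most flows first, then most bytes.
    ranked = sorted(stats.items(),
                    key=lambda kv: (kv[1]["num_conn"], kv[1]["bytes_out"]),
                    reverse=True)
    if top_n > 0:
        ranked = ranked[:top_n]
    return [{"nfc_id": NFC_ID, "exp_ip": exp, "src_ip": src, **s, "t_int": t_int_ms}
            for (exp, src), s in ranked]


def format_syslog(report: dict) -> str:
    """Render one report record as the key=value line the Module emits."""
    return " ".join(f"{k}={v}" for k, v in report.items())


if __name__ == "__main__":
    for rec in aggregate(FLOWS, KNOWN_MAIL_SERVERS, top_n=2):
        print(format_syslog(rec))
```

In the sample interval, 192.168.1.50 is reported first with num_conn=3 and bytes_out=2300 even though the excluded mail server moved far more data; the exclusion list is what keeps a legitimate relay from dominating every report, so keeping that parameter accurate matters as much as the port filter. A very small min_bytes across many flows is the pattern worth looking at, since it is typical of mass connection attempts rather than normal client mail submission.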