Top Traffic Monitor Geo City (10867 / 20867)
This Module identifies and reports hosts with the most traffic (optionally all hosts). It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol
For bidirectional flows the Module stitches request-reply flows inverting source and destination for flows in the opposite direction. It reports consolidated flows separating bytes/packets sent and bytes/packets received.
This information is provided per NetFlow exporter.
Watch list parameter “Known malicious hosts list” must be specified for the Module to report reputation of communicating peers. The Module checks if destination IP is in this watch list; if yes, the reputation value is provided, and the rep_ip field is populated with destination IP address. If not, the source IP is checked, the reputation value is populated, and rep_ip field is populated with the source IP.
This list is obtained from Alienvault IP Reputation Database http://reputation.alienvault.com/reputation.snort. It is updated once a day.
If you have your private list in snort format, and/or you want NetFlow Optimizer to get the list from disk (e.g. /opt directory), change the URL from http://reputation.alienvault.com/reputation.snort to file:///opt/reputation.snort.
Country codes, region, city, and other geo information for both source IP and destination IP are provided based on “IPv4 address block and city location” watch list.
The free version of MaxMind GeoIP2 City database is updated once a month.
Starting from January 1 2020 you need to register with MaxMind to get FREE GeoLite2 database. Please see https://dev.maxmind.com/geoip/geoip2/geolite2/ for more details.
Once you register and generate your new license key, replace "YOUR_LICENSE_KEY" with it in URL field of EDFN Agent:
TCP session duration
TCP session duration is calculated as follows:
TCP session duration - tcp_duration - is reported in syslogs when the session is terminated. It is calculated as the time between source SYN and first FIN/RST.
"Update" flows reported by network devices triggered by inactive/active timeouts will not have tcp_duration field in corresponding syslogs as the session is not terminated at the time of reporting.
These flows will be consolidated for the same session if more than one flow is sent to NFO within the same data collection interval (DCI). Flows that belong to the same session (requests-replies) will be reported in a single syslog within DCI, with bytes and packets reported separately for each direction (bytes_in and bytes_out, packets_in and packets_out).