While wondering what to write about for our blog, this question came in from a user. He needed to get alerts when the hosts in his network communicated with a set of blacklisted IP addresses. We felt this could be useful for a number of users, which is why we now have this blog post.

For this requirement, the user could have opted for an expensive flow-based anomaly detection solution and achieved it the costly way. The cost-effective method was to work with features already available in ManageEngine's easy-to-use, all-software bandwidth monitoring solution, NetFlow Analyzer.

Now, in detail, what was wanted and how it can be done.

There is a set of IP addresses with which the hosts in a company's network are not expected to communicate. If there is traffic either to or from these blacklisted IPs, the network administrator needs to be alerted so that he can find the violating host and then carry out precautionary steps.

NetFlow (or any similar flow technology), with its capabilities for in-depth reports, is the only technology that can tell you about the application used, the source and destination of traffic, the priority of the traffic and much more. NetFlow Analyzer, which supports all the major flow formats, has an IP Group feature with which you can group together IP addresses, networks or ranges and monitor the traffic to and from them. Using this, one can create an IP Group and associate all the blacklisted IP addresses with it. When creating the IP Group, the speed used for the utilization calculation is set to the lowest possible value, 1 bps. This way, even a single conversation will account for more than 1 percent utilization.

Creating the IP Group

After creating the IP Group, we can use alert profiles to receive alerts when traffic utilization in the IP Group exceeds 1%. The alerts can be emailed to the address specified, and you can even configure multiple threshold actions in the same alert profile.

Setting up the alert

With this, you can verify that no traffic has passed to or from the blacklisted IP addresses, and if there was traffic, you are alerted. Drilling down on the IP Group to the Conversation tab shows the hosts involved, helping you take your precautionary measures.
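To make the mechanism concrete, here is an added example (not NetFlow Analyzer's own code) that applies the same logic to a handful of constructed flow records: blacklist entries in the address, network and range forms an IP Group accepts, utilization computed against the group's configured speed, the 1% alert threshold, and the conversation list an administrator would drill into to find the violating host. The flow records, addresses, export window and the `Flow`/`evaluate` names are constructed assumptions for this illustration.

```python
# Added example (not NetFlow Analyzer code): the IP Group + alert logic from the
# post, applied to constructed flow records so the effect of the 1 bps speed
# setting and the 1% threshold can be seen. All addresses and flows below are
# constructed sample data using documentation address ranges.
import ipaddress
from dataclasses import dataclass

# Blacklist entries in the three forms an IP Group accepts: single address,
# network (CIDR) and range. Constructed, hypothetical values.
BLACKLIST_ENTRIES = ["203.0.113.5", "198.51.100.0/24", "192.0.2.10-192.0.2.20"]

# Speed assigned to the IP Group for the utilization calculation. The post sets
# the lowest possible value, 1 bps, so that any conversation exceeds 1%.
GROUP_SPEED_BPS = 1
ALERT_THRESHOLD_PERCENT = 1.0


@dataclass(frozen=True)
class Flow:
    """One flow record: endpoints and byte count (a minimal NetFlow-like view)."""
    src: str
    dst: str
    octets: int


def _matcher(entry: str):
    """Build a predicate for one IP Group entry (address, CIDR network or a-b range)."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(entry, strict=False)  # a bare address becomes a /32
    return lambda ip: ip in net


MATCHERS = [_matcher(e) for e in BLACKLIST_ENTRIES]


def is_blacklisted(addr: str) -> bool:
    """True if the address falls in any blacklist entry."""
    ip = ipaddress.ip_address(addr)
    return any(m(ip) for m in MATCHERS)


def group_flows(flows):
    """Flows the IP Group would count: either endpoint is a blacklisted address."""
    return [f for f in flows if is_blacklisted(f.src) or is_blacklisted(f.dst)]


def utilization_percent(flows, window_s: float, speed_bps: int = GROUP_SPEED_BPS) -> float:
    """Utilization of the group's configured speed over the observation window."""
    total_bits = sum(f.octets * 8 for f in flows)
    return total_bits / (speed_bps * window_s) * 100.0


def evaluate(flows, window_s: float, speed_bps: int = GROUP_SPEED_BPS) -> dict:
    """Apply the alert profile: threshold on utilization, then list the conversations
    (internal host <-> blacklisted IP) an admin would see on the Conversation tab."""
    matched = group_flows(flows)
    util = utilization_percent(matched, window_s, speed_bps)
    conversations = set()
    for f in matched:
        # Report the non-blacklisted side as the violating internal host.
        inside, outside = (f.dst, f.src) if is_blacklisted(f.src) else (f.src, f.dst)
        conversations.add((inside, outside))
    return {
        "alert": util > ALERT_THRESHOLD_PERCENT,
        "utilization_percent": util,
        "matched_flows": len(matched),
        "conversations": conversations,
        "violating_hosts": {inside for inside, _ in conversations},
    }


# Constructed sample flows for one 60-second export interval.
SAMPLE_FLOWS = [
    Flow("10.0.0.15", "203.0.113.5", 1200),    # to a listed single address
    Flow("10.0.0.22", "8.8.8.8", 50000),       # ordinary traffic, not listed
    Flow("198.51.100.77", "10.0.0.15", 600),   # from a listed network
    Flow("10.0.0.40", "192.0.2.15", 90),       # to an address inside a listed range
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_FLOWS, window_s=60)
    print("ALERT" if report["alert"] else "quiet", report)
```

Re-running `evaluate` with a realistic speed such as 1 Gbps shows why the post fixes the group speed at 1 bps: the same three blacklist conversations amount to a tiny fraction of a percent and would never cross the 1% threshold, whereas at 1 bps even a one-byte flow in a 60-second window reads as over 13% utilization.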

A combination of simple features for proactive troubleshooting!


Regards,
Don Thomas Jacob