nanog mailing list archives
Re: quietly....
From: Jack Bates <jbates () brightok net>
Date: Sat, 05 Feb 2011 01:04:01 -0600
On 2/4/2011 9:25 PM, George Bonser wrote:
> Maybe because it is just easier to do a transparent redirect to the ISP's mail server and look for patterns there.
Analyzing flows generally isn't any more difficult than analyzing mail log patterns. It doesn't have the queue and check mechanism of a transparent redirect, but transparent redirects break certain types of mail connections as well. It is good practice for an ISP to run flow analysis anyways to detect bad traffic patterns.
What I really want and haven't had time to write is a good procedure that establishes dynamic policies for flow pattern matches which causes the suspect packets to start tag switching to an analysis server where it is more closely examined before actual filters are updated.
I'd really like to see standards developed which router vendors supported to make such dynamic policies easier to update, along with the filters themselves. Perhaps we'll see it after more pressing IPv6 concerns are addressed.
Jack
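
The first stage of the procedure described in the message above (a flow pattern match producing a temporary policy that steers suspect traffic to analysis instead of filtering it outright), as an added example that is not part of the original post. The flow record layout, the thresholds, the `redirect-to-analysis` action name and the sample flows are all assumptions constructed for illustration; the analysis server and the router-side policy push are out of scope.

```python
from collections import defaultdict

SMTP_PORT = 25
WINDOW_S = 60         # assumed look-back window for flow records
MAX_DISTINCT_DST = 5  # assumed: more distinct SMTP peers than this is suspect
POLICY_TTL_S = 300    # assumed lifetime of a dynamic redirect policy

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, packets)
FLOWS = (
    # one host opening SMTP sessions to eight different servers in 40 seconds
    [(5 * i, "192.0.2.66", f"198.51.100.{i + 1}", 25, 3) for i in range(8)]
    # a normal client talking repeatedly to a single mail server
    + [(10 * i, "192.0.2.10", "203.0.113.25", 25, 20) for i in range(5)]
    # high fan-out, but not SMTP, so this pattern ignores it
    + [(i, "192.0.2.77", f"198.51.100.{i + 1}", 443, 9) for i in range(8)]
)

def suspect_sources(flows, now):
    """Map each source over the threshold to its distinct SMTP peer count."""
    peers = defaultdict(set)
    for ts, src, dst, dport, _packets in flows:
        if dport == SMTP_PORT and now - WINDOW_S <= ts <= now:
            peers[src].add(dst)
    return {s: len(d) for s, d in peers.items() if len(d) > MAX_DISTINCT_DST}

def update_policies(policies, flows, now):
    """Expire stale entries, then add a redirect policy per new suspect.

    Entries only divert matching packets for closer examination; turning a
    verdict into a real filter is a separate step not modelled here.
    """
    live = {s: p for s, p in policies.items() if p["expires"] > now}
    for src, count in suspect_sources(flows, now).items():
        live[src] = {
            "action": "redirect-to-analysis",  # hypothetical action name
            "match": f"src {src} tcp dport {SMTP_PORT}",
            "distinct_dsts": count,
            "expires": now + POLICY_TTL_S,
        }
    return live

if __name__ == "__main__":
    for src, policy in update_policies({}, FLOWS, now=60).items():
        print(src, policy)
```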