Customizing ASAM module in NetFlow Analyzer


The previous blog on ASAM will have given you an idea about the class “Scan and Probes” available with NetFlow Analyzer. Now that we know how the events are triggered, we need to narrow them down so that specific or unwanted events can be ignored.

When I say unwanted events, I mean events that are deemed trusted or allowed network activities for certain resources and problems. To white list these kinds of events, we have to fine-tune this module.

To customize or fine-tune the module, we can make use of the following options:

1) White List: The White List option allows you to ignore specific events and discard specific flows.

1.a) Ignore Events: Allows you to ignore specific events of problems for any resource.

1.b) Discard Flows: Allows you to discard flows for a specific problem.

2) Manage: The Manage option allows you to manage Problems, Algorithms, and Resources.

2.a) Manage Problem: Allows you to enable or disable a specific problem or a set of problems.

2.b) Manage Algorithm: Allows you to enable or disable a specific algorithm or a set of algorithms. If an algorithm is disabled, ASAM will not use it to generate events.

2.c) Manage Resource: Allows you to enable or disable resources for a specific resource type.

3) Algorithm Settings: Allows you to set the threshold value and the field type to be displayed in the Offender and Target columns of the Event List report.

3.a) Threshold Settings: Allows you to set threshold values for an algorithm.

3.b) Offender/Target Settings: Allows you to select the specific Offender/Target field to be displayed in the Event List report.

4) Location: The Location option allows you to manage the geographical and topological locations for offenders and targets. Using this, you can load/update geographical location, configure topological location, view/edit the topological location list, and configure location mode settings.

4.a) Load Geolocation: Allows you to load/update the geographical location of IP addresses.

4.b) Add Topolocation: Allows you to configure the topological location for IP addresses.

Now let me explain white listing with an example. Consider that I am using a server (say 192.168.181.14) for testing. I will be doing lots of pings to other destinations and TCP header testing from this server, so I do not want events to be generated for traffic from this server.

For this, I will first select an event generated from the server's IP address and click on Whitelist. Here I will select the Discard Flows option, which opens a new page. In this page I will set the needed criteria. In my case I will be setting
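To make the two white list modes concrete, here is an added Python model (not NetFlow Analyzer's own code; the event fields, algorithm names and sample events are constructed) that applies the post's scenario of discarding Scan and Probes flows from the test server 192.168.181.14 while leaving events from other hosts intact:

```python
from dataclasses import dataclass, field

# Constructed model of an ASAM-style event (field names are assumptions,
# not NetFlow Analyzer's real schema): the problem class that fired, the
# algorithm that raised it, and the offender/target addresses.
@dataclass(frozen=True)
class Event:
    problem: str
    algorithm: str
    offender: str
    target: str

@dataclass
class WhiteList:
    # "Ignore Events": (problem, algorithm) pairs ignored for any resource.
    ignored_events: set = field(default_factory=set)
    # "Discard Flows": (problem, offender IP) pairs whose flows are dropped
    # before they can raise an event.
    discarded_flows: set = field(default_factory=set)

    def ignore_event(self, problem: str, algorithm: str) -> None:
        self.ignored_events.add((problem, algorithm))

    def discard_flows(self, problem: str, offender: str) -> None:
        self.discarded_flows.add((problem, offender))

    def allows(self, ev: Event) -> bool:
        """True if the event survives both white list checks."""
        if (ev.problem, ev.algorithm) in self.ignored_events:
            return False
        return (ev.problem, ev.offender) not in self.discarded_flows

def filter_events(events: list, wl: WhiteList) -> list:
    """Return only the events the white list does not suppress."""
    return [ev for ev in events if wl.allows(ev)]

# Constructed sample events; algorithm names are placeholders.
SAMPLE_EVENTS = [
    Event("Scan and Probes", "ping-sweep", "192.168.181.14", "10.0.0.0/24"),
    Event("Scan and Probes", "tcp-flag-probe", "192.168.181.14", "10.0.0.5"),
    Event("Scan and Probes", "tcp-flag-probe", "172.16.4.9", "10.0.0.5"),
]

def whitelist_test_server(events: list = SAMPLE_EVENTS) -> list:
    """The post's scenario: discard Scan and Probes flows from the test
    server so only activity from other hosts still raises events."""
    wl = WhiteList()
    wl.discard_flows("Scan and Probes", "192.168.181.14")
    return filter_events(events, wl)
```

A Discard Flows entry keyed on the offender address silences every Scan and Probes event from that host, so if the test server is later repurposed or compromised its scanning would no longer be reported; keep such entries scoped to the narrowest problem and resource the testing actually needs, and review the white list when the server's role changes.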
