2.12.2.1 Sampling Rate
For better and more accurate anomaly detection, it is strongly recommended not to sample the flow records. However, if your network router is experiencing high CPU usage, you can enable a sampling rate on the router interfaces. Example of the configuration on Cisco devices:
Listing 2.56: Cisco NetFlow Sampling Rate configuration
interface GigabitEthernet0/1
 ip flow monitor FLOW-MONITOR input
 ip flow monitor FLOW-MONITOR output
 ip flow ingress sampling mode random 1 out-of 10
 ip flow egress sampling mode random 1 out-of 10
With this configuration the router samples 1 random packet out of every 10 on the interface and builds the flow records sent to the flow collector from the sampled packets only. Packet and byte counters in the exported records therefore reflect only the sampled packets, so the sampling rate has to be taken into account when interpreting them.
2.12.2.2 Exporting TCP flags
To achieve better accuracy in detecting TCP attacks such as SYN and ACK floods, it is recommended that exporting the TCP flags as a key field in the flow records is enabled. This allows the application to detect TCP anomalies more precisely, because flows that carry different flag combinations (for example SYN only versus SYN and ACK) are exported as separate records instead of being merged. If your router does not support this option, IRP can instead sum the flow records that contain TCP flags and provide analysis based on that.
Please refer to the collector.flow.nf.tcp_flags
Example of the configuration on Cisco and Juniper devices:
Listing 2.57: Exporting TCP flags as flow keys
Cisco:
flow record FLOW-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ip protocol
 match transport tcp flags
 collect transport source-port
 collect transport destination-port
Juniper:
set services flow-monitoring version9 template FLOW-RECORD flow-key ipv4-source-address
set services flow-monitoring version9 template FLOW-RECORD flow-key ipv4-destination-address
set services flow-monitoring version9 template FLOW-RECORD flow-key protocol
set services flow-monitoring version9 template FLOW-RECORD flow-key source-port
set services flow-monitoring version9 template FLOW-RECORD flow-key destination-port
set services flow-monitoring version9 template FLOW-RECORD flow-key tcp-flags
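The following is an added example, not IRP code, that ties the two sections together: it runs a simple SYN-flood check over constructed flow records that carry TCP flags as a key field, and scales the sampled packet counters back up by the "1 out-of 10" sampling rate before comparing them against thresholds. Addresses, thresholds and the record layout are assumptions made for the example.

```python
from collections import defaultdict

# TCP flag bits as carried in the NetFlow v9 / IPFIX tcpControlBits field.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed flow records: (src, dst, dst_port, packets, tcp_flags).
# tcp_flags is the OR of all flags seen in the flow; None models a router
# that does not export the field at all.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, 4, SYN | ACK | PSH | FIN),  # completed session
    ("10.0.0.6", "192.0.2.10", 443, 2, SYN | ACK | PSH),        # completed session
    ("198.51.100.1", "192.0.2.10", 443, 1, SYN),                # half-open
    ("198.51.100.2", "192.0.2.10", 443, 1, SYN),                # half-open
    ("198.51.100.3", "192.0.2.10", 443, 1, SYN),                # half-open
    ("198.51.100.4", "192.0.2.10", 443, 1, SYN),                # half-open
    ("10.0.0.7", "192.0.2.20", 22, 30, SYN | ACK | PSH | FIN),  # ssh session
    ("10.0.0.8", "192.0.2.20", 22, 1, None),                    # flags not exported
]


def classify(flags):
    """Bucket a flow by its accumulated TCP flags."""
    if flags is None:
        return "unknown"          # router did not export tcp flags
    if flags & SYN and not flags & ACK:
        return "syn_only"         # handshake never completed in this flow
    return "other"


def estimate_syn_backlog(flows, sampling_rate=1):
    """Per destination: estimated real packet counts per flag bucket.

    sampling_rate=10 corresponds to 'random 1 out-of 10': each sampled
    packet stands for roughly 10 real packets, so counters are scaled up.
    """
    per_dst = defaultdict(lambda: {"syn_only": 0, "other": 0, "unknown": 0})
    for _src, dst, _port, packets, flags in flows:
        per_dst[dst][classify(flags)] += packets * sampling_rate
    return dict(per_dst)


def syn_flood_candidates(flows, sampling_rate=1, min_syn=20, ratio=0.5):
    """Destinations whose SYN-only traffic is both large and dominant."""
    hits = []
    for dst, c in estimate_syn_backlog(flows, sampling_rate).items():
        if c["syn_only"] >= min_syn and c["syn_only"] >= ratio * c["other"]:
            hits.append((dst, c["syn_only"]))
    return sorted(hits)
```

Run with sampling_rate=10 the four half-open flows to 192.0.2.10 are estimated at 40 real SYN packets and the host is reported; with the scaling left out the same records stay under the threshold, which is why the sampling rate must be applied before thresholds are compared.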

