[unisog] registering servers

Reg Quinton reggers at ist.uwaterloo.ca
Fri Jul 28 13:42:09 GMT 2006

wrt. figuring out where your servers are...

We have Cisco routers and archive flowdata as many others do with flow-tools 
from splintered.net -- I gather this is similar to the argus system Peter 
mentioned. I had assumed the information about TCP flow direction (to 
identify the server side of a TCP connection) was already there ... but it 
isn't obvious to me. From the start time information on a pair of related 
flows I can determine who called whom, but that seems to be an awkward way 
of getting the information.

Are there any netflow gurus out there who know some better tricks?

PS. We have a snort tap and this rule will ring on a server responding with 
a syn+ack:

alert tcp $HOME_NET any -> any any (msg: "BLEEDING-UW Server Syn/Ack"; flags:SA; sid:99990026; rev:1;)

But that will generate a ton of alerts -- you probably don't want to use it! 
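The start-time trick described in the post, as an added worked example (this is not code from the original message or from flow-tools). It pairs the two unidirectional records of each TCP connection, treats the record that started first as the client side and its destination as the server, and falls back to a well-known-port heuristic when both records carry the same start timestamp. The record layout (start time in ms, source, source port, destination, destination port, protocol) and the sample records are constructed for the example; real flow-tools output has more fields and a different layout.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records, one unidirectional flow per line:
# start_ms src sport dst dport proto   (hypothetical layout, not flow-print's)
SAMPLE_FLOWS = """
# two HTTPS connections to the same server, client record starts 1 ms earlier
1000 10.0.0.5   51234 192.0.2.10 443   6
1001 192.0.2.10 443   10.0.0.5   51234 6
2000 10.0.0.7   40000 192.0.2.10 443   6
2001 192.0.2.10 443   10.0.0.7   40000 6
# SSH connection where both records share a start time (resolution tie)
3000 10.0.0.5   40001 192.0.2.20 22    6
3000 192.0.2.20 22    10.0.0.5   40001 6
# tie on two ephemeral ports: direction cannot be decided
4000 10.0.0.9   5000  192.0.2.30 6000  6
4000 192.0.2.30 6000  10.0.0.9   5000  6
# only one direction was exported: skipped, no pair to compare
5000 10.0.0.9   33333 192.0.2.40 80    6
"""


@dataclass(frozen=True)
class Flow:
    start_ms: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


def parse_flows(text):
    """Parse the constructed record layout into Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, sport, dst, dport, proto = line.split()
        flows.append(Flow(int(start), src, int(sport), dst, int(dport), int(proto)))
    return flows


def find_servers(flows, well_known=1024):
    """Return ({(server_ip, server_port): connection_count}, [ambiguous keys]).

    Flows are grouped by the order-independent 5-tuple, so the two directions
    of one connection land in the same bucket. The earlier-starting record is
    the client's SYN direction, so its destination is the server. On a start
    time tie, the side listening below `well_known` is assumed to be the
    server; if that does not decide it either, the connection is reported as
    ambiguous rather than guessed.
    """
    by_conn = defaultdict(list)
    for f in flows:
        a, b = (f.src, f.sport), (f.dst, f.dport)
        by_conn[(min(a, b), max(a, b), f.proto)].append(f)

    servers = defaultdict(int)
    ambiguous = []
    for key, records in by_conn.items():
        if len(records) < 2:
            continue  # single direction seen; nothing to compare against
        records.sort(key=lambda f: f.start_ms)
        first, second = records[0], records[1]
        if first.start_ms < second.start_ms:
            servers[(first.dst, first.dport)] += 1
        elif first.dport < well_known <= first.sport:
            servers[(first.dst, first.dport)] += 1
        elif first.sport < well_known <= first.dport:
            servers[(first.src, first.sport)] += 1
        else:
            ambiguous.append(key)
    return dict(servers), ambiguous


if __name__ == "__main__":
    found, unsure = find_servers(parse_flows(SAMPLE_FLOWS))
    for (ip, port), n in sorted(found.items()):
        print(f"server {ip}:{port}  connections={n}")
    print(f"ambiguous connections: {len(unsure)}")
```

Because the decision rests on timestamps alone, exporters with coarse timestamp resolution or out-of-order export will produce more ties; the port heuristic covers the common case and anything left over is surfaced rather than silently counted as a server.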

