Flagged by Network Log Analysis

IPS uses a number of facilities to analyze network logs.

  • High Concern Index in Stealthwatch

    The concern index (CI) is a score that the Stealthwatch appliance assigns to a suspicious host.  The appliance monitors traffic at the network handoff as well as between major University routers.  Concern index points are added when questionable activity exceeds a configured threshold.  Examples include:

    • Bandwidth exceeded
    • ICMP flood
    • Half open attack
    • Mail rejects 
    • Worm activity

    Concern index values range from zero to hundreds of thousands of points.  Hosts with the highest values are brought to the attention of departmental computing staff for investigation and possible remediation.

  • Connections to Known Botnet Controllers

    REN-ISAC provides lists of known botnet controllers and the ports on which infected (zombie) hosts connect to them.  If traffic to one of these controller/port pairs is seen at the network handoff, it is very likely that the originating host is part of a botnet.  A report listing the Top Botnet Hosts for the previous 24 hour period is generated once each night.  See Botnet for further background and remediation information.

  • Snort Signature

    IPS runs the Snort IDS on the Internet handoff with a handful of tested signatures.  The Top Alert Hosts report lists the hosts that appeared most frequently in Snort alerts during the previous 24 hour period; it is generated once every 24 hours.  The specific remediation depends on which Snort signature fired.
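The following Python is an added example, not code from the original page or from the University's own reporting tools.  It builds the two nightly reports described in the last two items above (Top Botnet Hosts from flow records matched against a controller list, and Top Alert Hosts from Snort alert lines) over a 24 hour window.  The flow record layout, the controller list entries, the Snort "fast" alert lines, the campus prefix CAMPUS_NET and the report time are all constructed assumptions; the addresses are documentation ranges, not real controllers or hosts.

```python
"""Added example: nightly Top Botnet Hosts and Top Alert Hosts reports.
All data below is constructed for illustration; nothing here is the
University's real feed, prefix, or log format."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: the campus address space, used to pick the local host out of
# an alert's src -> dst pair (a private range here, not a real prefix).
CAMPUS_NET = ipaddress.ip_network("10.20.30.0/24")

# Constructed list in the spirit of the REN-ISAC feed: (controller IP, port).
# Matching on the pair, not the IP alone, avoids flagging ordinary traffic to
# a shared host that also happens to run a controller on one port.
BOTNET_CONTROLLERS = {
    ("203.0.113.10", 6667),
    ("203.0.113.10", 8080),
    ("198.51.100.77", 443),
}

# Constructed flow records, one per line:
# "timestamp src_ip src_port dst_ip dst_port proto"
FLOW_RECORDS = """\
2024-03-01T22:15:01 10.20.30.40 51234 203.0.113.10 6667 tcp
2024-03-01T22:15:07 10.20.30.40 51235 203.0.113.10 6667 tcp
2024-03-01T23:02:11 10.20.30.41 40001 198.51.100.77 443 tcp
2024-03-02T01:10:00 10.20.30.40 51300 203.0.113.10 8080 tcp
2024-03-02T03:00:00 10.20.30.42 33000 203.0.113.10 6667 tcp
2024-03-02T04:00:00 10.20.30.99 44000 203.0.113.10 80 tcp
2024-02-27T12:00:00 10.20.30.50 45000 198.51.100.77 443 tcp
"""

# Constructed Snort "-A fast" alert lines; the signature IDs and messages are
# made up local rules, not real Snort or Emerging Threats signatures.
SNORT_FAST = """\
03/01-22:30:00.000000  [**] [1:1000001:1] LOCAL example scan signature [**] [Priority: 2] {TCP} 10.20.30.42:51000 -> 192.0.2.5:22
03/01-22:31:00.000000  [**] [1:1000001:1] LOCAL example scan signature [**] [Priority: 2] {TCP} 10.20.30.42:51001 -> 192.0.2.6:22
03/02-02:00:00.000000  [**] [1:1000002:1] LOCAL example inbound exploit attempt [**] [Priority: 1] {TCP} 192.0.2.9:4444 -> 10.20.30.40:445
03/02-02:05:00.000000  [**] [1:1000001:1] LOCAL example scan signature [**] [Priority: 2] {TCP} 10.20.30.41:51002 -> 192.0.2.7:22
02/27-10:00:00.000000  [**] [1:1000001:1] LOCAL example scan signature [**] [Priority: 2] {TCP} 10.20.30.50:51003 -> 192.0.2.8:22
"""

# Assumption: when the nightly job runs; the window is the 24 hours before it.
REPORT_TIME = datetime(2024, 3, 2, 5, 0, 0)


def in_window(ts, now, hours=24):
    """True if ts lies in the half-open window [now - hours, now)."""
    return now - timedelta(hours=hours) <= ts < now


def parse_flows(text):
    """Parse the constructed flow layout into dicts with a datetime 'ts'."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def top_botnet_hosts(flows, controllers, now, n=10):
    """Top Botnet Hosts: per source host, count flows in the window whose
    (dst, dport) is a listed controller; return the n most frequent."""
    hits = Counter()
    for f in flows:
        if in_window(f["ts"], now) and (f["dst"], f["dport"]) in controllers:
            hits[f["src"]] += 1
    return hits.most_common(n)


# Snort fast format: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$")


def parse_snort_fast(text, year):
    """Parse Snort fast-alert lines.  Fast output carries no year, so the
    caller supplies one (assumption: every line belongs to that year)."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed alert line
        ts = datetime.strptime(f"{year}-{m['mon']}-{m['day']} {m['time']}",
                               "%Y-%m-%d %H:%M:%S")
        alerts.append({"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"]})
    return alerts


def local_host(alert):
    """Return whichever end of the alert is inside CAMPUS_NET, else None.
    Inbound alerts name the campus host as the destination, so both ends
    are checked rather than assuming the source is the offender."""
    for ip in (alert["src"], alert["dst"]):
        if ipaddress.ip_address(ip) in CAMPUS_NET:
            return ip
    return None


def top_alert_hosts(alerts, now, n=10):
    """Top Alert Hosts: campus hosts appearing most often in alerts within
    the window, each with the sorted list of signature IDs it tripped
    (kept because the remediation depends on the signature)."""
    counts = Counter()
    sids = {}
    for a in alerts:
        host = local_host(a)
        if host is None or not in_window(a["ts"], now):
            continue
        counts[host] += 1
        sids.setdefault(host, set()).add(a["sid"])
    return [(host, c, sorted(sids[host])) for host, c in counts.most_common(n)]


if __name__ == "__main__":
    print("Top Botnet Hosts:")
    for host, count in top_botnet_hosts(parse_flows(FLOW_RECORDS), BOTNET_CONTROLLERS, REPORT_TIME):
        print(f"  {host}  {count} connection(s) to listed controllers")
    print("Top Alert Hosts:")
    for host, count, sid_list in top_alert_hosts(parse_snort_fast(SNORT_FAST, REPORT_TIME.year), REPORT_TIME):
        print(f"  {host}  {count} alert(s)  sids={sid_list}")
```

Two details matter in practice: the window is half-open so that a record timestamped exactly at the report time is not counted twice by consecutive nightly runs, and the flow on 10.20.30.99 to port 80 of a listed controller address is deliberately not counted, because only the listed (IP, port) pairs are treated as controller traffic.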