
25/01/2023 12:14 Netscout University - Lab "Profiled Anomaly Detection"

Profiled Anomaly Detection

Lab Description
Review the key elements in a profiled alert to differentiate a real attack from a false positive
Understand the Router Profiled Automatic threshold configuration

Duration:
30 minutes
Platform:
https://slvis1.ne.netscout.com/
Username:
NE186
Password:
Vafaseyu2!
⚠ Please ensure you read each step carefully before performing the required task in the order described.
1. Examining Profiled DoS Alerts

1 Log in to the Sightline Deployment

Username: NE186
Password: Vafaseyu2!

1. Connect to this URL, if this page is not already open: https://slvis1.ne.netscout.com/


2. If prompted, authenticate with the lab proxy first; you will then be redirected to the
Sightline login page.
3. At the Sightline login page, log in with the same credentials.
4. Notify the proctor if you are unable to connect to your Sightline.

2 In the menu, browse to Alerts > DoS. Using the search box or the Alert Search Wizard if needed, search for
alerts with the following characteristics:
Severity: High
Alert Type: DoS Profiled Router
Start Time: in the last 5 days (use the "start is after" filter)

The Alert Search Wizard has no option "DoS Profiled Router *"; typing at:"DoS Profiled Router" manually
matches all the sub-types (DoS Profiled Router Bandwidth, DoS Profiled Router ICMP, and so on).
3 Select the alert with the highest Impact listed on the first page (keeping the default sorting by start time)
and answer the following questions:
ID:

https://cx.netscout.com/lab/465/EN

Duration:
Importance:
Profiled alert type: (Bandwidth, TCP, UDP, ICMP, etc.)
Managed object name:
Threshold value:

4 Click on the Alert ID or Mini Graph of the alert you studied to open the alert details.

5 Review the Top Traffic Patterns (last 5 minutes of the selected timeframe) listed for this alert.
What is the first pattern listed?
Could the first pattern listed correspond to a legitimate traffic flow? (Please skip and proceed if your
platform is not showing these stats)

As mentioned before, the source and destination port ranges (well-known ports 1-1023 versus ephemeral ports
1024-65535) should help here: an ordinary client-to-server flow uses an ephemeral source port and a well-known
destination port, and the server's reply uses the reverse.

6 In the Alert Characterization section, use the included lookup tool (Whois) to find more information
about the first source IP address.
To access the functionality, click on the arrow down in front of the Source IP Addresses.

7 What is the profiled alert Direction reported in this alert?

The Direction is shown on the Summary tab and can only be Incoming or Outgoing.

8 Looking at the Top Interfaces at the bottom of the Summary tab, find the interface that received the
most traffic in the IN direction.
Is this interface part of the boundary called Network?
If the interface is part of the Network boundary, this confirms that the traffic comes from OUTSIDE and is
RECEIVED through this interface into your network.

9 In your opinion, was this alert a real attack or a false positive? Write in a few words the key elements that
helped you to conclude.

In a virtual training, send this and the alert ID chosen to your instructor via the WebEx chat function.
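The checks in steps 5 to 9 can be expressed as a short script run over the fields you read off the Summary tab. The following is an added example, not NETSCOUT/Sightline code and not its API: the alert dict, the interface names, the Network boundary set and the port-range rule are constructed assumptions for illustration.

```python
"""Checklist helper for triaging a "DoS Profiled Router" alert (steps 5-9).

Added example; not NETSCOUT code and not a Sightline API. The alert is a
plain dict holding the fields the lab asks you to read off the Summary tab;
the port-range rule below is an illustrative heuristic, not Sightline logic.
"""

WELL_KNOWN = (1, 1023)       # server-side ports
EPHEMERAL = (1024, 65535)    # client-side / dynamic ports


def port_class(port_range):
    """Map a (low, high) port range to 'well-known', 'ephemeral' or 'mixed'."""
    low, high = port_range
    if WELL_KNOWN[0] <= low and high <= WELL_KNOWN[1]:
        return "well-known"
    if EPHEMERAL[0] <= low and high <= EPHEMERAL[1]:
        return "ephemeral"
    return "mixed"


def pattern_shape(pattern):
    """Name the client/server shape of a top traffic pattern.

    Assumed heuristic: a client request has an ephemeral source port and a
    well-known destination port; a server reply is the reverse. Any other
    combination does not look like an ordinary flow and needs a closer look.
    """
    src = port_class(pattern["src_ports"])
    dst = port_class(pattern["dst_ports"])
    if src == "ephemeral" and dst == "well-known":
        return "client-request"
    if src == "well-known" and dst == "ephemeral":
        return "server-reply"
    return "unusual"


def triage(alert, network_boundary):
    """Collect the key elements the lab asks for into one findings dict."""
    first = alert["top_patterns"][0]
    findings = {
        "first_pattern_shape": pattern_shape(first),
        "direction": alert["direction"],   # Incoming or Outgoing (Summary tab)
    }
    findings["first_pattern_plausible"] = findings["first_pattern_shape"] != "unusual"

    # Interface that received the most traffic in the IN direction.
    top_in = max(alert["top_interfaces"], key=lambda i: i["in_bps"])
    findings["top_in_interface"] = top_in["name"]
    findings["top_in_interface_in_boundary"] = top_in["name"] in network_boundary

    # Incoming alert received on a Network-boundary interface => the traffic
    # entered from outside your network through that interface.
    findings["external_origin_confirmed"] = (
        alert["direction"] == "Incoming" and findings["top_in_interface_in_boundary"]
    )
    return findings


# Constructed sample alert and boundary (not a real Sightline export).
SAMPLE_ALERT = {
    "direction": "Incoming",
    "top_patterns": [
        {"proto": "tcp", "src_ports": (1024, 65535), "dst_ports": (443, 443), "bps": 4.1e9},
        {"proto": "udp", "src_ports": (53, 53), "dst_ports": (1024, 65535), "bps": 0.2e9},
    ],
    "top_interfaces": [
        {"name": "edge-rtr1:ge-0/0/1", "in_bps": 3.9e9, "out_bps": 0.1e9},
        {"name": "core-rtr1:xe-1/0/0", "in_bps": 0.4e9, "out_bps": 3.8e9},
    ],
}
NETWORK_BOUNDARY = {"edge-rtr1:ge-0/0/1", "edge-rtr2:ge-0/0/1"}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT, NETWORK_BOUNDARY).items():
        print(f"{key}: {value}")
```

In the constructed alert the first pattern looks like ordinary HTTPS client requests arriving from outside, which is consistent with a real attack as much as with a flash crowd. The port heuristic narrows the question but does not settle it (reflected DNS responses also look like "server replies"), which is why the Whois lookup of the top sources, the Direction and the threshold value you noted in step 3 still decide the classification you enter in step 10.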

10 In the Annotations tab, perform the following actions:
Add your findings as a new annotation (Add Annotation)
Update the Alert Classification accordingly (False Positive, Flash Crowd, ...)
Click on Save

2. Understanding the Router Profiled Detection Thresholds

1 Looking at the following configuration, can you answer these questions?

Is the Incoming Profiled Detection enabled?

Is the Outgoing Profiled Detection enabled?

Administration > Detection > Global Detection Settings:

Incoming Profiled Router detection is enabled. Outgoing detection is set to Global, and the global setting is
enabled, so outgoing detection is enabled as well.

2 Look at the configuration shown after clicking on Edit Profiled Router Configuration, and use it to answer
the next questions.

3 Can you identify if Automatic Rate Calculation is enabled?

The option Enable Automatic Rate Calculation (Automatic Rates will override configured Severity and
Ignore Rates) is enabled.

4 Can you identify the following information?


Calculated incoming severity? (in bps)
Calculated incoming ignore rate? (in pps)
Interface bandwidth alert sensitivity? (1 to 5)

Calculated incoming severity 5.68 Gbps
Calculated incoming ignore rate 252.08 Kpps
Interface bandwidth alert sensitivity 5

5 Looking at the Automatic Rate Calculation Results graph, you can easily review how the rates you noted
previously were calculated.
Look at the value defined above the graph: Severity Percentile * Severity Multiplier.

Calculated Ignore Rates were calculated as the 40th percentile (PCT) * 1.3.
The default percentile is 40. This means that 60% of the data points over the last 30 days are greater than
the 40th-percentile value before the multiplier is applied (so somewhat fewer than 60% exceed the calculated
ignore rate itself). We recommend that you enter a value between 40 and 50.
Calculated Severity Rates were calculated as the 95th percentile (PCT) * 1.3.
Example: if the 95th percentile value for incoming traffic is 100 Mbps and the multiplier is 1.3,
then the high severity threshold for that managed object becomes 130 Mbps.
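To make the arithmetic of this step concrete, the following added example (not NETSCOUT code, and not a query against Sightline) computes both thresholds from a constructed 30-day series and shows how many samples actually fall above each. The nearest-rank percentile method, the 5-minute sample interval, the constructed series and the mapping of an observed rate onto the thresholds are assumptions for illustration; Sightline reports the severity rate in bps and the ignore rate in pps, whereas this code works on whatever unit the series is in.

```python
"""Reproduce the Automatic Rate Calculation arithmetic the lab describes.

Added example; not NETSCOUT code. It implements exactly what the lab states:
ignore rate = 40th percentile x 1.3 and severity rate = 95th percentile x 1.3
over the samples of the last 30 days. The nearest-rank percentile method, the
5-minute sample interval, the constructed traffic series and classify_rate's
mapping are assumptions for illustration only.
"""
import math
import random


def percentile(values, pct):
    """Nearest-rank percentile: the smallest sample such that at least pct%
    of all samples are less than or equal to it."""
    if not values or not 0 < pct <= 100:
        raise ValueError("need a non-empty series and 0 < pct <= 100")
    ordered = sorted(values)
    rank = math.ceil(pct * len(ordered) / 100)   # integer arithmetic first: exact
    return ordered[rank - 1]


def automatic_rates(samples, severity_pct=95, ignore_pct=40, multiplier=1.3):
    """Return the two thresholds derived from the history (lab defaults)."""
    return {
        "severity_rate": percentile(samples, severity_pct) * multiplier,
        "ignore_rate": percentile(samples, ignore_pct) * multiplier,
    }


def fraction_above(samples, threshold):
    """Share of historical samples strictly above a threshold."""
    return sum(1 for v in samples if v > threshold) / len(samples)


def classify_rate(observed, rates):
    """Assumed (illustrative) mapping of an observed rate onto the thresholds."""
    if observed < rates["ignore_rate"]:
        return "ignored"          # below the ignore rate: no alert
    if observed >= rates["severity_rate"]:
        return "high"             # at or above the severity rate
    return "low"                  # in between (assumption: lower severity)


def constructed_history(days=30, interval_s=300, seed=7):
    """Constructed bps series with a daily cycle and a few random bursts
    (sample data, not a real router's traffic)."""
    rng = random.Random(seed)
    per_day = 86400 // interval_s
    series = []
    for t in range(days * per_day):
        hour = (t % per_day) * interval_s / 3600
        base = 3.0e9 + 1.5e9 * math.sin((hour - 6) / 24 * 2 * math.pi)
        burst = 4.0e9 if rng.random() < 0.01 else 0.0
        series.append(max(0.0, rng.gauss(base, 0.3e9) + burst))
    return series


if __name__ == "__main__":
    hist = constructed_history()
    rates = automatic_rates(hist)
    print(f"severity {rates['severity_rate'] / 1e9:.2f} Gbps, "
          f"ignore {rates['ignore_rate'] / 1e9:.2f} Gbps")
    print(f"{fraction_above(hist, percentile(hist, 40)):.0%} of samples exceed the raw P40, "
          f"{fraction_above(hist, rates['ignore_rate']):.0%} exceed the ignore rate")
```

Running it on a flat history of 100 Mbps reproduces the lab's worked example (severity rate 130 Mbps); on a series of the values 1 to 100, 60% of samples exceed the raw 40th percentile but only 48% exceed the ignore rate once the 1.3 multiplier is applied, which is the nuance behind the "60%" statement above.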

6 Well Done, you have just successfully completed this exercise.


© Copyright 2022 NETSCOUT, Inc. All rights reserved
