1 Reply Latest reply on Jun 29, 2016 1:54 AM by minsktractorworks

    Detecting Long-Duration Sessions?

    rbroom

      Fellow Nitro Users,

       

      I'm trying to detect long-duration network sessions that may indicate tunnels.  I believe Nitro has all the data it needs (ADM monitoring, flow data sent to receivers), but I don't see a way to write an alarm for (say) TCP sessions lasting more than 5 minutes.

       

      Does someone have an idea how to approach this?

       

      Thanks,

       

      Ralph

        • 1. Re: Detecting Long-Duration Sessions?
          minsktractorworks

          Hey Ralph,

           

Why are you attempting to alarm on TCP sessions that have been open for a while? The reason I ask this is that all the rules we've created so far have been matched to a problem/risk. If you are worried about someone tunnelling data out, then rather than looking at the TCP connections, maybe you'd be better off looking at the Netflow data for bytes transferred or the actual databases for abnormal user access. Something else we've found very useful for picking up abnormal user behaviour out to the Internet is someone accessing an IP address through a proxy; this has helped us identify many compromised workstations.

           

Some reasons I think an alarm/correlation rule for this will flood you with false positives:

           

- Someone with Gmail open in a browser is going to hold a TCP session open for a long time.

- Proxy servers are going to hold TCP sessions open for a long time.

- Outlook is going to hold TCP sessions open for a long time.

- Windows is going to spew information back to Microsoft with TCP sessions which have been held open for a long time.
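As an added example (not code from either poster, and not Nitro/ESM correlation-rule syntax), the following Python runs the original "TCP session longer than 5 minutes" rule and the reply's bytes-transferred alternative over constructed flow records modelled on the cases listed above, and also applies the reply's "raw IP address through the proxy" heuristic to constructed proxy log lines. The flow fields, thresholds, addresses, log format and the assumption that internal destinations (proxy, Exchange) sit in RFC 1918 space are all illustrative assumptions.

```python
"""Added example for this thread: long-session rule vs. bytes-transferred rule,
plus a raw-IP proxy-request check. Sample data is constructed, not real traffic,
and nothing here is Nitro/ESM rule syntax or either poster's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: internal infrastructure (proxy, mail server) lives in RFC 1918 space.
# Checked explicitly rather than via ip_address().is_private, which also treats
# the documentation ranges (203.0.113.0/24 etc.) used in the sample as private.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    start: datetime
    end: datetime
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client

    @property
    def seconds(self) -> float:
        return (self.end - self.start).total_seconds()


T0 = datetime(2016, 6, 28, 9, 0, 0)
H = timedelta(hours=1)

# Constructed sample flows: one per legitimate long-lived case the reply lists,
# one tunnel-shaped direct upload to the Internet, and one ordinary short web hit.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "172.217.0.100", 443, T0, T0 + 3 * H, 180_000, 4_500_000),          # Gmail tab left open
    Flow("10.1.1.21", "10.1.0.5", 3128, T0, T0 + 8 * H, 40_000_000, 900_000_000),          # browser -> corporate proxy
    Flow("10.1.1.22", "10.1.0.10", 443, T0, T0 + 8 * H, 30_000_000, 250_000_000),          # Outlook -> Exchange
    Flow("10.1.1.23", "13.107.4.50", 443, T0, T0 + 2 * H, 2_000_000, 300_000),             # Windows telemetry
    Flow("10.1.1.24", "203.0.113.9", 443, T0, T0 + 6 * H, 2_600_000_000, 3_000_000),       # long, upload-heavy, bypasses proxy
    Flow("10.1.1.25", "198.51.100.7", 80, T0, T0 + timedelta(seconds=20), 1_200, 45_000),  # normal page load
]


def long_sessions(flows, min_seconds=300):
    """The rule as originally asked for: any session open longer than 5 minutes."""
    return [f for f in flows if f.seconds > min_seconds]


def suspect_uploads(flows, min_seconds=300, min_bytes_out=100_000_000, ratio=5.0):
    """The reply's alternative: judge by bytes transferred, not duration alone.

    Keeps a flow only if it is long-lived AND went straight to the Internet
    (not to the proxy or mail servers that always look long) AND pushed far
    more data out than it pulled in. Thresholds are illustrative assumptions.
    """
    return [
        f for f in flows
        if f.seconds > min_seconds
        and not is_internal(f.dst)
        and f.bytes_out >= min_bytes_out
        and f.bytes_out > ratio * max(f.bytes_in, 1)
    ]


# Constructed proxy access-log lines in an assumed "<method> <url> <status>" format.
PROXY_LOG = [
    "GET http://www.example.com/index.html 200",
    "CONNECT mail.example.net:443 200",
    "CONNECT 203.0.113.9:443 200",
    "GET http://198.51.100.7/update.bin 200",
]


def raw_ip_requests(lines):
    """The reply's other heuristic: requests whose host is a bare IPv4 address.

    Strips scheme, path and port to isolate the host (bracketed IPv6 literals
    are not handled); a host that parses as an IP address is reported.
    """
    hits = []
    for line in lines:
        url = line.split()[1]
        host = url.split("://", 1)[-1].split("/", 1)[0].rsplit(":", 1)[0]
        try:
            ip_address(host)
        except ValueError:
            continue
        hits.append(line)
    return hits


if __name__ == "__main__":
    print(len(long_sessions(SAMPLE_FLOWS)), "of", len(SAMPLE_FLOWS), "sample flows exceed 5 minutes")
    for f in suspect_uploads(SAMPLE_FLOWS):
        print("suspect upload:", f.src, "->", f.dst, f.bytes_out, "bytes out over", f.seconds, "s")
    for line in raw_ip_requests(PROXY_LOG):
        print("raw-IP request via proxy:", line)
```

On the sample data the duration-only rule flags five of the six flows, including the Gmail, proxy, Outlook and telemetry sessions the reply warns about, while the bytes-transferred rule flags only the upload-heavy direct-to-Internet flow; the proxy check picks out the two requests made to a bare IP. In a real deployment the thresholds would come from baselining the environment, and the proxy and mail-server addresses from an asset list rather than a hard-coded range.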