Содержание

Triggers in QoE

Triggers in QoE

Triggers are used to search for data in QoE Stor according to the specified parameters. After the trigger is fired, one of the following actions is possible:

GUI notification
HTTP action
sending email

Required SSG options:

Required additional modules:

Trigger configuration example: Finding the source of a Flood DDOS attack

General Information

Trigger name «Source of DDoS», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified.

Every day, once an hour, a check will be carried out according to the conditions described below.

Queries

Add a field
Name: A
Choose a table to be scanned: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
Set the period from: «now – 15minute», until : «now»

In this case, the traffic analysis for the selected page will be carried out for the period of the last 15 minutes.

Conditions

Add "+" 2 fields
Bind – AND
Function – avg
Serie in the 1 field – session timeout ⇐ 20(ms)
Serie in the 2 field – number of sessions >= 1500

We have set a condition — the trigger will fire when it detects both signs: sessions with lifetime equal or less than 20ms AND more than 1500 sessions from one IP-host.

Error handling

In the field "If no data" — No data
In the field "If execution error or timeout" — Keep last state

In this configuration — if there are no errors, no data will be saved; if any, information will be saved in the form of a table containing suspicious sessions.

Actions

E-mail

For automatic filling - click on the "</>" icon (automatic filling of the form)
In the field "Send to" — specify email address

With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).

Notification

For automatic filling - click on the "</>" icon (automatic filling of the form)
Choose the notification type — "Warning"
With this setting, a notification will be created in the SSG

You can get a link to the report in the notification menu

Select notification
Select - "Details"

Follow the link to the report - it will open in a new tab.

HTTP

For automatic filling - click on the "</>" icon (automatic filling of the form)
Choose the method most suitable for your ticket system and enter the URL

It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.

Trigger configuration example: Finding the target of a Flood DDOS attack

It differs from the previous example in setting 2 and 3 stages (Queries and Conditions).

Queries

In the "Report" field choose Raw full netflow → Tables → Attacks detection → Top subscribers → Maxi

Conditions

Serie — "Flow volume to subscribers", >= 10000

BotNet Analysis

It differs from the previous example in setting 2 and 3 stages (Queries and Conditions).

Queries

Choose Raw full netflow → Tables → Attacks detection → Top application protocols → Maxi for the "А" value
Raw full network → Tables → Raw log → Full raw log for the "B" value

Conditions

Most often, BotNet uses ports 6667 and 1080 — add each destination/source port by selecting query "B" with value "OR" and choose Flow Pcts/s equal or more than 2000.

With this configuration, if at least on one of the ports (6667/1080) the number of passing packets is more than 2000 per second, the trigger will fire.

Subscriber's interest in competitor resources

General information

Trigger name «Subscriber's interest in competitor resources», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified.

Every day, once an hour, a check will be carried out according to the conditions described below.

Queries

Add "+" field
Name А
Choose a table to be scanned: Raw clickstream → Tables → Raw clickstream
Name B
Choose a table to be scanned: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
Set the period from: "now – 1 hour", until : "now"

In this case, the traffic analysis for the selected tables will be carried out every hour.

Conditions

Add "+" 3 fields
First field — choose table "А"; Bind – "OR"; Function – "avg"; Serie Host = *megafon.com (or any other competitor ISP)
Second field — choose table "B"; Bind "AND"; Function – "avg"; Serie Flow volume from subscriber, Pct/s >= 800

We have set a condition — the trigger will fire at least 800 packets (not an accidental but meaningful visits) from a subscriber to a competitor's site.

Error handling

In the field "If no data" — No data
In the field "If execution error or timeout" — Keep last state

In this configuration — if there are no errors, no data will be saved; if any, information will be saved in the form of a table containing suspicious sessions.

Actions

E-mail

For automatic filling - click on the "</>" icon (automatic filling of the form)
In the field "Send to" — specify email address

With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).

Notification

For automatic filling - click on the "</>" icon (automatic filling of the form)
Choose the notification type — "Warning"
With this setting, a notification will be created in the SSG

You can get a link to the report in the notification menu

Select notification
Select — "Details"

Follow the link to the report — it will open in a new tab.

HTTP

For automatic filling — click on the "</>" icon (automatic filling of the form)
Choose the method most suitable for your ticket system and enter the URL