Triggers are used to search for data in QoE Stor according to the specified parameters. After the trigger is fired, one of the following actions is possible:

• GUI notification
• HTTP action
• sending email

Required SSG options:

• Statistics gathering and analysis on protocols and directions
• Subscriber notifications

Required additional modules:

• DPIUI2 (GUI - Graphical User Interface)
• QoE Stor (Statistics collection module)

Trigger name «Source of DDoS», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified.

• Add a field
• Name: A
• Choose a table to be scanned: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
• Set the period from: «now – 15minute», until : «now»

• Add "+" 2 fields
• Bind – AND
• Function – avg
• Serie in the 1 field – session timeout ⇐ 20(ms)
• Serie in the 2 field – number of sessions >= 1500

• In the field "If no data" — No data
• In the field "If execution error or timeout" — Keep last state

• For automatic filling - click on the "</>" icon (automatic filling of the form)
• In the field "Send to" — specify email address

• For automatic filling - click on the "</>" icon (automatic filling of the form)
• Choose the notification type — "Warning"
• With this setting, a notification will be created in the SSG

You can get a link to the report in the notification menu

Select notification
Select - "Details"

Follow the link to the report - it will open in a new tab.

• For automatic filling - click on the "</>" icon (automatic filling of the form)
• Choose the method most suitable for your ticket system and enter the URL

It differs from the previous example in setting 2 and 3 stages (Queries and Conditions).

In the "Report" field choose Raw full netflow → Tables → Attacks detection → Top subscribers → Maxi

Serie — "Flow volume to subscribers", >= 10000

It differs from the previous example in setting 2 and 3 stages (Queries and Conditions).

• Choose Raw full netflow → Tables → Attacks detection → Top application protocols → Maxi for the "А" value
• Raw full network → Tables → Raw log → Full raw log for the "B" value

Most often, BotNet uses ports 6667 and 1080 — add each destination/source port by selecting query "B" with value "OR" and choose Flow Pcts/s equal or more than 2000.

Trigger name «Subscriber's interest in competitor resources», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified.

• Add "+" field
• Name А
  Choose a table to be scanned: Raw clickstream → Tables → Raw clickstream
• Name B
  Choose a table to be scanned: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
• Set the period from: "now – 1 hour", until : "now"

• Add "+" 3 fields
• First field — choose table "А"; Bind – "OR"; Function – "avg"; Serie Host = *megafon.com (or any other competitor ISP)
• Second field — choose table "B"; Bind "AND"; Function – "avg"; Serie Flow volume from subscriber, Pct/s >= 800

• In the field "If no data" — No data
• In the field "If execution error or timeout" — Keep last state

• For automatic filling - click on the "</>" icon (automatic filling of the form)
• In the field "Send to" — specify email address

• For automatic filling - click on the "</>" icon (automatic filling of the form)
• Choose the notification type — "Warning"
• With this setting, a notification will be created in the SSG

You can get a link to the report in the notification menu

Select notification
Select — "Details"

Follow the link to the report — it will open in a new tab.

• For automatic filling — click on the "</>" icon (automatic filling of the form)
• Choose the method most suitable for your ticket system and enter the URL