Triggers in QoE

Triggers are used to search for data in QoE Stor according to the specified parameters. After the trigger is fired, one of the following actions is possible:

  • GUI notification
  • HTTP action
  • sending email

Required SSG options:

Required additional modules:

Trigger configuration example: Finding the source of a Flood DDoS attack

General Information

Trigger name «Source of DDoS», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end – not specified.

Every day, once an hour, a check will be carried out according to the conditions described below.

Queries

  • Add a field
  • Name: A
  • Choose a table to be scanned: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
  • Set the period from: «now – 15minute», until: «now»
In this case, the traffic analysis for the selected table will be carried out for the period of the last 15 minutes.

Conditions

  • Add "+" 2 fields
  • Bind – AND
  • Function – avg
  • Serie in the 1st field – session timeout <= 20 (ms)
  • Serie in the 2nd field – number of sessions >= 1500
We have set a condition: the trigger will fire when it detects both signs, sessions with a lifetime of 20 ms or less AND 1500 or more sessions from one IP host.

Error handling

  • In the field "If no data" — No data
  • In the field "If execution error or timeout" — Keep last state
In this configuration, if there are no errors, no data will be saved; if there are any, the information will be saved as a table containing the suspicious sessions.

Actions

E-mail

  • For automatic filling - click on the "</>" icon (automatic filling of the form)
  • In the field "Send to" — specify email address
With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).

Notification

  • For automatic filling - click on the "</>" icon (automatic filling of the form)
  • Choose the notification type — "Warning"
  • With this setting, a notification will be created in the SSG

You can get a link to the report in the notification menu

  • Select the notification
  • Select "Details"

Follow the link to the report - it will open in a new tab.

HTTP

  • For automatic filling - click on the "</>" icon (automatic filling of the form)
  • Choose the method most suitable for your ticket system and enter the URL
It is important to understand that the number of established sessions, the number of incoming packets, etc. are averaged. A more precise configuration should be made taking into account the specifics of your network.

Trigger configuration example: Finding the target of a Flood DDoS attack

It differs from the previous example only in stages 2 and 3 (Queries and Conditions).

Queries

In the "Report" field choose Raw full netflow → Tables → Attacks detection → Top subscribers → Maxi

Conditions

Serie — "Flow volume to subscribers", >= 10000

It is important to understand that the number of established sessions, the number of incoming packets, etc. are averaged. A more precise configuration should be made taking into account the specifics of your network.

BotNet Analysis

It differs from the previous example only in stages 2 and 3 (Queries and Conditions).

Queries

  • Choose Raw full netflow → Tables → Attacks detection → Top application protocols → Maxi for the "A" value
  • Choose Raw full netflow → Tables → Raw log → Full raw log for the "B" value

Conditions

BotNets most often use ports 6667 and 1080: add each destination/source port by selecting query "B" with bind "OR", and choose Flow Pcts/s equal to or more than 2000.

With this configuration, the trigger will fire if on at least one of the ports (6667/1080) the number of passing packets is more than 2000 per second.
It is important to understand that the number of established sessions, the number of incoming packets, etc. are averaged. A more precise configuration should be made taking into account the specifics of your network.
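To make the trigger semantics above concrete, here is an added Python example (not code from the QoE Stor / SSG product) that re-implements the two detection conditions described on this page, the «Source of DDoS» trigger (avg session timeout <= 20 ms AND >= 1500 sessions per host IP over the last 15 minutes) and the BotNet trigger (avg Flow Pcts/s >= 2000 on port 6667 OR 1080), over a constructed set of netflow-like records. The `Flow` record layout, field names and the sample hosts are assumptions made for the example; the thresholds, ports and window come from the text.

```python
"""Toy evaluator for the trigger conditions described in the QoE Stor text.

Added example, not product code: it mirrors the "avg" function over a
"now - N" window and the AND / OR binds between conditions, so the logic
can be exercised offline on constructed records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Flow:
    """One netflow-like record (assumed layout, not the product's schema)."""
    ts: datetime          # time the session was seen
    src_ip: str           # host IP that opened the session
    dst_port: int         # destination port
    duration_ms: float    # session lifetime ("session timeout" in the GUI)
    pkts_per_s: float     # packet rate of the flow ("Flow Pcts/s")


def avg(values):
    """The trigger's "avg" function; None when the query returned no data."""
    return sum(values) / len(values) if values else None


def in_window(flows, now, window):
    """Rows inside the query period "now - window" .. "now"."""
    return [f for f in flows if now - window <= f.ts <= now]


def source_of_ddos(flows, now, window=timedelta(minutes=15),
                   max_timeout_ms=20, min_sessions=1500):
    """'Source of DDoS' trigger, bind AND:
    avg(session timeout) <= 20 ms AND number of sessions >= 1500, per host IP.
    Returns the offending host IPs; an empty list means the trigger did not fire."""
    by_ip = {}
    for f in in_window(flows, now, window):
        by_ip.setdefault(f.src_ip, []).append(f)
    hits = []
    for ip, sessions in by_ip.items():
        short_lived = avg([s.duration_ms for s in sessions]) <= max_timeout_ms
        many = len(sessions) >= min_sessions
        if short_lived and many:          # both signs must hold (AND)
            hits.append(ip)
    return sorted(hits)


def botnet_ports(flows, now, window=timedelta(minutes=15),
                 ports=(6667, 1080), min_pkts_per_s=2000):
    """BotNet trigger, bind OR: avg(Flow Pcts/s) >= 2000 on any listed port.
    Returns {port: fired}; the trigger fires if any value is True."""
    recent = in_window(flows, now, window)
    fired = {}
    for port in ports:
        rates = [f.pkts_per_s for f in recent if f.dst_port == port]
        fired[port] = bool(rates) and avg(rates) >= min_pkts_per_s
    return fired


NOW = datetime(2024, 1, 1, 12, 0, 0)   # constructed reference time


def sample_flows():
    """Constructed records: one flooding host, two benign hosts, stale data,
    and a burst on port 6667. Not captured traffic."""
    flows = []
    # 10.0.0.5: 2000 sessions of 5 ms within the last 15 minutes -> should fire
    for i in range(2000):
        flows.append(Flow(NOW - timedelta(minutes=10, seconds=i % 60), "10.0.0.5", 80, 5.0, 50.0))
    # 10.0.0.9: 1800 sessions but 900 ms lifetime -> short-session sign missing
    for i in range(1800):
        flows.append(Flow(NOW - timedelta(minutes=5, seconds=i % 60), "10.0.0.9", 443, 900.0, 10.0))
    # 10.0.0.7: short sessions but only 100 of them -> count sign missing
    for _ in range(100):
        flows.append(Flow(NOW - timedelta(minutes=3), "10.0.0.7", 80, 5.0, 10.0))
    # 10.0.0.8: 3000 short sessions, but 40 minutes ago -> outside the window
    for _ in range(3000):
        flows.append(Flow(NOW - timedelta(minutes=40), "10.0.0.8", 80, 5.0, 10.0))
    # port 6667 averaging 2500 pkts/s; port 1080 sees nothing
    for _ in range(10):
        flows.append(Flow(NOW - timedelta(minutes=1), "10.0.0.20", 6667, 100.0, 2500.0))
    return flows


if __name__ == "__main__":
    print("Source of DDoS:", source_of_ddos(sample_flows(), NOW))   # ['10.0.0.5']
    print("BotNet ports:", botnet_ports(sample_flows(), NOW))       # {6667: True, 1080: False}
```

The benign hosts show why the AND bind matters: a host with many long-lived sessions or a host with few short ones satisfies only one sign and is not reported, and records older than the query period are ignored entirely. The same pattern (aggregate per query, compare, combine with the bind) applies to the subscriber-interest trigger further down.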

Subscriber's interest in competitor resources

General information

Trigger name «Subscriber's interest in competitor resources», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end – not specified.

Every day, once an hour, a check will be carried out according to the conditions described below.

Queries

  • Add "+" field
  • Name A
    Choose a table to be scanned: Raw clickstream → Tables → Raw clickstream
  • Name B
    Choose a table to be scanned: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
  • Set the period from: "now – 1 hour", until: "now"
In this case, the traffic analysis for the selected tables will be carried out every hour.

Conditions

  • Add "+" 3 fields
  • First field — choose table "A"; Bind – "OR"; Function – "avg"; Serie Host = *megafon.com (or any other competitor ISP)
  • Second field — choose table "B"; Bind – "AND"; Function – "avg"; Serie Flow volume from subscriber, Pct/s >= 800
We have set a condition: the trigger will fire when a subscriber sends at least 800 packets (a meaningful visit rather than an accidental one) to a competitor's site.

Error handling

  • In the field "If no data" — No data
  • In the field "If execution error or timeout" — Keep last state
In this configuration, if there are no errors, no data will be saved; if there are any, the information will be saved as a table containing the suspicious sessions.

Actions

E-mail

  • For automatic filling - click on the "</>" icon (automatic filling of the form)
  • In the field "Send to" — specify email address
With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).

Notification

  • For automatic filling - click on the "</>" icon (automatic filling of the form)
  • Choose the notification type — "Warning"
  • With this setting, a notification will be created in the SSG

You can get a link to the report in the notification menu

  • Select the notification
  • Select "Details"

Follow the link to the report — it will open in a new tab.

HTTP

  • For automatic filling — click on the "</>" icon (automatic filling of the form)
  • Choose the method most suitable for your ticket system and enter the URL
It is important to understand that the number of established sessions, the number of incoming packets, etc. are averaged. A more precise configuration should be made taking into account the specifics of your network.