Triggers are used to search data in QoE Stor based on specified parameters. When a trigger fires, one of the following actions can occur:

• Notification in GUI
• HTTP action
• Email notification

Required SSG DPI options:

• Statistics gathering and analysis on protocols and directions
• Subscriber notifications

Required additional modules:

• DPIUI2 (GUI - Graphical User Interface)
• Implementation and administration

Trigger name: “DDOS source detection”, days of the week – all, check frequency – 1 hour, trigger activation frequency – once, start and end times not set.

• Add field
• Name: A
• Select table for scanning: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
• Select period from “now – 15 minutes” to “now”

• Add two "+" fields
• Link – AND
• Function – avg
• Condition 1 – session lifetime <= 20 (ms)
• Condition 2 – number of sessions >= 1500

• “If no errors” — no data
• “If there is an error or timeout” — save last state

• Click the "</>" icon to auto-fill the form
• Enter the recipient email address in the “To” field
• When triggered, a notification will be sent to the specified email containing the trigger ID, name, status, and report link (saved state).

• Click "</>" to auto-fill the form
• Select notification type — “Warning”
• A notification will be created in the SSG system

The report link can be obtained from the notifications menu.

Select the notification Click Details

Follow the report link — it will open in a new browser window.

Click "</>" to auto-fill the form, select the method suitable for your ticket system, and enter the URL address.

This configuration differs from the previous example in steps 2 and 3 (Queries and Conditions).

In the report field, select Raw full netflow → Tables → Attacks detection → Top subscribers → Maxi

Series — “Flow volume to subscribers, Pct/s” >= 10000

This configuration differs from the previous example in steps 2 and 3 (Queries and Conditions).

• Select Raw full netflow → Tables → Attacks detection → Top application protocols → Maxi for “A”
• Raw full network → Tables → Raw log → Full raw log for “B”

Since BotNet often uses ports 6667 and 1080 — add each destination/source port by selecting query “B” with “OR” condition, and Flow Pcts/s >= 2000.

Trigger name: “Interest in competitors”, days of the week – all, check frequency – 1 hour, trigger activation frequency – once, start and end times not set.

• Add “+” field
• Name A — select table: Raw clickstream → Tables → Raw clickstream
• Name B — select table: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
• Select period from “now – 1 hour” to “now”
• This setup analyzes traffic hourly based on the selected tables.

• Add 3 “+” fields
• First field — select table “A”; Link – “OR”; Function – “avg”; Series Host = *megafon.ru (or your competitor)
• Second field — select table “B”; Link – “AND”; Function – “avg”; Series Flow volume from subscriber, Pct/s >= 800

• “If no errors” — no data
• “If there is an error or timeout” — save last state

• Click to auto-fill the form
• Enter recipient email address in “To” field

• Click "</>" to auto-fill the form
• Select notification type — “Warning”
• A notification will be created in the SSG system

The report link can be obtained from the notifications menu.

Select the notification Click Details

Follow the report link — it will open in a new browser window.

• Click "</>" to auto-fill the form
• Select the method suitable for your ticket system and enter the URL address