Caligare - makes the network better Contact Us |  Sitemap |  Our customers   Cisco Technology Developer Partner

Caligare Company News

Caligare Flow Inspector - version 4.0.0
Our clients can look forward to many new innovations in the latest CFI version (4.0.0). It's well worth the price to pay for the extended license!

CFI software - Linux based software for network monitoring and data flow analysis - the latest version with new features the main one is called network anomalies detection. Network anomalies detection (NA) uses netflow exports to identify worm and abnormal network activities detection, and deeper network analysis.

Network anomalies detection
Because NetFlow exports is coming directly from the router, a core element of any large network, NetFlow is capable of providing a unique view on the entire traffic of a network at the infrastructure level. It is also proactive detection of network infrastructure security events. Packet sniffer is more a troubleshooting tool than a specific tool for constant netflow monitoring. Packet sniffer allows you to capture every packet and store it on your hard disk. Letís say you want to do 24 hour monitoring - 7 days a week, this way you need an incredible big hard disk. Netflow monitoring collects statistics not the whole packet, which is why this method is more suitable for constant monitoring.

Caligare Flow Inspector version 4 supports base network anomaly detection such as network and host port scanning, ICMP and TCP/SYN flooding detections, and detection of network games and peer-2-peer applications. Most of the modules use heuristic detection methods - for every anomaly there is a specified probability of incident. If analyzed properly, NetFlow records will be very suitable for early worm and other abnormal (suspicious) network activity detection in large enterprise networks and service providers.

Correction of unsynchronized time between server and exporting device
If the time between collector server and exporting device is unsynchronized, flows that contain the wrong time will be. You can correct the wrong time by changing the collector settings. In most cases the source of the problem is a different/wrong time zone setting or wrong time set up on exporting device. The collector by itself analyzes each flow and if there is a difference between the flow time and the collector's time by more than 12 hours, the flow time is replaced by the collector's time.

New web interface design
Our developers created a new Caligare Flow Inspector web interface with many new icons, hints and installation tips. You can see short description for every main menu item.

NetFlow technology efficiently provides the metering base for a key set of applications including network traffic accounting, usage-based network billing, network planning, network monitoring, outbound marketing, and data mining capabilities for both service provider and enterprise customers.

Return to the news section.

Network anomalies modules

Network port scanning
The network port scan module detects many suspicious activities as worms, BOTNET scanning attacks, etc. The latest software version detects stations which are scanning the network and looking for network vulnerabilities e.g.: Microsoft WINS, NETBIOS, Microsoft DS, SOCKS, Microsoft SQL, MySQL, web cache, VNC, Microsoft EPMAP and Microsoft terminal services. This module also detects SWIFT, DABBER, QWIN worms and many other unusual activities.

Host port scanning
This network detection module identifies attackers that scan TCP or UDP service ports for vulnerabilities. This module supports only scanning of applications that uses low ports (1-1024).

ICMP flooding
The ICMP flooding detection checks how many ICMP packets the host is sending. If the number of packets exceeds the configured threshold, then the system creates a new anomaly. System recognizes long ICMP messages (>1000B) so that you can configure different thresholds for short ICMP messages and long ICMP messages. Software is capable of detecting unreachable messages (often it signify infection by worm) and other ICMP message types.

TCP/SYN flooding
The TCP/SYN flooding module detects direct or distributed flooding of network with TCP connection requests. This attack is characteristic for distributed denial of service attacks.

Network games detection
The network games detection module uses heuristic methods to detect network games. Many games use the same TCP or UDP port so it is very difficult to say which game was used. The latest version supports the following games: Need for Speed, Diablo, Civilization, Worms 3D, Microsoft DirectX games, Railroad Tycoon, Athena Sword, Unreal, Team Speak, Battlefield 1942, Battle Zone, Age of Empires, Heretic, Hexen, Doom, Call Of Duty, Castle Wolfenstein, Battlefield 2142, MSN Game Zone, Alien vs. Predator, America's Army, Battle.NET, Vietcong, Half-Life and Quake.

Peer to peer application detection
Peer to peer applications waste network bandwidth the most, so detection of these applications is very useful for many administrators, detection of these applications is very, very difficult. Network analysis software uses well-known TCP/UDP ports and some heuristic methods, but in some cases may detect false positives. The latest version supports detection of the following applications: FastTrack, Kazza, Overnet, Kademlia, Aimster, GNUtella, GNUtella2, WinMX, OpenNapster, Direct Connect, SoulSeek, eDonkey and BitTorrent.

Return to the news section.

  © 2003-2022 Caligare. All Rights Reserved.  Terms of Use  | Privacy Statement  | Site Map  | Contact Us