Caligare Company News
Caligare Flow Inspector - version 4.0.0
Our clients can look forward to many new innovations in the latest CFI version (4.0.0).
It's well worth the price to pay for the extended license!
CFI is Linux-based software for network monitoring and data flow analysis. The latest
version adds new features, the main one being network anomalies detection.
Network anomalies detection (NA) uses NetFlow exports to detect worms and abnormal
network activity, and to support deeper network analysis.
Network anomalies detection
Because NetFlow exports come directly from the router, a core element of any large
network, NetFlow can provide a unique view of the entire traffic of a network
at the infrastructure level. It also enables proactive detection of network infrastructure
security events. A packet sniffer is more a troubleshooting tool than a tool for
constant NetFlow monitoring. A packet sniffer lets you capture every packet and store
it on your hard disk. Let's say you want to monitor 24 hours a day, 7 days a week: for
that you would need an incredibly large hard disk. NetFlow monitoring collects statistics,
not the whole packet, which is why this method is more suitable for constant monitoring.
Caligare Flow Inspector version 4 supports basic network anomaly detection such as
network and host port scanning, ICMP and TCP/SYN flooding detection, and detection of network
games and peer-to-peer applications. Most of the modules use heuristic detection methods - for
every anomaly there is a specified probability of incident. If analyzed properly, NetFlow records
are very suitable for early detection of worms and other abnormal (suspicious) network activity
in large enterprise networks and service providers.
Correction of unsynchronized time between server and exporting device
If the time between collector server and exporting device is unsynchronized, flows that
contain the wrong time will be. You can correct the wrong time by changing the collector
settings. In most cases the source of the problem is a different or wrong time zone setting,
or a wrong time set on the exporting device. The collector itself analyzes each flow, and
if the flow time and the collector's time differ by more than 12 hours, the flow time is
replaced by the collector's time.
New web interface design
Our developers created a new Caligare Flow Inspector web interface with many new icons,
hints and installation tips. You can see a short description for every main menu item.
NetFlow technology efficiently provides the metering base for a key set of applications
including network traffic accounting, usage-based network billing, network planning, network
monitoring, outbound marketing, and data mining capabilities for both service provider and
Network anomalies modules
Network port scanning
The network port scan module detects many suspicious activities such as worms, botnet scanning
attacks, etc. The latest software version detects stations which are scanning the network
and looking for network vulnerabilities e.g.: Microsoft WINS, NETBIOS, Microsoft DS, SOCKS,
Microsoft SQL, MySQL, web cache, VNC, Microsoft EPMAP and Microsoft terminal services.
This module also detects SWIFT, DABBER, QWIN worms and many other unusual activities.
Host port scanning
This network detection module identifies attackers that scan TCP or UDP service ports for
vulnerabilities. This module supports only scanning of applications that uses low
The ICMP flooding detection checks how many ICMP packets the host is sending. If the number
of packets exceeds the configured threshold, the system creates a new anomaly.
The system recognizes long ICMP messages (>1000B), so you can configure different
thresholds for short ICMP messages and long ICMP messages. The software is capable of detecting
unreachable messages (these often signify infection by a worm) and other ICMP message types.
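The ICMP flooding check described above, sketched as an added example (not Caligare's code): per-host ICMP packet counts are compared against separate thresholds for short and long messages. The flow records, the threshold values and the function names are constructed for illustration, and message size is assumed to be the per-flow average because flow records carry only totals.

```python
from collections import defaultdict

ICMP = 1                 # IP protocol number for ICMP
LONG_ICMP_BYTES = 1000   # the page treats messages >1000 B as "long"
# Hypothetical per-interval packet thresholds (not CFI defaults).
THRESHOLDS = {"short": 500, "long": 50}

# Constructed flow records for one analysis interval:
# (src, dst, protocol, dst_port, packets, bytes)
# NetFlow v5 stores ICMP type/code in dst_port as type * 256 + code.
FLOWS = [
    ("10.0.0.5", "192.0.2.1", 1, 2048, 400, 33600),   # echo request, 84 B each
    ("10.0.0.5", "192.0.2.2", 1, 2048, 300, 25200),
    ("10.0.0.9", "192.0.2.7", 1, 2048, 60, 90000),    # 1500 B echo requests
    ("10.0.0.7", "10.0.0.5", 1, 769, 20, 1120),       # type 3 code 1: host unreachable
    ("10.0.0.8", "192.0.2.1", 6, 80, 9000, 540000),   # TCP, ignored
    ("10.0.0.3", "192.0.2.1", 1, 2048, 4, 336),       # ordinary ping
]

def icmp_anomalies(flows, thresholds=THRESHOLDS):
    """Return {src: [(class, packets, threshold), ...]} for hosts over a threshold."""
    sent = defaultdict(lambda: {"short": 0, "long": 0})
    for src, _dst, proto, _port, packets, nbytes in flows:
        if proto != ICMP or packets == 0:
            continue
        # Flow records carry totals only, so size is the per-flow average.
        size_class = "long" if nbytes / packets > LONG_ICMP_BYTES else "short"
        sent[src][size_class] += packets
    anomalies = {}
    for src, counts in sent.items():
        hits = [(c, n, thresholds[c]) for c, n in counts.items() if n > thresholds[c]]
        if hits:
            anomalies[src] = hits
    return anomalies

def unreachable_receivers(flows):
    """ICMP type 3 (destination unreachable) packets per receiving host.
    Assumption: the receiver is the host whose traffic provoked the errors."""
    totals = defaultdict(int)
    for _src, dst, proto, port, packets, _nbytes in flows:
        if proto == ICMP and port >> 8 == 3:
            totals[dst] += packets
    return dict(totals)

if __name__ == "__main__":
    print(icmp_anomalies(FLOWS))
    print(unreachable_receivers(FLOWS))
```

With these constructed records, 10.0.0.9 sends only 60 packets, far below the short-message threshold, and is flagged solely because of the separate long-message threshold.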
The TCP/SYN flooding module detects direct or distributed flooding of the network with TCP
connection requests. This attack is characteristic for distributed denial of service
Network games detection
The network games detection module uses heuristic methods to detect network games. Many
games use the same TCP or UDP port so it is very difficult to say which game was used. The
latest version supports the following games: Need for Speed, Diablo, Civilization, Worms 3D,
Microsoft DirectX games, Railroad Tycoon, Athena Sword, Unreal, Team Speak, Battlefield 1942,
Battle Zone, Age of Empires, Heretic, Hexen, Doom, Call Of Duty, Castle Wolfenstein,
Battlefield 2142, MSN Game Zone, Alien vs. Predator, America's Army, Battle.NET, Vietcong,
Half-Life and Quake.
Peer to peer application detection
Peer to peer applications waste network bandwidth the most, so detection of these applications
is very useful for many administrators. However, detecting these applications is very
difficult. Network analysis software uses well-known TCP/UDP ports and some heuristic methods,
but in some cases it may produce false positives. The latest version supports detection of the
following applications: FastTrack, Kazaa, Overnet, Kademlia, Aimster, GNUtella, GNUtella2,
WinMX, OpenNapster, Direct Connect, SoulSeek, eDonkey and BitTorrent.