Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 106

98  Using the Deployment Editor

Table 5-7 Flow Collector Parameters (continued)

Parameter: Flow Buffer Size
Description: Specify the amount of memory, in MB, that you wish to reserve for flow storage. The default is 400 MB.

Parameter: Maximum Number of Flows
Description: Specify the maximum number of flows you wish to send from the Flow Collector to Flow Processors.

Parameter: Remove duplicate flows
Description: Enables or disables the ability to remove duplicate flows.

Parameter: Minimum Buffer Data
Description: Specify the minimum amount of data, in bytes, that you wish the Endace Dag Interface Card to receive before the captured data is returned to the Flow Collector process. For example, if this parameter is 0 and no data is available, the Endace Dag Interface Card allows non-blocking behavior.

Parameter: Maximum Wait Time
Description: Specify the maximum amount of time, in microseconds, that you wish the Endace Dag Interface Card to wait for the minimum amount of data, as specified in the Minimum Buffer Data parameter.

Parameter: Polling Interval
Description: Specify the interval, in microseconds, that you wish the Endace Dag Interface Card to wait before checking for additional data. A polling interval avoids excessive polling traffic to the card and therefore conserves bandwidth and processing time.

Step 6  Click Save.
        The deployment editor appears.

Step 7  Repeat for all Flow Collectors in your deployment you wish to configure.

Configuring a Flow Processor

A Flow Processor collects and consolidates data from one or more Flow Collector(s). Flow Processors are located between the Classification Engine, Flow Collectors, and other Flow Processors. You can connect multiple Flow Processors in a series.

A Flow Processor removes duplicate flows and creates superflows (aggregate flows) before the flows reach the main Classification Engine. A superflow is multiple flows with the same properties combined into one flow, which details one-sided communications and security events, such as scanning and attacks, without losing the information stored in the thousands of individual flows created by an infected host or attacker. The flow contains only the communications that received no response. Valid communications from the attacking or infected hosts are stored in the flow logs. Using superflows, STRM is able to scale to larger environments and manage large attacks without overloading.

Superflows can last long periods of time, just like normal flows. STRM manages superflows in the same manner as regular flows. Superflows are logged every interval and detail the state of the flow during that time period. You can also investigate flows using the Network Surveillance interface to further expand superflows into more traditional flows, which allows for flexible analysis.

STRM Administration Guide
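The duplicate removal and superflow aggregation that the Flow Processor section describes, modelled in Python as an added example. This is not STRM's or Juniper's code: the flow record fields, the "no response" test (zero packets returned by the destination), the grouping key (source host, destination port, protocol) and the min_flows threshold are assumptions made for illustration. It shows why an aggregated one-sided flow keeps the analyst's information (target set, packet and byte totals, and the member flows for later expansion) while collapsing thousands of records into one.

```python
"""Illustrative superflow aggregation (added example, not STRM's own code).

Models the Flow Processor behaviour the guide describes:
  * duplicate flow records (for example the same flow reported by two
    collectors) are removed,
  * one-sided flows with the same properties from the same source are
    combined into a single superflow, keeping totals and the target set,
  * flows that received a response stay ordinary flows.
Field names, the "no response" test and min_flows are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    src_packets: int
    dst_packets: int  # packets sent back by dst; 0 means one-sided (assumed test)
    src_bytes: int


@dataclass
class Superflow:
    src: str
    dport: int
    proto: str
    targets: set = field(default_factory=set)
    members: list = field(default_factory=list)  # kept so the superflow can be expanded
    flows: int = 0
    src_packets: int = 0
    src_bytes: int = 0


def dedupe(flows):
    """Drop exact duplicate records (the table's 'Remove duplicate flows')."""
    seen, out = set(), []
    for f in flows:
        if f not in seen:
            seen.add(f)
            out.append(f)
    return out


def build_superflows(flows, min_flows=3):
    """Return (superflows, regular_flows).

    One-sided flows sharing (src, dport, proto) are aggregated. A group smaller
    than min_flows (an assumed threshold) is passed through unchanged so a single
    failed connection is not mislabelled as a scan.
    """
    groups, regular = defaultdict(list), []
    for f in dedupe(flows):
        if f.dst_packets == 0:
            groups[(f.src, f.dport, f.proto)].append(f)
        else:
            regular.append(f)
    supers = []
    for (src, dport, proto), members in groups.items():
        if len(members) < min_flows:
            regular.extend(members)
            continue
        sf = Superflow(src, dport, proto)
        for m in members:
            sf.targets.add(m.dst)
            sf.members.append(m)
            sf.flows += 1
            sf.src_packets += m.src_packets
            sf.src_bytes += m.src_bytes
        supers.append(sf)
    return supers, regular


def expand(superflow):
    """Return the individual flows behind a superflow (the 'expand' the guide mentions)."""
    return list(superflow.members)


# Constructed sample input: one host probing 20 addresses on TCP/445 with no reply,
# each probe reported twice, plus three answered or isolated flows.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"192.168.1.{i}", 445, "tcp", 1, 0, 60) for i in range(1, 21)] * 2
    + [
        Flow("10.0.0.5", "192.168.1.10", 445, "tcp", 12, 9, 1400),  # answered: stays regular
        Flow("10.0.0.7", "8.8.8.8", 53, "udp", 1, 1, 80),            # ordinary DNS lookup
        Flow("10.0.0.9", "192.168.1.50", 22, "tcp", 1, 0, 60),       # one failed SSH attempt
    ]
)


def summarize(flows=SAMPLE_FLOWS):
    """Counts a practitioner would log each interval for the processed batch."""
    supers, regular = build_superflows(flows)
    return {
        "superflows": len(supers),
        "regular": len(regular),
        "largest": max((len(s.targets) for s in supers), default=0),
    }


if __name__ == "__main__":
    print(summarize())
```

With the constructed batch, 43 records reduce to 23 after duplicate removal, and the 20 unanswered probes collapse into one superflow covering 20 targets and 1200 bytes, while the answered SMB session, the DNS lookup and the lone SSH failure remain regular flows.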