What is ZNeTS?
ZNeTS ("The" nets) is the acronym of "The Network Traffic Supervisor". ZNeTS is a powerful, intelligent tool, easy to deploy, that lets you detect anomalies and
investigate them, thanks to integrated tools and innovative self-learning algorithms that interpret the network flows.
It is the ultimate tool for monitoring and recording the traffic of machines for months on one or more LANs.
ZNeTS can acquire data from multiple sources (one or many NetFlow/IPFIX probes, or directly from a physical interface). So it is easy to deploy ZNeTS whatever the architecture of your network!
ZNeTS is not just a collector. It uses optimized flows that are re-aggregated over an adjustable period (from 1 minute to 1 hour).
ZNeTS may even send its flows to another collector (it then behaves as a NetFlow v9 probe).
The ZNeTS graphical interface is intuitive and ergonomic. Metrology offers two levels of detail. Alerts are simple and relevant (based on counting algorithms). Access to the network flows is easy: the selection forms are pre-filled automatically with each interaction. Two clicks on a chart or an alert are enough to see the corresponding flows.
What's the goal?
ZNeTS is a powerful and easy tool whose purpose is:
- The acquisition and conservation of inbound and outbound network flows (over many months or years, even on very high speed networks). Legally, these traces may be required in an investigation, and protect your institution from being sentenced.
- Searching and filtering data with an integrated search engine. You can quickly and accurately analyze the consequences of an attack or a virus, or highlight a theft of information.
- The detection of anomalies, generating alerts and optionally sending email. ZNeTS detects, in near real time, misuse of computer resources (peer-to-peer, servers, ...), hacker scans, spam, ... and sends alerts, so you can react very quickly!
- Metrology, with the calculation and visualization of hourly and daily statistics of the overall traffic and of detailed traffic (for each subnet and each machine on the LAN).
So, what does the data look like?
The raw data collected by ZNeTS are aggregated and stored every fraction of an hour (the period is configurable) in the DBMS.
If GeoIP databases (from MaxMind) are available, they are used to resolve the country and the autonomous system number.
ZNeTS flows are bidirectional (unlike NetFlow's). They are inherently incoming or outgoing.
Thus, they are more compact and naturally indexed by the local IP address.
What about the metrology?
The statistics are calculated from raw data in real time.
The user interface is very ergonomic (simple, intuitive and relevant). There are really many charts (40 different kinds).
Most of them are "TOP10" stacked charts, to visualize instantly the 10 biggest consumers of a resource. Two levels of detail are available for nearly all charts.
=> Test the ZNeTS interface with fixed data
And... what kinds of alerts are there?
Traffic anomalies likely to be detected are of 8 different kinds:
- A local machine has contacted more than X external machines
- A local machine has scanned an external machine
- An external machine has scanned an internal machine
- A local machine has sent queries to an unknown external DNS server
- A local machine has had abnormally high outgoing SMTP traffic
- A local machine has contacted a compromised external machine
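To make the two ideas above concrete (bidirectional flows indexed by the local IP, and a counting alert such as "a local machine has contacted more than X external machines"), here is an added Python example that is not ZNeTS code. It assumes a local prefix of 10.0.0.0/8, a 60-second aggregation period, time-ordered input, and a constructed set of NetFlow-style records; the keys and field names are this example's own choices, not the ZNeTS schema.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of unidirectional NetFlow-style records (not real data):
# (timestamp_s, src_ip, dst_ip, proto, src_port, dst_port, packets, bytes)
SAMPLE_RECORDS = [
    (10, "10.0.0.5", "198.51.100.7", 6, 40001, 443, 12, 3000),  # local -> web
    (11, "198.51.100.7", "10.0.0.5", 6, 443, 40001, 9, 15000),  # reply
    (25, "10.0.0.5", "198.51.100.8", 6, 40002, 443, 5, 800),
    (40, "10.0.0.5", "198.51.100.9", 17, 5353, 53, 1, 70),
    (70, "203.0.113.4", "10.0.0.9", 6, 55555, 22, 3, 200),  # remote -> ssh
    (71, "10.0.0.9", "203.0.113.4", 6, 22, 55555, 3, 400),  # reply
]
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed LAN prefix
PERIOD = 60  # aggregation period in seconds (ZNeTS allows 1 min to 1 h)

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def aggregate(records, period=PERIOD):
    """Fold unidirectional records into bidirectional flows keyed by time
    bucket, local host, remote host, protocol and remote port. Direction
    (in/out) comes from the first record seen for a key, so records are
    expected in time order (an assumption of this example)."""
    flows = {}
    for ts, src, dst, proto, sport, dport, pkts, nbytes in records:
        if is_local(src) and not is_local(dst):
            local, remote, rport, side = src, dst, dport, "out"
        elif is_local(dst) and not is_local(src):
            local, remote, rport, side = dst, src, sport, "in"
        else:
            continue  # local<->local and remote<->remote are not indexed here
        key = (ts // period * period, local, remote, proto, rport)
        flow = flows.setdefault(key, {"direction": side, "out_bytes": 0,
                                      "in_bytes": 0, "out_pkts": 0, "in_pkts": 0})
        flow[side + "_bytes"] += nbytes
        flow[side + "_pkts"] += pkts
    return flows

def fanout_alerts(flows, max_peers):
    """Counting alert 'a local machine has contacted more than X external
    machines': distinct remote hosts per (bucket, local host), outgoing only."""
    peers = defaultdict(set)
    for (bucket, local, remote, _proto, _rport), flow in flows.items():
        if flow["direction"] == "out":
            peers[(bucket, local)].add(remote)
    return {k: len(v) for k, v in peers.items() if len(v) > max_peers}
```

With the sample above, the two web records collapse into one outgoing flow for 10.0.0.5 carrying both byte counts, the SSH pair becomes one incoming flow for 10.0.0.9, and a threshold of 2 peers flags 10.0.0.5 in the first minute.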
How to deploy?
ZNeTS is very modular. Depending on the architecture of your network, it may be wiser to use ZNeTS in Sniffer mode or in NetFlow mode (or possibly both).
=> See the ZNeTS installation manual
ZNeTS is very easy to deploy. It was developed in C++ and includes a web server that implements the HTTP/1.1 standard (RFC 2616). Authentication by login/password or by X.509 certificate is also possible.
ZNeTS is very simple to configure. The configuration file is simple and documented.
Which kind of computer do I need to install ZNeTS?
ZNeTS currently runs on Linux. Windows and Mac OS X versions should be available soon.
It doesn't require many resources (CPU and RAM). It can be installed without problem on an old PC or a virtual machine. In extreme cases, only the access time of the disk containing the database can be a bit limiting.
Can ZNeTS deal with high-rate networks?
ZNeTS has been developed and tested in the biggest computing centers (with tens of gigabits of average traffic). In all cases, ZNeTS works perfectly, and the database can easily contain several months of traffic.
The low resource consumption suggests that ZNeTS is very far from having reached its limits.
Can I test ZNeTS?
Yes, register and try it freely for 30 days.
ZNeTS is free for French public institutions (contact us to obtain a serial number).