Host Agent Templates

The Hosts category of agents uses information from PacketShaper's host database. These agents are useful for identifying hosts that are using too much bandwidth or that may be attacking your network, for example spoofing and SYN attacks.

Agent Template Name	Default Agent Name	Description
High Bandwidth Host	na	An agent based on the High Bandwidth Host template monitors hosts, evaluating whether any one is using too much bandwidth, and can help prevent any one host from consuming too much bandwidth. The High Bandwidth Host agent will not return correct values if the unit has more than one instance of this agent type, or if the Quota Bandwidth Host agent is also enabled. The agent tracks hosts sending and/or receiving an excessive amount of traffic, allowing you to find hosts that are downloading data at high levels. Agent Parameters ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists. Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent. ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses or subnets of any hosts (such as servers) that you don't need to monitor. See Host Exception Lists. RedThreshold: An unacceptable percentage of bandwidth consumed by a single host GreenThreshold: An acceptable percentage of bandwidth Default values for the parameters are as follows: RedThreshold >10% of bandwidth on either link GreenThreshold < 5% of bandwidth on either link Yellow 5%-10% of bandwidth on either link Evaluation interval: 1 minute Action File Variables $host-ip, $direction, $avg-bps, $violatingHosts, $exceptionHosts Note: The $host-ip, $direction, and $avg-bps variables are valid in red action files only. Example
NFPM Side Unknown	Spoofing - Server, Spoofing - Client	Agents based on the New Flows Per Minute (NFPM) Side Unknown template detect hosts that may be spoofing. Spoofing attacks send packets that appear to be from a trusted source by maliciously setting the source and/or destination to false addresses. The traffic can then gain access to hosts or services that should be secure. A host is considered to be in violation if it exceeds the defined number of new flows per minute. Agent Parameters Side: client or server SideThreshold: Number of new flows per minute New Flows Per Minute The number of new flows initiated from a host (in the case of a client host) or to a host (in the case of a server) during a one-minute period. ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists. Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent. ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses or subnets of any hosts (such as servers) that you know are not spoofing. See Host Exception Lists. RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the defined number of new flows per minute (SideThreshold) GreenThreshold: An acceptable number of violating hosts Default values for the parameters are as follows: SideThreshold > 100,000 new flows per minute ViolatingHosts = violatingHosts (name of host list) ExceptionHosts = exceptionHosts (name of host list) RedThreshold >= 1 violating hosts GreenThreshold <= 0 Evaluation interval: 1 minute Note: In order for the agents to work properly, you must set the SideThreshold to a value that is appropriate for your network traffic patterns. Action File Variables $side, $sideThreshold, $violatingHosts, $exceptionHosts Example
NFPM Failed Flow	na	An agent based on the New Flows Per Minute (NFPM) Failed Flow template detects hosts that may be SYN attacking. It identifies hosts that have failed flows during the evaluation interval AND that have new flows per minute that exceed the FlowsThreshold. Agent Parameters FlowsThreshold: Number of new flows per minute New Flows Per Minute The number of new flows initiated from a host (in the case of a client host) or to a host (in the case of a server) during a one-minute period. Side: The traffic direction to be monitored: inside, outside, or both ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists. Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent. ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses or subnets of any hosts (such as servers) that you know are not syn attacking. See Host Exception Lists. RedThreshold: An unacceptable number of violating hosts; a host is in violation if it has any failed flows AND exceeds the defined number of new flows per minute (FlowsThreshold) GreenThreshold: An acceptable number of violating hosts Default values for the parameters are as follows: FlowsThreshold > 100,000 new flows per minute Side = both ViolatingHosts = violatingHosts (name of host list) ExceptionHosts = exceptionHosts (name of host list) RedThreshold >= 1 violating hosts GreenThreshold <= 0 Evaluation interval: 1 minute Notes: In order for the agents to work properly, you must set the FlowsThreshold to a value that is appropriate for your network traffic patterns. If you set the Side parameter to Inside or Outside, the agent will score only when the PacketShaper sees at least one complete connection for a host. Action File Variables $flowsThreshold, $direction, $violatingHosts, $exceptionHosts Example
Failed Flow Ratio	na	Agents based on the Failed Flow Ratio template detect hosts that have a high ratio of failed flows compared to new client flows per minute. Agent Parameters RatioThreshold: Percentage of new client flows per minute that are failed flows Side: The traffic direction to be monitored: inside, outside, or both ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists. Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent. ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses or subnets of any hosts (such as servers) that you know are not syn attacking. See Host Exception Lists. RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the RatioThreshold GreenThreshold: An acceptable number of violating hosts Default values for the parameters are as follows: RatioThreshold > 100 percent Side = both ViolatingHosts = violatingHosts (name of host list) ExceptionHosts = exceptionHosts (name of host list) RedThreshold >= 1 violating hosts GreenThreshold <= 0 Evaluation interval: 1 minute Notes: In order for the agents to work properly, you must set the RatioThreshold to a value that is appropriate for your network traffic patterns. If you set the Side parameter to Inside or Outside, the agent will score only when the PacketShaper sees at least one complete connection for a host. Action File Variables $ratioThreshold, $direction, $violatingHosts, $exceptionHosts Example
Host Info Variables	Syn Attack - Failed Flow	With the Host Info Variables template, you can select a variable to monitor hosts: Current Connections, New Flows Client, New Flows Server, Failed Flows. Agent Parameters VariableName: Current Connections, New Flows Client, New Flows Server, Failed Flows FlowsThreshold: Number of new flows or connections per minute Side: The traffic direction to be monitored: inside, outside, or both ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists. Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent. ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses or subnets of any hosts (such as servers) that you know are not syn attacking. See Host Exception Lists. RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the defined number of flows or connections (FlowsThreshold) GreenThreshold: An acceptable number of violating hosts Default values for the parameters are as follows: FlowsThreshold > 100,000 (connections, new flows per minute, or failed flows) Side = both ViolatingHosts = violatingHosts (name of host list) ExceptionHosts = exceptionHosts (name of host list) RedThreshold >= 1 violating hosts GreenThreshold <= 0 Evaluation interval: 1 minute Notes: In order for the agents to work properly, you must set the FlowsThreshold to a value that is appropriate for your network traffic patterns. If you set the Side parameter to Inside or Outside, the agent will score only when the PacketShaper sees at lease one complete connection for a host. Action File Variables $variableName, $direction, $flowsThreshold, $violatingHosts, $exceptionHosts Example
Quota Bandwidth Host	na	An agent based on the Quota Bandwidth Host template monitors hosts, evaluating whether any one is using too much absolute bandwidth, and can help prevent any one host from consuming too much bandwidth for a specified interval (such as a day). The Quota Bandwidth Host agent will not return correct values if the unit has more than one instance of this agent type, or if the High Bandwidth Host agent is also enabled. The agent tracks hosts sending and/or receiving an excessive amount of traffic, allowing you to find hosts that are downloading data at high levels. Agent Parameters HostUsageThreshold: Maximum number of bytes a host may use during the interval. Threshold can be between 0 and 2,000,000,000 bytes. HostUsageMonitorInterval: Interval to be monitored (in days). Interval can be between 0 and 30 days. At the end of the interval, the measured bytes for each host is zeroed out and any violating hosts are removed from the ViolatingHosts list. Note: The interval begins when the agent is enabled. To control the time of day at which the bytes are reset (such as at midnight), you'll need to enable the agent at the desired time. Side: The traffic direction to be monitored: inside, outside, or both ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists. Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent. ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses or subnets of any hosts (such as servers) that you don't need to monitor. See Host Exception Lists. RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the defined number of bytes (HostUsageThreshold) during the interval (HostUsageMonitorInterval). GreenThreshold: An acceptable number of violating hosts Default values for the parameters are as follows: HostUsageThreshold >= 10000000 bytes HostUsageMonitorInterval = 1 day Side = both ViolatingHosts = violatingHosts (name of host list) ExceptionHosts = exceptionHosts (name of host list) RedThreshold >=1 violating hosts GreenThreshold <= 0 Evaluation interval: 5 minutes Action File Variables $bytes, $host-ip, $direction, $violatingHosts, $exceptionHosts Example

Agent Template Name

Default Agent Name

Description

High Bandwidth Host

An agent based on the High Bandwidth Host template monitors hosts, evaluating whether any one is using too much bandwidth, and can help prevent any one host from consuming too much bandwidth. The High Bandwidth Host agent will not return correct values if the unit has more than one instance of this agent type, or if the Quota Bandwidth Host agent is also enabled. The agent tracks hosts sending and/or receiving an excessive amount of traffic, allowing you to find hosts that are downloading data at high levels.

Agent Parameters

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent.

ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses or subnets of any hosts (such as servers) that you don't need to monitor. See Host Exception Lists.

RedThreshold: An unacceptable percentage of bandwidth consumed by a single host

GreenThreshold: An acceptable percentage of bandwidth

Default values for the parameters are as follows:

RedThreshold >10% of bandwidth on either link
GreenThreshold < 5% of bandwidth on either link
Yellow 5%-10% of bandwidth on either link
Evaluation interval: 1 minute

Action File Variables

$host-ip, $direction, $avg-bps, $violatingHosts, $exceptionHosts

Note: The $host-ip, $direction, and $avg-bps variables are valid in red action files only.

Example

NFPM Side Unknown

Spoofing - Server,

Spoofing - Client

Agents based on the New Flows Per Minute (NFPM) Side Unknown template detect hosts that may be spoofing. Spoofing attacks send packets that appear to be from a trusted source by maliciously setting the source and/or destination to false addresses. The traffic can then gain access to hosts or services that should be secure. A host is considered to be in violation if it exceeds the defined number of new flows per minute.

Agent Parameters

Side: client or server

SideThreshold: Number of new flows per minute

New Flows Per Minute
The number of new flows initiated from a host (in the case of a client host) or to a host (in the case of a server) during a one-minute period.

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses or subnets of any hosts (such as servers) that you know are not spoofing. See Host Exception Lists.

RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the defined number of new flows per minute (SideThreshold)

GreenThreshold: An acceptable number of violating hosts

Default values for the parameters are as follows:

SideThreshold > 100,000 new flows per minute
ViolatingHosts = violatingHosts (name of host list)
ExceptionHosts = exceptionHosts (name of host list)
RedThreshold >= 1 violating hosts
GreenThreshold <= 0
Evaluation interval: 1 minute

Note: In order for the agents to work properly, you must set the SideThreshold to a value that is appropriate for your network traffic patterns.

Action File Variables

$side, $sideThreshold, $violatingHosts, $exceptionHosts

Example

NFPM Failed Flow

An agent based on the New Flows Per Minute (NFPM) Failed Flow template detects hosts that may be SYN attacking. It identifies hosts that have failed flows during the evaluation interval AND that have new flows per minute that exceed the FlowsThreshold.

Agent Parameters

FlowsThreshold: Number of new flows per minute

New Flows Per Minute
The number of new flows initiated from a host (in the case of a client host) or to a host (in the case of a server) during a one-minute period.

Side: The traffic direction to be monitored: inside, outside, or both

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

RedThreshold: An unacceptable number of violating hosts; a host is in violation if it has any failed flows AND exceeds the defined number of new flows per minute (FlowsThreshold)

GreenThreshold: An acceptable number of violating hosts

Default values for the parameters are as follows:

FlowsThreshold > 100,000 new flows per minute
Side = both
ViolatingHosts = violatingHosts (name of host list)
ExceptionHosts = exceptionHosts (name of host list)
RedThreshold >= 1 violating hosts
GreenThreshold <= 0
Evaluation interval: 1 minute

Notes:

In order for the agents to work properly, you must set the FlowsThreshold to a value that is appropriate for your network traffic patterns.
If you set the Side parameter to Inside or Outside, the agent will score only when the PacketShaper sees at least one complete connection for a host.

Action File Variables

$flowsThreshold, $direction, $violatingHosts, $exceptionHosts

Example

Failed Flow Ratio

Agents based on the Failed Flow Ratio template detect hosts that have a high ratio of failed flows compared to new client flows per minute.

Agent Parameters

RatioThreshold: Percentage of new client flows per minute that are failed flows

Side: The traffic direction to be monitored: inside, outside, or both

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the RatioThreshold

GreenThreshold: An acceptable number of violating hosts

Default values for the parameters are as follows:

RatioThreshold > 100 percent
Side = both
ViolatingHosts = violatingHosts (name of host list)
ExceptionHosts = exceptionHosts (name of host list)
RedThreshold >= 1 violating hosts
GreenThreshold <= 0
Evaluation interval: 1 minute

Notes:

In order for the agents to work properly, you must set the RatioThreshold to a value that is appropriate for your network traffic patterns.
If you set the Side parameter to Inside or Outside, the agent will score only when the PacketShaper sees at least one complete connection for a host.

Action File Variables

$ratioThreshold, $direction, $violatingHosts, $exceptionHosts

Example

Host Info Variables

Syn Attack - Failed Flow

With the Host Info Variables template, you can select a variable to monitor hosts: Current Connections, New Flows Client, New Flows Server, Failed Flows.

Agent Parameters

VariableName: Current Connections, New Flows Client, New Flows Server, Failed Flows

FlowsThreshold: Number of new flows or connections per minute

Side: The traffic direction to be monitored: inside, outside, or both

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the defined number of flows or connections (FlowsThreshold)

GreenThreshold: An acceptable number of violating hosts

Default values for the parameters are as follows:

FlowsThreshold > 100,000 (connections, new flows per minute, or failed flows)
Side = both
ViolatingHosts = violatingHosts (name of host list)
ExceptionHosts = exceptionHosts (name of host list)
RedThreshold >= 1 violating hosts
GreenThreshold <= 0
Evaluation interval: 1 minute

Notes:

In order for the agents to work properly, you must set the FlowsThreshold to a value that is appropriate for your network traffic patterns.
If you set the Side parameter to Inside or Outside, the agent will score only when the PacketShaper sees at lease one complete connection for a host.

Action File Variables

$variableName, $direction, $flowsThreshold, $violatingHosts, $exceptionHosts

Example

Quota Bandwidth Host

An agent based on the Quota Bandwidth Host template monitors hosts, evaluating whether any one is using too much absolute bandwidth, and can help prevent any one host from consuming too much bandwidth for a specified interval (such as a day). The Quota Bandwidth Host agent will not return correct values if the unit has more than one instance of this agent type, or if the High Bandwidth Host agent is also enabled. The agent tracks hosts sending and/or receiving an excessive amount of traffic, allowing you to find hosts that are downloading data at high levels.

Agent Parameters

HostUsageThreshold: Maximum number of bytes a host may use during the interval. Threshold can be between 0 and 2,000,000,000 bytes.

HostUsageMonitorInterval: Interval to be monitored (in days). Interval can be between 0 and 30 days. At the end of the interval, the measured bytes for each host is zeroed out and any violating hosts are removed from the ViolatingHosts list. Note: The interval begins when the agent is enabled. To control the time of day at which the bytes are reset (such as at midnight), you'll need to enable the agent at the desired time.

Side: The traffic direction to be monitored: inside, outside, or both

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the defined number of bytes (HostUsageThreshold) during the interval (HostUsageMonitorInterval).

GreenThreshold: An acceptable number of violating hosts

Default values for the parameters are as follows:

HostUsageThreshold >= 10000000 bytes
HostUsageMonitorInterval = 1 day
Side = both
ViolatingHosts = violatingHosts (name of host list)
ExceptionHosts = exceptionHosts (name of host list)
RedThreshold >=1 violating hosts
GreenThreshold <= 0
Evaluation interval: 5 minutes

Action File Variables

$bytes, $host-ip, $direction, $violatingHosts, $exceptionHosts

Example