For monitoring anomalies in traffic we are using multiple approaches. Of course we can support Energy Logserver with dedicated network probe, which is equipped with Netflow Analazing module and is detecting anomalies by default. Such probes is receiving netflow from selected span port and can be also used as virtual appliance.
Other than that we often move back to our alerting module, where we choose proper approach.
For some customers we are using metric aggregation type, where we set threshold for sent/received data.
But Energy Logserver has also set of predefined alerts and among them is: Netflow – DNS traffic abnormal of type Spike. This rule is comparing actual timeframe to previous one and calculate difference between them. By doing so we detect sudden spike of chosen pattern.
Another approach is to monitor new, unseen values in selected field (like new url address in our logs) per user, source or other parameter.
Energy Logserver is capable of connecting multiple alerts together in one, correlated by field and condition alert with types of Chain or Logical.