All scripts
analysis
Expert
5–15 min

NetFlow / sFlow Anomaly Detector

Statistical traffic anomaly engine: rolling-window baselining of per-prefix/per-port flows, DDoS volumetric and SYN-flood detection, top-talker drift, geographic source skew, and BGP-aware blackhole/RTBH suggestions.

Cisco IOS/XE/XR
Juniper
Arista
Nokia SR-OS
Open in GeneratorOpen in Platform
You're viewing a preview

The full script, parameters, and execution console are available with a free account.

Already have access? Sign in →

Capabilities

  • EWMA baselining per /24
  • SYN-flood & UDP amp detect
  • Volumetric DDoS scoring
  • Top-talker drift
  • ASN/geo source skew
  • RTBH candidate generator
  • Flow exporter health
  • Sampling-rate sanity check

Required inputs

Parameters the script accepts. Defaults shown; some are vendor- or context-gated.

ParameterTypeDefaultNotes
Baseline window (mins)
window_mins
number60
Anomaly sigma threshold
sigma_alert
number4.0
RTBH announcements require ≥3σ confidence to avoid false-positive blackholes.
Min pps to score
pps_floor
number5000
SYN/SYN-ACK ratio alert
syn_ratio_alert
number10
Generate RTBH candidates
suggest_rtbh
booltrue
RTBH community injection requires a Cisco IOS-XR or IOS/XE edge in the vendor mix.
Flow collector URL
collector_url
stringhttp://flow.local:9995

Hint 1Name your vendors and OS versions

Mention the exact platforms you run (Cisco IOS/XE/XR, Juniper, Arista, …) so the generated analysis logic uses the right CLI/NETCONF syntax.

Hint 2State your real thresholds

Provide concrete values for Baseline window (mins), Anomaly sigma threshold, Min pps to score instead of the defaults — they shape what counts as a fault.

Hint 3Prioritize the checks you need

This tool can eWMA baselining per /24 and sYN-flood & UDP amp detect. Ask for the subset relevant to your incident to keep output focused.

Hint 4Describe your inventory format

Tell the assistant whether your device list is CSV, YAML, or JSON and which columns it has, so parsing matches your data.

Sample inventory schema

Authoritative shape of the device/policy data this script consumes.

exporters.csv
csv
8 flow exporters with sample rates, protocols, collector targets
terminal
hostname,mgmt_ip,role,sample_rate,protocol,collector,export_interfaces,nf_version
edge-rtr-01,10.30.0.11,edge,1:1000,sflow,10.50.5.10:6343,"Te0/0/0,Te0/0/1,Te0/0/2",-
edge-rtr-02,10.30.0.12,edge,1:1000,sflow,10.50.5.10:6343,"Te0/0/0,Te0/0/1,Te0/0/2",-
edge-rtr-03,10.30.0.13,edge,1:1000,netflow,10.50.5.11:9995,"xe-0/0/0,xe-0/0/1",v9
protected_targets.yaml
yaml
Customer prefixes with p95 baselines, RTBH authorization, geo baseline
yaml
# Customer prefixes worth alerting/RTBH'ing on
protected_prefixes:
  - prefix: 203.0.113.0/24
    customer: ACME

Expected output

Reference terminal output the script should produce — used as a stylistic and structural target.

terminal
NETFLOW ANOMALY SCAN — window=60m, σ=4.0
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

EXPORTER HEALTH:
  edge-rtr-01  flows/s=14,221  sample=1:1000  last seen 0s    ✓
  edge-rtr-02  flows/s=12,887  sample=1:1000  last seen 0s    ✓
  edge-rtr-03  flows/s=     0  sample=1:1000  last seen 14m   ← STALE EXPORTER

VOLUMETRIC ANOMALIES (score > 4σ):
  Dst 203.0.113.42/32   pps=  1,847,221  baseline=12,400  σ=148  ← DDoS LIKELY