System and method for determining flow specification efficacy

US12113697B2 · US · B2

Patent metadata

Publication number: US-12113697-B2
Application number: US-202217970364-A
Country: US
Kind code: B2
Filing date: Oct 20, 2022
Priority date: Oct 20, 2022
Publication date: Oct 8, 2024
Grant date: Oct 8, 2024

Abstract

Official abstract text for this publication.

A computer implemented method and system for simulating the effect of one or more flow specification rules upon archived network flow data. Archived network flow data, exported from a network device, is retrieved from a database. One or more flow specification rules are applied to the archived network flow data, wherein the one or more flow specification rules are configured to perform one or more flow specification actions on the archived network flow data. The one or more flow actions effected on the archived network flow data by the applied flow specification rules are determined, and an indication or notification of the determined flow actions is provided.

Claims

What is claimed is:

1. A computer implemented method comprising: receiving, via a user interface, a first query of a storage device coupled to an external network; retrieving, by a network monitoring device disposed between the external network and a protected network, stored external network data, exported from the external network and aimed at the protected network, from the storage device; applying, by the network monitoring device, one or more flow specification rules to the retrieved stored external network data, wherein the one or more flow specification rules are configured to perform one or more flow specification actions on the retrieved stored external network data, wherein each of the one or more flow specification actions corresponds to performing, on the stored external network data, dropping, rate-limiting, traffic accepting, or passing of network traffic; finding, by the network monitoring device, a match of one of the one or more flow specification rules using a matching criteria; determining, by the network monitoring device, network traffic activity corresponding to the matched one of the one or more flow specification rules; identifying, by the network monitoring device, data from the determined network traffic activity that is respectively dropped, limited, passed, or accepted based on the flow specification actions corresponding to the matched one or more flow specification rules; and generating, by the network monitoring device based on the identified data, a user interface comprising a plurality of lists of ports of external network devices, each list corresponding to a different flow specification action and comprising a plurality of ports of external network devices ordered based on an amount of network traffic impacted by the flow specification action of the list.

2. The computer implemented method of claim 1, wherein the matching criteria includes source and destination information.

3. The computer implemented method of claim 2, wherein the source and destination information includes address prefixes, IP protocol, and transport protocol port numbers.

4. The computer implemented method of claim 1, wherein the retrieved stored external network data is in at least one of the following formats: Netflow; IPIX; and sFlow.

5. The computer implemented method of claim 1, further comprising building, based on the received first query, a request for stored external network data during a specified time period.

6. The computer implemented method of claim 1, wherein the one or more flow specification rules are progressively applied to the retrieved stored external network data.

7. The computer implemented method of claim 1, wherein responsive to the one or more flow specification rules matching the retrieved stored external network data, one or more flow actions on the retrieved stored external network data are determined.

8. The computer implemented method of claim 7, wherein further responsive to the one or more flow specification rules matching the retrieved stored external network data, an index for each of the one or more specification rules is identified.

9. The computer implemented method of claim 8, wherein the determined one or more flow actions and the one or more identified indexes associated with the one or more flow specification rules matching the retrieved stored external network data are displayed to a user.

10. The computer implemented method of claim 1, further including displaying the one or more flow specification rules.

11. The computer implemented method as recited in claim 1, wherein the one or more flow specification rules are configured to affect a change to the external network data flowing through at least one network device.

12. The computer implemented method of claim 1, further including detecting a network attack in the network traffic activity.

13. The computer implemented method of claim 1, wherein the applied one or more flow specification rules are selected from a database of preconfigured specification rules.

14. A network monitoring device, comprising: one or more databases storing external network data exported from a plurality of external network devices coupled to an external network aimed at a protected network; a processor disposed between the external network and the protected network in communication with memory configured to store instructions, wherein the processor upon execution of the instructions is configured to: receive, via a first user interface, a first query of the one or more databases storing the external network data; retrieve the stored external network data from the one or more databases in response to receipt of the first query; apply one or more flow specification rules to the retrieved stored external network data, wherein the one or more flow specification rules are configured to perform one or more flow specification actions on the retrieved stored external network data, wherein each of the one or more flow specification actions corresponds to performing, on the stored external network data, dropping, rate-limiting, traffic accepting, or passing of network traffic; find a match of one of the one or more flow specification rules using a matching criteria; determine network traffic activity corresponding to the matched one of the one or more flow specification rules; identify data from the determined network traffic activity that is respectively dropped, limited, passed or accepted based on the flow specification actions corresponding to the matched one or more flow specification rules; and generating, by the network monitoring device based on the identified data, a user interface comprising a plurality of lists of ports of external network devices, each list corresponding to a different flow specification action and comprising a plurality of ports of external network devices ordered based on an amount of network traffic impacted by the flow specification action of the list.

15. The network device of claim 14, wherein the processor is further configured to: monitor the external network data flowing through one or more networks; and detect a network attack in the network data to the one or more networks.

16. The network device of claim 14, wherein the one or more flow specification rules are selected from a plurality of preconfigured specification rules stored in the one or more databases.

17. The network device of claim 14, wherein the one or more announced flow specification rules are configured and operative to mitigate a network attack.

18. The network device of claim 14, wherein retrieving the network data further includes retrieving captured external network data corresponding to a user defined time period.

19. The network device of claim 14, wherein the one or more flow specification rules are progressively applied to the retrieved captured external network data.
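The simulation that claims 1, 6, 8 and 14 describe, as an added illustration and not code from the patent or from Arbor Networks: archived NetFlow-style records (constructed here) are run through an ordered list of hypothetical flow specification rules, each record is assigned the action of the first rule whose prefix/protocol/port criteria match (progressive application, first match wins, is this example's assumption), the matching rule's index is recorded, and the result is a per-action list of destination ports ranked by bytes impacted. Unmatched records fall through as "pass".

```python
import ipaddress
from collections import defaultdict

# Constructed archived flow records (NetFlow-style fields); not real traffic.
FLOWS = [
    {"src": "203.0.113.5",  "dst": "198.51.100.10", "proto": 17, "dport": 53,  "bytes": 900_000},
    {"src": "203.0.113.9",  "dst": "198.51.100.10", "proto": 17, "dport": 123, "bytes": 400_000},
    {"src": "192.0.2.77",   "dst": "198.51.100.20", "proto": 6,  "dport": 443, "bytes": 150_000},
    {"src": "192.0.2.78",   "dst": "198.51.100.20", "proto": 6,  "dport": 80,  "bytes": 50_000},
    {"src": "203.0.113.44", "dst": "198.51.100.30", "proto": 6,  "dport": 22,  "bytes": 5_000},
]

# Hypothetical flow specification rules: matching criteria plus one of the four
# actions named in the claims. A field absent from a rule is a wildcard.
RULES = [
    {"src": "203.0.113.0/24", "proto": 17, "dport": 53, "action": "drop"},
    {"src": "203.0.113.0/24", "proto": 17, "action": "rate-limit"},
    {"dst": "198.51.100.20/32", "proto": 6, "action": "accept"},
]

def matches(rule, flow):
    """True when every criterion present in the rule matches the flow record."""
    for key in ("src", "dst"):  # address prefixes
        if key in rule and ipaddress.ip_address(flow[key]) not in ipaddress.ip_network(rule[key]):
            return False
    for key in ("proto", "dport"):  # IP protocol and transport port
        if key in rule and rule[key] != flow[key]:
            return False
    return True

def simulate(rules, flows):
    """Apply rules progressively (first match wins, an assumption of this example).

    Returns (ranked, matched_index): ranked maps each action to a list of
    (dst_port, bytes) pairs sorted by bytes descending; matched_index holds the
    index of the rule that matched each flow, or None when no rule matched.
    """
    impact = defaultdict(lambda: defaultdict(int))
    matched_index = []
    for flow in flows:
        action, idx = "pass", None
        for i, rule in enumerate(rules):
            if matches(rule, flow):
                action, idx = rule["action"], i
                break
        impact[action][flow["dport"]] += flow["bytes"]
        matched_index.append(idx)
    ranked = {act: sorted(ports.items(), key=lambda kv: kv[1], reverse=True)
              for act, ports in impact.items()}
    return ranked, matched_index
```

With the constructed data, the DNS flow is dropped by rule 0, the NTP flow is rate-limited by the broader rule 1, the two HTTPS/HTTP flows are accepted by rule 2, and the SSH flow matches nothing and passes.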

Assignees

Arbor Networks Inc

Classifications (CPC titles)

  • involving simulating, designing, planning or modelling of a network

  • Event detection, e.g. attack signature detection

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)

  • comprising specially adapted graphical user interfaces [GUI]

  • Rule management

Frequently asked questions

Who is the assignee on this patent?
Arbor Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 8, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).