Adrian,

> Does anyone know of anything other than flow-dscan that can identify
> suspicious netflow, perhaps based on some sort of definition file like AV
> engines use?
> 
> I'd appreciate any pointers.

It's pretty easy to grok the output of flow-export with a Perl script to
find interesting traffic flows.

An IP address may be worthy of investigation if:
1) It talks to more than (say) 100 distinct IP addresses (unless excluded
by a white-list) {see below}
2) It attempts to talk to a known non-routable IP network.
3) Its last octet is outside of your standard DHCP or static ranges.
4) It sends more than (say) 100 flows that are SYN only or SYN/Reset. {see
below}
5) It talks using a non-standard or unexpected TCP or UDP port. (E.g.
should your proxy server ever send telnet or SMTP?)

Hope this inspires you :-)

Cheers

Alistair


# Example filter definition for dubious flows from 
# Syn with no fin or rst
filter-primitive fp-syn-only-or-syn-reset
  type ip-tcp-flags
# Syn only
  permit 0x2
# Syn 0x02 with reset 0x04 but no push or ack
  permit 0x6
  default deny

Here is a simple bit of code to solve #1 above. You can easily adapt
this into a cron job to send a trap or email.
__CODE__
#!/usr/bin/perl
use strict;
use warnings;

my $_USAGE = <<END_USAGE;
flow-virus-check   -  Check for virus-like activity in a flow file

Usage:   flow-virus-check <threshold>

    Scans flow data and reports IP addresses worthy of investigation.
    Threshold is the minimum number of distinct destination IP addresses
    that an IP address must have spoken to before it is reported.

Example: flow-cat ft-v07.2006-02-02.205538+0000 | flow-virus-check 100

License: This software is released under the same terms as perl itself.

END_USAGE

die $_USAGE unless @ARGV;

my $thresh = shift || 100;

# Build a hash of white-listed IP addresses from the __DATA__ section
my @white_list = grep { /^\d+\.\d+\.\d+\.\d+$/ } <DATA>;   # keep only dotted quads
chomp @white_list;
my %white_list;
@white_list{@white_list} = (1) x @white_list;

# Read flow export for src and dst IP fields in CSV format
# (-f2 = CSV output, -m0x3000 = src and dst address fields); flow records
# are expected on STDIN, e.g. from flow-cat
open IN, "/usr/local/netflow/bin/flow-export -f2 -m0x3000 2> /dev/null |"
    or die "Cannot pipe from flow-export : $!";

my %store;
warn "Reading\n";
while (<IN>) {
    print STDERR "." if ( $. % 10_000 == 0 );   # Status check every 10K flows
    chomp;
    next if /^#/;                                # skip any header/comment lines
    my ($src, $dst) = split /,/;
    next unless defined $dst;                    # malformed record
    next if $white_list{$src} || $white_list{$dst};
    $store{$src}{$dst}++;                        # record both directions so that
    $store{$dst}{$src}++;                        # each end gets a peer count
}
close IN;
warn "Analysing\n";
while (my ($ip, $ref_dest) = each %store) {
    next if $thresh > keys %$ref_dest;           # report only at/above threshold
    printf "%15s has spoken to %5d distinct IP addresses\n",
        $ip, scalar keys %$ref_dest;
    # We could print more here if desired as we have the freq
    # count of each destination
}

__DATA__
# Whitelist of IP addresses here:
# Eg Web proxy server
10.11.12.13
# SNMP Trap collector
172.21.21.172

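The five checks in Alistair's list, applied together to flow-export style CSV records, as an added Python example (not the Perl script from this post, and not part of flow-tools). It assumes each record is `src,dst,proto,srcport,dstport,tcp_flags` (the field order is an assumption; match it to whatever `-m` mask you export with). The whitelist, the "dark" networks, the address plan and the expected-port table are constructed sample policy, and the flow lines are constructed, not a real capture.

```python
"""Triage flow-export style CSV records with the heuristics from the post.

Added example, not the original Perl script.  Field order of a record is
assumed to be 'src,dst,proto,srcport,dstport,tcp_flags' (an assumption).
"""
import ipaddress
from collections import defaultdict

SYN, RST = 0x02, 0x04

# --- constructed policy (assumptions; adjust to your own network) ---
WHITELIST = {"10.11.12.13", "172.21.21.172"}        # hosts that may legitimately fan out
DARK_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.250.0.0/16")]
HOST_OCTETS = range(1, 201)                         # last octets used by DHCP + static pool
EXPECTED_PORTS = {"10.11.12.13": {80, 443, 3128}}   # the proxy should only do these

# Constructed sample flows: one host SYN-sweeping port 445, one talking to a
# dark network, the proxy sending telnet, a host outside the address plan, and
# one ordinary client.
SAMPLE_FLOWS = (
    ["# src,dst,proto,srcport,dstport,tcp_flags   (constructed, not captured)"]
    + [f"10.0.0.5,10.0.1.{i},6,51000,445,2" for i in range(1, 151)]
    + [
        "10.0.0.7,192.0.2.44,6,40001,80,27",
        "10.11.12.13,10.0.0.9,6,40002,23,27",
        "10.0.0.250,10.11.12.13,6,40003,3128,27",
        "10.0.0.8,10.11.12.13,6,40004,3128,27",
    ]
)


def parse_flow(line):
    """Parse one CSV record; return None for blank or '#' comment/header lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, proto, sport, dport, flags = line.split(",")
    return src, dst, int(proto), int(sport), int(dport), int(flags, 0)


def analyse(lines, fanout_thresh=100, syn_thresh=100):
    """Return {ip: [reasons]} for every address that trips one of the five checks."""
    peers = defaultdict(set)        # check 1: distinct peers, counted both ways like the Perl
    syn_only = defaultdict(int)     # check 4: SYN-only / SYN+RST flows per source
    findings = defaultdict(set)

    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, proto, _sport, dport, flags = rec

        # 1) fan-out, skipping flows that involve a white-listed host
        if src not in WHITELIST and dst not in WHITELIST:
            peers[src].add(dst)
            peers[dst].add(src)

        # 2) destination inside a network nothing here should ever talk to
        for net in DARK_NETS:
            if ipaddress.ip_address(dst) in net:
                findings[src].add(f"talks to non-routable {net}")

        # 3) source address outside the DHCP/static address plan
        if int(src.rsplit(".", 1)[1]) not in HOST_OCTETS:
            findings[src].add("last octet outside address plan")

        # 4) TCP flow that carried only SYN, or SYN and RST (no ACK/PSH/FIN)
        if proto == 6 and flags in (SYN, SYN | RST):
            syn_only[src] += 1

        # 5) a host with a known role using a port that role never needs
        if src in EXPECTED_PORTS and dport not in EXPECTED_PORTS[src]:
            findings[src].add(f"unexpected destination port {dport}")

    for ip, s in peers.items():
        if len(s) >= fanout_thresh:
            findings[ip].add(f"{len(s)} distinct peers")
    for ip, n in syn_only.items():
        if n >= syn_thresh:
            findings[ip].add(f"{n} SYN-only/SYN-RST flows")
    return {ip: sorted(r) for ip, r in findings.items()}


if __name__ == "__main__":
    # For real data: flow-cat file | flow-export -f2 -m<mask> | python3 this.py
    for ip, reasons in sorted(analyse(SAMPLE_FLOWS).items()):
        print(f"{ip:>15}: {'; '.join(reasons)}")
```

Two design points worth noting: peers are recorded in both directions, as in the Perl, so a busy server answering many clients also crosses the fan-out threshold and must be whitelisted, whereas the SYN-only count is kept per source only, because a scanner is the one emitting the half-open flows. Thresholds are arguments so the same function can be tuned per site without touching the policy tables.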


_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
