Adrian,
> Does anyone know of anything other than flow-dscan that can identify
> suspicious netflow, perhaps based on some sort of definition file like AV
> engines use?
>
> I'd appreciate any pointers.
It's pretty easy to grok the output of flow-export with a Perl script to
find interesting traffic flows.
An IP address may be worthy of investigation if:
1) It talks to more than (say) 100 distinct IP addresses (unless excluded
   by a white-list) {see below}
2) It attempts to talk to a known non-routable IP network.
3) Its last octet is outside of your standard DHCP or static ranges.
4) It sends more than (say) 100 flows that are SYN only or SYN/Reset. {see
   below}
5) It talks using a non-standard or unexpected TCP or UDP port. (E.g.
   should your proxy server ever send telnet or SMTP?)
Hope this inspires you :-)
Cheers
Alistair
# Example filter definition for dubious flows from
# SYN-only or SYN/RST flows (no ACK, PSH or FIN set)
filter-primitive fp-syn-only-or-syn-reset
  type ip-tcp-flags
  # SYN only
  permit 0x2
  # SYN 0x02 with reset 0x04 but no push or ack
  permit 0x6
  default deny
Here is a simple bit of code to solve #1 above. You can easily adapt
this into a cron job to send a trap or email
__CODE__
#!/usr/bin/perl
use strict;
use warnings;
my $_USAGE = <<END_USAGE;
flow-virus-check - Check for virus-like activity in a flow file
Usage: flow-virus-check <threshold>
Scans flow data on STDIN and reports IP addresses worthy of investigation.
Threshold is the number of distinct destination IP addresses at or above
which an IP address is reported.
Example: flow-cat ft-v07.2006-02-02.205538+0000 | flow-virus-check 100
License: This software is released under the same terms as perl itself.
END_USAGE
die $_USAGE unless @ARGV;
my $thresh = shift || 100;
# Build a hash of white-listed IP addresses from the __DATA__ section;
# comment and blank lines are skipped by the dotted-quad match.
my @white_list = grep {/^\d+\.\d+\.\d+\.\d+$/} <DATA>;
chomp @white_list;
my %white_list;
@white_list{@white_list} = (1) x @white_list;
# Read flow export for src and dst IP fields in CSV format;
# flow-export reads the flow file from STDIN (e.g. piped from flow-cat).
open IN, "/usr/local/netflow/bin/flow-export -f2 -m0x3000 2> /dev/null |"
    or die "Cannot pipe to flow-export : $!";
my %store;
warn "Reading\n";
while (<IN>) {
    print STDERR "." if ( $. % 10_000 == 0 ); # Status check every 10K flows
    chomp;
    my ($src, $dst) = split /,/;
    next if $white_list{$src} || $white_list{$dst};
    # Record the peer in both directions so a host is counted whether it
    # initiated or received the flow
    $store{$src}{$dst}++;
    $store{$dst}{$src}++;
}
warn "Analysing\n";
while (my ($ip, $ref_dest)= each %store) {
next if $thresh > keys %$ref_dest;
printf "%15s has spoken to %5d distinct IP addresses\n",
$ip, scalar keys %$ref_dest;
# We could print more here if desired as we have the freq
# count of each destination
}
__DATA__
# Whitelist of IP addresses here:
# Eg Web proxy server
10.11.12.13
# SNMP Trap collector
172.21.21.172
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
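As an added example (not Alistair's script, and not flow-tools code), the following Python combines heuristics 1 and 4 from the post: the distinct-peer fan-out count with a white-list, plus a count of SYN-only / SYN+RST flows matching the filter-primitive. The column order srcaddr,dstaddr,prot,tcp_flags and the sample flows are assumptions constructed for the example; real flow-export -f2 output depends on the -m mask you pass, so adjust parse_flow() to match.

```python
"""Fan-out and SYN-probe heuristics over flow-export style CSV lines."""
from collections import defaultdict

SYN, RST = 0x02, 0x04
# Same white-list entries as the post's __DATA__ section (proxy, trap collector)
WHITELIST = {"10.11.12.13", "172.21.21.172"}


def build_sample():
    """Constructed sample: a normal host, a white-listed proxy and a scanner."""
    rows = [f"192.0.2.10,198.51.100.{i},6,0x1b" for i in (1, 2, 3)]
    rows += [f"10.11.12.13,198.51.100.{i},6,0x1b" for i in range(1, 151)]
    rows += [f"192.0.2.50,198.51.100.{i},6,0x02" for i in range(1, 121)]
    rows += [f"192.0.2.50,198.51.100.{i},6,0x06" for i in range(1, 11)]
    return "\n".join(rows)


def parse_flow(line):
    # Assumed column layout: srcaddr,dstaddr,prot,tcp_flags (hex or decimal flags)
    src, dst, prot, flags = line.strip().split(",")
    return src, dst, int(prot), int(flags, 0)


def is_syn_probe(prot, flags):
    """TCP flow with SYN only (0x02) or SYN+RST (0x06), as in the filter-primitive."""
    return prot == 6 and flags in (SYN, SYN | RST)


def analyse(lines, fanout_thresh=100, probe_thresh=100, whitelist=WHITELIST):
    peers = defaultdict(set)   # ip -> distinct ips it exchanged flows with
    probes = defaultdict(int)  # ip -> SYN-only / SYN+RST flows it sent
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, prot, flags = parse_flow(line)
        if src in whitelist or dst in whitelist:
            continue
        peers[src].add(dst)  # count both directions, like the Perl script
        peers[dst].add(src)
        if is_syn_probe(prot, flags):
            probes[src] += 1
    findings = defaultdict(list)
    for ip, seen in peers.items():
        if len(seen) >= fanout_thresh:
            findings[ip].append(f"spoke to {len(seen)} distinct IPs")
    for ip, n in probes.items():
        if n >= probe_thresh:
            findings[ip].append(f"sent {n} SYN-only/SYN-RST flows")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in analyse(build_sample().splitlines()).items():
        print(f"{ip:>15}: {'; '.join(reasons)}")
```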