Hi Craig,

You could use flow-nfilter.

create a file filter.cfg

# start file filter.cfg
filter-primitive infected-hosts
        type ip-address
        permit <ipaddr>
        .
        .
        permit <ipaddr>
        default deny

filter-primitive external-hosts
        type ip-address
        permit <ipaddr>
        default deny

filter-definition find-infected-hosts
        match src-ip-addr infected-hosts
        match dst-ip-addr external-hosts
# end file filter.cfg

then:
flow-nfilter -f filter.cfg -F find-infected-hosts < flowfile | flow-print -f5

or if you want to get the stats of the src and dst address sorted by octets
flow-nfilter -f filter.cfg -F find-infected-hosts < flowfile | flow-stat -f10 -S3

Rgds
Edwin

On Sun, 12 Sep 2004, Craig Macdonald wrote:

Hi flow-tools people!

Background:
We've been investigating a virus lookup on campus last week, in light of
recent news from the Internet Storm Center.

We detected the virus on Friday using our flowscan modules that were
processing the flow-tools files.

Last week we noted that the virus attempted to connect to 203.81.40.172 on
port 10009 (as per http://isc.sans.org/diary.php?date=2004-09-08)
So we checked our logs to see which machines had been attempting to
connect on that port - this identified most of the infected machines we
had previously identified and a few more.

Question:
We were wondering if it is possible, that given a list of (internal) IP
addresses, we could filter on them, and then aggregate to determine if
there was anything else that many of the listed machines had attempted to
connect to. (Using flow-report etc)

If I were to explain this in a SQL like fashion:
SELECT dstip, count(*) FROM flows
WHERE
srcip IS IN (infected hosts list)
AND dstip IS external
GROUP BY dstip

We could then monitor for other infected machines making connections to
the same machine (bot controller), thus identifying infections quickly.

All input welcome

Regards

Craig Macdonald
[EMAIL PROTECTED]
Glasgow University Computing Service

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools

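Added example (not from Edwin's or Craig's messages, and not flow-tools code): the SQL-like query Craig sketched, implemented in Python over flow records that have already been exported to CSV. The column order `srcaddr,dstaddr,dstport,dOctets` is an assumption (it is the kind of layout you get from `flow-export` with a suitable field mask; check your own export before relying on it), the 10.0.0.0/8 campus range and the infected-host list are assumptions, and the flow lines are constructed sample data, with 203.81.40.172:10009 taken from the thread. It goes one step beyond the query by counting distinct infected sources per destination rather than raw flows (many infected machines reaching one host is the bot-controller signal), and adds the follow-on step Craig describes: listing hosts that talk to the suspected controller but are not yet on the infected list.

```python
"""Aggregate the external destinations contacted by known-infected hosts.

Equivalent of:
    SELECT dstip, count(*) FROM flows
    WHERE srcip IN (infected list) AND dstip IS external
    GROUP BY dstip
but also reports how many *distinct* infected sources hit each destination.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed CSV column layout of the exported flow records.
FIELDS = ["srcaddr", "dstaddr", "dstport", "dOctets"]

# Constructed sample flows (not real data). Three infected hosts reach
# 203.81.40.172:10009, two of them also reach a second external host,
# one infected host talks to an internal server (must be ignored), and
# one host not on the list (10.2.2.22) also reaches 203.81.40.172.
SAMPLE_FLOWS = """\
10.1.1.10,203.81.40.172,10009,412
10.1.1.11,203.81.40.172,10009,398
10.1.1.12,203.81.40.172,10009,405
10.1.1.10,10.5.5.5,80,2010
10.2.2.22,203.81.40.172,10009,400
10.1.1.11,198.51.100.7,6667,1533
10.1.1.12,198.51.100.7,6667,1601
"""

# Assumed campus address space and assumed list of already-identified hosts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INFECTED = {"10.1.1.10", "10.1.1.11", "10.1.1.12"}


def parse_flows(csv_text):
    """Yield one dict per flow record from CSV text using the assumed columns."""
    yield from csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS)


def is_external(addr, internal_nets=INTERNAL_NETS):
    """True if addr lies outside every internal network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in internal_nets)


def aggregate_destinations(csv_text, infected, internal_nets=INTERNAL_NETS):
    """Return [(dstaddr, distinct_infected_sources, flows, octets), ...]
    for external destinations, most-shared destination first."""
    flows = defaultdict(int)
    octets = defaultdict(int)
    sources = defaultdict(set)
    for row in parse_flows(csv_text):
        src, dst = row["srcaddr"], row["dstaddr"]
        if src not in infected or not is_external(dst, internal_nets):
            continue  # WHERE srcip IN (...) AND dstip IS external
        flows[dst] += 1
        octets[dst] += int(row["dOctets"])
        sources[dst].add(src)
    result = [(dst, len(sources[dst]), flows[dst], octets[dst]) for dst in flows]
    # Rank by how many infected machines share the destination, then volume.
    result.sort(key=lambda r: (r[1], r[2], r[3]), reverse=True)
    return result


def hosts_contacting(csv_text, controller, known_infected,
                     internal_nets=INTERNAL_NETS):
    """Internal hosts that reached the suspected controller but are not
    yet on the infected list: candidates for the next round of cleanup."""
    return {
        row["srcaddr"]
        for row in parse_flows(csv_text)
        if row["dstaddr"] == controller
        and row["srcaddr"] not in known_infected
        and not is_external(row["srcaddr"], internal_nets)
    }


if __name__ == "__main__":
    for dst, nsrc, nflows, nbytes in aggregate_destinations(SAMPLE_FLOWS, INFECTED):
        print(f"{dst:16} sources={nsrc} flows={nflows} octets={nbytes}")
    top = aggregate_destinations(SAMPLE_FLOWS, INFECTED)[0][0]
    print("new suspects contacting", top, "->", sorted(hosts_contacting(SAMPLE_FLOWS, top, INFECTED)))
```

Feed it the CSV from your own export instead of `SAMPLE_FLOWS`, and treat the destination with the highest distinct-source count as the controller candidate; the second function then gives the same "who else talked to it" list that Craig describes using to catch further infections.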