Edwin,

Your solutions would show me a) the flows and b) the octets for destination addresses. I was more interested in seeing how *many* of this group of internal hosts had connected to the same external hosts.

With the current flow-tools, I would have to post-process the flows to obtain this I think.

C

On Mon, 13 Sep 2004, Edwin Lok wrote:

> Hi Craig,
>
> You could use flow-nfilter.
>
> create a file filter.cfg
>
> # start file filter.cfg
> filter-primitive infected-hosts
>   type ip-address
>   permit <ipaddr>
>   .
>   .
>   permit <ipaddr>
>   default deny
>
> filter-primitive external-hosts
>   type ip-address
>   permit <ipaddr>
>   default deny
>
> filter-definition find-infected-hosts
>   match src-ip-addr infected-hosts
>   match dst-ip-addr external-hosts
> # end file filter.cfg
>
> then:
>
> flow-nfilter -f filter.cfg -F find-infected-hosts < flowfile | flow-print -f5
>
> or if you want to get the stats of the src and dst address sorted by octets:
>
> flow-nfilter -f filter.cfg -F find-infected-hosts < flowfile | flow-stat -f10 -S3
>
> Rgds
> Edwin
>
> On Sun, 12 Sep 2004, Craig Macdonald wrote:
>
> > Hi flow-tools people!
> >
> > Background:
> > We've been investigating a virus lookup on campus last week, in light of
> > recent news from the Internet Storm Center.
> >
> > We detected the virus on Friday using our flowscan modules that were
> > processing the flow-tools files.
> >
> > Last week we noted that the virus attempted to connect to 203.81.40.172 on
> > port 10009 (as per http://isc.sans.org/diary.php?date=2004-09-08).
> > So we checked our logs to see which machines had been attempting to
> > connect on that port - this identified most of the infected machines we
> > had previously identified and a few more.
> >
> > Question:
> > We were wondering if it is possible, that given a list of (internal) IP
> > addresses, we could filter on them, and then aggregate to determine if
> > there was anything else that many of the listed machines had attempted to
> > connect to. (Using flow-report etc)
> >
> > If I were to explain this in a SQL like fashion:
> >
> > SELECT dstip, count(*) FROM flows
> > WHERE
> >   srcip IS IN (infected hosts list)
> >   AND dstip IS external
> > GROUP BY dstip
> >
> > We could then monitor for other infected machines making connections to
> > the same machine (bot controller), thus identifying infections quickly.
> >
> > All input welcome
> >
> > Regards
> >
> > Craig Macdonald
> > [EMAIL PROTECTED]
> > Glasgow University Computing Service
> >
> > _______________________________________________
> > Flow-tools mailing list
> > [EMAIL PROTECTED]
> > http://mailman.splintered.net/mailman/listinfo/flow-tools
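The post-processing step Craig describes, as an added example that is not from the thread or from flow-tools itself: it implements the SQL-style query from the original question (for each external destination, how many of the listed infected hosts connected to it) over flow records already dumped to text. The one-flow-per-line "srcaddr dstaddr dstport" layout, the 10.0.0.0/8 campus range and the sample flows are constructed assumptions, since the thread does not show real flow-print output.

```python
# Added example, not code from the thread. Assumption: flows were already
# exported to text, one per line, as "srcaddr dstaddr dstport"; the real
# flow-print column layout is not shown in the thread, so this format, the
# campus range and the sample data below are constructed.
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed campus range
INFECTED = {"10.1.1.5", "10.1.1.7", "10.1.2.9"}        # constructed list

# Constructed sample: three infected hosts, one clean host, two destinations.
SAMPLE_FLOWS = """\
10.1.1.5 203.0.113.9 10009
10.1.1.7 203.0.113.9 10009
10.1.1.5 198.51.100.20 6667
10.1.1.7 198.51.100.20 6667
10.1.2.9 198.51.100.20 6667
10.1.1.5 198.51.100.20 6667
10.9.9.9 198.51.100.20 6667
10.1.1.7 10.1.1.5 445
"""

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def shared_destinations(flow_text, infected):
    """{(dstaddr, dstport): number of DISTINCT infected sources}, i.e.
    SELECT dst, COUNT(DISTINCT src) ... WHERE src IN infected AND dst external
    GROUP BY dst. Repeated flows from one host are counted once."""
    sources = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                      # blank or header line
        src, dst, dport = parts[0], parts[1], int(parts[2])
        if src in infected and is_external(dst):
            sources[(dst, dport)].add(src)
    return {key: len(srcs) for key, srcs in sources.items()}

def ranked(flow_text, infected, min_hosts=2):
    """Destinations shared by at least min_hosts infected machines, most
    shared first: the candidates worth watching for further infections."""
    counts = shared_destinations(flow_text, infected)
    return sorted(((n, dst, port) for (dst, port), n in counts.items()
                   if n >= min_hosts), reverse=True)

if __name__ == "__main__":
    for n, dst, port in ranked(SAMPLE_FLOWS, INFECTED):
        print(f"{n} infected hosts -> {dst}:{port}")
```

Counting distinct sources rather than flows is what separates a shared controller from one noisy host reconnecting repeatedly.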
