<trying to catch up on the list...>

flow-report has two reports, "ip-source-address-destination-count" and "ip-destination-address-source-count" that will help.

--
mark

On Sep 18, 2004, at 4:34 PM, Craig Macdonald wrote:

Edwin,

Your solutions would show me a) the flows and b) the octets for
destination addresses. I was more interested in seeing how *many*
of this group of internal hosts had connected to the same external hosts.


With the current flow-tools, I would have to post-process the flows to
obtain this I think.

C

On Mon, 13 Sep 2004, Edwin Lok wrote:

Hi Craig,

You could use flow-nfilter.

create a file filter.cfg

# start file filter.cfg
filter-primitive infected-hosts
        type ip-address
        permit <ipaddr>
        .
        .
        permit <ipaddr>
        default deny

filter-primitive external-hosts
        type ip-address
        permit <ipaddr>
        default deny

filter-definition find-infected-hosts
        match src-ip-addr infected-hosts
        match dst-ip-addr external-hosts
# end file filter.cfg

then:
flow-nfilter -f filter.cfg -F find-infected-hosts < flowfile | flow-print -f5


or if you want to get the stats of the src and dst address sorted by octets
flow-nfilter -f filter.cfg -F find-infected-hosts < flowfile | flow-stat -f10 -S3


Rgds
Edwin

On Sun, 12 Sep 2004, Craig Macdonald wrote:

Hi flow-tools people!

Background:
We've been investigating a virus lookup on campus last week, in light of
recent news from the Internet Storm Center.


We detected the virus on Friday using our flowscan modules that were
processing the flow-tools files.

Last week we noted that the virus attempted to connect to 203.81.40.172 on
port 10009 (as per http://isc.sans.org/diary.php?date=2004-09-08).
So we checked our logs to see which machines had been attempting to
connect on that port - this identified most of the infected machines we
had previously identified and a few more.


Question:
We were wondering if it is possible, given a list of (internal) IP
addresses, to filter on them and then aggregate to determine if
there was anything else that many of the listed machines had attempted to
connect to. (Using flow-report etc.)


If I were to explain this in a SQL like fashion:
SELECT dstip, count(*) FROM flows
WHERE
srcip IS IN (infected hosts list)
AND dstip IS external
GROUP BY dstip

We could then monitor for other infected machines making connections to
the same machine (bot controller), thus identifying infections quickly.


All input welcome

Regards

Craig Macdonald
[EMAIL PROTECTED]
Glasgow University Computing Service

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
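The post-processing step Craig describes (his "SELECT dstip, count(*) ... GROUP BY dstip"), written out as an added example; this is not flow-tools code and not from anyone in the thread. It counts distinct infected sources per external destination and port, which is what "how many of this group of hosts" asks for, rather than flows or octets as flow-stat would report, and then lists internal hosts outside the known-infected set that contacted the same rendezvous points. The flow records, the 10.0.0.0/8 campus range and the infected-host list are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (src, dst, dst_port); not real flow-tools output.
# 10.0.0.0/8 stands in for the campus network; the infected list is assumed.
SAMPLE_FLOWS = [
    ("10.1.1.10", "203.81.40.172", 10009),
    ("10.1.1.10", "203.81.40.172", 10009),   # repeat flow: must not count twice
    ("10.1.1.11", "203.81.40.172", 10009),
    ("10.1.1.12", "203.81.40.172", 10009),
    ("10.1.1.10", "198.51.100.7", 6667),
    ("10.1.1.11", "198.51.100.7", 6667),
    ("10.1.1.12", "192.0.2.50", 80),         # ordinary web traffic, one source only
    ("10.1.1.10", "10.2.2.2", 445),          # internal destination, excluded
    ("10.1.1.99", "203.81.40.172", 10009),   # host not yet on the infected list
    ("10.1.1.55", "192.0.2.50", 80),
]
INFECTED = {"10.1.1.10", "10.1.1.11", "10.1.1.12"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_external(ip, internal_nets):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in internal_nets)

def rendezvous_points(flows, infected, internal_nets):
    """Per external (dst, port), how many distinct infected hosts talked to it.
    This is the GROUP BY dstip query, counting sources rather than flows or
    octets so that one chatty host cannot dominate the ranking."""
    sources = defaultdict(set)
    for src, dst, port in flows:
        if src in infected and is_external(dst, internal_nets):
            sources[(dst, port)].add(src)
    rows = [(dst, port, len(srcs)) for (dst, port), srcs in sources.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

def new_suspects(flows, rendezvous, infected, internal_nets):
    """Internal hosts not on the infected list that contacted a rendezvous point."""
    targets = {(dst, port) for dst, port, _ in rendezvous}
    return sorted(src for src, dst, port in flows
                  if (dst, port) in targets and src not in infected
                  and not is_external(src, internal_nets))

if __name__ == "__main__":
    ranked = rendezvous_points(SAMPLE_FLOWS, INFECTED, INTERNAL_NETS)
    shared = [r for r in ranked if r[2] >= 2]     # threshold: at least two infected hosts
    for dst, port, n in shared:
        print(f"{dst}:{port} contacted by {n} infected hosts")
    print("new suspects:", new_suspects(SAMPLE_FLOWS, shared, INFECTED, INTERNAL_NETS))
```

In practice the records would come from flow-print output over the flow-nfilter result, with the threshold tuned so that popular legitimate destinations (campus web proxies, update servers) are excluded before the remaining hits are used for monitoring.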


