Security Applications of cflowd
What can we do with the data?
Monitor OC-3 ingress link for potential attack precursors,
- e.g. RPC portmap requests, host sweeps, port sweeps, ...
We have built an application from flowlog that tails
the cflowd raw flow logs and filters for security
policy violations.
For example, SDSC does not support telnet, rlogin,
or RPC services to external hosts. Connection attempts to these
applications may be an intelligence gathering precursor to an intrusion.
% flowlog -e '(((dstaddr&0xffff0000)==0x84f90000) && \
(((protocol==6)&&((port==23)||(port==513))) || \
((protocol==17)&&(port==111)))' cflowdRawDataFile
Tue Jan 12 16:14:43 1999 WWW.XXX.YYY.ZZZ 132.249.AAA.BBB[23] 1 56
Tue Jan 12 16:14:43 1999 WWW.XXX.YYY.ZZZ 132.249.AAA.BBB[111] 1 111
Tue Jan 12 16:14:43 1999 WWW.XXX.YYY.ZZZ 132.249.AAA.BBB[513] 1 44
Flow processing performance is adequate for relatively simple filters:
- no filters: 50 kFlows/sec
Flowlog output is processed by 2swatch to generate alerts and hourly reports.
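The policy test encoded in the flowlog filter above, and the per-hour roll-up that the alerting stage produces from its output, as an added example (not SDSC's flowlog or 2swatch code). Flow records are constructed here as dicts; the destination prefix 132.249.0.0/16 and the three forbidden services are from the slide, the source and host addresses are made up.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Site policy from the slide: telnet (TCP/23), rlogin (TCP/513) and
# RPC portmap (UDP/111) are not offered to external hosts.
SITE_NET = ipaddress.ip_network("132.249.0.0/16")  # (dstaddr&0xffff0000)==0x84f90000
FORBIDDEN = {(6, 23): "telnet", (6, 513): "rlogin", (17, 111): "rpc-portmap"}

def violates_policy(flow):
    """Same predicate as the flowlog -e expression, applied to one raw flow."""
    return (ipaddress.ip_address(flow["dst"]) in SITE_NET
            and (flow["proto"], flow["dport"]) in FORBIDDEN)

def scan(flows):
    """One alert line per violating flow, in flowlog's output layout plus the service name."""
    alerts = []
    for f in flows:
        if violates_policy(f):
            svc = FORBIDDEN[(f["proto"], f["dport"])]
            alerts.append(f"{f['ts']:%a %b %d %H:%M:%S %Y} {f['src']} "
                          f"{f['dst']}[{f['dport']}] {f['pkts']} {f['bytes']} {svc}")
    return alerts

def hourly_report(flows):
    """Violation counts per (hour, source, service), the basis of an hourly report."""
    report = Counter()
    for f in flows:
        if violates_policy(f):
            hour = f["ts"].strftime("%Y-%m-%d %H")
            report[(hour, f["src"], FORBIDDEN[(f["proto"], f["dport"])])] += 1
    return report

# Constructed sample flows (not from the slide); 203.0.113.0/24 is a documentation range.
T = datetime(1999, 1, 12, 16, 14, 43)
SAMPLE_FLOWS = [
    {"ts": T, "src": "203.0.113.7", "dst": "132.249.10.20", "proto": 6,  "dport": 23,  "pkts": 1, "bytes": 56},
    {"ts": T, "src": "203.0.113.7", "dst": "132.249.10.20", "proto": 17, "dport": 111, "pkts": 1, "bytes": 111},
    {"ts": T, "src": "203.0.113.7", "dst": "132.249.10.20", "proto": 6,  "dport": 513, "pkts": 1, "bytes": 44},
    {"ts": T, "src": "203.0.113.7", "dst": "132.249.10.20", "proto": 6,  "dport": 80,  "pkts": 5, "bytes": 2000},  # permitted service
    {"ts": T, "src": "203.0.113.7", "dst": "198.51.100.9",  "proto": 6,  "dport": 23,  "pkts": 1, "bytes": 56},    # not our prefix
    {"ts": T, "src": "203.0.113.7", "dst": "132.249.10.20", "proto": 17, "dport": 23,  "pkts": 1, "bytes": 56},    # UDP/23, not in policy
]

if __name__ == "__main__":
    for line in scan(SAMPLE_FLOWS):
        print(line)
    for (hour, src, svc), n in sorted(hourly_report(SAMPLE_FLOWS).items()):
        print(f"{hour}: {src} -> {svc} x{n}")
```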