Security Applications of cflowd
What can we do with the data?

    • Monitor the OC-3 ingress link for potential attack precursors,
      e.g. RPC portmap requests, host sweeps, port sweeps, ...

    We have built an application on top of flowlog that tails the cflowd raw flow logs and filters them for security policy violations.

    For example, SDSC does not support telnet, rlogin, or RPC services to external hosts. Connection attempts to these services from outside may be an intelligence-gathering precursor to an intrusion.

      % flowlog -e '(((dstaddr&0xffff0000)==0x84f90000) && \
                     (((protocol==6)&&((port==23)||(port==513))) || \
                      ((protocol==17)&&(port==111))))' cflowdRawDataFile
      Tue Jan 12 16:14:43 1999 WWW.XXX.YYY.ZZZ 132.249.AAA.BBB[23] 1 56
      Tue Jan 12 16:14:43 1999 WWW.XXX.YYY.ZZZ 132.249.AAA.BBB[111] 1 111
      Tue Jan 12 16:14:43 1999 WWW.XXX.YYY.ZZZ 132.249.AAA.BBB[513] 1 44

    (The mask 0xffff0000 selects the SDSC /16, 132.249.0.0 == 0x84f90000; protocol 6 is TCP, 17 is UDP.)

    Flow processing performance is adequate for relatively simple filters:

      no filter      : 50 kFlows/sec;
      example above  : 32 kFlows/sec.

    Flowlog output is processed by 2swatch to generate alerts and hourly reports.
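The following is an added example (not cflowd, flowlog or swatch code) that re-implements the slide's policy filter in Python over constructed flow records, prints matches in the same line format flowlog shows above, and then does the two downstream steps the slide assigns to swatch: an hourly per-source count and a simple host-sweep flag. It assumes the slide's `port` means the destination port, that the intended netmask is 0xffff0000 (132.249.0.0/16), and uses RFC 5737 documentation addresses for the external sources; the record layout and the `min_hosts` sweep threshold are this example's own choices.

```python
"""Policy filter over cflowd-style raw flow records (added example, not cflowd/flowlog code)."""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# SDSC address block from the slide: 132.249.0.0/16 == 0x84f90000 under mask 0xffff0000
SITE_PREFIX = 0x84f90000
SITE_MASK = 0xffff0000

TCP, UDP = 6, 17
# Services SDSC does not offer to external hosts: telnet (23/tcp), rlogin (513/tcp), portmap (111/udp)
DENIED = {(TCP, 23), (TCP, 513), (UDP, 111)}


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer, so the mask test mirrors flowlog's dstaddr&mask."""
    return int(ipaddress.IPv4Address(addr))


def is_policy_violation(rec: dict) -> bool:
    """Python equivalent of the slide's flowlog -e expression (dstport assumed for 'port')."""
    if (ip_to_int(rec["dstaddr"]) & SITE_MASK) != SITE_PREFIX:
        return False
    return (rec["protocol"], rec["dstport"]) in DENIED


def format_flowlog_line(rec: dict) -> str:
    """Render a record the way flowlog prints a match: time src dst[port] packets bytes."""
    ts = rec["time"].strftime("%a %b %d %H:%M:%S %Y")
    return f'{ts} {rec["srcaddr"]} {rec["dstaddr"]}[{rec["dstport"]}] {rec["packets"]} {rec["bytes"]}'


def hourly_report(records) -> dict:
    """Per-hour count of violating flows per external source (the swatch-style hourly summary)."""
    report = defaultdict(Counter)
    for rec in records:
        if is_policy_violation(rec):
            hour = rec["time"].strftime("%Y-%m-%d %H:00")
            report[hour][rec["srcaddr"]] += 1
    return {hour: dict(counts) for hour, counts in report.items()}


def sweep_sources(records, min_hosts: int = 3) -> list:
    """Sources whose violating flows reach >= min_hosts distinct internal hosts (host-sweep alert)."""
    targets = defaultdict(set)
    for rec in records:
        if is_policy_violation(rec):
            targets[rec["srcaddr"]].add(rec["dstaddr"])
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_hosts)


def mk(sec, src, dst, proto, port, pkts, nbytes):
    # Helper to build one constructed record; timestamps reuse the slide's date/time
    return {"time": datetime(1999, 1, 12, 16, 14, sec), "srcaddr": src, "dstaddr": dst,
            "protocol": proto, "dstport": port, "packets": pkts, "bytes": nbytes}


# Constructed sample flows (hypothetical; external sources are RFC 5737 documentation addresses)
SAMPLE_FLOWS = [
    mk(43, "198.51.100.7", "132.249.10.20", TCP, 23, 1, 56),    # telnet probe   -> violation
    mk(43, "198.51.100.7", "132.249.10.20", UDP, 111, 1, 111),  # portmap probe  -> violation
    mk(43, "198.51.100.7", "132.249.10.20", TCP, 513, 1, 44),   # rlogin probe   -> violation
    mk(44, "198.51.100.7", "132.249.10.21", TCP, 23, 1, 56),    # same source, second host
    mk(45, "198.51.100.7", "132.249.10.22", TCP, 23, 1, 56),    # same source, third host
    mk(46, "198.51.100.7", "132.249.10.20", TCP, 80, 3, 180),   # web traffic    -> allowed
    mk(47, "203.0.113.9", "132.249.10.20", TCP, 23, 1, 56),     # single telnet probe
    mk(48, "203.0.113.9", "10.249.10.20", TCP, 23, 1, 56),      # not the SDSC /16 -> ignored
    mk(49, "203.0.113.9", "132.249.10.20", UDP, 23, 1, 56),     # udp/23 is not in policy -> ignored
]


def matches(records=SAMPLE_FLOWS) -> list:
    """Lines flowlog would emit for the violating records."""
    return [format_flowlog_line(r) for r in records if is_policy_violation(r)]


if __name__ == "__main__":
    for line in matches():
        print(line)
    print("hourly:", hourly_report(SAMPLE_FLOWS))
    print("host sweeps from:", sweep_sources(SAMPLE_FLOWS))
```

Run as a script, the first printed line is `Tue Jan 12 16:14:43 1999 198.51.100.7 132.249.10.20[23] 1 56`, matching the slide's output layout; the hourly report then attributes five violations to the sweeping source and one to the single-probe source, and only the former crosses the sweep threshold.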