
Catching online virus activity with Netflow

In this post I will show how to set up, with a couple of one-line scripts, a simple collection of statistics on anomalous activity in the network.



At the moment the statistics are taken, we will treat the following as abnormal:



1. More than 20 outgoing connections to port 25 from a single IP.

2. More than 100 outgoing connections to port 80 from a single IP.

3. More than 100 outgoing connections to port 53 from a single IP.

4. Anything else you come up with; everything is configurable.


The statistics will be read from the routers' netflow cache. Whether the router is Cisco or FreeBSD does not matter. I described setting up netflow on FreeBSD in my previous articles.



Since we are going to process statistics of outgoing connections, netflow must account for egress traffic leaving your network.



On Cisco this means applying the “ip flow egress” parameter to the interface whose outgoing traffic we want to analyze.

For FreeBSD, read "Netgraph, ipfw and flexible traffic accounting via netflow".



Principle of operation



The Cisco command "sh ip cache flow":



7206#sh ip cache flow
IP packet size distribution (50885M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .367 .018 .009 .005 .004 .019 .005 .004 .002 .015 .001 .002 .003 .002

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.002 .003 .012 .030 .486 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
14372 active, 51164 inactive, 1424895745 added
595073185 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 1057544 bytes
14372 active, 18396 inactive, 1424881570 added, 1424881570 added to flow
0 alloc failures, 0 force free
2 chunks, 63 chunks added
last clearing of statistics never
Protocol          Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------          Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet      2394420      0.5         2    59      1.2       1.6      17.3
TCP-FTP          693781      0.1        12    67      1.9       4.1       7.6
TCP-FTPD          16673      0.0      4116   815     15.9      29.6      10.9
TCP-WWW       705969510    164.3        46   843   7698.6       4.6      11.0
TCP-SMTP        4790885      1.1        16   593     18.5       4.8       8.6
TCP-X            586390      0.1         3   176      0.5       1.0      17.5
TCP-BGP          377369      0.0         3   490      0.3      11.7      17.2
TCP-NNTP            492      0.0         6   270      0.0       4.5      10.8
TCP-Frag           1878      0.0        27   194      0.0      12.3      17.2
TCP-other     283995180     66.1        37   715   2505.0       5.9      12.1
UDP-DNS        42291343      9.8         1    73     10.1       0.0      19.3
UDP-NTP         1781711      0.4         1    76      0.6       7.4      17.9
UDP-TFTP          49776      0.0         5    52      0.0      21.6      17.3
UDP-Frag         293665      0.0       352   106     24.0      15.7      18.1
UDP-other     347985517     81.0        18   618   1503.7       4.4      18.7
ICMP           33442833      7.7         2    80     21.9       5.0      18.4
IGMP                  2      0.0         2    28      0.0       0.9      26.5
IPv6INIP            178      0.0         4    68      0.0      13.4      18.1
GRE               60567      0.0      2878   162     40.5     185.4      15.4
IP-other         150016      0.0        89   614      3.1      69.2      17.0
Total:       1424882186    331.7        35   781  11846.6       4.7      13.5

SrcIf     SrcIPaddress    DstIf DstIPaddress    Pr SrcP DstP Pkts
Gi0/1     80.75.131.2     Null  123.456.123.14  06 40A0 0050   29
Gi0/1     82.116.35.44    Null  123.456.123.23  06 D52A 0050    5
Gi0/2.105 123.456.789.54  Null  195.151.255.253 06 0050 F9F0    3
Gi0/1     217.172.29.5    Null  123.456.123.33  06 E469 0050  279
Gi0/1     217.172.29.5    Null  123.456.123.43  06 E46B 0050   25
Gi0/1     217.172.29.5    Null  123.456.123.53  06 E46D 0050   51
Gi0/1     82.116.35.44    Null  123.456.123.64  06 D531 0050    5
Gi0/1     217.172.29.5    Null  123.456.123.73  06 E46E 0050   55
Gi0/1     217.172.29.5    Null  123.456.123.13  06 E46F 0050   23
Gi0/1     217.172.29.5    Null  123.456.123.23  06 E464 0050   39
Gi0/2.105 123.456.789.54  Null  67.195.111.40   06 0050 E9FC    5
Gi0/2.105 123.456.789.53  Null  83.167.97.145   06 0050 CF77    7
Gi0/2.105 123.456.789.56  Null  213.180.199.34  11 C479 0035    1
Gi0/2.103 123.456.789.30  Null  123.456.123.56  11 BB7D 0035    1
Gi0/2.105 123.456.789.56  Null  123.456.123.30  11 0035 BB7D    1

[--cut--] - [--cut--]



This is the kind of output we get; its upper part, the general statistics, is of no interest to us.



Similar output, but without the general statistics, is produced on FreeBSD by the command “flowctl netflow show”, where netflow is the name of your ng_netflow node.



[root@border] /root/> /usr/sbin/flowctl netflow show
SrcIf SrcIPaddress    DstIf DstIPaddress    Pr SrcP DstP Pkts
lo0   123.456.161.48  vlan3 212.119.237.214  6 0f93 0050    6
lo0   123.456.153.8   vlan2 154.153.8.109   17 6df4 f45f   20
lo0   123.456.164.126 vlan2 154.164.126.104 17 68eb eb5f   16
lo0   123.456.134.168 vlan2 154.134.168.139 17 8b2c 2c5f   40
lo0   123.456.169.132 vlan2 154.169.132.219 17 db31 315f   28
lo0   123.456.153.13  vlan2 154.153.13.62   17 3e3a 3a5f   28
lo0   123.456.147.214 vlan2 154.147.214.54  17 3658 585f    4
lo0   123.456.161.167 vlan2 154.161.167.102 17 66f5 f55f    4
lo0   123.456.144.147 vlan2 154.144.147.248 17 f88b 8b5f    4
lo0   123.456.162.220 vlan2 154.162.220.42  17 2adc dc5f   27
lo0   123.456.170.119 vlan2 154.170.119.198 17 c60a 0a5f   64

[--cut--] - [--cut--]





In this output we are interested in the “DstP” column. This is the destination port number in hex.

Port 25 will appear as 0019, port 80 as 0050, port 53 as 0035.



Operation





Analyzing this output:



We take the statistics and pick out port 25:

flowctl netflow show | grep 0019

We select only the source IP from the second column, “SrcIPaddress”, and sort the output:

awk '{print $2}' | sort

We count the unique IP addresses and display only those that repeat more than 20 times:

uniq -c | awk '{if ($1 > 20) print $2}'



We get for port 25:

[root@border] /root/>flowctl netflow show | grep 0019 | awk '{print $2}' | sort | uniq -c | awk '{ if( $1 > 20 ) print $2 }'
123.456.123.10
123.456.123.17
123.456.123.140
123.456.123.220





For port 80:

[root@border] /root/>flowctl netflow show | grep 0050 | awk '{print $2}' | sort | uniq -c | awk '{ if( $1 > 100 ) print $2 }'
123.456.123.10
123.456.123.17
123.456.123.165





For port 53:

[root@border] /root/>flowctl netflow show | grep 0035 | awk '{print $2}' | sort | uniq -c | awk '{ if( $1 > 100 ) print $2 }'
123.456.123.17
123.456.123.19





To pull these statistics from the Cisco to the server, rsh is used; Google will tell you how to configure it. In the final command only the source of statistics changes, from “flowctl netflow show” to “rsh -l login ip_cisco 'sh ip cache flow'”.
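As an added example (my script, not the post's own), here is the same per-source-IP check written as a small sh script that can be fed either “flowctl netflow show” or the rsh output from the Cisco. It matches the DstP column by position instead of grepping the whole line, since a bare "grep 0019" also matches a source port or a packet count containing those digits. The flow table it runs on is constructed sample data, not output from a real router.

```shell
#!/bin/sh
# Added example, not code from the original post. Same count-per-source-IP
# check as the article's pipeline, but the DstP column is matched explicitly.
# Input: the 8-column table printed by "flowctl netflow show" or
# "sh ip cache flow" (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts).

# flows_over_threshold PORT LIMIT: read the flow table on stdin and print
# every source IP with more than LIMIT flows to decimal port PORT.
flows_over_threshold() {
    port_hex=$(printf '%04x' "$1")      # 25 -> 0019, 80 -> 0050, 53 -> 0035
    awk -v port="$port_hex" -v limit="$2" '
        # only 8-column flow lines; Cisco prints hex upper case, FreeBSD lower
        NF == 8 && tolower($7) == port { count[$2]++ }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# check_all: apply the thresholds from the post (25 -> 20, 80 -> 100, 53 -> 100)
# to one copy of the table read from stdin.
check_all() {
    table=$(cat)
    for rule in 25:20 80:100 53:100; do
        port=${rule%:*}; limit=${rule#*:}
        printf '%s\n' "$table" | flows_over_threshold "$port" "$limit" |
            sed "s/^/port $port: /"
    done
}

# gen_sample: constructed flow table (not real data) with 25 SMTP flows from
# 10.0.0.5 and one line where 0019 is the *source* port, not the destination.
gen_sample() {
    echo 'SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts'
    i=0
    while [ "$i" -lt 25 ]; do
        echo "lo0 10.0.0.5 vlan2 198.51.100.$i 6 c001 0019 3"
        i=$((i + 1))
    done
    echo 'lo0 10.0.0.7 vlan2 198.51.100.99 6 0019 d001 9'
    echo 'lo0 10.0.0.9 vlan2 198.51.100.98 17 a001 0035 1'
}

# On a live box: flowctl netflow show | check_all
gen_sample | check_all        # prints: port 25: 10.0.0.5
```

Note that 10.0.0.7 is not reported even though its line contains 0019: the hex value is in the SrcP column, which the grep-based pipeline would have counted.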



Why all this?





What to do with these addresses is up to you.

For example, I have a cron job every 5 minutes that adds the addresses to the database the RADIUS server works with.

The client is disconnected from the Internet, and on the next authorization is blocked completely. Also, when they access port 80, they are shown a message about a violation of the network rules due to virus activity on their computer.



Thanks for your attention. Clean networks to you!

Source: https://habr.com/ru/post/90489/


