
Catching online virus activity with Netflow

In this post I will show how to set up a simple collection of statistics on anomalous activity in your network with a couple of scripts.

At the moment the statistics are sampled, we will treat the following as anomalous:

1. More than 20 outgoing connections to port 25 from a single IP.
2. More than 100 outgoing connections to port 80 from a single IP.
3. More than 100 outgoing connections to port 53 from a single IP.
4. Add your own rules; everything is flexible.
The statistics will be taken from the router's NetFlow cache. Whether it is a Cisco or a FreeBSD box does not matter. I covered setting up NetFlow on FreeBSD in my previous articles.

Since we are going to process statistics on outgoing connections, NetFlow must account for the traffic leaving your network (egress flows).

On Cisco, this means applying “ip flow egress” to the interface whose outgoing traffic we want to analyze.
For FreeBSD, see Netgraph, ipfw and flexible traffic accounting via netflow.

Principle of operation


The Cisco command "sh ip cache flow":

7206#sh ip cache flow
IP packet size distribution (50885M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .367 .018 .009 .005 .004 .019 .005 .004 .002 .015 .001 .002 .003 .002

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.002 .003 .012 .030 .486 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
14372 active, 51164 inactive, 1424895745 added
595073185 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 1057544 bytes
14372 active, 18396 inactive, 1424881570 added, 1424881570 added to flow
0 alloc failures, 0 force free
2 chunks, 63 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 2394420 0.5 2 59 1.2 1.6 17.3
TCP-FTP 693781 0.1 12 67 1.9 4.1 7.6
TCP-FTPD 16673 0.0 4116 815 15.9 29.6 10.9
TCP-WWW 705969510 164.3 46 843 7698.6 4.6 11.0
TCP-SMTP 4790885 1.1 16 593 18.5 4.8 8.6
TCP-X 586390 0.1 3 176 0.5 1.0 17.5
TCP-BGP 377369 0.0 3 490 0.3 11.7 17.2
TCP-NNTP 492 0.0 6 270 0.0 4.5 10.8
TCP-Frag 1878 0.0 27 194 0.0 12.3 17.2
TCP-other 283995180 66.1 37 715 2505.0 5.9 12.1
UDP-DNS 42291343 9.8 1 73 10.1 0.0 19.3
UDP-NTP 1781711 0.4 1 76 0.6 7.4 17.9
UDP-TFTP 49776 0.0 5 52 0.0 21.6 17.3
UDP-Frag 293665 0.0 352 106 24.0 15.7 18.1
UDP-other 347985517 81.0 18 618 1503.7 4.4 18.7
ICMP 33442833 7.7 2 80 21.9 5.0 18.4
IGMP 2 0.0 2 28 0.0 0.9 26.5
IPv6INIP 178 0.0 4 68 0.0 13.4 18.1
GRE 60567 0.0 2878 162 40.5 185.4 15.4
IP-other 150016 0.0 89 614 3.1 69.2 17.0
Total: 1424882186 331.7 35 781 11846.6 4.7 13.5

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/1 80.75.131.2 Null 123.456.123.14 06 40A0 0050 29
Gi0/1 82.116.35.44 Null 123.456.123.23 06 D52A 0050 5
Gi0/2.105 123.456.789.54 Null 195.151.255.253 06 0050 F9F0 3
Gi0/1 217.172.29.5 Null 123.456.123.33 06 E469 0050 279
Gi0/1 217.172.29.5 Null 123.456.123.43 06 E46B 0050 25
Gi0/1 217.172.29.5 Null 123.456.123.53 06 E46D 0050 51
Gi0/1 82.116.35.44 Null 123.456.123.64 06 D531 0050 5
Gi0/1 217.172.29.5 Null 123.456.123.73 06 E46E 0050 55
Gi0/1 217.172.29.5 Null 123.456.123.13 06 E46F 0050 23
Gi0/1 217.172.29.5 Null 123.456.123.23 06 E464 0050 39
Gi0/2.105 123.456.789.54 Null 67.195.111.40 06 0050 E9FC 5
Gi0/2.105 123.456.789.53 Null 83.167.97.145 06 0050 CF77 7
Gi0/2.105 123.456.789.56 Null 213.180.199.34 11 C479 0035 1
Gi0/2.103 123.456.789.30 Null 123.456.123.56 11 BB7D 0035 1
Gi0/2.105 123.456.789.56 Null 123.456.123.30 11 0035 BB7D 1

[--cut--] - [--cut--]

This is the output we get; its upper part, the general statistics, is of no interest to us.

Similar output, but without the general statistics, is produced on FreeBSD by the command “flowctl netflow show”, where netflow is the name of your ng_netflow node.

[root@border] /root/> /usr/sbin/flowctl netflow show
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
lo0 123.456.161.48 vlan3 212.119.237.214 6 0f93 0050 6
lo0 123.456.153.8 vlan2 154.153.8.109 17 6df4 f45f 20
lo0 123.456.164.126 vlan2 154.164.126.104 17 68eb eb5f 16
lo0 123.456.134.168 vlan2 154.134.168.139 17 8b2c 2c5f 40
lo0 123.456.169.132 vlan2 154.169.132.219 17 db31 315f 28
lo0 123.456.153.13 vlan2 154.153.13.62 17 3e3a 3a5f 28
lo0 123.456.147.214 vlan2 154.147.214.54 17 3658 585f 4
lo0 123.456.161.167 vlan2 154.161.167.102 17 66f5 f55f 4
lo0 123.456.144.147 vlan2 154.144.147.248 17 f88b 8b5f 4
lo0 123.456.162.220 vlan2 154.162.220.42 17 2adc dc5f 27
lo0 123.456.170.119 vlan2 154.170.119.198 17 c60a 0a5f 64

[--cut--] - [--cut--]


In this output we are interested in the “DstP” column: the destination port number in hex.
Port 25 appears as 0019, port 80 as 0050, and port 53 as 0035.

The task



Analyzing this output step by step:

Take the statistics and select port 25:
flowctl netflow show | grep 0019
Keep only the source IP from the second column, “SrcIPaddress”, and sort the output:
awk '{print $2}' | sort
Count the unique IP addresses and print only those that occur more than 20 times:
uniq -c | awk '{if ($1 > 20) print $2}'

We get for port 25:
[root@border] /root/>flowctl netflow show | grep 0019 | awk '{print $2}' | sort | uniq -c | awk '{ if( $1 > 20 ) print $2 }'
123.456.123.10
123.456.123.17
123.456.123.140
123.456.123.220


For port 80:
[root@border] /root/>flowctl netflow show | grep 0050 | awk '{print $2}' | sort | uniq -c | awk '{ if( $1 > 100 ) print $2 }'
123.456.123.10
123.456.123.17
123.456.123.165


For port 53:
[root@border] /root/>flowctl netflow show | grep 0035 | awk '{print $2}' | sort | uniq -c | awk '{ if( $1 > 100 ) print $2 }'
123.456.123.17
123.456.123.19


To pull these statistics from the Cisco onto the server, rsh is used; Google will tell you how to configure it. In the final command only the source of the statistics changes, from “flowctl netflow show” to “rsh -l login ip_cisco 'sh ip cache flow'”.
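
The whole procedure above as one script, an added example that is not part of the original article. It embeds a constructed flow-cache sample (not real traffic) in the “flowctl netflow show” layout, converts decimal ports to the hex form used in the DstP column, and counts flows per source IP. It also adds a check the article's pipeline lacks: grep matches the hex port anywhere on the line, so a flow whose *source* port is 0019 (return traffic from a mail server) is counted as an outgoing SMTP connection; matching the DstP column by position avoids that. The column layout and the function names are my assumptions; the live source would be flowctl or the rsh command quoted above.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Assumes the column layout shown in the article's output:
#   SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
# which both "sh ip cache flow" (Cisco, upper-case hex) and
# "flowctl netflow show" (FreeBSD, lower-case hex) produce.

# Constructed sample (not real traffic): five SMTP flows from 192.0.2.10,
# one from .11, three HTTP flows from .12, one line where 0019 is the
# SOURCE port (return traffic, must not count as outgoing SMTP), one DNS flow.
SAMPLE_FLOWS='SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
lo0 192.0.2.10 vlan2 198.51.100.5 6 c001 0019 3
lo0 192.0.2.10 vlan2 198.51.100.6 6 c002 0019 4
lo0 192.0.2.10 vlan2 198.51.100.7 6 c003 0019 2
lo0 192.0.2.10 vlan2 198.51.100.8 6 c004 0019 5
lo0 192.0.2.10 vlan2 198.51.100.9 6 c005 0019 1
lo0 192.0.2.11 vlan2 198.51.100.5 6 c006 0019 3
lo0 192.0.2.12 vlan2 198.51.100.20 6 d001 0050 10
lo0 192.0.2.12 vlan2 198.51.100.21 6 d002 0050 12
lo0 192.0.2.12 vlan2 198.51.100.22 6 d003 0050 7
lo0 192.0.2.13 vlan2 198.51.100.30 6 0019 c100 2
lo0 192.0.2.14 vlan2 198.51.100.31 17 a001 0035 19'

# port_hex DECIMAL -> four-digit lower-case hex, the form seen in DstP
port_hex() { printf '%04x' "$1"; }

# flows_over_threshold DECIMAL_PORT LIMIT
# Counts flows per source IP whose DstP column equals the port (compared
# case-insensitively so Cisco and FreeBSD output both match) and prints,
# sorted, the IPs with more than LIMIT such flows.
flows_over_threshold() {
    awk -v port="$(port_hex "$1")" -v limit="$2" '
        $1 == "SrcIf" { next }                    # column header (mid-output on Cisco)
        NF < 8 { next }                           # blanks, [--cut--], Cisco summary lines
        tolower($7) == port { n[$2]++ }           # DstP column only, not the whole line
        END { for (ip in n) if (n[ip] > limit) print ip }
    ' | sort
}

# article_pipeline HEX_PORT LIMIT
# The article's pipeline, kept for comparison: grep matches the hex value
# anywhere on the line, so SrcP hits are counted too.
article_pipeline() {
    grep "$1" | awk '{print $2}' | sort | uniq -c \
        | awk -v limit="$2" '{ if ($1 > limit) print $2 }'
}

# report_anomalies "DECIMAL_PORT LIMIT" ...
# Applies each rule to the flow text on stdin, printing "port <p>: <ip>".
report_anomalies() {
    flows=$(cat)
    for rule in "$@"; do
        set -- $rule
        printf '%s\n' "$flows" | flows_over_threshold "$1" "$2" \
            | while read -r ip; do printf 'port %s: %s\n' "$1" "$ip"; done
    done
}

# Demo on the tiny sample with toy thresholds. The article's rules are
# "25 20" "80 100" "53 100", and the live source replaces the printf:
#   flowctl netflow show | report_anomalies "25 20" "80 100" "53 100"
#   rsh -l login ip_cisco 'sh ip cache flow' | report_anomalies ...
printf '%s\n' "$SAMPLE_FLOWS" | report_anomalies "25 3" "80 2" "53 1"
```

With the toy thresholds the demo reports 192.0.2.10 for port 25 and 192.0.2.12 for port 80; 192.0.2.13 is not reported because its 0019 sits in the SrcP column, whereas the article's grep-based pipeline would count it.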

What is all this for?



What to do with these addresses is up to you.
For example, I have a cron job that runs every 5 minutes and adds the addresses to the database the RADIUS server works with.
The client is disconnected from the Internet, and on the next authorization is blocked completely. Also, when accessing anything over port 80, the client is shown a message about a violation of the network rules due to virus activity on his computer.

Thank you for your attention. Clean networks to you!

Source: https://habr.com/ru/post/90489/

