FLOW-TOOLS-EXAMPLES(1)                                  FLOW-TOOLS-EXAMPLES(1)


NAME

       flow-tools-examples - Example usage of flow-tools.

EXAMPLE - CONFIGURING CISCO IOS ROUTER

       NetFlow is configured on each input interface, then global commands are
       used to specify the export destination. To ensure a consistent source
       address, Loopback0 is configured as the export source.

       ip cef distributed
       ip flow-export version 5 origin-as
       ip flow-export destination 10.0.0.100 5004
       ip flow-export source Loopback0

       interface Loopback0
        ip address 10.1.1.1 255.255.255.255

       interface FastEthernet0/1/0
        ip address 10.0.0.1 255.255.255.0
        no ip directed-broadcast
        ip route-cache flow
        ip route-cache distributed

       NetFlow export is unauthenticated UDP, so the collector should accept
       datagrams only from the expected exporter address; flow-capture and
       flow-receive take that address in their localip/remoteip/port argument
       for this purpose.

       Many other options exist such as aggregated NetFlow and sampled NetFlow
       which are detailed at <URL:http://www.cisco.com>.

EXAMPLE - CONFIGURING CISCO CATIOS SWITCH

       Some Cisco Catalyst switches support a different implementation of
       NetFlow that is performed on the supervisor. With the cache based
       forwarding model which is implemented in the Catalyst 55xx with Route
       Switch Module (RSM) and NetFlow Feature Card (NFFC), the RSM processes
       the first flow and the remaining packets in the flow are forwarded by
       the Supervisor. This is also implemented in the early versions of the
       65xx with MSFC. The deterministic forwarding model used in the 65xx
       with MSFC2 does not use NetFlow to determine the forwarding path; the
       flow cache is only used for statistics, as in the current IOS
       implementations. In all of the above configurations flow exports
       arrive from both the RSM/MSFC and the Supervisor engines as distinct
       streams. In the worst case the RSM exports in version 5 and the
       Supervisor exports in version 7. Fortunately flow-capture and
       flow-receive can sort all this out by processing flows from both
       sources and converting them to a common export format.

       The router side running IOS is configured identically to the example
       given above. The CatIOS NetFlow Data Export configuration follows:

       set mls flow full
       set mls nde version 7
       set mls nde 10.0.0.1 9800
       set mls nde enable

       When the 65xx is running in Native mode, from a user's perspective the
       switch is only running IOS.

       More detailed examples can be found on Cisco's web site
       <URL:http://www.cisco.com>.

EXAMPLE - CONFIGURING JUNIPER ROUTER

       Juniper supports flow exports by the routing engine sampling packet
       headers and aggregating them into flows. Packet sampling is done by
       defining a firewall filter to accept and sample all traffic, applying
       that filter to the interface, then configuring the sampling forwarding
       option.

       interfaces {
           ge-0/3/0 {
               unit 0 {
                   family inet {
                       filter {
                           input all;
                           output all;
                       }
                       address 10.0.0.1/24;
                   }
               }
           }
       }

       firewall {
           filter all {
               term all {
                   then {
                       sample;
                       accept;
                   }
               }
           }
       }

       forwarding-options {
           sampling {
               input {
                   family inet {
                       rate 100;
                   }
               }
               output {
                   cflowd 10.0.0.100 {
                       port 9800;
                       version 5;
                   }
               }
           }
       }

       Other options exist such as aggregated flows which are detailed at
       <URL:http://www.juniper.net>.
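       The IOS configuration (ip flow-export version 5) and the Juniper
       configuration (cflowd ... version 5) both send the same NetFlow v5
       wire format to the collector on 10.0.0.100, which has to decode it and
       refuse datagrams that are not self-consistent. The following Python is
       an added example, not flow-tools code: it builds and parses v5
       datagrams using Cisco's published 24-byte header / 48-byte record
       layout, rejects a datagram whose length disagrees with its record
       count, splits the sampling_interval field into mode and rate, and
       counts flows missed between consecutive datagrams from the same engine
       via flow_sequence. The sample records and their addresses are
       constructed for the topology used later on this page.

```python
"""Build and parse NetFlow v5 export datagrams.

Added example, not part of flow-tools.  Sample records are constructed."""
import struct
from ipaddress import IPv4Address

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
V5_HEADER = struct.Struct("!HHIIIIBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id",
                 "sampling_interval")

# v5 flow record (48 bytes); field names follow Cisco's documentation.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
ADDR_FIELDS = {"srcaddr", "dstaddr", "nexthop"}
MAX_RECORDS = 30          # a v5 datagram carries at most 30 records


def build_v5(records, flow_sequence=0, sys_uptime=0, unix_secs=0,
             engine_id=0, sampling_interval=0):
    """Exporter side: serialise 1..30 record dicts into one datagram."""
    if not 1 <= len(records) <= MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                            flow_sequence, 0, engine_id, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(*[IPv4Address(r.get(k, 0)).packed if k in ADDR_FIELDS
                         else r.get(k, 0) for k in RECORD_FIELDS])
        for r in records)
    return header + body


def parse_v5(datagram):
    """Collector side: validate and decode one datagram.

    Never trust the count field beyond what the datagram actually holds."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram)))
    if header["version"] != 5:
        raise ValueError("not NetFlow v5: version %d" % header["version"])
    if not 1 <= header["count"] <= MAX_RECORDS:
        raise ValueError("bad record count %d" % header["count"])
    if len(datagram) != V5_HEADER.size + header["count"] * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    # Upper 2 bits hold the sampling mode, lower 14 bits the interval (1 in N).
    header["sampling_mode"] = header["sampling_interval"] >> 14
    header["sampling_rate"] = header["sampling_interval"] & 0x3FFF
    records = []
    for n in range(header["count"]):
        raw = V5_RECORD.unpack_from(datagram,
                                    V5_HEADER.size + n * V5_RECORD.size)
        records.append({k: str(IPv4Address(v)) if k in ADDR_FIELDS else v
                        for k, v in zip(RECORD_FIELDS, raw)})
    return header, records


def flows_missed(prev_header, header):
    """Flows lost between two consecutive datagrams from the same engine.

    flow_sequence counts every flow exported before this datagram, so the
    next datagram should start at previous sequence + previous count."""
    expected = (prev_header["flow_sequence"] + prev_header["count"]) & 0xFFFFFFFF
    return (header["flow_sequence"] - expected) & 0xFFFFFFFF


# Constructed sample flows through router R: a Sales web session leaving via
# ISP-A (ifIndex 2) and a Marketing SMTP connection leaving via ISP-B (1).
SAMPLE_RECORDS = [
    dict(srcaddr="10.1.4.20", dstaddr="192.0.2.10", nexthop="10.1.2.2",
         input=4, output=2, dPkts=10, dOctets=1500, first=1000, last=1200,
         srcport=40001, dstport=80, tcp_flags=0x1b, prot=6, src_mask=24),
    dict(srcaddr="10.1.3.25", dstaddr="198.51.100.25", nexthop="10.1.1.2",
         input=3, output=1, dPkts=20, dOctets=4000, first=1100, last=1300,
         srcport=40002, dstport=25, tcp_flags=0x1b, prot=6, src_mask=24),
]

if __name__ == "__main__":
    # mode 1, 1-in-100 sampling, as the Juniper configuration above would set
    dg = build_v5(SAMPLE_RECORDS, flow_sequence=100,
                  sampling_interval=(1 << 14) | 100)
    hdr, recs = parse_v5(dg)
    print(hdr)
    for rec in recs:
        print(rec)
```

       A real collector additionally keys flows_missed by exporter address
       and engine_id, because the CatIOS case above delivers two independent
       sequence spaces from the same chassis.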

EXAMPLE - NETWORK TOPOLOGY AND FLOW.ACL

       The network topology and flow.acl will be used for many of the examples
       that follow. Flows are collected and stored in /flows/R.


                             ISP-A       ISP-B
                               +           +
                                +         +
                  IP=10.1.2.1/24 +       + IP=10.1.1.1/24
                       ifIndex=2  +     +  ifIndex=1
             interface=serial1/1   +   +   interface=serial0/0
                                   -----
                                   | R | Campus Router
                                   -----
                                   +   +
                 IP=10.1.4.1/24   +     +   IP=10.1.3.1/24
                      ifIndex=4  +       +  ifIndex=3
          interface=Ethernet1/1 +         + interface=Ethernet0/0
                               +           +
                             Sales      Marketing


       ip access-list standard sales permit 10.1.4.0 0.0.0.255
       ip access-list standard not_sales deny 10.1.4.0 0.0.0.255
       ip access-list standard marketing permit 10.1.3.0 0.0.0.255
       ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255
       ip access-list standard campus permit 10.1.4.0 0.0.0.255
       ip access-list standard campus permit 10.1.3.0 0.0.0.255
       ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
       ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
       ip access-list standard evil_hacket permit host 10.6.6.6
       ip access-list standard spoofer permit host 10.9.9.9
       ip access-list standard multicast permit 224.0.0.0 15.255.255.255


EXAMPLE - FINDING SPOOFED ADDRESSES

       A common problem on the Internet is the use of "spoofed" source
       addresses (addresses that are not assigned to the organization sending
       them) in DoS attacks or in compromising servers that rely on the source
       IP address for authentication. In the flow-filter commands below -I
       selects the output ifIndex and -i the input ifIndex, so -I1,2 matches
       traffic leaving toward the ISPs and -i1,2 traffic arriving from them.

       Display all flow records that originate from the campus and are sent to
       the Internet but do not carry a campus source address.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-print

       Summary of the destinations of the internally spoofed addresses sorted
       by octets.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2

       Summary of the sources of the internally spoofed addresses sorted by
       flows.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f9 -S1

       Summary of the internally spoofed source and destination pairs sorted
       by packets.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f10 -S4

       Display all flow records that originate external to the campus but
       carry campus source addresses. Many times these are attackers trying to
       exploit host based authentication mechanisms like the unix r* commands.
       Another common source is mobile clients which send packets with their
       campus addresses before obtaining a valid IP.

       flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-print

       Summary of the destinations of the externally spoofed addresses sorted
       by octets.

       flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-stat -f8 -S2


EXAMPLE - LOCATE HOSTS USING OR RUNNING SERVICES

       Find all campus SMTP servers active during the collection period, that
       is, hosts that opened SMTP connections to the Internet. Summarize by
       source address sorted by octets.

       flow-cat /flows/R | flow-filter -I1,2 -P25 | flow-stat -f9 -S2

       Find all outbound NNTP connections to the Internet. Summarize with
       source and destination IP sorted by octets.

       flow-cat /flows/R | flow-filter -I1,2 -P119 | flow-stat -f10 -S3

       Find all inbound NNTP connections from the Internet. Summarize with
       source and destination IP sorted by octets.

       flow-cat /flows/R | flow-filter -i1,2 -P119 | flow-stat -f10 -S3


EXAMPLE - MULTICAST USAGE

       Summarize Multicast S,G where sources are on campus.

       flow-cat /flows/R | flow-filter -Dmulticast -I1,2 | flow-stat -f10 -S3

       Summarize Multicast S,G where sources are off campus.

       flow-cat /flows/R | flow-filter -Dmulticast -i1,2 | flow-stat -f10 -S3

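       The pipelines in the spoofed-address, services and multicast sections
       above all combine a source or destination ACL from flow.acl, an input
       or output ifIndex list and a destination port, then aggregate with
       flow-stat. The following Python is an added example, not flow-tools
       code, that re-implements that subset of flow-filter and flow-stat over
       constructed flow records so the logic of each pipeline can be checked
       offline. It assumes standard-ACL semantics (first match wins, implicit
       deny at the end), so its constructed copy of flow.acl ends each not_*
       list with "permit any"; whether flow-filter itself treats an unmatched
       address as denied is not stated on this page. The -S sort column
       follows the numbering the examples above use (index into the printed
       row, counting from 0); the parser also rejects an entry that lacks a
       permit/deny keyword, the defect the original multicast line had.

```python
"""Offline emulation of the flow-filter / flow-stat pipelines above.

Added example, not flow-tools code; ACL copy and flow records are constructed."""
from ipaddress import IPv4Address

# Constructed copy of the page's flow.acl.  Each not_* list gets a trailing
# 'permit any' so that, with an implicit deny at the end of a standard ACL,
# it matches exactly the addresses its name suggests.
FLOW_ACL = """
ip access-list standard sales permit 10.1.4.0 0.0.0.255
ip access-list standard not_sales deny 10.1.4.0 0.0.0.255
ip access-list standard not_sales permit any
ip access-list standard marketing permit 10.1.3.0 0.0.0.255
ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255
ip access-list standard not_marketing permit any
ip access-list standard campus permit 10.1.4.0 0.0.0.255
ip access-list standard campus permit 10.1.3.0 0.0.0.255
ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
ip access-list standard not_campus permit any
ip access-list standard evil_hacket permit host 10.6.6.6
ip access-list standard spoofer permit host 10.9.9.9
ip access-list standard multicast permit 224.0.0.0 15.255.255.255
"""


def parse_flow_acl(text):
    """'ip access-list standard NAME permit|deny ADDR [WILDCARD]' lines into
    {name: [(permit, addr_int, wildcard_int), ...]}; 'host' and 'any' accepted."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[:3] != ["ip", "access-list", "standard"]:
            continue
        name, action, rest = parts[3], parts[4], parts[5:]
        if action not in ("permit", "deny"):
            raise ValueError("missing permit/deny keyword: " + line)
        if rest[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wild = rest[1], "0.0.0.0"
        else:
            addr, wild = rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"
        acls.setdefault(name, []).append(
            (action == "permit", int(IPv4Address(addr)), int(IPv4Address(wild))))
    return acls


def acl_permits(acl, ip):
    """First matching entry decides; no match means deny.  Wildcard bits set
    to 1 are 'don't care', as in IOS."""
    n = int(IPv4Address(ip))
    for permit, addr, wild in acl:
        if ((n ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return permit
    return False


def flow_filter(flows, acls, S=None, D=None, i=(), I=(), P=None):
    """Subset of flow-filter: -S/-D source/destination ACL name,
    -i/-I input/output ifIndex list, -P destination port."""
    keep = []
    for f in flows:
        if S and not acl_permits(acls[S], f["src"]):
            continue
        if D and not acl_permits(acls[D], f["dst"]):
            continue
        if i and f["input"] not in i:
            continue
        if I and f["output"] not in I:
            continue
        if P is not None and f["dstport"] != P:
            continue
        keep.append(f)
    return keep


def flow_stat(flows, f, S):
    """Subset of flow-stat: -f8 per destination, -f9 per source, -f10 per
    source/destination pair.  Rows are key(s), flows, octets, packets;
    -S picks the row column to sort by, descending."""
    key = {8: lambda r: (r["dst"],), 9: lambda r: (r["src"],),
           10: lambda r: (r["src"], r["dst"])}[f]
    totals = {}
    for r in flows:
        t = totals.setdefault(key(r), [0, 0, 0])
        t[0] += 1
        t[1] += r["octets"]
        t[2] += r["pkts"]
    rows = [list(k) + t for k, t in totals.items()]
    rows.sort(key=lambda row: row[S], reverse=True)
    return rows


ACLS = parse_flow_acl(FLOW_ACL)

# Constructed flows through R (ifIndex 1,2 = ISPs, 3 = Marketing, 4 = Sales):
# legitimate Sales web traffic, three internally spoofed flows from 10.9.9.9,
# an externally spoofed flow claiming a Marketing address on the ISP-A link,
# a legitimate inbound reply, outbound SMTP, and a campus multicast source.
FLOWS = [
    dict(src="10.1.4.20", dst="192.0.2.10", input=4, output=2, dstport=80, pkts=10, octets=1500),
    dict(src="10.9.9.9", dst="198.51.100.5", input=3, output=1, dstport=80, pkts=100, octets=6400),
    dict(src="10.9.9.9", dst="198.51.100.5", input=3, output=1, dstport=80, pkts=50, octets=3200),
    dict(src="10.9.9.9", dst="203.0.113.7", input=4, output=2, dstport=53, pkts=5, octets=400),
    dict(src="10.1.3.99", dst="10.1.4.50", input=2, output=4, dstport=513, pkts=3, octets=180),
    dict(src="192.0.2.10", dst="10.1.4.20", input=2, output=4, dstport=40001, pkts=8, octets=1200),
    dict(src="10.1.3.25", dst="198.51.100.25", input=3, output=1, dstport=25, pkts=20, octets=4000),
    dict(src="10.1.4.7", dst="239.1.1.1", input=4, output=1, dstport=5004, pkts=500, octets=50000),
]

if __name__ == "__main__":
    # flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2
    for row in flow_stat(flow_filter(FLOWS, ACLS, S="not_campus", I=(1, 2)), 8, 2):
        print(row)
```

       Run against the constructed records, the internally spoofed pipeline
       keeps only the three 10.9.9.9 flows, the externally spoofed one keeps
       only the 10.1.3.99 flow arriving on ifIndex 2, and the multicast
       pipeline reports the single campus S,G pair.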

EXAMPLE - FIND SCANNERS

       Find SMTP scanners with flow-dscan. This will also find SMTP clients
       which try to contact many servers, a behavior characteristic of a
       recent worm targeting Microsoft Windows hosts. flow-dscan reads its
       source and destination suppress lists from dscan.suppress.src and
       dscan.suppress.dst in the current directory, so they are created
       empty first.

       touch dscan.suppress.src dscan.suppress.dst

       flow-cat /flows/R | flow-filter -P25 | flow-dscan -b


AUTHOR

       Mark Fullmer <maf@splintered.net>

SEE ALSO

       flow-tools(1)



                                26 August 2010          FLOW-TOOLS-EXAMPLES(1)