flow-dscan(1)               General Commands Manual              flow-dscan(1)
2
3
4

NAME
6       flow-dscan — Detect scanning and other suspicious network activity.
7

SYNOPSIS
9       flow-dscan   [-bBhlmpwW]   [-d  debug_level]   [-D  iplist_depth]   [-s
10       state_file]  [-i input_filter]  [-L suppress_list]  [-o  output_filter]
11       [-O  excessive_octets]   [-P  excessive_flows]   [-S port_scan_trigger]
12       [-t ager_timeout]
13

DESCRIPTION
15       The flow-dscan utility is used to detect suspicious  activity  such  as
16       port  scanning,  host scanning, and flows with unusually high octets or
17       packets.  A source and destination suppress list is supported  to  help
18       prevent  false  alarms  due to hosts such as nameservers or popular web
19       servers that exchange traffic with a large number of hosts.  Alarms are
20       logged  to  syslog  or stderr.  The internal state of flow-dscan can be
21       saved and loaded to allow for interrupted operation.
22
23       flow-dscan will work best if configured to only watch only  inbound  or
24       outbound traffic by using the input or output interface filter option.
25
26       The  host  scanner  works  by counting the length of the destination IP
27       hash chain.  If it goes above 64, then the  src  is  considered  to  be
28       scanning.
29
30       The port scanner works by keeping a bitmap of the destination port num‐
31       ber < 1024 per destination IP.  If it goes above 64, the src is consid‐
32       ered to be port scanning the destination.
33
34       When  a  src has been flagged as scanning it will not be reported again
35       until the record is aged out and enough flows trigger it again.
36
37       A SIGHUP signal will instruct flow-dscan to reload the suppress list.
38
39       A SIGUSR1 signal will instruct flow-dscan to dump its internal state.
40

OPTIONS
42       -b        Do not detach and  run  in  the  background.   Alerts  go  to
43                 stderr.
44
45       -B        Do  not  detach and run in the background.  Alerts go to sys‐
46                 log.
47
48       -d debug_level
49                 Enable debugging.
50
51       -D iplist_depth
52                 Depth of IP host list for detecting host scanning.
53
54       -h        Display help.
55
56       -i input_filter
57                 Input interface filter list.
58
59       -I output_filter
60                 Output interface filter list.
61
62       -l        Load state from /var/tmp/dscan.state or the  filename  speci‐
63                 fied with -s.
64
65       -L suppress_list
66                 Basename of suppress files.  There are two suppress files for
67                 input and output traffic.  The suppress file syntax is
68
69                 IP_address protocol source_port destination_port
70
71                 A '-' can be used as a wildcard in the protocol, source_port,
72                 and   destination_port   fields.   Only  a  single  protocol,
73                 source_port,  and  destination_port  is  supported   per   IP
74                 address.
75
76       -m        Multicast address filter.  Use to ignore multicast addresses.
77
78       -O excessive_octets
79                 Trigger an alert if a flow is processed with the octets field
80                 exceeding excessive_octets.
81
82       -p        Dump state to /var/tmp/dscan.state or the filename  specified
83                 with -s.
84
85       -P excessive_packets
86                 Trigger  an  alert  if  a  flow is processed with the packets
87                 field exceeding excessive_packets.
88
89       -s statefile
90                 State filename.  Defaults to /var/tmp/dscan.state
91
92       -S port_scan_trigger
93                 Number of ports a IP address must have used to be  considered
94                 scanning.
95
96       -t ager_timeout
97                 How  long  to  keep flows around.  Default to 90000.  This is
98                 measured in flows processed.
99
100       -T excessive_time
101                 Trigger an alert if a flow is processed  with  the  End-Start
102                 field exceeding excessive_time.
103
104       -w        Filter (ignore) candidate inbound www traffic, ie IP protocol
105                 6, source port 80, and destination port > 1023.
106
107       -W        Filter (ignore) candidate outbound www traffic, ie IP  proto‐
108                 col 6, destination port 80, and source  port > 1023.
109

EXAMPLES
111       In a topology where 25 is the only output interface run flow-dscan over
112       the data in /flows/krc4.  Ignore www and multicast traffic,  store  the
113       internal  state  in  dscan.statefile  on exit.  Use empty suppress list
114       files dscan.suppress.src and dscan.suppress.dst.  The  output  produced
115       by flow-dscan typically must be manually inspected by using flow-filter
116       and flow-print.  Many of the alerts will be false  until  the  suppress
117       lists are populated for the local environment.
118
119         flow-cat /flows/krc4 | flow-dscan -I25 -b -m -s dscan.statefile -p -W
120

BUGS
122       The  ager should automatically become more aggressive when a low memory
123       condition exists.
124
125       There is no upper limit on the number of records that can be allocated.
126       If  the  ager  is  not running often enough the host will be run out of
127       memory.
128

AUTHOR
130       Mark Fullmer maf@splintered.net
131

SEE ALSO
133       flow-tools(1)
134
135
136
137                                                                 flow-dscan(1)



        

    


            
        

        

            Impressum