As a big believer in flow/session data collection in all NIDS locations, it is only right that there be an easy way to do so at home without putting a full-time IDS in place. So with a trusty Linksys router re-flashed with DD-WRT, an extra package installed on the router, and a suite of flow collection/analysis tools on your primary Linux desktop, we can easily achieve this.
On your Linksys:
- First things first. In this scenario we re-flashed a Linksys router with DD-WRT, following these instructions.
- Next, via the DD-WRT web interface, we enabled JFFS2 support and SSH located in subsections of the Administration tab.
- Moving on, update your ipkg configuration with: ipkg update. Then install fprobe via ipkg: ipkg install fprobe.
- Finally, add a shell script at /jffs/etc/config/fprobe.startup, make it executable (chmod 700 fprobe.startup) and reboot your router. The file should contain the following command: fprobe -i br0 -f ip 192.168.1.100:9801
- -i specifies the interface you are interested in watching flows on. I chose my internal interface.
- -f specifies a bpf filter. In this scenario, I chose to create flow records for IP traffic only.
- IP:Port is the remote IP address and UDP port that your flow collector listens on; this is set up later on your desktop Linux box.
- On your Linux desktop, install flow-tools from here. All that is needed is the standard ./configure; make; make install. One caveat to watch out for: if you use gcc 4.x, you need the patch available where you downloaded the tarball.
- Create a directory to store your flow data: mkdir -p /data/flows/internal
- If you run IPTables or some other host-based firewall, make sure to allow UDP 9801 connections from your router.
- Finally, run the following command, and also add it to your system startup (via /etc/rc.local, for example): /usr/local/netflow/bin/flow-capture 192.168.1.100/192.168.1.1/9801 -w /data/flows/internal
- The address argument is in local/remote/port form: the local IP address of the interface you want the collector to listen on, then the address of the flow probe (the router), followed by the UDP port to use.
- -w tells flow-capture to write its flow files to that directory. By default, flow-capture starts a new file for every 15 minute chunk of time.
Using flow-print:
flow-print < ft-v05.2007-09-11.080001-0400
The above command prints the records contained in that particular flow file. The columns are srcIP/dstIP/protocol/srcPort/dstPort/octets/packets; octets is the equivalent of bytes. This is your standard session/flow data.
Adding a "-f 1" flag will produce timestamps among other things. The -f flag selects among numerous report formats with additional columns, etc.
On a sidenote, standard *nix tools such as awk and grep can be very useful for pulling data out of plain old dumps of the flow records.
Using flow-cat and flow-stat:
Much like Argus, flow-tools lets you chain its various utilities together to get the output you want.
flow-cat ft-v05.2007-09-11.0* | flow-stat -f9 -S2
In the above set of commands, flow-cat is used to concatenate all the files whose names match that pattern. The resulting output is passed to flow-stat for crunching and displaying. The flow-stat command generates reports, taking a report format via the -f flag and sort options via -S and -s. Our example asks for a report keyed on the Source IP address, sorted on the Octet (i.e. Bytes) field (have a look at the man page for flow-stat to see all the various options). Thus, we now have detailed output from all those files, showing the *noisiest* source hosts ranked by most bytes transferred.
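As an added example (not from the original post or the flow-tools project), the POSIX shell/awk snippet below reproduces the same top-talkers report from plain flow-print text, so you can see what flow-stat -f9 -S2 is computing and how the awk approach from the earlier sidenote applies. The flow lines are a constructed sample in the column layout described above; in practice they would come from flow-cat ft-v05.* | flow-print.

```shell
#!/bin/sh
# Constructed sample of flow-print output (srcIP dstIP prot srcPort dstPort
# octets packets); real data would come from: flow-cat ft-v05.* | flow-print
SAMPLE_FLOWS='srcIP            dstIP            prot  srcPort  dstPort  octets      packets
192.168.1.100    10.0.0.5         6     45012    80       18234       42
192.168.1.100    10.0.0.5         6     45013    443      905120      890
192.168.1.101    10.0.0.9         17    51000    53       120         1
192.168.1.102    10.0.0.5         6     40001    22       3100        20
192.168.1.101    10.0.0.9         6     51001    80       56000       66'

# Equivalent of "flow-stat -f9 -S2" over flow-print text read from stdin:
# per source IP, count flows and sum octets and packets, then sort so the
# source that moved the most bytes comes first.
# Output columns: srcIP flows octets packets
top_talkers() {
    awk 'NR > 1 && NF >= 7 {
            flows[$1]++; oct[$1] += $6; pkt[$1] += $7
         }
         END {
            for (ip in oct) printf "%s %d %d %d\n", ip, flows[ip], oct[ip], pkt[ip]
         }' | sort -k3,3nr
}

# Number of distinct destination ports each source talked to. On a home
# network a host that suddenly fans out to dozens of ports stands out here
# long before any per-flow detail is needed.
# Output columns: srcIP distinct_dst_ports
dst_port_fanout() {
    awk 'NR > 1 && NF >= 7 && !seen[$1 FS $5]++ { ports[$1]++ }
         END { for (ip in ports) printf "%s %d\n", ip, ports[ip] }' | sort -k2,2nr
}

# Plain grep/awk filtering, as in the sidenote: all flows to one destination port.
flows_to_port() {
    awk -v port="$1" 'NR > 1 && $5 == port { print $1, "->", $2, $6 " octets" }'
}

printf '%s\n' "$SAMPLE_FLOWS" | top_talkers
printf '%s\n' "$SAMPLE_FLOWS" | dst_port_fanout
printf '%s\n' "$SAMPLE_FLOWS" | flows_to_port 80
```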
Utilizing your desktop and a router, things you probably already have at home, you too can watch/collect/analyze flow data to keep a watchful eye on your network - without deploying a dedicated NIDS or NSM sensor.