flow-dscan(1)                        General Commands Manual                        flow-dscan(1)

NAME

       flow-dscan — Detect scanning and other suspicious network activity.

SYNOPSIS

       flow-dscan   [-bBhlmpwW]   [-d  debug_level]   [-D  iplist_depth]   [-s  state_file]   [-i
       input_filter]   [-L  suppress_list]   [-o  output_filter]   [-O   excessive_octets]    [-P
       excessive_flows]  [-S port_scan_trigger]  [-t ager_timeout]

DESCRIPTION

       The  flow-dscan  utility is used to detect suspicious activity such as port scanning, host
       scanning, and flows with unusually high octets  or  packets.   A  source  and  destination
       suppress  list  is supported to help prevent false alarms due to hosts such as nameservers
       or popular web servers that exchange traffic with a large number  of  hosts.   Alarms  are
       logged  to  syslog or stderr.  The internal state of flow-dscan can be saved and loaded to
       allow for interrupted operation.

       flow-dscan will work best if configured to only watch only inbound or outbound traffic  by
       using the input or output interface filter option.

       The  host  scanner  works  by counting the length of the destination IP hash chain.  If it
       goes above 64, then the src is considered to be scanning.

       The port scanner works by keeping a bitmap of the  destination  port  number  <  1024  per
       destination  IP.   If  it  goes  above  64,  the src is considered to be port scanning the
       destination.

       When a src has been flagged as scanning it will not be reported again until the record  is
       aged out and enough flows trigger it again.

       A SIGHUP signal will instruct flow-dscan to reload the suppress list.

       A SIGUSR1 signal will instruct flow-dscan to dump its internal state.

OPTIONS

       -b        Do not detach and run in the background.  Alerts go to stderr.

       -B        Do not detach and run in the background.  Alerts go to syslog.

       -d debug_level
                 Enable debugging.

       -D iplist_depth
                 Depth of IP host list for detecting host scanning.

       -h        Display help.

       -i input_filter
                 Input interface filter list.

       -I output_filter
                 Output interface filter list.

       -l        Load state from /var/tmp/dscan.state or the filename specified with -s.

       -L suppress_list
                 Basename  of  suppress files.  There are two suppress files for input and output
                 traffic.  The suppress file syntax is

                 IP_address protocol source_port destination_port

                 A  '-'  can  be  used  as  a  wildcard  in  the   protocol,   source_port,   and
                 destination_port   fields.    Only   a   single   protocol,   source_port,   and
                 destination_port is supported per IP address.

       -m        Multicast address filter.  Use to ignore multicast addresses.

       -O excessive_octets
                 Trigger an alert if  a  flow  is  processed  with  the  octets  field  exceeding
                 excessive_octets.

       -p        Dump state to /var/tmp/dscan.state or the filename specified with -s.

       -P excessive_packets
                 Trigger  an  alert  if  a  flow  is  processed  with the packets field exceeding
                 excessive_packets.

       -s statefile
                 State filename.  Defaults to /var/tmp/dscan.state

       -S port_scan_trigger
                 Number of ports a IP address must have used to be considered scanning.

       -t ager_timeout
                 How long to keep flows around.  Default to 90000.  This  is  measured  in  flows
                 processed.

       -T excessive_time
                 Trigger  an  alert  if  a  flow  is processed with the End-Start field exceeding
                 excessive_time.

       -w        Filter (ignore) candidate inbound www traffic, ie IP protocol 6, source port 80,
                 and destination port > 1023.

       -W        Filter  (ignore)  candidate  outbound www traffic, ie IP protocol 6, destination
                 port 80, and source  port > 1023.

EXAMPLES

       In a topology where 25 is the only output  interface  run  flow-dscan  over  the  data  in
       /flows/krc4.    Ignore   www   and   multicast   traffic,  store  the  internal  state  in
       dscan.statefile  on  exit.   Use  empty  suppress  list   files   dscan.suppress.src   and
       dscan.suppress.dst.   The  output  produced  by  flow-dscan  typically  must  be  manually
       inspected by using flow-filter and flow-print.  Many of the alerts will be false until the
       suppress lists are populated for the local environment.

         flow-cat /flows/krc4 | flow-dscan -I25 -b -m -s dscan.statefile -p -W

BUGS

       The ager should automatically become more aggressive when a low memory condition exists.

       There  is  no  upper limit on the number of records that can be allocated.  If the ager is
       not running often enough the host will be run out of memory.

AUTHOR

       Mark Fullmer maf@splintered.net

SEE ALSO

       flow-tools(1)

                                                                                    flow-dscan(1)