flow-dscan(1)                                General Commands Manual                               flow-dscan(1)

NAME

       flow-dscan — Detect scanning and other suspicious network activity.

SYNOPSIS

       flow-dscan  [-bBhlmpwW]   [-d  debug_level]   [-D  iplist_depth]  [-s state_file]  [-i input_filter]  [-L
       suppress_list]  [-o output_filter]  [-O excessive_octets]  [-P excessive_flows]   [-S  port_scan_trigger]
       [-t ager_timeout]

DESCRIPTION

       The  flow-dscan  utility  is used to detect suspicious activity such as port scanning, host scanning, and
       flows with unusually high octets or packets.  A source and destination suppress list is supported to help
       prevent false alarms due to hosts such as nameservers or popular web servers that exchange traffic with a
       large number of hosts.  Alarms are logged to syslog or stderr.  The internal state of flow-dscan  can  be
       saved and loaded to allow for interrupted operation.

       flow-dscan will work best if configured to only watch only inbound or outbound traffic by using the input
       or output interface filter option.

       The  host  scanner  works  by counting the length of the destination IP hash chain.  If it goes above 64,
       then the src is considered to be scanning.

       The port scanner works by keeping a bitmap of the destination port number < 1024 per destination IP.   If
       it goes above 64, the src is considered to be port scanning the destination.

       When  a  src  has been flagged as scanning it will not be reported again until the record is aged out and
       enough flows trigger it again.

       A SIGHUP signal will instruct flow-dscan to reload the suppress list.

       A SIGUSR1 signal will instruct flow-dscan to dump its internal state.

OPTIONS

       -b        Do not detach and run in the background.  Alerts go to stderr.

       -B        Do not detach and run in the background.  Alerts go to syslog.

       -d debug_level
                 Enable debugging.

       -D iplist_depth
                 Depth of IP host list for detecting host scanning.

       -h        Display help.

       -i input_filter
                 Input interface filter list.

       -I output_filter
                 Output interface filter list.

       -l        Load state from /var/tmp/dscan.state or the filename specified with -s.

       -L suppress_list
                 Basename of suppress files.  There are two suppress files for input and  output  traffic.   The
                 suppress file syntax is

                 IP_address protocol source_port destination_port

                 A  '-'  can  be  used  as a wildcard in the protocol, source_port, and destination_port fields.
                 Only a single protocol, source_port, and destination_port is supported per IP address.

       -m        Multicast address filter.  Use to ignore multicast addresses.

       -O excessive_octets
                 Trigger an alert if a flow is processed with the octets field exceeding excessive_octets.

       -p        Dump state to /var/tmp/dscan.state or the filename specified with -s.

       -P excessive_packets
                 Trigger an alert if a flow is processed with the packets field exceeding excessive_packets.

       -s statefile
                 State filename.  Defaults to /var/tmp/dscan.state

       -S port_scan_trigger
                 Number of ports a IP address must have used to be considered scanning.

       -t ager_timeout
                 How long to keep flows around.  Default to 90000.  This is measured in flows processed.

       -T excessive_time
                 Trigger an alert if a flow is processed with the End-Start field exceeding excessive_time.

       -w        Filter (ignore) candidate  inbound  www  traffic,  ie  IP  protocol  6,  source  port  80,  and
                 destination port > 1023.

       -W        Filter  (ignore)  candidate  outbound  www  traffic, ie IP protocol 6, destination port 80, and
                 source  port > 1023.

EXAMPLES

       In a topology where 25 is the only output interface run flow-dscan over the data in /flows/krc4.   Ignore
       www  and multicast traffic, store the internal state in dscan.statefile on exit.  Use empty suppress list
       files dscan.suppress.src and dscan.suppress.dst.  The output produced by  flow-dscan  typically  must  be
       manually  inspected  by  using  flow-filter  and  flow-print.  Many of the alerts will be false until the
       suppress lists are populated for the local environment.

         flow-cat /flows/krc4 | flow-dscan -I25 -b -m -s dscan.statefile -p -W

BUGS

       The ager should automatically become more aggressive when a low memory condition exists.

       There is no upper limit on the number of records that can be allocated.  If the ager is not running often
       enough the host will be run out of memory.

AUTHOR

       Mark Fullmer maf@splintered.net

SEE ALSO

       flow-tools(1)

                                                                                                   flow-dscan(1)