Provided by: flow-tools_0.68-12.3build2_amd64

flow-tools-examples(1)                       General Commands Manual                      flow-tools-examples(1)

NAME

       flow-tools-examples — Example usage of flow-tools.

EXAMPLE - Configuring Cisco IOS Router

       NetFlow is configured on each input interface, then global commands are used to specify the export
       destination.  To ensure a consistent source address, Loopback0 is configured as the export source.

       ip cef distributed
       ip flow-export version 5 origin-as
       ip flow-export destination 10.0.0.100 5004
       ip flow-export source Loopback0

       interface Loopback0
        ip address 10.1.1.1 255.255.255.255

       interface FastEthernet0/1/0
        ip address 10.0.0.1 255.255.255.0
        no ip directed-broadcast
        ip route-cache flow
        ip route-cache distributed

       Many other options exist such as aggregated NetFlow and sampled NetFlow which are detailed at
       http://www.cisco.com.

EXAMPLE - Configuring Cisco CatIOS Switch

       Some Cisco Catalyst switches support a different implementation of NetFlow that is performed on the
       supervisor.  With the cache based forwarding model which is implemented in the Catalyst 55xx with Route
       Switch Module (RSM) and NetFlow Feature Card (NFFC), the RSM processes the first flow and the remaining
       packets in the flow are forwarded by the Supervisor.  This is also implemented in the early versions of
       the 65xx with MSFC.  The deterministic forwarding model used in the 65xx with MSFC2 does not use NetFlow
       to determine the forwarding path; the flow cache is only used for statistics, as in the current IOS
       implementations.  In all of the above configurations flow exports arrive from both the RSM/MSFC and
       the Supervisor engines as distinct streams.  In the worst case the RSM exports in version 5 and the
       Supervisor exports in version 7.  Fortunately flow-capture and flow-receive can sort all this out by
       processing flows from both sources and converting them to a common export format.

       The router side running IOS is configured identically to the example given  above.   The  CatIOS  NetFlow
       Data Export configuration follows:

       set mls flow full
       set mls nde version 7
       set mls nde 10.0.0.1 9800
       set mls nde enable

       When the 65xx is running in Native mode, from a user's perspective the switch is only running IOS.

       More detailed examples can be found on Cisco's web site, http://www.cisco.com.

EXAMPLE - Configuring Juniper Router

       Juniper  supports  flow  exports  by the routing engine sampling packet headers and aggregating them into
       flows.  Packet sampling is done by defining a firewall filter to accept and sample all traffic,  applying
       that rule to the interface, then configuring the sampling forwarding option.

       interfaces {
           ge-0/3/0 {
               unit 0 {
                   family inet {
                       filter {
                           input all;
                           output all;
                       }
                       address 10.0.0.1/24;
                   }
               }
           }
       }

       firewall {
           filter all {
               term all {
                   then {
                       sample;
                       accept;
                   }
               }
           }
       }

       forwarding-options {
           sampling {
               input {
                   family inet {
                       rate 100;
                   }
               }
               output {
                   cflowd 10.0.0.100 {
                       port 9800;
                       version 5;
                   }
               }
           }
       }

       Other options exist such as aggregated flows which are detailed at http://www.juniper.net.

EXAMPLE - Network topology and flow.acl

       The network topology and flow.acl will be used for many of the examples that follow.  Flows are collected
       and stored in /flows/R.

                               ISP-A       ISP-B
                                +           +
                                 +         +
                   IP=10.1.2.1/24 +       + IP=10.1.1.1/24
                        ifIndex=2  +     +  ifIndex=1
              interface=serial1/1   +   +   interface=serial0/0
                                    -----
                                    | R | Campus Router
                                    -----
                                    +   +
                  IP=10.1.4.1/24   +     +   IP=10.1.3.1/24
                       ifIndex=4  +       +  ifIndex=3
           interface=Ethernet1/1 +         + interface=Ethernet0/0
                                +           +
                              Sales      Marketing

       ip access-list standard sales permit 10.1.4.0 0.0.0.255
       ip access-list standard not_sales deny 10.1.4.0 0.0.0.255
       ip access-list standard marketing permit 10.1.3.0 0.0.0.255
       ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255
       ip access-list standard campus permit 10.1.4.0 0.0.0.255
       ip access-list standard campus permit 10.1.3.0 0.0.0.255
       ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
       ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
       ip access-list standard evil_hacket permit host 10.6.6.6
       ip access-list standard spoofer permit host 10.9.9.9
       ip access-list standard multicast permit 224.0.0.0 15.255.255.255

EXAMPLE - Finding spoofed addresses

       A common problem on the Internet is the use of "spoofed" addresses (addresses that are not assigned to
       an organization) in DoS attacks or to compromise servers that rely on the source IP address for
       authentication.

       Display  all  flow  records that originate from the campus and are sent to the Internet but are not using
       legal addresses.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-print

       Summary of the destinations of the internally spoofed addresses sorted by octets.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2

       Summary of the sources of the internally spoofed addresses sorted by flows.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f9 -S1

       Summary of the internally spoofed sources and destination pairs sorted by packets.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f10 -S4

       Display all flow records that originate external to the campus that have campus  addresses.   Many  times
       these  can  be  attackers  trying  to exploit host based authentication mechanisms like unix r* commands.
       Another common source is mobile clients which send packets with their campus addresses before obtaining a
       valid IP.

       flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-print

       Summary of the destinations of the externally spoofed addresses sorted by octets.

       flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-stat -f8 -S2
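       The flow.acl matching and the spoofed-address pipelines above, as an added Python example that is not
       part of flow-tools or of this manual page.  It parses standard ACL lines with Cisco wildcard masks,
       selects records the way flow-filter -S/-D, -i/-I and -P do, and aggregates them the way flow-stat -f8
       does.  The ACL text and the flow records are constructed.  One assumption is stated openly: the page's
       not_campus ACL contains only deny lines and depends on what flow-filter does when no entry matches,
       which this example does not reproduce; it applies the Cisco rule that an unmatched address is denied
       and adds an explicit "permit any" to not_campus so the fall-through is visible (the any and host
       keywords are assumed to be accepted as in Cisco standard ACLs).

```python
from collections import defaultdict

def ip_to_int(dotted):
    """Dotted quad -> 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse_flow_acl(text):
    """Parse 'ip access-list standard NAME permit|deny SOURCE' lines, SOURCE being
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.  Returns {name: [(permit, net, wild)]}."""
    acls = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("!"):
            continue                                  # blank line or comment
        if parts[:3] != ["ip", "access-list", "standard"] or len(parts) < 6:
            raise ValueError("unsupported ACL line: %r" % line)
        name, action, src = parts[3], parts[4], parts[5:]
        if action not in ("permit", "deny"):
            raise ValueError("bad action in ACL line: %r" % line)
        if src[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            net, wild = ip_to_int(src[1]), 0
        else:                                         # address with optional wildcard
            net = ip_to_int(src[0])
            wild = ip_to_int(src[1]) if len(src) > 1 else 0
        # Cisco wildcard mask: 1 bits are "don't care", so keep only the fixed bits
        acls[name].append((action == "permit", net & ~wild & 0xFFFFFFFF, wild))
    return dict(acls)

def acl_permits(entries, ip):
    """First matching entry decides; an address matching no entry is denied
    (Cisco rule, assumed here as explained in the lead-in)."""
    for permit, net, wild in entries:
        if (ip & ~wild & 0xFFFFFFFF) == net:
            return permit
    return False

def flow_filter(flows, acls, src_acl=None, dst_acl=None, in_ifs=None, out_ifs=None, dst_port=None):
    """Keep flows permitted by the source ACL (-S), destination ACL (-D), input
    ifIndex list (-i), output ifIndex list (-I) and destination port (-P)."""
    kept = []
    for f in flows:
        if src_acl and not acl_permits(acls[src_acl], ip_to_int(f["src"])):
            continue
        if dst_acl and not acl_permits(acls[dst_acl], ip_to_int(f["dst"])):
            continue
        if in_ifs and f["input"] not in in_ifs:
            continue
        if out_ifs and f["output"] not in out_ifs:
            continue
        if dst_port is not None and f["dport"] != dst_port:
            continue
        kept.append(f)
    return kept

def flow_stat(flows, key_fields, sort_by="octets"):
    """Group by address field(s) (-f8 dst, -f9 src, -f10 src/dst pair), sum
    flows/octets/packets and sort descending on sort_by."""
    totals = defaultdict(lambda: {"flows": 0, "octets": 0, "packets": 0})
    for f in flows:
        t = totals[tuple(f[k] for k in key_fields)]
        t["flows"] += 1
        t["octets"] += f["octets"]
        t["packets"] += f["packets"]
    return sorted(totals.items(), key=lambda kv: kv[1][sort_by], reverse=True)

# Constructed flow.acl: the campus entries from the topology section plus an
# explicit "permit any" so not_campus matches everything outside the campus.
FLOW_ACL = """\
ip access-list standard campus permit 10.1.4.0 0.0.0.255
ip access-list standard campus permit 10.1.3.0 0.0.0.255
ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
ip access-list standard not_campus permit any
ip access-list standard spoofer permit host 10.9.9.9
"""

# Constructed records; ifIndex follows the topology figure (1,2 ISP links,
# 3 Marketing, 4 Sales); off-campus addresses are from documentation ranges.
FLOWS = [
    {"src": "10.1.4.25", "dst": "192.0.2.10", "input": 4, "output": 1, "dport": 80, "packets": 40, "octets": 52000},
    {"src": "10.9.9.9", "dst": "192.0.2.10", "input": 4, "output": 1, "dport": 53, "packets": 900, "octets": 64800},
    {"src": "10.9.9.9", "dst": "198.51.100.7", "input": 3, "output": 2, "dport": 53, "packets": 300, "octets": 21600},
    {"src": "203.0.113.5", "dst": "10.1.3.9", "input": 1, "output": 3, "dport": 25, "packets": 20, "octets": 9000},
    {"src": "10.1.3.77", "dst": "10.1.4.5", "input": 1, "output": 4, "dport": 514, "packets": 5, "octets": 600},
]

def internally_spoofed(flows=FLOWS, acl_text=FLOW_ACL):
    """flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2: flows leaving toward
    the ISP links whose source is not a campus address."""
    acls = parse_flow_acl(acl_text)
    return flow_stat(flow_filter(flows, acls, src_acl="not_campus", out_ifs={1, 2}), ("dst",))

def externally_spoofed(flows=FLOWS, acl_text=FLOW_ACL):
    """flow-filter -Scampus -i1,2 | flow-stat -f8 -S2: flows arriving on the
    ISP links that claim a campus source address."""
    acls = parse_flow_acl(acl_text)
    return flow_stat(flow_filter(flows, acls, src_acl="campus", in_ifs={1, 2}), ("dst",))
```

       With the constructed records, internally_spoofed() reports the two flows from 10.9.9.9 that left on
       the ISP links and drops the legitimate 10.1.4.25 flow, while externally_spoofed() reports only the
       flow that arrived on ifIndex 1 claiming the campus source 10.1.3.77.  Passing ("src", "dst") as
       key_fields gives the -f10 pair report, and sort_by="packets" the -S4 ordering.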

EXAMPLE - Locate hosts using or running services

       Find  all  SMTP  servers  active  during  the  collection period that have established connections to the
       Internet.  Summarize sorted by octets.

       flow-cat /flows/R | flow-filter -I1,2 -P25 | flow-stat -f9 -S2

       Find all outbound NNTP connections to the Internet.  Summarize with source and destination IP  sorted  by
       octets.

       flow-cat /flows/R | flow-filter -I1,2 -P119 | flow-stat -f10 -S3

       Find  all  inbound  NNTP connections to the Internet.  Summarize with source and destination IP sorted by
       octets.

       flow-cat /flows/R | flow-filter -i1,2 -P119 | flow-stat -f10 -S3

EXAMPLE - Multicast usage

       Summarize Multicast S,G where sources are on campus.

       flow-cat /flows/R | flow-filter -Dmulticast -I1,2 | flow-stat -f10 -S3

       Summarize Multicast S,G where sources are off campus.

       flow-cat /flows/R | flow-filter -Dmulticast -i1,2 | flow-stat -f10 -S3

EXAMPLE - Find scanners

       Find SMTP scanners with flow-dscan.  This will also find SMTP clients which try to contact many servers,
       a behavior characteristic of a recent Microsoft worm.

       touch dscan.suppress.src dscan.suppress.dst
       flow-cat /flows/R | flow-filter -P25 | flow-dscan -b

AUTHOR

       Mark Fullmer maf@splintered.net

SEE ALSO

       flow-tools(1)

                                                                                          flow-tools-examples(1)