Netflows at The University of Chicago, E. Larry Lidz (PowerPoint presentation)



SLIDE 1

Netflows at The University of Chicago

  • E. Larry Lidz, ellidz@uchicago.edu
  • The University of Chicago

SLIDE 2

A few notes to start…

  • This is how we use flows.
  • There are other tools.

– Some are undoubtedly better.

SLIDE 3

A brief intro to flows…

  • Log flows, not connections.

– Harder to hide traffic.
– Sometimes the direction of a connection is unclear.

  • Not an IDS, but can play one on TV.

– No signature checking.
– Logs unknown traffic, too.

  • Forensic tool!

– You get logs, even if you didn't know there was a problem.
– Can often get the date, time and method of compromise.
– Alaska story…

SLIDE 4

Network layout

SLIDE 5

What we watch

  • Net Flows

– All gateway traffic
– Remotes

  • Argus

– Most, soon to be all, traffic through one of the core switches/routers.

SLIDE 6

Flow-tools

  • Written by Mark Fullmer

– http://www.splintered.net/sw/flow-tools/

  • Capture flow exports from router
  • Stored in /var/log/flow/<router>/<file> on the log server.

– Keep 3 months' worth: 840GB for flow + argus.
– Merge gateways to one location, kill duplicates.

SLIDE 7

Flow-tools tools

  • flow-capture to capture flows.
  • flow-cat to cat a bunch of files together.
  • flow-merge to merge the gateways.
  • flow-stat to get statistics.
  • Occasionally use other programs.
  • demo of flow-cat/flow-stat:
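
The demo output is not on the page. The following is an added example, not the presenter's own script or flow-tools code: it re-implements in Python the two steps the slides describe, merging the exports of several gateways while killing the duplicate records a flow produces when it crosses more than one monitored gateway (what flow-merge does), and then producing flow-stat style summaries (octets per address, per destination port). The record layout, the duplicate key (same start time and 5-tuple seen at two gateways) and the sample exports are assumptions constructed for the example.

```python
from collections import Counter, namedtuple

# One exported flow record (the subset of NetFlow v5 fields this example uses).
Flow = namedtuple("Flow", "start router src dst proto sport dport pkts octets")


def merge_gateways(*exports):
    """Merge per-gateway exports into one time-ordered stream.

    A flow that crossed two monitored gateways is exported by both, so the
    same record shows up twice.  Assumption for this example: both exports
    carry the same start time and 5-tuple for such a flow, so that key is
    enough to spot the duplicate; the first copy seen is kept.
    """
    seen = set()
    merged = []
    for records in exports:
        for f in records:
            key = (f.start, f.src, f.dst, f.proto, f.sport, f.dport)
            if key in seen:
                continue
            seen.add(key)
            merged.append(f)
    merged.sort(key=lambda f: f.start)
    return merged


def top_talkers(flows, n=10, field="src"):
    """Octets per address, like a flow-stat per-source or per-destination report."""
    totals = Counter()
    for f in flows:
        totals[getattr(f, field)] += f.octets
    return totals.most_common(n)


def port_report(flows):
    """Per destination port: (flows, packets, octets)."""
    report = {}
    for f in flows:
        n, p, o = report.get(f.dport, (0, 0, 0))
        report[f.dport] = (n + 1, p + f.pkts, o + f.octets)
    return report


# Constructed sample exports from two gateways (not real data).  The first
# record of each list is the same flow seen at both gateways.
GW_A = [
    Flow(1000, "gw-a", "10.1.2.3", "198.51.100.7", 6, 40000, 80, 10, 8000),
    Flow(1001, "gw-a", "10.1.2.3", "198.51.100.8", 6, 40001, 443, 20, 30000),
    Flow(1002, "gw-a", "10.1.9.9", "203.0.113.5", 17, 5353, 53, 2, 200),
]
GW_B = [
    Flow(1000, "gw-b", "10.1.2.3", "198.51.100.7", 6, 40000, 80, 10, 8000),
    Flow(1005, "gw-b", "192.0.2.44", "10.1.2.3", 6, 51515, 22, 15, 3000),
]

if __name__ == "__main__":
    merged = merge_gateways(GW_A, GW_B)
    print(len(merged), "flows after de-duplication")
    for addr, octets in top_talkers(merged, 3):
        print(f"{addr:16} {octets:>8} octets")
    for port, (n, p, o) in sorted(port_report(merged).items()):
        print(f"dport {port:5} flows={n} pkts={p} octets={o}")
```

With real flow-tools data the same pipeline is flow-cat over the per-router directories, flow-merge to combine them, and flow-stat for the report; the point the example makes is that a duplicate left in by a sloppy merge doubles that flow's octet and packet counts in every later report.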

SLIDE 8

flow-extract

  • http://security.uchicago.edu/tools/net-forensics/
  • Port of TAMU Netlogger's Extract program to use flow files.

– Shows fields in flows but not netlogs.
– More options with which to select.
– ICMP printed similarly to TCP/UDP.

  • Allows for flexible selection of flows on the command line with friendly awk-like syntax.

– DNS resolution.
– Can be used as a script with #!

SLIDE 9

Some flow-extract options

  • -b, output in binary.

– Useful for piping into flow-stat, etc.

  • -n, don’t resolve IP or port names
  • -f, use as a script
  • -D, resolve IPs, but not port names.
  • -o, output to <file>
  • -z, compression level (similar to flow-cat).

SLIDE 10

flow-extract selection criteria

  • net, srcnet, dstnet
  • host, srchost, dsthost, hp, srchp, dsthp
  • iface, srciface, dstiface
  • port, srcport, dstport, proto, octets, pkts
  • flag FIN|SYN|RST|PUSH|ACK|URG
  • flags safrpu/safrpu
  • date, time, since, before
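
The slide lists the criteria but not how they combine. The following is an added example, written for this page rather than taken from flow-extract, that implements the same selection vocabulary over flow records in Python: network, host, host:port pair, port, protocol, numeric comparisons on octets and packets, a time range, and TCP flag matching in the slide's safrpu letters. The reading of "safrpu/safrpu" as set/mask (bits named in the mask are examined, bits named in the set must be on), the host:port meaning of hp, the comparison strings for octets/pkts and the sample flows are all assumptions; the iface criteria are left out because this record layout carries no interface index.

```python
import ipaddress
import operator
from collections import namedtuple

Flow = namedtuple("Flow", "start src dst proto sport dport flags pkts octets")

# TCP flag bits as they appear in the NetFlow v5 tcp_flags byte, keyed by the
# letters of the slide's "safrpu" notation.
FLAG_BITS = {"f": 0x01, "s": 0x02, "r": 0x04, "p": 0x08, "a": 0x10, "u": 0x20}


def _bits(letters):
    return sum(FLAG_BITS[c] for c in letters.lower())


def _flags_ok(flow_flags, spec):
    """'set/mask' in safrpu letters (assumed reading of the slide's
    'safrpu/safrpu'): bits named in mask are examined, bits named in set must
    be on and the other masked bits off.  'set' alone means 'these bits on,
    ignore the rest'.  So 's/sa' is SYN without ACK."""
    want, _, mask = spec.partition("/")
    mask = mask or want
    return flow_flags & _bits(mask) == _bits(want)


def _cmp(value, spec):
    """Numeric criterion: an int is an exact match; a string such as '>1000'
    or '<=5' is a comparison (assumed syntax)."""
    if isinstance(spec, int):
        return value == spec
    for op, fn in ((">=", operator.ge), ("<=", operator.le), (">", operator.gt),
                   ("<", operator.lt), ("=", operator.eq)):
        if spec.startswith(op):
            return fn(value, int(spec[len(op):]))
    return value == int(spec)


def _in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _hp(addr, port, spec):
    """hp criterion assumed to be 'host:port'."""
    host, _, p = spec.rpartition(":")
    return addr == host and port == int(p)


# Criterion name -> predicate(flow, value).
CRITERIA = {
    "net":     lambda f, v: _in_net(f.src, v) or _in_net(f.dst, v),
    "srcnet":  lambda f, v: _in_net(f.src, v),
    "dstnet":  lambda f, v: _in_net(f.dst, v),
    "host":    lambda f, v: v in (f.src, f.dst),
    "srchost": lambda f, v: f.src == v,
    "dsthost": lambda f, v: f.dst == v,
    "hp":      lambda f, v: _hp(f.src, f.sport, v) or _hp(f.dst, f.dport, v),
    "srchp":   lambda f, v: _hp(f.src, f.sport, v),
    "dsthp":   lambda f, v: _hp(f.dst, f.dport, v),
    "port":    lambda f, v: v in (f.sport, f.dport),
    "srcport": lambda f, v: f.sport == v,
    "dstport": lambda f, v: f.dport == v,
    "proto":   lambda f, v: f.proto == v,
    "octets":  lambda f, v: _cmp(f.octets, v),
    "pkts":    lambda f, v: _cmp(f.pkts, v),
    "flags":   lambda f, v: _flags_ok(f.flags, v),
    "since":   lambda f, v: f.start >= v,
    "before":  lambda f, v: f.start < v,
}


def select(flows, **criteria):
    """Return the flows matching every given criterion (criteria are ANDed)."""
    unknown = set(criteria) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return [f for f in flows if all(CRITERIA[k](f, v) for k, v in criteria.items())]


# Constructed sample flows (unix start times, documentation address ranges).
FLOWS = [
    Flow(1700000000, "10.1.2.3", "198.51.100.7", 6, 40000, 80, 0x1b, 12, 9000),
    Flow(1700000010, "192.0.2.44", "10.1.2.3", 6, 51515, 22, 0x02, 1, 60),
    Flow(1700000020, "192.0.2.44", "10.1.2.4", 6, 51516, 22, 0x02, 1, 60),
    Flow(1700000030, "10.1.9.9", "203.0.113.5", 17, 5353, 53, 0x00, 2, 200),
    Flow(1700000040, "10.1.2.3", "198.51.100.8", 6, 40001, 443, 0x1b, 40, 60000),
]

if __name__ == "__main__":
    # SYN-only flows from one network: unanswered connection attempts.
    for f in select(FLOWS, srcnet="192.0.2.0/24", flags="s/sa"):
        print(f.start, f.src, "->", f.dst, f.dport)
```

The flag mask is the part worth getting right in practice: "s" alone also matches every completed session (SYN and ACK both seen over the flow's life), while "s/sa" isolates the SYN-without-ACK flows that a scan or a blocked connection leaves behind.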

SLIDE 11

flow-scripts

  • check-scans/check-pingflood

– flow-dscan does some of this, too…

  • flhosts, flports, combo-cx
  • connection reports
  • doflow.sh, scaneval.sh
  • check-scan/connrep output:
  • scaneval.sh demo:
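
The check-scan/connrep output and the scaneval.sh demo are not on the page. The following is an added example, not the presenter's scripts, showing the kind of logic check-scans and check-pingflood describe, run over constructed flow records in Python: a source is reported as a scanner when its SYN-only TCP flows reach many distinct host:port targets inside a time window, and as a ping flooder when its ICMP echo-request flows add up to too many packets inside a window. The thresholds, window sizes and sample flows are assumptions; the encoding of ICMP type and code in the destination port field (type*256 + code) is the NetFlow v5 convention.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "start src dst proto sport dport flags pkts octets")

SYN, ACK = 0x02, 0x10
# NetFlow v5 packs ICMP type/code into the destination port field as
# type*256 + code, so echo request (type 8, code 0) appears as dport 2048.
ICMP_ECHO_REQUEST = 8 * 256


def _peak(events, window, measure):
    """events: (time, payload) pairs.  Slide a window of `window` seconds
    over them and return the largest value of measure(payloads in window)."""
    events = sorted(events)
    best, left = 0, 0
    for right, (t, _) in enumerate(events):
        while events[left][0] < t - window:
            left += 1
        best = max(best, measure(p for _, p in events[left:right + 1]))
    return best


def check_scans(flows, window=60, min_targets=10):
    """Sources that send SYN-only (unanswered) TCP flows to at least
    `min_targets` distinct (host, port) pairs within `window` seconds.
    Returns {src: peak_distinct_targets}."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == 6 and f.flags & (SYN | ACK) == SYN:
            by_src[f.src].append((f.start, (f.dst, f.dport)))
    report = {}
    for src, events in by_src.items():
        peak = _peak(events, window, lambda targets: len(set(targets)))
        if peak >= min_targets:
            report[src] = peak
    return report


def check_pingflood(flows, window=10, min_pkts=1000):
    """Sources whose ICMP echo-request flows add up to at least `min_pkts`
    packets inside any `window`-second span.  Returns {src: peak_pkts}."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == 1 and f.dport == ICMP_ECHO_REQUEST:
            by_src[f.src].append((f.start, f.pkts))
    report = {}
    for src, events in by_src.items():
        peak = _peak(events, window, sum)
        if peak >= min_pkts:
            report[src] = peak
    return report


def _sample():
    """Constructed flows: one SSH scanner, one host with normal sessions,
    one ping flooder and one ordinary ping."""
    t = 1700000000
    flows = [Flow(t + i, "192.0.2.44", f"10.1.2.{i + 1}", 6, 50000 + i, 22, SYN, 1, 60)
             for i in range(12)]
    flows += [Flow(t + 5 * i, "10.1.2.3", "198.51.100.7", 6, 40000 + i, 443,
                   SYN | ACK | 0x09, 30, 20000) for i in range(3)]
    flows += [Flow(t + 100 + 2 * i, "203.0.113.9", "10.1.2.3", 1, 0,
                   ICMP_ECHO_REQUEST, 0, 400, 33600) for i in range(5)]
    flows.append(Flow(t + 100, "10.1.9.9", "10.1.2.3", 1, 0, ICMP_ECHO_REQUEST, 0, 5, 420))
    return flows


SAMPLE = _sample()

if __name__ == "__main__":
    print("scanners:", check_scans(SAMPLE))
    print("ping floods:", check_pingflood(SAMPLE))
```

Counting distinct targets rather than raw flows is what keeps a busy web client, which opens many flows to one or two servers, from being reported alongside a host sweeping a /24; flow-dscan, which the slide mentions, covers similar ground.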

SLIDE 12

Argus

  • QoScient's Argus: http://www.qoscient.com/argus/

  • Uses promiscuous interface
  • Can export over network
  • Can log application data, too!

– We log 64 bytes… mostly header info.

  • argus sends the traffic over the network; ra (the Argus client) captures and views it.

  • demo of ra.

SLIDE 13

Future Network

SLIDE 14

New Design

  • Flow stuff stays about the same…
  • Argus at each core switch?

– Could export flows from the switches, but it would hurt performance: MLS (multilayer switching) currently uses uni-directional flows.

  • Connection reports moved to argus?
  • …?

SLIDE 15

Questions?

  • Any questions?