...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $ ...\" ...\" transcript compatibility for postscript use. ...\" ...\" synopsis: .P! ...\" .de P! \\&. .fl \" force out current output buffer \\!%PB \\!/showpage{}def ...\" the following is from Ken Flowers -- it prevents dictionary overflows \\!/tempdict 200 dict def tempdict begin .fl \" prolog .sy cat \\$1\" bring in postscript file ...\" the following line matches the tempdict above \\!end % tempdict % \\!PE \\!. .sp \\$2u \" move below the image .. .de pF .ie \\*(f1 .ds f1 \\n(.f .el .ie \\*(f2 .ds f2 \\n(.f .el .ie \\*(f3 .ds f3 \\n(.f .el .ie \\*(f4 .ds f4 \\n(.f .el .tm ? font overflow .ft \\$1 .. .de fP .ie !\\*(f4 \{\ . ft \\*(f4 . ds f4\" ' br \} .el .ie !\\*(f3 \{\ . ft \\*(f3 . ds f3\" ' br \} .el .ie !\\*(f2 \{\ . ft \\*(f2 . ds f2\" ' br \} .el .ie !\\*(f1 \{\ . ft \\*(f1 . ds f1\" ' br \} .el .tm ? font underflow .. .ds f1\" .ds f2\" .ds f3\" .ds f4\" .ta 8n 16n 24n 32n 40n 48n 56n 64n 72n .TH "\fBflow-dscan\fP" "1" .SH "NAME" \fBflow-dscan\fP \(em Detect scanning and other suspicious network activity\&. .SH "SYNOPSIS" .PP \fBflow-dscan\fP [-bBhlmpwW] [-d\fI debug_level\fP] [-D\fI iplist_depth\fP] [-s\fI state_file\fP] [-i\fI input_filter\fP] [-L\fI suppress_list\fP] [-o\fI output_filter\fP] [-O\fI excessive_octets\fP] [-P\fI excessive_flows\fP] [-S\fI port_scan_trigger\fP] [-t\fI ager_timeout\fP] .SH "DESCRIPTION" .PP The \fBflow-dscan\fP utility is used to detect suspicious activity such as port scanning, host scanning, and flows with unusually high octets or packets\&. A source and destination suppress list is supported to help prevent false alarms due to hosts such as nameservers or popular web servers that exchange traffic with a large number of hosts\&. Alarms are logged to syslog or stderr\&. The internal state of flow-dscan can be saved and loaded to allow for interrupted operation\&. .PP \fBflow-dscan\fP will work best if configured to only watch only inbound or outbound traffic by using the input or output interface filter option\&. .PP The host scanner works by counting the length of the destination IP hash chain\&. If it goes above 64, then the src is considered to be scanning\&. .PP The port scanner works by keeping a bitmap of the destination port number < 1024 per destination IP\&. If it goes above 64, the src is considered to be port scanning the destination\&. .PP When a src has been flagged as scanning it will not be reported again until the record is aged out and enough flows trigger it again\&. .PP A SIGHUP signal will instruct flow-dscan to reload the suppress list\&. .PP A SIGUSR1 signal will instruct flow-dscan to dump its internal state\&. .SH "OPTIONS" .IP "-b" 10 Do not detach and run in the background\&. Alerts go to stderr\&. .IP "-B" 10 Do not detach and run in the background\&. Alerts go to syslog\&. .IP "-d\fI debug_level\fP" 10 Enable debugging\&. .IP "-D\fI iplist_depth\fP" 10 Depth of IP host list for detecting host scanning\&. .IP "-h" 10 Display help\&. .IP "-i\fI input_filter\fP" 10 Input interface filter list\&. .IP "-I\fI output_filter\fP" 10 Output interface filter list\&. .IP "-l" 10 Load state from \fB/var/tmp/dscan\&.state\fP or the filename specified with -s\&. .IP "-L\fI suppress_list\fP" 10 Basename of suppress files\&. There are two suppress files for input and output traffic\&. The suppress file syntax is .IP "" 10 IP_address protocol source_port destination_port .IP "" 10 A \&'-\&' can be used as a wildcard in the protocol, source_port, and destination_port fields\&. Only a single protocol, source_port, and destination_port is supported per IP address\&. .IP "-m" 10 Multicast address filter\&. Use to ignore multicast addresses\&. .IP "-O\fI excessive_octets\fP" 10 Trigger an alert if a flow is processed with the octets field exceeding \fIexcessive_octets\fP\&. .IP "-p" 10 Dump state to \fB/var/tmp/dscan\&.state\fP or the filename specified with -s\&. .IP "-P\fI excessive_packets\fP" 10 Trigger an alert if a flow is processed with the packets field exceeding \fIexcessive_packets\fP\&. .IP "-s\fI statefile\fP" 10 State filename\&. Defaults to \fB/var/tmp/dscan\&.state\fP .IP "-S\fI port_scan_trigger\fP" 10 Number of ports a IP address must have used to be considered scanning\&. .IP "-t\fI ager_timeout\fP" 10 How long to keep flows around\&. Default to 90000\&. This is measured in flows processed\&. .IP "-T\fI excessive_time\fP" 10 Trigger an alert if a flow is processed with the End-Start field exceeding \fIexcessive_time\fP\&. .IP "-w" 10 Filter (ignore) candidate inbound www traffic, ie IP protocol 6, source port 80, and destination port > 1023\&. .IP "-W" 10 Filter (ignore) candidate outbound www traffic, ie IP protocol 6, destination port 80, and source port > 1023\&. .SH "EXAMPLES" .PP In a topology where 25 is the only output interface run flow-dscan over the data in \fB/flows/krc4\fP\&. Ignore www and multicast traffic, store the internal state in \fBdscan\&.statefile\fP on exit\&. Use empty suppress list files \fBdscan\&.suppress\&.src\fP and \fBdscan\&.suppress\&.dst\fP\&. The output produced by flow-dscan typically must be manually inspected by using flow-filter and flow-print\&. Many of the alerts will be false until the suppress lists are populated for the local environment\&. .PP \fBflow-cat /flows/krc4 | flow-dscan -I25 -b -m -s dscan\&.statefile -p -W\fP .SH "BUGS" .PP The ager should automatically become more aggressive when a low memory condition exists\&. There is no upper limit on the number of records that can be allocated\&. If the ager is not running often enough the host will be run out of memory\&. .SH "AUTHOR" .PP Mark Fullmer maf@splintered\&.net .SH "SEE ALSO" .PP \fBflow-tools\fP(1) ...\" created by instant / docbook-to-man, Sat 08 Jun 2002, 23:41