destination address, TCP or UDP source and destination ports, IP protocol
number, flags (possibly including TCP control flags like SYNs and FINs),
packet and byte counts, start- and end-of-flow timestamps, and other
information. Thus a flow represents an aggregated statistic. A flow is not a
packet; it is an aggregated statistic for many packets. Also, it does not
typically include any Layer 7 information. You cannot use flows to look for
viral bit patterns in the data payload as you can with an intrusion detection
system (IDS) like Snort. Typically applications are identified via well-known
ports (as with ports 80 and 443 for network traffic). Of course, this might be
wrong if the hackers are using port 80 for an IRC command and control channel.
Typically, flows may be captured at a probe that could be a (Cisco) switch
or router. This is very convenient in the sense that you do not need an extra
piece of gear. You may simply own a system that can be used for netflow,
although you might have to purchase more hardware to make it happen. On
the other hand, a UNIX-based host might be used to do the flow collection
via a switch with a port-mirroring interface.
Flows are typically collected via some sort of sampling technique, since
collecting all the flow information can easily be beyond the CPU scope of a
router. Information is also usually collected with a certain amount of latency
because the probe has to somehow decide when a “flow” is finished. Under
some circumstances, the “finished” state is not easy to determine. (Consider a
UDP flow: TCP has control packets, so a flow can be finished at a FIN, but
UDP has no control state.) Sooner or later, flows are kicked out to a
collecting system via UDP. When flows reach the collector, they are typically
stored on hard disk. Later they might be queried (or graphed) via various
analytical tools.
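
The sketch below is an added example, not code from the book or from any flow probe. It aggregates packet headers into flow records and shows why a UDP flow reaches the collector later than a TCP flow that ends with a FIN. The Packet tuple, the 15-second idle timeout, and the sample traffic are assumptions made for illustration; sampling is not modeled.

```python
from collections import namedtuple

# Constructed packet summary: headers only, no payload (flows carry no Layer 7 data).
Packet = namedtuple("Packet", "ts src dst sport dport proto flags size")
TCP, UDP = 6, 17                    # IP protocol numbers
FIN, SYN, ACK = 0x01, 0x02, 0x10    # TCP control flag bits
IDLE_TIMEOUT = 15.0                 # assumed inactivity timeout, in seconds

def build_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """Aggregate packets into flow records, exporting each once it is 'finished'."""
    active, exported = {}, []

    def export(key, reason, now):
        rec = active.pop(key)
        rec.update(reason=reason, exported_at=now)
        exported.append(rec)

    for p in sorted(packets, key=lambda pkt: pkt.ts):
        # No control packet ends a UDP flow, so silence is the only signal.
        for key in [k for k, r in active.items() if p.ts - r["end"] > idle_timeout]:
            export(key, "idle-timeout", p.ts)
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        rec = active.setdefault(key, {"key": key, "start": p.ts, "end": p.ts,
                                      "packets": 0, "bytes": 0, "flags": 0})
        rec["end"] = p.ts
        rec["packets"] += 1
        rec["bytes"] += p.size
        rec["flags"] |= p.flags           # cumulative OR of TCP control flags
        if p.proto == TCP and p.flags & FIN:
            export(key, "tcp-fin", p.ts)  # TCP announces the end of the flow
    last = max((p.ts for p in packets), default=0.0)
    for key in list(active):
        export(key, "end-of-capture", last)
    return exported

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet(0.0, "10.0.0.5", "192.0.2.10", 40000, 80, TCP, SYN, 60),
    Packet(0.1, "10.0.0.5", "192.0.2.10", 40000, 80, TCP, ACK, 1500),
    Packet(0.2, "10.0.0.5", "192.0.2.10", 40000, 80, TCP, FIN | ACK, 60),
    Packet(1.0, "10.0.0.5", "192.0.2.53", 5353, 53, UDP, 0, 80),
    Packet(2.0, "10.0.0.5", "192.0.2.53", 5353, 53, UDP, 0, 80),
    Packet(30.0, "10.0.0.5", "192.0.2.53", 5353, 53, UDP, 0, 80),
]

if __name__ == "__main__":
    for flow in build_flows(SAMPLE):
        print(flow)
```

The TCP record is exported at the FIN, while the first UDP record, whose last packet arrived at 2.0 seconds, is not exported until a later packet shows the timeout has passed.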
Although Cisco has commercial tools, we want to mention two sets of
open-source tools that could prove useful for flow analysis. One set is the
well-known flow-tools package (found at www.splintered.net/sw/flow-tools).
Note that it has a tool called flow-dscan for looking for scanners. Another
toolset of note is Silktools from CERT, at CMU’s Software Engineering
Institute. You can find this toolset at Sourceforge
(http://silktools.sourceforge.net). Silktools includes tools for packing
flow information into a more convenient searchable format and an analysis
suite for querying the data.