Tomorrow morning I teach Network Security Monitoring with Open Source Tools at USENIX 05. I've been taking another look at the tools I will be presenting tomorrow to ensure I'm up-to-date on their latest versions and features.
One of the tools I talk about is IPCAD, the
IP Cisco Accounting Daemon by Lev Walkin. I discuss IPCAD in the section on statistical data for network security monitoring (NSM) in my book and my talk. I like IPCAD because it presents data just like one sees with the Cisco show ip accounting command. I actually used IPCAD in an incident response scenario several years ago, before I learned of Carter Bullard's Argus.
The version available in the FreeBSD ports tree (net-mgmt/ipcad) requires more entries in the ipcad.conf file than what I present in my book and slides. Here is the ipcad.conf file I created after I installed IPCAD using the FreeBSD port.
capture-ports disable;
interface wi0;
rsh enable at 127.0.0.1;
rsh root@127.0.0.1 admin;
dumpfile = ipcad.dump;
chroot = /var/ipcad;
memory_limit = 1m;
Before starting IPCAD, I created the directory /var/ipcad to hold the ipcad.dump file. Here's how I started IPCAD.
orr:/root# ipcad -drs
Opening wi0... [LCap] [4096] Initialized as 1
Configured RSH Server listening at 127.0.0.1
Can't open dump file ipcad.dump
Daemonized.
The -drs meant "daemonize," "import saved accounting table on startup," and "save the active accounting table on exit," respectively. Starting IPCAD opened a rsh server on my loopback address.
orr:/home/richard$ sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root ipcad 736 3 tcp4 127.0.0.1:514 *:*
root dhclient 551 5 udp4 *:68 *:*
root sendmail 397 4 tcp4 127.0.0.1:25 *:*
root sshd 391 4 tcp4 *:22 *:*
Once IPCAD was running, I could query it as shown next. I ignore the "Connection refused" error caused by running an IPv6-enabled TCP/IP stack but not offering the rsh server in an IPv6-enabled manner.
orr:/root# rsh localhost stat
connect to address ::1: Connection refused
Trying 127.0.0.1...
Interface wi0: received 833, 5 m average 773 bytes/sec, 1 pkts/sec, dropped 0
Flow entries made: 32
Memory usage: 0% (2816 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 17 minutes
We can also check the status of our interface. This should look similar to Cisco fans.
orr:/root# rsh localhost show interface wi0
connect to address ::1: Connection refused
Trying 127.0.0.1...
wi0 is up, line protocol is up
Hardware is Ethernet, address is 0004.e229.3bba
Internet address is 131.106.57.173 255.255.248.0
IP broadcast address is 131.106.63.255
Encapsulation Ethernet, loopback not set
MTU 1500 bytes, BW 11000 Kbit
Input queue: 0 drops
Last administrative status change at Thu Apr 14 02:58:55 2005
5 minute average rate 4208 bits/sec, 1 packets/sec
1914 packets input, 775739 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
704 packets output, 144852 bytes, 0 underruns
0 output errors, 45 collisions, 0 interface resets, 0 restarts
Next I ask IPCAD to display Cisco accounting data.
orr:/root# rsh localhost show ip accounting
connect to address ::1: Connection refused
Trying 127.0.0.1...
Source Destination Packets Bytes
131.106.57.229 255.255.255.255 2 656
192.168.75.1 255.255.255.255 1 60
131.106.57.79 131.106.63.255 6 468
131.106.57.229 239.255.255.250 3 483
131.106.57.229 224.0.0.22 2 80
131.106.57.229 131.106.63.255 39 5237
216.218.215.226 131.106.57.173 6 3329
131.106.57.173 216.218.215.226 8 1147
66.35.250.209 131.106.57.173 16 2255
131.106.57.173 66.35.250.209 15 2039
...edited...
131.106.57.83 224.0.0.251 1 32
0.0.0.0 224.0.0.1 3 84
131.106.56.1 255.255.255.255 1 328
0.0.0.0 255.255.255.255 15 4920
Accounting data age is 2
Accounting data age exact 163
Accounting data saved 1113448566
Interface wi0: received 874, 5 m average 726 bytes/sec, 1 pkts/sec, dropped 0
Flow entries made: 34
Memory usage: 0% (2992 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 18 minutes
This is very useful data. You can periodically dump these records, and then grep them to see the level of activity of hosts of interest.
You can collect more granular data by changing one line of the ipcad.conf file:
capture-ports enable;
As the ipcad.conf man page states:
capture-ports { enable | disable };
Make ipcad account for UDP/TCP ports, IP protocol and ICMP types on
a per-interface basis. This setting is relevant for RSH and inter-
active export methods only. Capturing UDP and TCP is disabled by
default to maintain historic RSH output format compatibility. To
selectively enable capturing ports on certain interfaces, specify
the capture-ports between the appropriate interface configuration
statements.
After making the change, I stop and start IPCAD.
orr:/root# rsh localhost shutdown
connect to address ::1: Connection refused
Trying 127.0.0.1...
Shutdown process started
orr:/root# ipcad -drs
Opening wi0... [LCap] [ERSH] [4096] Initialized as 1
Configured RSH Server listening at 127.0.0.1
No valid entries found in ipcad.dump.
Daemonized.
I clear the accounting database for good measure, pause, and then check some records.
orr:/root# rsh localhost clear ip accounting
connect to address ::1: Connection refused
Trying 127.0.0.1...
IP accounting cleared
orr:/root# rsh localhost show ip accounting
connect to address ::1: Connection refused
Trying 127.0.0.1...
Source Destination Packets Bytes SrcPt DstPt Proto IF
207.171.166.48 131.106.57.173 60 82444 80 53255 6 wi0
131.106.57.173 207.171.166.48 37 2102 53255 80 6 wi0
207.171.166.48 131.106.57.173 10 1145 80 57108 6 wi0
131.106.57.173 207.171.166.48 8 1547 57108 80 6 wi0
131.106.56.1 131.106.57.173 1 220 53 59064 17 wi0
131.106.57.173 131.106.56.1 1 60 59064 53 17 wi0
131.106.56.1 131.106.57.173 1 60 53 51547 17 wi0
...edited...
131.106.58.189 224.0.0.251 3 2240 5353 5353 17 wi0
131.106.58.191 131.106.63.255 2 156 49407 137 17 wi0
Interface wi0: received 560, 5 m average 485 bytes/sec, 0 pkts/sec, dropped 0
Flow entries made: 19
Memory usage: 0% (1672 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 46 minutes
We have gotten closer to the realm of NSM session data here. While we have socket information (source IP, source port, destination IP, destionation port), we do not have timestamps. I prefer to leave the port information out of the equation and just keep the IP and byte counts.
There is one final aspect of IPCAD that deserves mention. In my book I mention Fprobe and ng_netflow as software-based NetFlow collectors. It turns out that IPCAD has the same functionality. IPCAD can act as a probe and send NetFlow records to a collector like Flow-capture in the Flow-tools collection.
Let's set up Flow-capture to collect NetFlow records:
orr:/root# mkdir -p /nsm/netflow/ipcad/wi0
orr:/root# flow-capture -w /nsm/netflow/ipcad/wi0 localhost/localhost/9995
I verify that Flow-capture is listening on the port I specified:
orr:/root# sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root flow-captu 919 1 udp4 127.0.0.1:9995 *:*
Now I tell IPCAD to export NetFlow records by adding the following to the end of the ipcad.conf file.
netflow export destination 127.0.0.1 9995
Again I shut down IPCAD, restart it, and then clear the records. Notice that IPCAD reports a NetFlow destination.
orr:/root# rsh localhost shutdown
connect to address ::1: Connection refused
Trying 127.0.0.1...
Shutdown process started
orr:/root# ipcad -drs
Opening wi0... [LCap] [ERSH] [4096] Initialized as 1
Configured RSH Server listening at 127.0.0.1
Configured NetFlow destination at 127.0.0.1:9995
138 elements got from ipcad.dump.
Daemonized.
After a few minutes I check IPCAD's status.
orr:/root# rsh localhost status
connect to address ::1: Connection refused
Trying 127.0.0.1...
Interface wi0: received 548, 5 m average 683 bytes/sec, 1 pkts/sec, dropped 0
Flow entries made: 193
NetFlow cached flows: 21
Memory usage: 1% (16984 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 2 minutes
orr.taosecurity.com uptime is 1 hour,
Notice how IPCAD reports 21 cached NetFlows. This caused a problem, since apparently IPCAD had not flushed any flows to disk yet. I got the following error when trying to read the flows using Flow-cat and Flow-print:
orr:/root# flow-cat /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/ | flow-print
flow-print: ftiheader_read(): Warning, short read while loading header top.
flow-print: ftiheader_read(): failed
flow-print: ftio_init(): failed
Looking at the directory holding the flows, we see only a .tmp file:
orr:/root# ls /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/
tmp-v05.2005-04-13.235643-0400
One minute later I check IPCAD's status again:
orr:/root# rsh localhost status
connect to address ::1: Connection refused
Trying 127.0.0.1...
Interface wi0: received 638, 5 m average 638 bytes/sec, 0 pkts/sec, dropped 0
Flow entries made: 195
NetFlow cached flows: 0
Memory usage: 1% (17160 from 1048576)
Free slots for rsh clients: 9
IPCAD uptime is 4 minutes
orr.taosecurity.com uptime is 1:01
Now we see zero cached flows, so I use Flow-cat and Flow-print again.
orr:/root# flow-cat /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/ | flow-print
srcIP dstIP prot srcPort dstPort octets packets
131.106.56.63 224.0.0.251 17 5353 5353 686 2
131.106.58.184 224.0.0.251 17 5353 5353 189 1
0.0.0.0 224.0.0.1 2 65535 65535 28 1
...edited...
131.106.57.94 131.106.63.255 17 137 137 702 9
131.106.57.94 131.106.63.255 17 138 138 817 4
66.102.15.100 131.106.57.173 6 80 53759 125977 133
131.106.57.173 66.102.15.100 6 53759 80 47834 102
...truncated...
We can view these records because the .tmp file is replaced by a real flow record:
orr:/root# ls /nsm/netflow/ipcad/wi0/2005/2005-04/2005-04-13/
ft-v05.2005-04-13.235643-0400
Hopefully you have a better idea how NetFlow works. If you're a student, you have additional material I discussed in class but didn't appear on the slides!
Also -- here is a link to my blog entry on the method I'm using now to bond interfaces into ngeth0 on FreeBSD 5.3. Here is a link to my post on Flowgrep.
For news on the new Sguil FreeBSD port submissions, check on Problem Report ports/77473 for the Sguil-sensor and Problem Report ports/77690 for the Sguil-server.
0 komentar:
Posting Komentar