This is the command flow-dscan that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
PROGRAM:
NAME
flow-dscan — Detect scanning and other suspicious network activity.
SYNOPSIS
flow-dscan [-bBhlmpwW] [-d debug_level] [-D iplist_depth] [-s state_file] [-i
input_filter] [-L suppress_list] [-o output_filter] [-O excessive_octets] [-P
excessive_flows] [-S port_scan_trigger] [-t ager_timeout]
DESCRIPTION
The flow-dscan utility is used to detect suspicious activity such as port scanning, host
scanning, and flows with unusually high octets or packets. A source and destination
suppress list is supported to help prevent false alarms due to hosts such as nameservers
or popular web servers that exchange traffic with a large number of hosts. Alarms are
logged to syslog or stderr. The internal state of flow-dscan can be saved and loaded to
allow for interrupted operation.
flow-dscan will work best if configured to only watch only inbound or outbound traffic by
using the input or output interface filter option.
The host scanner works by counting the length of the destination IP hash chain. If it
goes above 64, then the src is considered to be scanning.
The port scanner works by keeping a bitmap of the destination port number < 1024 per
destination IP. If it goes above 64, the src is considered to be port scanning the
destination.
When a src has been flagged as scanning it will not be reported again until the record is
aged out and enough flows trigger it again.
A SIGHUP signal will instruct flow-dscan to reload the suppress list.
A SIGUSR1 signal will instruct flow-dscan to dump its internal state.
OPTIONS
-b Do not detach and run in the background. Alerts go to stderr.
-B Do not detach and run in the background. Alerts go to syslog.
-d debug_level
Enable debugging.
-D iplist_depth
Depth of IP host list for detecting host scanning.
-h Display help.
-i input_filter
Input interface filter list.
-I output_filter
Output interface filter list.
-l Load state from /var/tmp/dscan.state or the filename specified with -s.
-L suppress_list
Basename of suppress files. There are two suppress files for input and output
traffic. The suppress file syntax is
IP_address protocol source_port destination_port
A '-' can be used as a wildcard in the protocol, source_port, and
destination_port fields. Only a single protocol, source_port, and
destination_port is supported per IP address.
-m Multicast address filter. Use to ignore multicast addresses.
-O excessive_octets
Trigger an alert if a flow is processed with the octets field exceeding
excessive_octets.
-p Dump state to /var/tmp/dscan.state or the filename specified with -s.
-P excessive_packets
Trigger an alert if a flow is processed with the packets field exceeding
excessive_packets.
-s statefile
State filename. Defaults to /var/tmp/dscan.state
-S port_scan_trigger
Number of ports a IP address must have used to be considered scanning.
-t ager_timeout
How long to keep flows around. Default to 90000. This is measured in flows
processed.
-T excessive_time
Trigger an alert if a flow is processed with the End-Start field exceeding
excessive_time.
-w Filter (ignore) candidate inbound www traffic, ie IP protocol 6, source port 80,
and destination port > 1023.
-W Filter (ignore) candidate outbound www traffic, ie IP protocol 6, destination
port 80, and source port > 1023.
EXAMPLES
In a topology where 25 is the only output interface run flow-dscan over the data in
/flows/krc4. Ignore www and multicast traffic, store the internal state in
dscan.statefile on exit. Use empty suppress list files dscan.suppress.src and
dscan.suppress.dst. The output produced by flow-dscan typically must be manually
inspected by using flow-filter and flow-print. Many of the alerts will be false until the
suppress lists are populated for the local environment.
flow-cat /flows/krc4 | flow-dscan -I25 -b -m -s dscan.statefile -p -W
Use flow-dscan online using onworks.net services