[netsa-tools-discuss] Using rwfilter --flags-initial to filter server and client addresses

Mark Thomas mthomas at cert.org
Tue Oct 27 09:51:12 EDT 2015


The absence of the initial TCP flag fields makes it more difficult
to find servers in your network.

For TCP data, you can ignore sessions that have fewer than four
packets (--packets=4-).  (Unless your flow generator is a Cisco ASA
router, which does not provide counts of packets.)

Assuming your flow generator provides a summary of TCP flags across
all packets in the flow (e.g., not a Cisco Meraki MX), filter for
flows that contain both SYN and ACK flags (--flags-all=SA/SA).

Busy, well-known servers have a large volume of traffic either
arriving (an SMTP server) or leaving (a web server) on a well-known
port.  Use rwstats with sip,sport as the key and bytes as the value.
Repeat for dip,dport.

Servers typically communicate with a lot of distinct hosts.  Use
rwstats to find hosts that communicate with a lot of distinct IPs.

Look for other suggestions in the "Network Profiling Using Flow"
paper.  http://www.sei.cmu.edu/reports/12tr006.pdf

There are resources and papers on the Internet that discuss finding
servers with network flow data.

-Mark


On Mon, 26 Oct 2015 20:03:46 +0500, asad wrote:

> Mark-
>
> This begs the question of how I change the command to suit its purpose.
> I'm not using YAF, but I have seen in the analyst handbook there are examples
> using all-flags without ever mentioning YAF involvement.
>
> So, for this case to work what should I be changing in my command?
>
> On Mon, Oct 26, 2015 at 7:05 PM, Mark Thomas <mthomas at cert.org> wrote:
>
>> asad-
>>
>> The "initialFlags" field of the SiLK flow record (which is the field
>> checked by the --flags-initial switch on rwfilter) is only populated
>> when the flow record was converted from an IPFIX record generated by
>> YAF.
>>
>> Unless you are using YAF as your flow generator, the initialFlags
>> field is always empty.
>>
>> -Mark
>>
>>
>> -----Original Message-----
>> From: asad <a.alii85 at gmail.com>
>> Date: Mon, 26 Oct 2015 13:43:15 +0500
>> To: <netsa-tools-discuss at cert.org>
>> Subject: [netsa-tools-discuss] Using rwfilter --flags-inital to fitler
>>         servers and clients addresses
>>
>> Hello,
>>
>> I'm processing Nexus 7k logs, and on 1 VLAN I have tried to filter
>> all those IP addresses that are responsible for the initial query
>> (handshake). My command and results look like
>>
>> "rwfilter  --sensor=S1 --type=int2int  --start-date=2015/10/15
>> --end-date=2015/10/23 --flags-initial=S/SA --print-statistics
>> --pass=query.rw
>> Files   216.  Read      35403.  Pass          0. Fail       35403."
>>
>> If the filter is correct, does it mean I don't have a client in my VLAN and
>> all are servers? Can this query be converted to identify a list of source
>> IP addresses which requested connections to the servers in a specific
>> VLAN?
>>
>> Thanks.
>>
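Added example (not part of the thread above, and not SiLK code): Mark's server-discovery steps mirrored in plain Python over a handful of constructed flow records, so the logic of each step can be checked offline without a SiLK data store. `tcp_candidates` stands in for `rwfilter --proto=6 --packets=4- --flags-all=SA/SA`, `volume_by_endpoint` for `rwstats --fields=sip,sport --values=bytes` (and the dip,dport repeat), and `distinct_peers` for an rwstats distinct-count. The `max_port` restriction to well-known ports and the pipe-delimited record layout are assumptions made here; the sample flows are invented and resemble `rwcut --delimited='|'` output only loosely.

```python
"""Server-discovery heuristics over SiLK-style flow records.

Added example mirroring the rwfilter/rwstats steps from the reply above.
The flow lines are constructed for illustration only; the layout loosely
follows `rwcut --delimited='|'` output and is an assumption of this example.
"""
from collections import defaultdict

# Constructed sample flows: sIP|sPort|dIP|dPort|pro|packets|bytes|flags
SAMPLE_FLOWS = """\
sIP|sPort|dIP|dPort|pro|packets|bytes|flags
10.1.1.5|52144|10.1.1.80|80|6|12|4800|FSPA
10.1.1.80|80|10.1.1.5|52144|6|10|90000|FSPA
10.1.1.6|40001|10.1.1.80|80|6|8|2000|FSPA
10.1.1.80|80|10.1.1.6|40001|6|9|45000|FSPA
10.1.1.7|33000|10.1.1.80|80|6|2|120|S
10.1.1.8|33001|10.1.1.25|25|6|20|30000|FSPA
10.1.1.25|25|10.1.1.8|33001|6|15|3000|FSPA
10.1.1.9|5353|10.1.1.80|53|17|6|800|
10.1.1.10|45000|10.1.1.80|443|6|5|900|RA
10.1.1.80|80|10.1.1.11|50000|6|7|20000|FSPA
"""


def parse_flows(text):
    """Parse pipe-delimited flow lines (header first) into dicts with typed fields."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, (f.strip() for f in line.split("|"))))
        for key in ("sPort", "dPort", "pro", "packets", "bytes"):
            rec[key] = int(rec[key])
        rec["flags"] = set(rec.get("flags", ""))  # e.g. "FSPA" -> {'F','S','P','A'}
        flows.append(rec)
    return flows


def tcp_candidates(flows, min_packets=4):
    """Keep TCP flows with at least min_packets packets whose cumulative flags
    include both SYN and ACK (rwfilter --proto=6 --packets=4- --flags-all=SA/SA)."""
    return [f for f in flows
            if f["pro"] == 6
            and f["packets"] >= min_packets
            and {"S", "A"} <= f["flags"]]


def volume_by_endpoint(flows, side="s", max_port=None):
    """Sum bytes per (ip, port) on the source side ('s', like
    rwstats --fields=sip,sport --values=bytes) or destination side ('d',
    like --fields=dip,dport). max_port, an assumption added here, limits
    the ranking to well-known ports. Returns (ip, port, bytes) sorted by
    bytes descending."""
    ip_key, port_key = ("sIP", "sPort") if side == "s" else ("dIP", "dPort")
    totals = defaultdict(int)
    for f in flows:
        port = f[port_key]
        if max_port is not None and port > max_port:
            continue
        totals[(f[ip_key], port)] += f["bytes"]
    return sorted(((ip, port, b) for (ip, port), b in totals.items()),
                  key=lambda t: (-t[2], t[0], t[1]))


def distinct_peers(flows):
    """Count distinct destination IPs per source IP (the rwstats distinct-count
    step). Returns (sIP, peer_count) sorted by count descending."""
    peers = defaultdict(set)
    for f in flows:
        peers[f["sIP"]].add(f["dIP"])
    return sorted(((ip, len(s)) for ip, s in peers.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    cands = tcp_candidates(parse_flows(SAMPLE_FLOWS))
    print("candidate flows:", len(cands))
    print("top talkers by sip,sport:", volume_by_endpoint(cands, "s")[:3])
    print("top well-known dip,dport:", volume_by_endpoint(cands, "d", max_port=1023)[:3])
    print("most distinct peers:", distinct_peers(cands)[:3])
```

On the constructed data the three views agree that 10.1.1.80:80 is a server (largest outbound byte volume, most distinct peers) and that 10.1.1.25:25 receives the most bytes on a well-known port, while the two-packet SYN-only flow, the UDP flow and the RST/ACK flow are dropped by the candidate filter before any ranking.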

