[nsp-sec] Pre-classified netflow samples

Smith, Donald Donald.Smith at qwest.com
Tue Sep 2 14:03:17 EDT 2008


Flow-dscan from flow-tools provides some DDoS and scanning recognition
abilities.

I have written some flow-nfilter and flow-filter ACLs, but most of those
have been fairly specific with host and port numbers based on reports
here or on another list.


Given an IDS/FW rule that doesn't require fields NOT included in NetFlow
v5, you can translate it into a flow-nfilter rule such as this one for
the Storm worm's 60-byte echo request DDoS.

# ICMP only
filter-primitive test-protocol
  type ip-protocol
  permit icmp
  default deny

# NetFlow v5 encodes ICMP type/code in the destination port as
# type*256 + code; 2048 = type 8, code 0 = echo request
filter-primitive dest-port
  type ip-port
  permit 2048

# ICMP flows carry source port 0
filter-primitive src-port
  type ip-port
  permit 0

# a single 60-byte echo request per flow
filter-primitive length60
  type counter
  permit eq 60
  default deny

filter-definition stormworm
  match ip-protocol test-protocol
  match ip-destination-port dest-port
  match ip-source-port src-port
  match octets length60



I don't know of a group publishing netflow filters at this time but
there may be one out there.


Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Sebastian Abt
> Sent: Tuesday, September 02, 2008 11:08 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Pre-classified netflow samples
> 
> ----------- nsp-security Confidential --------
> 
> Hi everyone,
> 
> For a study on using data mining and machine learning concepts and
> techniques for network anomaly detection, I'm looking for a set of
> pre-classified ("good", "bad", portscan, dos, ...) netflow exports.
> 
> Does anyone on this list have this kind of data and would be 
> willing to
> share (placing them under NDA is perfectly ok)?  Or any pointers on
> where I should look?
> 
> Using google and a multitude of catchwords, I had no luck finding
> anything useful so far..
> 
> Any hints are welcome!
> sebastian
> 
> -- 
> fon: +49 69 95411 15  e-mail: sa at rh-tec.de
> fax: +49 69 95411 45  mobile: +49 69 95411 55
> rh-tec Business GmbH  http://www.rh-tec.de/
> Ringstrasse 36        32584 Loehne
> Geschaeftsfuehrer:    Gerhard Roehrmann
> Registergericht:      AG Bad Oeynhausen, HRB 8112 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security
> community. Confidentiality is essential for effective 
> Internet security counter-measures.
> _______________________________________________
> 
> 


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.
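The translation step Donald describes above (take an IDS rule that needs only NetFlow v5 fields, express it as primitives plus a definition) can be checked offline without flow-tools. The following is an added example, not code from the post or from flow-tools: it decodes a NetFlow v5 export datagram with the standard 24-byte header and 48-byte record layout, models a primitive as "explicit permit test, then default verdict" and a definition as the conjunction of its matches (a loose approximation of flow-nfilter semantics, not its parser), and labels each flow the way Sebastian's pre-classified data set would. The datagram is constructed here, not captured traffic, and the `permit_values`/`counter` helpers and the `Flow` field names are this example's own.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
ICMP = 1


@dataclass
class Flow:
    src: str
    dst: str
    packets: int
    octets: int
    srcport: int
    dstport: int
    proto: int
    tcp_flags: int


def parse_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 export datagram into Flow objects."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (srcaddr, dstaddr, _nexthop, _in, _out, pkts, octets, _first, _last,
         srcport, dstport, _pad, flags, proto, _tos, _sas, _das, _sm, _dm,
         _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append(Flow(str(IPv4Address(srcaddr)), str(IPv4Address(dstaddr)),
                          pkts, octets, srcport, dstport, proto, flags))
    return flows


def icmp_type_code(flow: Flow) -> tuple:
    """v5 exporters put ICMP type/code in the destination port: type*256 + code."""
    return flow.dstport >> 8, flow.dstport & 0xFF


# Minimal model of the post's config (an assumption, not flow-nfilter's parser):
# a primitive permits listed values, otherwise returns its default verdict.
def permit_values(*values, default=False):
    return lambda v: True if v in values else default


def counter(op: str, n: int, default=False):
    ops = {"lt": lambda v: v < n, "gt": lambda v: v > n, "eq": lambda v: v == n}
    return lambda v: True if ops[op](v) else default


STORMWORM = {                        # the same four primitives as the post's config
    "proto": permit_values(ICMP),
    "dstport": permit_values(2048),  # ICMP type 8, code 0: echo request
    "srcport": permit_values(0),
    "octets": counter("eq", 60),
}


def matches(definition, flow: Flow) -> bool:
    """A definition matches only if every primitive permits its field."""
    return all(test(getattr(flow, field)) for field, test in definition.items())


def classify(flows, definitions) -> list:
    """Label each flow with the first matching definition, else 'unclassified'."""
    return [next((name for name, d in definitions.items() if matches(d, f)),
                 "unclassified") for f in flows]


def _record(src, dst, pkts, octets, sport, dport, proto, flags=0):
    return V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2,
                          pkts, octets, 1000, 1000, sport, dport, 0, flags, proto,
                          0, 0, 0, 24, 24, 0)


# Constructed sample datagram (not captured traffic): one 60-byte echo request
# as the post describes, one ordinary echo reply, one TCP SYN to port 22.
SAMPLE_DATAGRAM = V5_HEADER.pack(5, 3, 1000, 1220313600, 0, 0, 0, 0, 0) + b"".join([
    _record("192.0.2.10", "198.51.100.5", 1, 60, 0, 8 << 8, ICMP),
    _record("198.51.100.5", "192.0.2.20", 1, 84, 0, 0 << 8, ICMP),
    _record("192.0.2.30", "198.51.100.22", 1, 60, 40000, 22, 6, flags=0x02),
])

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_DATAGRAM)
    for flow, label in zip(flows, classify(flows, {"stormworm": STORMWORM})):
        print(f"{flow.src} -> {flow.dst} proto={flow.proto} sport={flow.srcport} "
              f"dport={flow.dstport} octets={flow.octets}: {label}")
```

The point worth keeping from this is the ICMP encoding: a v5 record has no ICMP type field, so an IDS rule on "echo request" becomes a destination-port match on 2048, and the source port is 0. Any rule that needs payload bytes or a TCP flag sequence across packets has no v5 equivalent and cannot be translated this way.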


