FLOWGREP(8)            DragonFly System Manager's Manual           FLOWGREP(8)

NAME

flowgrep - TCP stream/UDP/IP payload 'grep' utility

SYNOPSIS

flowgrep [-ikVvx] [-a pattern] [-c pattern] [-D num] [-d device] [-E name] [-e string] [-F pattern_file] [-f pattern_file] [-l dir] [-r filename] [-s pattern] [-u username] [filter]

DESCRIPTION

flowgrep is a small tool to look for arbitrary payload content in TCP streams or UDP packets. The search parameter is a regular expression in the format described in re_format(7).

The -s flag indicates that the pattern should be looked for only in the server's data stream (sent from the server to the client). These patterns can also be loaded from the pattern_file specified using the -F flag, one pattern per line; newlines are not considered part of a pattern. The -c flag indicates that the pattern should only match data sent by the client to the server. These patterns can also be loaded from the pattern_file specified using the -f flag, again one pattern per line, with the newlines not considered part of the pattern. The -a flag matches data sent in either direction. For UDP and IP payloads these three flags are equivalent. Multiple expressions can be searched for by repeating the -a, -c or -s flag.

An optional pcap(3) filter can be specified to limit what data to monitor. TCP, UDP, and IP connections are evaluated. Fragments are reassembled according to their parent connection.

flowgrep drops privileges after initialization and runs as the user specified using the -u flag, or as the user 'nobody' by default.

If -v is specified, the match is inverted and non-matching flows are logged or killed. The -i flag specifies a case insensitive search.

Packets are captured on the first appropriate device unless the -d flag is specified, in which case device is used to capture packets. The input can also be a file if -r is used; the filename must be in pcap(3) format.

If the -k option is used, the matching TCP connection will be killed by flowgrep. This is done by sending TCP RST packets to the two participants. TCP connections can be both stored and killed.

If the -l option is given, matched flows will be logged relative to the dir argument. Matched flows or packets are stored in files as the complete payload or reassembled TCP stream payload. The filename is based on the stream data and has the form 'time-source-sport-dest-dport-proto', with time as a 32 bit integer for seconds since the UNIX epoch. For protocols other than TCP or UDP, the protocol is listed as 'protoN' where 'N' is the protocol number. See protocols(5) for more information about these numbers and names. If the -x argument is given, these filenames will be written to stdout(4) in a format suitable for use with xargs(1) (i.e. for processing the flows). Flows are written out to the filesystem upon connection closure.

flowgrep can also use libdistance(3) for fuzzy string matching. Several algorithms are supported, including the Levenshtein algorithm, Damerau method, Hamming distance and the Jaccard distance. The algorithm is selected with the -E flag, and one or more strings may be given using the -e flag. If the distance calculated by the chosen algorithm is below the value specified by -D, a match has occurred. Note that this approach is slow and not well tested at this time.

The -V flag causes flowgrep to print the version information and exit.
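The following shell script is an added example, not part of flowgrep or this manual page; it shows how the filenames that "flowgrep -x -l dir ..." prints can be split back into the documented 'time-source-sport-dest-dport-proto' fields and summarised, which is the kind of post-processing the -x/xargs(1) hook is meant for. The sample filenames are constructed, and spelling the protocol field as "tcp" or "udp" is an assumption (the page documents only the 'protoN' form for other protocols).

```shell
#!/bin/sh
# Added example (not flowgrep's own code): post-process the flow filenames
# that 'flowgrep -x -l DIR ...' writes to stdout. Filenames follow the
# documented format  time-source-sport-dest-dport-proto.
# Assumption: TCP/UDP flows carry "tcp"/"udp" in the proto field.

# flow_fields NAME: print "time source sport dest dport proto" on one line.
# Returns 1 if NAME does not split into exactly six '-'-separated fields,
# so callers can skip anything that is not a flowgrep filename.
flow_fields() {
    name=${1##*/}          # drop any leading directory component
    old_ifs=$IFS
    set -f                 # no globbing while we word-split on '-'
    IFS=-
    set -- $name
    IFS=$old_ifs
    set +f
    [ $# -eq 6 ] || return 1
    printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# flow_top_services: read flow filenames on stdin and print
# "count dest:dport/proto", busiest destination service first.
# Malformed names are silently skipped.
flow_top_services() {
    while IFS= read -r n; do
        flow_fields "$n" || continue
    done | awk '{ c[$4 ":" $5 "/" $6]++ }
                END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample of what 'flowgrep -x' would print (not real captures).
SAMPLE='1103000000-10.0.0.5-40001-192.0.2.10-25-tcp
1103000042-10.0.0.7-40002-192.0.2.10-25-tcp
1103000100-10.0.0.5-40003-192.0.2.20-80-tcp
1103000111-10.0.0.9-5353-224.0.0.251-5353-udp
not-a-flow-name'

# Real-world use would be a pipeline such as (not run here):
#   flowgrep -x -l flows -a "." tcp | flow_top_services
printf '%s\n' "$SAMPLE" | flow_top_services
```

Because flowgrep only writes a flow out when the connection closes, a pipeline like the one in the comment reports long-lived connections late; for a live view, read the files in the -l directory as they appear instead.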

EXAMPLES

To capture all mail traffic over SMTP and log it relative to the local directory:

      flowgrep -i -c "^ *mail +from" -l . tcp port 25

To capture all non-mail traffic on TCP port 25 and log it into the directory suspicious:

      flowgrep -i -a "^ *mail +from" -v -l suspicious tcp port 25

To turn flowgrep into a simple TCP flow recorder:

      flowgrep -a "." -l flow tcp

To kill Blaster worm infection attempts:

      flowgrep -i -c "^ *tftp -i \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} GET msblast.exe" -k tcp port 4444

To stop successful web surfing on your segment:

      flowgrep -s "HTTP/1.1 200 OK" -k tcp port 80

To detect and stop SSH usage on non-SSH ports:

      flowgrep -i -a "ssh-" -k tcp not port 22

To detect non-HTTP use of port 80:

      flowgrep -i -c "^GET *.+HTTP/1.[01]" -c "^POST *.+HTTP/1.[01]" -c "^PUT *.+HTTP/1.[01]" -l suspicious -v tcp port 80

To detect Viagra spam on TCP port 25:

      flowgrep -E levenshtein -D 5 -e Viagra -l spammers tcp port 25
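The last example relies on libdistance(3) and a threshold of 5, and the page itself warns that the fuzzy matcher is not well tested, so it is worth seeing what such a threshold accepts before pointing it at a -l directory. The script below is an added example, not code from flowgrep or libdistance: it implements the Levenshtein (edit) distance in awk and applies the page's "distance below -D" rule. How flowgrep windows the payload when it scores it is not described on this page; scoring each whitespace-delimited token of a line is an assumption made for illustration, as are the sample payload lines.

```shell
#!/bin/sh
# Added example (not flowgrep's or libdistance's code): what
# '-E levenshtein -D 5 -e Viagra' accepts. Assumption: the payload is
# scored token by token; the page does not say how flowgrep windows it.

# lev A B: print the Levenshtein (edit) distance between strings A and B,
# i.e. the minimum number of single-character insertions, deletions and
# substitutions turning A into B (classic dynamic-programming table).
lev() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = length(a); m = length(b)
        for (i = 0; i <= n; i++) d[i, 0] = i
        for (j = 0; j <= m; j++) d[0, j] = j
        for (i = 1; i <= n; i++)
            for (j = 1; j <= m; j++) {
                cost = (substr(a, i, 1) == substr(b, j, 1)) ? 0 : 1
                best = d[i-1, j] + 1                                  # deletion
                if (d[i, j-1] + 1 < best) best = d[i, j-1] + 1        # insertion
                if (d[i-1, j-1] + cost < best) best = d[i-1, j-1] + cost  # substitution
                d[i, j] = best
            }
        print d[n, m]
    }'
}

# fuzzy_match PATTERN THRESHOLD TEXT: print every whitespace-delimited token
# of TEXT whose distance to PATTERN is strictly below THRESHOLD (the page's
# "below the value specified by -D" rule). Exit 0 if at least one token hit.
fuzzy_match() {
    pat=$1; thr=$2; shift 2
    hit=1
    set -f                 # tokens are data, never glob patterns
    for tok in $*; do
        d=$(lev "$pat" "$tok")
        if [ "$d" -lt "$thr" ]; then
            printf '%s (distance %s)\n' "$tok" "$d"
            hit=0
        fi
    done
    set +f
    return $hit
}

# Constructed payload lines: an obfuscated spam token, and an innocent word
# that is only two edits away from the pattern.
fuzzy_match Viagra 5 "Buy cheap V1agra online"
fuzzy_match Viagra 5 "Trip report from Niagara Falls"
```

With a threshold of 5, "Niagara" (distance 2) is logged as spam just as "V1agra" (distance 1) is, so a -D value should be chosen against a sample of the traffic you expect to keep, not just the obfuscations you want to catch. Combining -e with -i is not discussed on the page; the distance above is case-sensitive, so "viagra" and "Viagra" differ by 1.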

SEE ALSO

pcap(3), libdistance(3), re_format(7), tcpkill(8), ngrep(8), tcpflow(8)

AUTHOR

Jose Nazario (jose@monkey.org)

BUGS

Using flowgrep as an IPS to enforce policies against tunnelling (i.e. using TCP port 80 for SSH access) can be easily fooled if the tunnel wrapper adds basic protocol headers to the connections. Use flowgrep for this purpose with caution.

DragonFly 6.5-DEVELOPMENT          13 December, 2004          DragonFly 6.5-DEVELOPMENT