
I am trying to create a DoS detection program using NetFlow data in a SQL database. So far I have the general idea of how to accomplish this but need some direction.

The flow of the program thus far is:

<?php
$servername = "10.1.80.50";
$username = "netflow";
$password = "********";
$dbname = "netflow";

// Step 1: the unique flows (5-tuples) seen in the last 8 hours. TIMESTAMP is
// left out of the SELECT, otherwise every record is "distinct" on its own.
$flowQuery = 'SELECT DISTINCT SRCADDR, DSTADDR, SRCPORT, DSTPORT, PROT
    FROM netflow.flows
    WHERE TIMESTAMP >= NOW() - INTERVAL 8 HOUR
    ORDER BY DSTADDR ASC';

// Step 2: per-flow packet/octet totals in 5-minute buckets over that flow's
// last 500 records. The 5-tuple is bound as parameters instead of being spliced
// into the string, so a value stored in the flow table can never change the query.
$baselineQuery = 'SELECT FROM_UNIXTIME((UNIX_TIMESTAMP(TIMESTAMP) DIV (5*60))*(5*60)+(5*60)) AS timeIntervals,
    ROUND(SUM(DPKTS),0) AS PACKETDATA,
    MIN(DPKTS) AS MINPACKETS,
    MAX(DPKTS) AS MAXPACKETS,
    ROUND(SUM(DOCTETS),0) AS OCTETDATA,
    MIN(DOCTETS) AS MINOCTETS,
    MAX(DOCTETS) AS MAXOCTETS
    FROM (
    SELECT FLOW_ID, TIMESTAMP, EXADDR, SRCADDR, DSTADDR, SRCPORT, DSTPORT, DPKTS, DOCTETS
    FROM netflow.flows
    WHERE SRCADDR = ? AND DSTADDR = ? AND DSTPORT = ? AND SRCPORT = ? AND PROT = ?
    ORDER BY FLOW_ID DESC LIMIT 500
    ) AS custom
    GROUP BY 1 ORDER BY timeIntervals DESC
    LIMIT 240';

$conn = mysqli_connect($servername, $username, $password, $dbname);
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

// Prepare once and bind plain variables; bind_param() takes references, so
// binding $row[...] directly would keep pointing at the first row's array.
$stmt = mysqli_prepare($conn, $baselineQuery);
if (!$stmt) {
    die("Prepare failed: " . mysqli_error($conn));
}
$src = $dst = $dport = $sport = $prot = '';
mysqli_stmt_bind_param($stmt, 'sssss', $src, $dst, $dport, $sport, $prot);

// Begin creating baseline data
$run = true;
while ($run) {
    // Re-run the flow query each pass: a mysqli result can only be read once,
    // so reusing the first one would leave every later pass with no rows.
    $flows = mysqli_query($conn, $flowQuery);
    if (!$flows) {
        die("Flow query failed: " . mysqli_error($conn));
    }

    $baselines = array();
    while ($row = $flows->fetch_assoc()) {
        $src = $row["SRCADDR"];
        $dst = $row["DSTADDR"];
        $dport = $row["DSTPORT"];
        $sport = $row["SRCPORT"];
        $prot = $row["PROT"];
        mysqli_stmt_execute($stmt);
        // mysqli_stmt_get_result() needs the mysqlnd driver
        $result = mysqli_stmt_get_result($stmt);
        // One array of bucket rows per flow, ready for averaging
        $key = "$src:$sport>$dst:$dport/$prot";
        $baselines[$key] = $result->fetch_all(MYSQLI_ASSOC);
        mysqli_free_result($result);
    }
    mysqli_free_result($flows);

    print_r($baselines);

    // usleep() is not guaranteed to accept more than one second; use sleep()
    sleep(60);
}

mysqli_stmt_close($stmt);
mysqli_close($conn);
?>

My logic is to:

  1. Find all unique flows for the last 8 hours.
  2. Using this data find all flow data for each of these unique flows.
  3. Split the created array into subarrays or individual arrays for each flow.
  4. Once each flow has its own array, average the packets and data to get a pseudo-baseline.
  5. Compare the latest flow entry to these averages and decide if there is an anomaly (over 200% increase/decrease in data flow in one direction).
  6. If an anomaly is detected, shoot off an email alerting about the event.
  7. Wait 60 seconds and resume the loop.

I know the code is far from finished and likely very sloppy, but any help is greatly appreciated!

  • After playing with the code for a few hours I'm probably going to just insert the baseline data into a baseline database. More updates to come. – The Sorrow Feb 08 '15 at 07:41
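The loop the question describes (unique flows, per-flow 5-minute buckets, a mean-based baseline, and a 200% deviation test), as an added worked example that is not the asker's code and not part of the original page. It uses an in-memory SQLite table with constructed flow records in place of the MySQL server, so the question's `FROM_UNIXTIME(... DIV ...)` bucket expression is written in SQLite dialect; the ratio threshold (3x for "over 200%"), the minimum history of three buckets, and the addresses are assumptions made for the demonstration. The e-mail step is left out.

```python
"""Per-flow DoS baseline check over NetFlow records stored in SQL.

Added example, not the question's code. SQLite stands in for MySQL, the flow
records are constructed, and the threshold / minimum history are assumptions.
"""
import sqlite3
from datetime import datetime, timedelta
from statistics import mean

BUCKET_SECONDS = 300        # 5-minute intervals, as in the question's query
RATIO_THRESHOLD = 3.0       # "over 200% increase": latest bucket > 3x the baseline
MIN_HISTORY_BUCKETS = 3     # assumption: do not judge a flow with less history than this

# Step 1: unique 5-tuples seen in the last 8 hours (TIMESTAMP deliberately not selected).
UNIQUE_FLOWS_SQL = """
SELECT DISTINCT SRCADDR, DSTADDR, SRCPORT, DSTPORT, PROT
FROM flows
WHERE TIMESTAMP >= datetime(:now, '-8 hours')
ORDER BY DSTADDR, SRCADDR
"""

# Step 2: totals per 5-minute bucket for one flow, oldest first. The bucket
# expression mirrors the question's MySQL one; the HAVING clause drops the bucket
# that is still being filled so a half-empty interval is not read as a drop.
BUCKET_SQL = """
SELECT ((CAST(strftime('%s', TIMESTAMP) AS INTEGER) / :b) * :b + :b) AS bucket_end,
       SUM(DPKTS) AS packets,
       SUM(DOCTETS) AS octets
FROM flows
WHERE SRCADDR = :src AND DSTADDR = :dst AND SRCPORT = :sport
  AND DSTPORT = :dport AND PROT = :prot
GROUP BY bucket_end
HAVING bucket_end <= CAST(strftime('%s', :now) AS INTEGER)
ORDER BY bucket_end ASC
"""


def build_sample_db():
    """Constructed data: 12 five-minute intervals, two records per interval per flow."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE flows (
        FLOW_ID INTEGER PRIMARY KEY, TIMESTAMP TEXT, SRCADDR TEXT, DSTADDR TEXT,
        SRCPORT INTEGER, DSTPORT INTEGER, PROT INTEGER, DPKTS INTEGER, DOCTETS INTEGER)""")
    start = datetime(2015, 2, 8, 0, 0, 0)
    rows = []
    for i in range(12):
        for k in range(2):
            ts = (start + timedelta(minutes=5 * i, seconds=60 * k)).strftime("%Y-%m-%d %H:%M:%S")
            # Flow A: 50 packets per record for 11 intervals, then a 3000-packet burst
            pkts_a = 50 if i < 11 else 3000
            rows.append((ts, "198.51.100.7", "192.0.2.10", 40000, 80, 6, pkts_a, pkts_a * 60))
            # Flow B: steady 40 packets per record throughout
            rows.append((ts, "203.0.113.5", "192.0.2.10", 51000, 443, 6, 40, 40 * 60))
    conn.executemany("INSERT INTO flows (TIMESTAMP, SRCADDR, DSTADDR, SRCPORT, DSTPORT, PROT, DPKTS, DOCTETS)"
                     " VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


def unique_flows(conn, now):
    return [tuple(r) for r in conn.execute(UNIQUE_FLOWS_SQL, {"now": now})]


def bucket_series(conn, flow, now):
    src, dst, sport, dport, prot = flow
    params = {"b": BUCKET_SECONDS, "src": src, "dst": dst, "sport": sport,
              "dport": dport, "prot": prot, "now": now}
    return [tuple(r) for r in conn.execute(BUCKET_SQL, params)]


def deviation(values):
    """Ratio of the newest complete bucket to the mean of the earlier ones.

    The newest bucket is excluded from the baseline so a burst cannot inflate the
    average it is compared against. Returns None when history is too short.
    """
    if len(values) < MIN_HISTORY_BUCKETS + 1:
        return None
    baseline = mean(values[:-1])
    if baseline == 0:
        return float("inf") if values[-1] > 0 else 1.0
    return values[-1] / baseline


def check_flow(series):
    """Steps 4-5: verdict plus packet and octet ratios for one flow's bucket series."""
    pkt_ratio = deviation([b[1] for b in series])
    oct_ratio = deviation([b[2] for b in series])
    if pkt_ratio is None or oct_ratio is None:
        return ("insufficient-history", pkt_ratio, oct_ratio)
    out_of_band = any(r > RATIO_THRESHOLD or r < 1 / RATIO_THRESHOLD for r in (pkt_ratio, oct_ratio))
    return ("anomaly" if out_of_band else "normal", pkt_ratio, oct_ratio)


def scan(conn, now):
    """One pass of the loop in the question: every unique flow gets a verdict."""
    return {flow: check_flow(bucket_series(conn, flow, now)) for flow in unique_flows(conn, now)}


if __name__ == "__main__":
    db = build_sample_db()
    for flow, verdict in scan(db, "2015-02-08 01:00:00").items():
        print(flow, verdict)
```

Two details matter more than the threshold itself: the bucket that is still being filled is never compared (otherwise every flow looks like a drop at the start of each interval), and the newest bucket is kept out of the average it is measured against. A plain mean is still easy to skew by one earlier burst, so a median or trimmed mean over the history is the usual next step; the `LIMIT 500` in the question also caps how much history a busy flow gets, which is worth keeping in mind when the baseline table is built.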

0 Answers