
List:       security-onion
Subject:    [security-onion] Re: Netflow Data
From:       Michael Haney <michael-haney () utulsa ! edu>
Date:       2013-03-29 3:00:38
Message-ID: 3b9ec790-b3db-466d-8660-ade22c6c6646 () googlegroups ! com

For SO to read it, you'll want to use Argus. nfreplay is the tool you want to take the data in and send it to a remote host, and it defaults to localhost, or you can use the "-H <hostname> -p <port number>" options.

Argus is configured in SO to take in network traffic and process it in a way that generates flow data from the raw traffic. By default, it doesn't listen on any specific port ("-P0" option), and just processes raw traffic into its flow/stream format. But it can be told to expect netflow data as input, using type "cisco" and generating a pcap recording of netflow packets being sent. That's like taking nfreplay to send it to another (or local-) host, tcpdump/netsniff-ng to record it into a pcap, and "argus -r cisco:pcap-file" to read it in. A little clunky.

Here's a good article that discusses some of the differences and gotchas (uni-directional versus bi-directional tracking, the importance of reading all data in the correct time order, etc.): http://www.qosient.com/argus/argusnetflow.shtml

That article calls for using the "ra -C" option, but the ra manpage (from SO, current version) says this is deprecated and to use "ra -S cisco://any:9996", which will read in your nfreplay data on port 9996 localhost. A better solution, in my opinion.

This will certainly give you the power of Argus tools for processing the data, but in my opinion, it's not very tightly integrated in the rest of what SO has to offer. And without the original packets to inspect, Snort, Suricata, and Bro won't really help here. You may consider looking at some other netflow tools, using the same idea to read in the nfreplay network output to localhost. I would recommend checking out nfsen (http://sourceforge.net/projects/nfsen/) and/or ntop (http://www.ntop.org/products/ntop/) to get web-based visibility into netflow data. The ntop package available in Ubuntu is outdated. I was able to compile the latest code against the pf_ring that comes with SecurityOnion and have had good luck running it alongside the other tools. This tool is also configured by default to listen to raw network traffic and interpret flows/streams. But it, too, has an option for listening to NetFlow data, via a "plugin".

I'd be interested in hearing more about how this works out for you (off list if you'd prefer).

Regards,
Michael

On Tuesday, March 26, 2013 6:56:30 PM UTC-5, Joe Borunda wrote:
> I was just wondering if it is possible to get a Netflow binary file and do something like an nfreplay, just like what you did for the pcaps (tcpreplay).
> I have two months' worth of nfcapd files but am not able to read them.
> 
> New to Security Onion.
> 
> Thank you.
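The replay step described in Michael's reply (nfreplay feeding a local "ra -S cisco://any:9996" listener), as an added example that is not part of the original thread: it walks a directory of nfcapd files in timestamp order, which matters for the time-ordering gotcha the Argus article raises. It assumes nfcapd's default nfcapd.YYYYMMDDHHMM file names, nfreplay's -r/-H/-p options, and 127.0.0.1:9996 as the listener; the directory path is a constructed placeholder.

```shell
#!/bin/sh
# Replay a directory of nfcapd files to a local Argus listener started with:
#   ra -S cisco://any:9996
# Files are sent oldest first so the flow records arrive in time order.

# List nfcapd.YYYYMMDDHHMM files in chronological order. The fixed-width
# timestamp suffix makes a plain byte-wise sort chronological. The file
# nfcapd is still writing (nfcapd.current.<pid>) is skipped: it is not a
# finished capture and its name would not sort with the others.
ordered_nfcapd() {
    for f in "$1"/nfcapd.*; do
        [ -f "$f" ] || continue
        case "$f" in *nfcapd.current*) continue ;; esac
        printf '%s\n' "$f"
    done | LC_ALL=C sort
}

# Send each finished file to the ra listener. nfreplay reads one file with
# -r; -H/-p select the destination (nfreplay defaults to localhost anyway).
# Stops at the first failed replay so a gap is noticed rather than skipped.
replay_to_ra() {
    dir=$1
    host=${2:-127.0.0.1}
    port=${3:-9996}
    ordered_nfcapd "$dir" | while IFS= read -r f; do
        nfreplay -r "$f" -H "$host" -p "$port" || return 1
    done
}

# Usage: ./replay_nfcapd.sh /var/cache/nfdump/2013 [host] [port]
# (the directory is a constructed example path)
if [ "$#" -ge 1 ]; then
    replay_to_ra "$@"
fi
```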

