List: security-onion
Subject: [security-onion] Re: Netflow Data
From: Michael Haney <michael-haney () utulsa ! edu>
Date: 2013-03-29 3:00:38
Message-ID: 3b9ec790-b3db-466d-8660-ade22c6c6646 () googlegroups ! com
For SO to read it, you'll want to use Argus. nfreplay is the tool you want to take the data in and send it to a remote host, and it defaults to localhost, or you can use the "-H <hostname> -p <port number>" options.

Argus is configured in SO to take in network traffic and process it in a way that generates flow data from the raw traffic. By default, it doesn't listen on any specific port ("-P0" option), and just processes raw traffic into its flow/stream format. But it can be told to expect netflow data as input, using type "cisco" and generating a pcap recording of netflow packets being sent. That's like taking nfreplay to send it to another (or local-) host, tcpdump/netsniff-ng to record it into a pcap, and "argus -r cisco:pcap-file" to read it in. A little clunky.

Here's a good article that discusses some of the differences and gotchas (uni-directional versus bi-directional tracking, the importance of reading all data in the correct time order, etc.): http://www.qosient.com/argus/argusnetflow.shtml

That article calls for using the "ra -C" option, but the ra manpage (from SO, current version) says this is deprecated and to use "ra -S cisco://any:9996", which will read in your nfreplay data on port 9996 localhost. A better solution, in my opinion.

This will certainly give you the power of Argus tools for processing the data, but in my opinion, it's not very tightly integrated in the rest of what SO has to offer. And without the original packets to inspect, Snort, Suricata, and Bro won't really help here. You may consider looking at some other netflow tools, using the same idea to read in the nfreplay network output to localhost. I would recommend checking out nfsen (http://sourceforge.net/projects/nfsen/) and/or ntop (http://www.ntop.org/products/ntop/) to get web-based visibility into netflow data. The ntop package available in Ubuntu is outdated. I was able to compile the latest code against the pf_ring that comes with SecurityOnion and have had good luck running it alongside the other tools. This tool is also configured by default to listen to raw network traffic and interpret flows/streams. But it, too, has an option for listening to NetFlow data, via a "plugin".

I'd be interested in hearing more about how this works out for you (off list if you'd prefer).
Regards,
Michael
On Tuesday, March 26, 2013 6:56:30 PM UTC-5, Joe Borunda wrote:
> I was just wondering if it is possible to get a Netflow binary file and do like an nfreplay. Just like what you did for the pcaps (tcpreplay).
> I have two months' worth of nfcapd files but am not able to read them.
>
> New to Security Onion.
>
>
> Thank you.
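The replay procedure Michael describes (nfreplay sending each nfcapd file to localhost while "ra -S cisco://any:9996" listens), as an added example that is not code from the original post or from the Security Onion project. The point it adds is the "correct time order" gotcha from the linked Argus article: two months of nfcapd files must be replayed oldest first, and nfcapd's default file name nfcapd.YYYYMMDDhhmm makes that a sort on the basename, even when nfsen has spread the files over year/month/day subdirectories. Assumptions: nfreplay accepts -r/-H/-p/-v as in nfdump 1.6, the in-progress "nfcapd.current*" file should be skipped, and 127.0.0.1:9996 is just a default matching the ra example above.

```shell
#!/bin/sh
# Added example (not from the original message): replay a tree of nfcapd
# files to a local flow collector in timestamp order.
#
# Collector side, started first in another terminal (argus-clients):
#   ra -S cisco://any:9996 -w flows.argus
# and afterwards, for a quick look at what arrived:
#   ra -r flows.argus -s stime saddr sport daddr dport proto pkts bytes

# Print nfcapd.* files under DIR, oldest first.
# nfcapd names files nfcapd.YYYYMMDDhhmm, so sorting on the basename sorts
# by time regardless of directory layout. "nfcapd.current*" is the file
# nfcapd is still writing and is skipped (assumption: you do not want it).
list_nfcapd_in_order() {
    dir=$1
    find "$dir" -type f -name 'nfcapd.*' ! -name 'nfcapd.current*' |
        awk -F/ '{ print $NF "\t" $0 }' | sort | cut -f2-
}

# The nfreplay command line for one file (printed, not run, so it can be
# inspected without nfdump installed). -v 5 sends NetFlow v5, which the
# "cisco" reader in ra/argus understands; use -v 9 if your collector
# expects v9.
replay_cmd() {
    printf 'nfreplay -r %s -H %s -p %s -v 5\n' "$1" "$2" "$3"
}

# Replay every file under DIR, oldest first, to HOST:PORT.
# A fourth argument of "dry" prints the commands instead of running them.
replay_dir() {
    dir=$1
    host=${2:-127.0.0.1}
    port=${3:-9996}
    mode=${4:-run}
    list_nfcapd_in_order "$dir" | while IFS= read -r f; do
        if [ "$mode" = dry ]; then
            replay_cmd "$f" "$host" "$port"
        else
            nfreplay -r "$f" -H "$host" -p "$port" -v 5
        fi
    done
}

# Constructed demo data: two files created in the "wrong" directory order
# plus an in-progress file, to show that the replay order is by timestamp.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/2013/02/01" "$demo_dir/2013/01/31"
: > "$demo_dir/2013/02/01/nfcapd.201302010000"
: > "$demo_dir/2013/01/31/nfcapd.201301312355"
: > "$demo_dir/2013/02/01/nfcapd.current.1234"
replay_dir "$demo_dir" 127.0.0.1 9996 dry
rm -rf "$demo_dir"
```

Run it as-is to see the two commands it would issue (the January file first); replace the demo directory with your nfcapd tree and drop the "dry" argument once ra, nfsen or ntop is listening on the port.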