John Elliot | 24 May 2012 00:46

Another question on flow-tools -> nfsen/nfdump migration.


Hi Guys,

We often receive requests from ECs to provide traffic analysis when their usage is "abnormal".

Typically, with flow-tools it is analysis of a day's flow data (24 hours), and we provide:

Total Octets
Top port usage
Top src/dst IP

With flow-tools, we create a specific acl to only provide analysis on an EC's IP (could be a /32 or larger subnet).

Is the following the correct way to provide similar reports in nfdump? (i.e. no acl, all inclusions/exclusions are added on the command line?)

nfdump -R /data/nfsen/profiles-data/live/ASR1006/2012/05/21/ 'dst net 10.1.1.0/24' -s dstip/bytes -s port/bytes -s record/bytes -n 20 | more

Thanks in advance.
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@...
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
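As an added illustration of what that nfdump invocation computes (this is example code written for this thread, not code from the nfdump project or from the posters), the following Python script builds the argv for the command quoted above from a customer prefix, and then reproduces the three flow-tools reports (total octets, top ports by bytes, top src/dst IPs by bytes) over a small constructed set of flow records. The flow records, the helper names and the record layout (src, dst, dst port, bytes) are assumptions made here so the aggregation can be run without any nfdump data; nfdump itself is never executed.

```python
import ipaddress
import shlex
from collections import Counter


def build_nfdump_cmd(profile_dir, customer_net, top_n=20):
    """Assemble the argv for the report command shown in the thread.

    The customer prefix (a /32 host or a larger subnet) goes straight into the
    nfdump filter 'dst net ...'; no ACL file is needed. ip_network() with
    strict=True rejects a prefix that has host bits set, so a typo in the
    customer address fails here instead of silently widening the report.
    """
    net = ipaddress.ip_network(customer_net, strict=True)
    return [
        "nfdump", "-R", profile_dir,
        f"dst net {net.with_prefixlen}",
        "-s", "dstip/bytes",    # top destination IPs by bytes
        "-s", "port/bytes",     # top ports by bytes
        "-s", "record/bytes",   # top flow records by bytes
        "-n", str(top_n),
    ]


# Constructed sample flows (not real nfdump output): (src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", "10.1.1.5", 443, 900_000),
    ("203.0.113.11", "10.1.1.5", 443, 600_000),
    ("198.51.100.7", "10.1.1.9", 80, 250_000),
    ("198.51.100.7", "10.1.1.9", 25, 50_000),
    ("203.0.113.10", "10.1.2.5", 443, 999_999),    # other customer: excluded
    ("10.1.1.5", "203.0.113.10", 443, 70_000),     # outbound: dst not in net
]


def report(flows, customer_net, top_n=20):
    """Filter flows to 'dst net <customer_net>' and aggregate bytes the way the
    -s dstip/bytes and -s port/bytes statistics do, plus a src IP view."""
    net = ipaddress.ip_network(customer_net, strict=True)
    selected = [f for f in flows if ipaddress.ip_address(f[1]) in net]

    by_dstip, by_port, by_srcip = Counter(), Counter(), Counter()
    for src, dst, port, nbytes in selected:
        by_dstip[dst] += nbytes
        by_port[port] += nbytes
        by_srcip[src] += nbytes

    return {
        "total_bytes": sum(f[3] for f in selected),
        "top_dstip": by_dstip.most_common(top_n),
        "top_port": by_port.most_common(top_n),
        "top_srcip": by_srcip.most_common(top_n),
    }


if __name__ == "__main__":
    # Directory path taken from the command in the thread.
    cmd = build_nfdump_cmd(
        "/data/nfsen/profiles-data/live/ASR1006/2012/05/21/", "10.1.1.0/24")
    print("nfdump command:", shlex.join(cmd))
    for key, value in report(SAMPLE_FLOWS, "10.1.1.0/24").items():
        print(f"{key}: {value}")
```

Running it prints the shell-quoted nfdump command line and the four aggregates for the sample data; only the four flows whose destination lies inside 10.1.1.0/24 contribute, so the outbound flow and the neighbouring customer's traffic are excluded exactly as the 'dst net' filter would exclude them.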
Peter Haag | 24 May 2012 07:39

Re: Another question on flow-tools -> nfsen/nfdump migration.

Hi John,

On 5/24/12 0:46, John Elliot wrote:
> Hi Guys,
> 
> We often receive requests from ECs to provide traffic analysis when their usage is "abnormal".
> 
> Typically, with flow-tools it is analysis of a day's flow data (24 hours), and we provide:
> 
> Total Octets
> Top port usage
> Top src/dst IP
> 
> With flow-tools, we create a specific acl to only provide analysis on an EC's IP (could be a /32 or larger subnet).
> 
> Is the following the correct way to provide similar reports in nfdump? (i.e. no acl, all
> inclusions/exclusions are added on the command line?)

Yes - that's correct.

> 
> nfdump -R /data/nfsen/profiles-data/live/ASR1006/2012/05/21/ 'dst net 10.1.1.0/24' -s dstip/bytes -s port/bytes -s record/bytes -n 20 | more

Correct! - you don't even need '| more' :)

	- Peter
> 
> 
> Thanks in advance.

-- 
Be nice to your netflow data

John Elliot | 24 May 2012 07:50

Re: Another question on flow-tools -> nfsen/nfdump migration.

> > nfdump -R /data/nfsen/profiles-data/live/ASR1006/2012/05/21/ 'dst net 10.1.1.0/24' -s dstip/bytes -s port/bytes -s record/bytes -n 20 | more
>
> Correct! - you don't even need '| more' :)

Cheers Peter! nfdump is exceeding my expectations atm... like it a lot (and appears a lot faster than flow-tools)... thumbs up to the developers!

Haven't had a chance to really look at nfsen as yet, but can similar reports be extracted via the web page?
Peter Haag | 24 May 2012 08:04

Re: Another question on flow-tools -> nfsen/nfdump migration.


On 5/24/12 7:50, John Elliot wrote:
>> > nfdump -R /data/nfsen/profiles-data/live/ASR1006/2012/05/21/ 'dst net 10.1.1.0/24' -s dstip/bytes -s port/bytes -s record/bytes -n 20 | more
>>
>> Correct! - you don't even need '| more' :)
> 
> Cheers Peter! nfdump is exceeding my expectations atm... like it a lot (and appears a lot faster than
> flow-tools)... thumbs up to the developers!
> 
> Haven't had a chance to really look at nfsen as yet, but can similar reports be extracted via the web page?

Not directly. But for this, it would be pretty simple to write a plugin.

Maybe it's a good trigger for all users: what kind of reports would be most wanted, and for which time intervals?
Feel free to send your ideas.

	- Peter

-- 
Be nice to your netflow data

James Mcloughlin | 24 May 2012 10:37

Re: Another question on flow-tools -> nfsen/nfdump migration.

On 24/05/12 07:04, Peter Haag wrote:
> On 5/24/12 7:50, John Elliot wrote:
>>>> nfdump -R /data/nfsen/profiles-data/live/ASR1006/2012/05/21/ 'dst net 10.1.1.0/24' -s dstip/bytes -s port/bytes -s record/bytes -n 20 | more
>>>
>>> Correct! - you don't even need '| more' :)
>>
>> Cheers Peter! nfdump is exceeding my expectations atm... like it a lot (and appears a lot faster than
>> flow-tools)... thumbs up to the developers!
>>
>> Haven't had a chance to really look at nfsen as yet, but can similar reports be extracted via the web page?
> 
> Not directly. But for this, it would be pretty simple to write a plugin.
> 
> Maybe it's a good trigger for all users: what kind of reports would be most wanted, and for which time intervals?
> Feel free to send your ideas.
> 
> 	- Peter
> 
It would be very useful to us to have an option to write to MySQL,
rather than to binary dump files...

-- 
Jamie Mcloughlin	+44 1235 822 383	PGP: FF7746C1
JANET CSIRT	0870 850 2340		(+44 1235 822 340)
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

Nikolaos Milas | 24 May 2012 12:46

Re: Another question on flow-tools -> nfsen/nfdump migration.

On 24/5/2012 11:37 AM, James Mcloughlin wrote:

> It would be very useful to us to have an option to write to MySQL,
> rather than to binary dump files...

+1

Note also that there exists a method to import nfdump data into MySQL,
e.g. here:

http://www.opsview.com/forum/developers/monitoring-plugins/netflow-based-nfdump-netflow-v9-support

The above was built in order to develop an opsview/nagios "netflow 
check" using nfdump.

It uses the scripts in the attached zip file.

I would, however, prefer to have a native MySQL storage option, if
possible, rather than an external script.

Nick
Attachment (nfsen_mysql.zip): application/octet-stream, 4323 bytes