Netflows

Necessary pieces of software

fprobe: sends flows from a remote machine (the sensor)
NfSen: graphical web-based front end for the nfdump netflow tools
nfdump: netflow collection tool

First, enable netflow collection for remote sensors in the AlienVault web interface:

Configuration - AlienVault components - Sensors

Select a sensor and click on modify

Scroll down to **Netflow Collection Configuration**.
Select a UDP port that is not already in use (check with "netstat -lnu"; the default is 12000) and a colour for this netflow source.
Select whether you are going to receive netflows (default) or sflows.
Click on Configure and run.
On the console run **ossim-reconfig** in order to open the firewall for this port.
You can also check that the new flow source has been added to /etc/nfsen.conf under the "%sources" section.
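The two checks just mentioned (is the chosen UDP port still free, and did the source end up in /etc/nfsen.conf) can be scripted. The following is an added example, not code from the original page or from AlienVault; it works on constructed samples of "netstat -lnu" output and of the %sources section so that it runs offline, and the source name "slave" and port 12000 in the samples are only illustrative.

```shell
#!/bin/sh
# Added example, not from the original page: offline versions of the two
# server-side checks (is the UDP port free? was the source written to
# /etc/nfsen.conf?), run over constructed sample data instead of the live host.

# Constructed sample of "netstat -lnu" output: UDP 12000 is already bound.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:12000           0.0.0.0:*
udp        0      0 127.0.0.1:161           0.0.0.0:*
udp6       0      0 :::514                  :::*
EOF
)

# Constructed sample of the %sources section of /etc/nfsen.conf after a sensor
# named "slave" was configured on port 12000 (Perl hash syntax, as nfsen uses).
SAMPLE_NFSEN=$(cat <<'EOF'
%sources = (
    'slave' => { 'port' => '12000', 'col' => '#0000ff', 'type' => 'netflow' },
);
EOF
)

# udp_port_in_use PORT NETSTAT_OUTPUT
# Returns 0 when some UDP socket in the netstat listing is bound to PORT.
# The port is taken from the last ":"-separated field of "Local Address",
# which also copes with IPv6 forms such as ":::514".
udp_port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^udp/ { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# nfsen_source_port NAME NFSEN_CONF
# Prints the port configured for source NAME in the %sources hash, or nothing
# when the source is absent.
nfsen_source_port() {
    printf '%s\n' "$2" | sed -n "s/.*'$1' *=> *{.*'port' *=> *'\([0-9]*\)'.*/\1/p"
}

# Usage on the samples (on a real AV server, pass "$(netstat -lnu)" and
# "$(cat /etc/nfsen.conf)" instead of the constructed strings).
if udp_port_in_use 12000 "$SAMPLE_NETSTAT"; then
    echo "UDP 12000 is already in use; pick another port"
else
    echo "UDP 12000 is free"
fi
port=$(nfsen_source_port slave "$SAMPLE_NFSEN")
if [ -n "$port" ]; then
    echo "nfsen source 'slave' is configured on port $port"
else
    echo "nfsen source 'slave' is missing from nfsen.conf"
fi
```

Run the port check before clicking Configure (to pick a free port) and the nfsen.conf check after ossim-reconfig (to confirm the source was written).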

The following variables must be set in /etc/ossim/ossim_setup.conf on every machine that sends flows (i.e. runs fprobe):

[sensor]

ids_rules_flow_control=yes    **Default: yes. Set to no if snort is listening to asymmetric traffic, i.e. one interface for inbound and another one for outbound**
interfaces=eth0    **Local interface receiving the port mirror**
###interfaces=eth0, eth2    **This will start snort on eth0 and eth2; it will also set the fprobe interface to "any" in /etc/default/fprobe**
###If "interfaces" is not specified, the fprobe interface in /etc/default/fprobe will be empty.
###If only one interface is specified, that interface will be used in /etc/default/fprobe.
###Note that fprobe captures on the `any' device are not done in promiscuous mode.
ip=172.16.20.30    **Remote AV server IP address collecting the flows**
name=slave        **Must match this machine's hostname**
netflow=yes        **Enable netflow sending**
netflow_remote_collector_port=555    **Remote listening port on the AV server**

Once this is completed, run ossim-reconfig in order to start fprobe.
To check that fprobe is running, run: ps axf | grep fprobe
Make sure the interface fprobe captures on, and the server address and port it sends to, are the right ones.

You may need to check the values written by ossim-reconfig to /etc/default/fprobe.
You may also want to check that the sensor is actually sending something to the server:

tcpdump -i eth0 -n host 172.16.20.30 and port 555
netstat -puan
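As an added example (not AlienVault's own tooling), the following script performs the sensor-side check described above: it derives the fprobe settings that the [sensor] values imply, using the interface rule from the comments (none set, one interface, or "any" for several), and compares them with /etc/default/fprobe. It assumes the Debian layout of /etc/default/fprobe, with INTERFACE= and FLOW_COLLECTOR="host:port" lines, and runs over constructed copies of both files so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original page: compare what ossim-reconfig
# should have written to /etc/default/fprobe with the [sensor] section of
# /etc/ossim/ossim_setup.conf. Assumption: /etc/default/fprobe uses the Debian
# layout with INTERFACE="..." and FLOW_COLLECTOR="host:port" lines.

# Constructed copy of the [sensor] section (two interfaces, so fprobe
# should end up capturing on "any").
SAMPLE_SETUP=$(cat <<'EOF'
[sensor]
ids_rules_flow_control=yes
interfaces=eth0, eth2
ip=172.16.20.30
name=slave
netflow=yes
netflow_remote_collector_port=555
EOF
)

# Constructed copy of /etc/default/fprobe as it should look for that sensor.
SAMPLE_FPROBE=$(cat <<'EOF'
#fprobe default configuration file
INTERFACE="any"
FLOW_COLLECTOR="172.16.20.30:555"
OTHER_ARGS="-fip"
EOF
)

# setup_value KEY CONF -> value of KEY inside the [sensor] section (or nothing)
setup_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F= '
        /^\[/ { in_sensor = ($0 == "[sensor]"); next }
        in_sensor && $1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# expected_fprobe_interface INTERFACES -> "" when unset, the interface itself
# when one is given, "any" when several are listed (the rule stated above)
expected_fprobe_interface() {
    case "$1" in
        '')  printf '' ;;
        *,*) printf 'any' ;;
        *)   printf '%s' "$1" ;;
    esac
}

# default_value KEY CONF -> unquoted value of KEY="..." in /etc/default/fprobe
default_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"'
}

# check_fprobe SETUP_CONF FPROBE_CONF -> 0 when fprobe is set to capture on the
# expected interface and send to ip:netflow_remote_collector_port, 1 otherwise
check_fprobe() {
    [ "$(setup_value netflow "$1")" = yes ] || { echo "netflow=yes is not set in ossim_setup.conf"; return 1; }
    want_if=$(expected_fprobe_interface "$(setup_value interfaces "$1")")
    want_coll="$(setup_value ip "$1"):$(setup_value netflow_remote_collector_port "$1")"
    have_if=$(default_value INTERFACE "$2")
    have_coll=$(default_value FLOW_COLLECTOR "$2")
    [ "$want_if" = "$have_if" ] || { echo "interface: want '$want_if', have '$have_if'"; return 1; }
    [ "$want_coll" = "$have_coll" ] || { echo "collector: want $want_coll, have $have_coll"; return 1; }
    echo "fprobe on '$have_if' -> $have_coll matches ossim_setup.conf"
}

# Usage on the samples; on a real sensor pass "$(cat /etc/ossim/ossim_setup.conf)"
# and "$(cat /etc/default/fprobe)".
check_fprobe "$SAMPLE_SETUP" "$SAMPLE_FPROBE"
```

A mismatch reported by this check is the usual reason for "ps axf | grep fprobe" showing fprobe running while tcpdump on the server sees no packets from the sensor.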

You can also check the size of the received flows on the server under:

/var/cache/nfdump/flows/live/MachineName/Date/nfcapd.*

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License