On 17/04/2023 13:38, Nikolaos Milas <nmi...@noa.gr> wrote:
> I know that nfsen includes features for alerts but I was wondering
> whether there have been implementations that integrate nfsen with Splunk
> or Elastic / ELK Stack and/or guidelines to follow with such
> implementation.
I think there are two possible and very different things you might be
asking for there:
1. Getting nfsen alerts into Splunk/Elastic
2. Getting all the raw nfdump Netflow records into Splunk/Elastic (and
doing all the analysis and alerting there)
For case 1, it should just be a question of a small alerting plugin:
https://nfsen.sourceforge.net/#mozTocId859236
For case 2, I don't think nfdump is the ideal data feed, but there are
lots of other options. Elastic's own Filebeat
<https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html>
is free; there are lots of commercial options too, e.g. ntop-ng/nprobe,
elastiflow.
> By the way, back from 2014 there is an nfsen plugin for detecting DDoS
> attacks (https://github.com/CERT-GOV-GE/gabriel). Has anyone used it?
Not here, and I notice it's 9 years old. Also note that whilst
nfdump/nfcapd are actively maintained, nfsen isn't.
However I did come across this recently:
https://github.com/pavel-odintsov/fastnetmon
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
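As an added illustration of case 1 (not code from the thread or from the nfsen project): a minimal nfsen alert plugin that forwards a fired alert to Splunk's HTTP Event Collector. It assumes the alert_condition/alert_action hooks described in the nfsen plugin documentation linked above, a plugin name of SplunkAlert, and placeholder HEC URL and token that you replace with your own.

```perl
package SplunkAlert;   # hypothetical plugin name; install as SplunkAlert.pm in nfsen's backend plugin dir
use strict;
use warnings;
use HTTP::Tiny;        # core Perl HTTP client, no extra CPAN deps
use JSON::PP;          # core Perl JSON encoder
use Sys::Hostname;
use Sys::Syslog;       # nfsend already opens syslog; plugins just call syslog()

our $VERSION = 130;    # plugin interface version, as in nfsen's demoplugin.pm

# Placeholders: replace with your own Splunk HEC endpoint and token.
my $HEC_URL   = 'https://splunk.example.internal:8088/services/collector/event';
my $HEC_TOKEN = 'REPLACE-WITH-HEC-TOKEN';

# Called by nfsend for each timeslot when the alert's condition is "plugin".
# Return 1 to fire, 0 to stay quiet. Here the decision is left to nfsen's own
# threshold/filter conditions, so this hook always says "yes".
sub alert_condition {
    my ($alert, $timeslot) = @_;
    return 1;
}

# Called when the alert fires: ship one structured event to Splunk.
sub alert_action {
    my ($alert, $timeslot) = @_;
    my $event = {
        time       => time(),
        host       => hostname(),
        sourcetype => 'nfsen:alert',
        event      => { alert => $alert, timeslot => $timeslot, source => 'nfsen' },
    };
    my $resp = HTTP::Tiny->new(timeout => 10)->post(
        $HEC_URL,
        {
            headers => { 'Authorization' => "Splunk $HEC_TOKEN",
                         'Content-Type'  => 'application/json' },
            content => encode_json($event),
        },
    );
    if ($resp->{success}) {
        syslog('info', "SplunkAlert: forwarded alert '$alert' for $timeslot");
    } else {
        # Log and carry on; a dead SIEM endpoint must not break nfsend.
        syslog('err', "SplunkAlert: HEC post failed: $resp->{status} $resp->{reason}");
    }
    return 1;
}

sub Init    { return 1; }
sub Cleanup { return 1; }

1;
```

The plugin is then listed under @plugins in nfsen.conf and selected as the alert's condition/action plugin in the nfsen alert editor; on the Splunk side, a search on sourcetype=nfsen:alert drives the dashboard or correlation rule.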