On 29/1/14 8:04 PM, Champ Clark III wrote:
> 
> Thank you Peter,
> 
> I'm not sure how valuable they would be outside of Sagan, but I at
> least wanted to let you know how we are using nfdump.

nfcapd will become real-time capable anyway. However, it's not yet clear in what
form. So far UNIX sockets are also an option.
So any patch is valuable to study :)

        - Peter

> 
> 
> On 01/29/2014 01:41 PM, Peter Haag wrote:
>> Many thanks Champ! I'll definitely have a look at the patches.
> 
>> Many thanks!
> 
>>     - Peter
>> On 2/1/14 2:27 AM, Champ Clark III wrote:
>>> Hello!
>>>
>>> First off, thank you for providing a great set of tools to deal with
>>> Netflow data. It's a really valuable set of tools and I really
>>> appreciate it.
>>>
>>> I'm the primary author of "Sagan", a real-time, multi-threaded log
>>> analysis engine. For more information, see:
>>>
>>> http://sagan.quadrantsec.com.
>>>
>>> I recently had an idea of using Sagan to analyze netflow data, and nfdump
>>> seemed to be the best approach. The idea is to have Sagan examine
>>> traffic via the log analysis engine and identify malicious traffic
>>> (via blacklist, RBL lookup and rule sets).
>>>
>>> To keep it short, I had to make some minor modifications to nfdump to
>>> get the functionality I needed, in particular to "nfcapd". The
>>> modifications I made allow nfcapd to work as normal, but also send
>>> decoded Netflow data to a FIFO.
>>>
>>> Sagan can then read the FIFO and determine if the traffic is malicious
>>> or not.
>>>
>>> The modified code is at:
>>>
>>> https://github.com/beave/nfdump-1.6.10p1-sagan
>>>
>>> I also wrote up a brief "HOWTO":
>>>
>>> https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganNetflow
>>>
>>> I just wanted to get the word out. Please let me know if you have any
>>> thoughts and/or comments.
>>>
>>> _______________________________________________
>>> Nfdump-discuss mailing list
>>> Nfdump-discuss@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>>>

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
