On 17/4/2023 4:48 PM, Brian Candler wrote:
...
For case 2, I don't think nfdump is the ideal data feed, but there are
lots of other options. Elastic's own Filebeat
<https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html>
is free; there are lots of commercial options too, e.g.
ntop-ng/nprobe, elastiflow.
...
Thank you Brian, and all of you who responded, for your valuable info.
I was wondering whether nfcapd 1.7 (from nfdump project) coupled with
nfinflux (https://github.com/phaag/nfinflux/blob/master/README.md) would
be a workable scenario.
Splunk / Elastic would then be able to read data directly from an InfluxDB?
Any comments?
By the way, there is an nfsen plugin dating back to 2014 for detecting DDoS
attacks (https://github.com/CERT-GOV-GE/gabriel). Has anyone used it?
Not here, and I notice it's 9 years old. Also note that whilst
nfdump/nfcapd are actively maintained, nfsen isn't.
However I did come across this recently:
https://github.com/pavel-odintsov/fastnetmon
Very interesting, although the Community version is (not surprisingly)
limited in features. Thank you for pointing to it.
Cheers,
Nick
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss