Re: [pfSense] NetFlow analysis tools
> On 18 Jan 2015 at 16:22, Larry Sampas wrote:
>
> I haven't played with many GUI tools other than FlowBAT, which is very new,
> but I have been using SiLK at scale for some time now, and it's been very
> stable.
>
> Since we run securityonion, I've been using these instructions for installing
> SiLK/Yaf and configuring rwflowpack:
> http://www.appliednsm.com/silk-on-security-onion/ (With the latest code
> version from CERT)
>
> it also works for collecting Netflow data if you listen on the right ports.
>
> I'm definitely going to look at FlowViewer as an alternative to our plan of
> getting the SiLK flow records into R and using a chart package. While GUI
> tools are great, the command-line SiLK tools work very well if you want to
> know exactly which IPs a host has contacted, at what times, on which ports,
> and how much data was sent/received.
>
> --Larry

I would like to thank all the persons who have been answering this question. Thanks for your support; if we come up with a bright idea regarding NetFlow analysis tools, I'll let everyone know!

Sincerely yours.

PGP ID --> 0x1BA3C2FD

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] NetFlow analysis tools
I haven't played with many GUI tools other than FlowBAT, which is very new, but I have been using SiLK at scale for some time now, and it's been very stable.

Since we run securityonion, I've been using these instructions for installing SiLK/Yaf and configuring rwflowpack: http://www.appliednsm.com/silk-on-security-onion/ (with the latest code version from CERT). It also works for collecting Netflow data if you listen on the right ports.

I'm definitely going to look at FlowViewer as an alternative to our plan of getting the SiLK flow records into R and using a chart package. While GUI tools are great, the command-line SiLK tools work very well if you want to know exactly which IPs a host has contacted, at what times, on which ports, and how much data was sent/received.

--Larry

On Sat, Jan 17, 2015 at 5:27 AM, Mathieu Simon (Lists) <matsimon.li...@simweb.ch> wrote:
> Hi
>
> On 15.01.2015 at 17:08, b...@todoo.biz wrote:
>
> > I am particularly interested in GUI back-end.
>
> For a student project on the Uni's HPC cluster, co-students and I were
> also looking at first for such a tool and stumbled on FlowViewer, used
> and largely developed at NASA ESDIS:
> http://sourceforge.net/projects/flowviewer/
>
> FlowViewer was a beast to compile from source, but we made it run and it
> looked pretty good, including graphs, and had quite some documentation. Its
> collector side supports NetFlow 5, 9 and IPFIX. Back then when we looked
> at it, it looked promising but too big for our needs of a 1-semester
> project. If it had been for a serious deployment, we may have
> ended up with that.
>
> Because of our tight schedule and the excellent examples found in
> 'Network Flow Analysis' from the known BSD author Michael W. Lucas, we
> ended up filtering our NetFlow 5 data using good ol' flow-tools and
> plotting data with gnuplot for our final report.
>
> -- Mathieu
>
> ---
> This e-mail was checked for viruses by Avast antivirus software.
> http://www.avast.com
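Added illustration, not code from Larry, Mathieu, SiLK or the list: the per-host questions Larry lists (which peers, when, which ports, how many bytes) answered straight from a NetFlow v5 export datagram, the format pfflowd/softflowd send and Mathieu's flow-tools consumed. The record layout is the standard v5 one; the sample datagram is constructed here (documentation-range addresses, made-up timestamps), and the assumed checks are the v5 30-records-per-datagram limit and the uptime-to-epoch conversion of the First/Last fields.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address
# NetFlow v5 wire layout (big-endian), the format pfflowd/softflowd export over UDP.
HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte header; at most 30 records follow
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    version, count, uptime_ms, secs, nsecs = HDR.unpack_from(datagram)[:5]
    if version != 5 or count > 30 or len(datagram) < HDR.size + count * REC.size:
        raise ValueError("bad NetFlow v5 datagram (version %d, %d records)" % (version, count))
    # First/Last in each record are exporter uptime in ms; derive boot time from the header clock
    boot = secs + nsecs / 1e9 - uptime_ms / 1000.0
    flows = []
    for i in range(count):
        r = REC.unpack_from(datagram, HDR.size + i * REC.size)
        src, dst, _, _, _, _, octets, first, last, sport, dport, _, _, proto = r[:14]
        flows.append({"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto, "bytes": octets,
                      "start": boot + first / 1000.0, "end": boot + last / 1000.0})
    return flows

def host_contacts(flows, host):
    """For one host: each (peer, proto, peer port) with flow count, bytes, first/last seen."""
    out = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None, "last": None})
    for f in flows:
        if f["src"] == host:
            key = (f["dst"], f["proto"], f["dport"])
        elif f["dst"] == host:
            key = (f["src"], f["proto"], f["sport"])
        else:
            continue
        e = out[key]
        e["flows"] += 1
        e["bytes"] += f["bytes"]
        e["first"] = f["start"] if e["first"] is None else min(e["first"], f["start"])
        e["last"] = f["end"] if e["last"] is None else max(e["last"], f["end"])
    return dict(out)

def sample_datagram():  # constructed test data, not a real capture
    def rec(src, dst, sport, dport, proto, octets, first, last):
        return REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4), 1, 2, 10,
                        octets, first, last, sport, dport, 0, 0x1b, proto, 0, 0, 0, 24, 24, 0)
    header = HDR.pack(5, 3, 60000, 1421337600, 0, 0, 0, 0, 0)   # 60 s uptime at that epoch
    return (header
            + rec("10.0.0.5", "192.0.2.10", 51000, 443, 6, 5120, 10000, 12000)
            + rec("10.0.0.5", "192.0.2.10", 51001, 443, 6, 2048, 30000, 31000)
            + rec("198.51.100.53", "10.0.0.5", 53, 40000, 17, 300, 5000, 5000))
```

Feed `parse_v5` the payload of each UDP datagram received on the collector port and `host_contacts` gives the same per-host view the SiLK rwfilter/rwstats workflow produces, including a mismatched record count or a non-v5 header being rejected instead of silently mis-parsed.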
Re: [pfSense] NetFlow analysis tools
Hi

On 15.01.2015 at 17:08, b...@todoo.biz wrote:

> I am particularly interested in GUI back-end.

For a student project on the Uni's HPC cluster, co-students and I were also looking at first for such a tool and stumbled on FlowViewer, used and largely developed at NASA ESDIS: http://sourceforge.net/projects/flowviewer/

FlowViewer was a beast to compile from source, but we made it run and it looked pretty good, including graphs, and had quite some documentation. Its collector side supports NetFlow 5, 9 and IPFIX. Back then when we looked at it, it looked promising but too big for our needs of a 1-semester project. If it had been for a serious deployment, we may have ended up with that.

Because of our tight schedule and the excellent examples found in 'Network Flow Analysis' from the known BSD author Michael W. Lucas, we ended up filtering our NetFlow 5 data using good ol' flow-tools and plotting data with gnuplot for our final report.

-- Mathieu

---
This e-mail was checked for viruses by Avast antivirus software.
http://www.avast.com
Re: [pfSense] NetFlow analysis tools
On Thu, 2015-01-15 at 17:08 +0100, b...@todoo.biz wrote:
> Hello,
>
> I would like to know which flow-tools you are using in conjunction with
> pfflowd / netflow
>
> I am particularly interested in GUI back-end.
>
> If you have any good pointer, that would really be helpful.
>
> Sincerely yours.

Softflowd -> Logstash receiver -> Redis -> Logstash indexer -> Elasticsearch -> Kibana

Logstash has a Netflow input, and then I use the GeoIP and DNS filters to augment the data; finally, in Kibana I plot the flows on a map from the GeoIP.

That single report has told me an awful lot. For example, someone came to our office and had an SSL VPN of some sort; they also use an external web proxy. Before they fired up the VPN their flows were going through European IPs. As soon as the VPN was started, their 443/tcp flows instantly switched to the US. When the VPN was shut down it moved back to Europe. Coincidence - perhaps. I couldn't do much more testing in the time available.

Cheers
Jon
Re: [pfSense] NetFlow analysis tools
On 15/01/2015 18:37, Kurt Buff wrote:
> On Thu, Jan 15, 2015 at 8:08 AM, b...@todoo.biz wrote:
> > Hello,
> >
> > I would like to know which flow-tools you are using in conjunction with
> > pfflowd / netflow
> >
> > I am particularly interested in GUI back-end.
> >
> > If you have any good pointer, that would really be helpful.

I'm using NFSEN http://nfsen.sourceforge.net/

--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] NetFlow analysis tools
On Thu, Jan 15, 2015 at 8:08 AM, b...@todoo.biz wrote:
> Hello,
>
> I would like to know which flow-tools you are using in conjunction with
> pfflowd / netflow
>
> I am particularly interested in GUI back-end.
>
> If you have any good pointer, that would really be helpful.

o- ntop on *nix
o- perhaps PRTG - a commercial Windows app

Kurt
[pfSense] NetFlow analysis tools
Hello,

I would like to know which flow-tools you are using in conjunction with pfflowd / netflow.

I am particularly interested in GUI back-end.

If you have any good pointer, that would really be helpful.

Sincerely yours.

Your provider of OpenSource Appliances
www.osnet.eu

PGP ID --> 0x1BA3C2FD