fprobe-ulog
A network security analysis and monitoring toolkit Linux distribution.
Brought to you by:
pblankenbaker,
rwhalb
Greetings -
I see fprobe-ulog is on the newest version of NST. fprobe-ulog allows you to create netflow records on your NST box for delivery to a netflow collector. Very handy if you happen to have routers that don't support netflow.
Is there a configuration How-to on this? Particularly, I'm wondering -
How do you identify the source interface of the fprobe? In /etc/default/fprobe-ulog? That file is missing.
How do you start the service? /etc/init.d/fprobe-ulog ? That file is missing as well.
Docs on fprobe-ulog are not so great…
hoffswell:
2 options for using netflow on NST:
1) Use the NST WUI and go to the NfSen - Netflow Sensor Management page. You can start up a netflow probe using "ipt_netflow"
From the NST Menu: Network => Monitors => Netflow Sensor Management
Then use the graphical web-based netflow output with NfSen…
2) Use fprobe-ulog. This requires also the use of iptables. There is no startup script in /etc/init.d. So you will need to create one.
Example systemd startup script: "/lib/systemd/system/fprobe-ulog.service"
[Unit]
Description=NST Boot Service
After=syslog.target network.target

[Service]
EnvironmentFile=/etc/sysconfig/fprobe-ulog
ExecStart=/usr/bin/fprobe-ulog $OPTIONS

[Install]
WantedBy=multi-user.target
$OPTIONS can be defined in file: "/etc/sysconfig/fprobe-ulog"
OPTIONS="-Xeth0:100 localhost:9996"
A) First set up your iptables for logging. In this example we will log all flows on the NST probe.
iptables -t filter -N ULOGFLOW
iptables -A ULOGFLOW -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 --ulog-qthreshold 50
iptables -t filter -A INPUT -j ULOGFLOW
iptables -t filter -A OUTPUT -j ULOGFLOW
iptables -t filter -A FORWARD -j ULOGFLOW
iptables -L -v
b) Run the fprobe-ulog netflow probe. Example: run it on interface eth0 and send it to localhost port 9996
fprobe-ulog "-Xeth0:100" localhost:9996
c) To test the example above use 'ncat' on the same probe
ncat -u -l 127.0.0.1 9996 | hexdump -C
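The ncat/hexdump check above only shows raw bytes. The following decoder is an added example (not part of the thread, and not NST or fprobe-ulog code) that parses what the collector receives so you can confirm the probe is exporting the flows you expect. It assumes the probe sends NetFlow v5, which is fprobe-ulog's default export format unless you change it, and it reuses the same 127.0.0.1:9996 endpoint from step c. The sample datagram is constructed inside the script so it runs offline; listen() is the only part that needs a running probe.

```python
"""Decode NetFlow v5 export datagrams (what fprobe-ulog sends to a collector).

Added example, not part of the NST thread or of fprobe-ulog itself.
Assumes NetFlow v5 (24-byte header + 48-byte flow records).
"""
import socket
import struct
from ipaddress import IPv4Address

# header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def decode_v5(packet: bytes) -> dict:
    """Parse one NetFlow v5 datagram; raise ValueError if it is not well formed."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    (version, count, uptime, unix_secs, unix_nsecs,
     seq, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(packet) < expected:
        raise ValueError(f"header announces {count} flows but only {len(packet)} bytes arrived")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(packet, off)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "bytes": octets,
            "in_if": in_if, "out_if": out_if, "tcp_flags": tcp_flags,
            "duration_ms": last - first,   # first/last are sys_uptime stamps in ms
        })
    return {
        "version": version, "count": count, "sys_uptime_ms": uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": seq,
        "engine": (engine_type, engine_id), "sampling": sampling, "flows": flows,
    }


def format_flows(decoded: dict) -> list:
    """One human-readable line per flow, the way a collector would summarise it."""
    return [f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} "
            f"pkts={f['packets']} bytes={f['bytes']} flags=0x{f['tcp_flags']:02x}"
            for f in decoded["flows"]]


def sample_packet() -> bytes:
    """Constructed v5 datagram with two made-up flows (an SSH session and a DNS query)."""
    header = V5_HEADER.pack(5, 2, 120_000, 1_700_000_000, 0, 17, 0, 0, 0)
    ssh = V5_RECORD.pack(
        IPv4Address("10.0.0.5").packed, IPv4Address("10.0.0.1").packed, b"\0\0\0\0",
        2, 0, 40, 5_120, 100_000, 115_000, 51234, 22, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    dns = V5_RECORD.pack(
        IPv4Address("10.0.0.1").packed, IPv4Address("10.0.0.53").packed, b"\0\0\0\0",
        0, 2, 1, 73, 118_000, 118_000, 40001, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + ssh + dns


def listen(host: str = "127.0.0.1", port: int = 9996, max_packets: int = 1) -> list:
    """Bind the collector endpoint from the thread and decode the next datagrams."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        for _ in range(max_packets):
            data, _peer = sock.recvfrom(65535)
            results.append(decode_v5(data))
    return results


if __name__ == "__main__":
    # Offline demo on the constructed packet; call listen() against a live probe instead.
    for line in format_flows(decode_v5(sample_packet())):
        print(line)
```

Run it as-is to see the two constructed flows decoded; against a live probe, replace the demo with `listen()` (stop the ncat listener first, since only one process can bind UDP 9996). If the version check fails, the probe is exporting another version and the record layout in V5_RECORD no longer applies.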
Good stuff.
I am seeing a bit of traffic, but only local NST traffic. I would like to monitor all traffic that is sent to port p1p1, that is connected to a Cisco mirror port:
iptables looks like this:
This does not seem to forward all flows, but only the local flows (ssh session, vnc, etc)
Incidentally, this iptables config seems to break the https: access to my NST Installation.
I start fprobe-ulog to process interface p1p1 that is my probe port with:
Any further thoughts?
Have you tried the NST WUI and go to the NfSen - Netflow Sensor Management page?
--RWH
Good morning -
No, I have not. But I am trying to get fprobe-ulog to send flows to my netflow collector. A different box.
I can try using the WUI and NfSen for testing, if that's what you were thinking…
I was suggesting to see if this configuration (i.e., WUI with Nfsen) works first to see if you get the desired results and then try troubleshooting fprobe-ulog next…
--RWH
Also one can use nfreplay if the WUI and Nfsen works to send the results to your netflow collector…
Greetings.
Thanks for helping me through this issue, which isn't really an NST issue. :)
I can get ipt_netflow to work, delivering flows into the local nfsen installation. But, from what I see, it is only processing packets that show up on my main interface. This is the interface with an ip address, and used for probe management.
The secondary port, p1p1, has a port mirror dumping traffic from our wan link. ipt_netflow doesn't seem to take this one into the mix.
How do I add port p1p1 to the flow in ipt_netflow?
As far as I know, ipt_netflow can only be used to provide information about packets routed through the system it is running on (the NST system in this situation). I don't think it can be used to monitor traffic routed by other systems using a stealth interface.