Netflow Collection with AlienVault
AlienVault 2013
Configuring NetFlow Capture of TCP/IP Traffic from an AlienVault Sensor or Remote Hardware
Level: Beginner to Intermediate
Enabling Netflow Collection from an AlienVault Sensor
After a default installation, NetFlow collection is disabled on an AlienVault Sensor and must be
activated and configured before collection will begin.
NetFlow Collection is configured on a per-sensor basis, in the sensor configuration screen.
Access this through the sidebar menu at Deployment -> AlienVault Components.
• Select the Sensors tab at the top.
• Click the IP Address of the sensor to be configured.
• The main sensor configuration screen will load. At the very bottom of the configuration
page is the Flow configuration section.
There are three primary configuration options, all of which may safely be left at their default
values:
PORT: The port over which the sensor transmits NetFlow data back to the AlienVault Server.
Each sensor must transmit on a unique port number. A suitable default will appear in this text
box; it is recommended to leave this default unless there is a specific operational reason to
change it (for example, a port range your network has assigned for administrative traffic
ACLs).
TYPE: The type of flow data (NetFlow or sFlow) that the sensor will receive from external
sources. If you are only using the Sensor to generate NetFlow data, this value can be ignored.
COLOR: A color value used to visually identify flows collected from this sensor in the Flows
analysis section of the AlienVault User Interface.
Once you have chosen appropriate values (or left them at their defaults), click the Configure
and Run button to activate NetFlow Collection/Generation from this Sensor.
You will receive confirmation that the sensor is now generating NetFlow data. The message
assumes you are configuring an external collector; for an AlienVault Sensor the firewall
exception is created automatically.
The configuration section will update to indicate that flow collection is now working.
Collecting Netflow Data from an External Source
Third-party devices that support the collection and transmission of NetFlow (or the variant
sFlow) data may also be configured as a source of traffic accounting information within
AlienVault.
The process to add an additional flow source is:
• Create a new Sensor record for the transmitting device.
• Configure the device to transmit NetFlow or sFlow information to the AlienVault
Server.
Preparing the Sensor Entry
To register NetFlow from external devices with its own unique identity and color in flow
listings, a ‘Dummy’ Sensor entry must be created within the AlienVault UI.
This Sensor entry will appear to be an AlienVault Sensor, but will permanently show as
‘disconnected’ in the Sensor listing UI screen.
Add a New Sensor Entry
• Return to the Sensor Listing screen at Deployment -> AlienVault Components.
• Select the Sensors tab at the top.
• Select “New”.
• You will get the Sensor configuration screen, but with no information populated.
Fill it out with information about the NetFlow device you are adding.
• Click Update; you will receive confirmation that the sensor record has been
created.
• Re-open the sensor configuration window (click the IP address of the newly
created sensor record).
• Scroll down the sensor configuration screen to the Services section and disable
all services. This is not necessary, but it prevents this ‘dummy’ sensor from
showing up as an available sensor in the parts of the AlienVault UI that refer
to these services.
• At the bottom of the screen is the Netflow section.
  o Select the port on which the AlienVault Server will receive NetFlow data.
  o Select NetFlow or sFlow, as appropriate for what the device will be
sending to AlienVault.
  o Choose a color to display flows in the Flow Analysis UI.
  o Click Configure and Run.
• You will receive a message stating that a new firewall exception must be
added to the AlienVault Server’s firewall settings.
As of version 4.2 this is no longer necessary.
• Select Back.
Despite the message box, as of version 4.2 the firewall exception can be created automatically
by disabling and re-enabling the AlienVault Server’s firewall.
• This must be done from the AlienVault physical console, or remotely via
Secure Shell.
• You will need the root account credentials to perform this.
• The root user account is only for console access, and is different from the
admin credentials used in the Web User Interface.
• root credentials are created during installation of AlienVault.
Log Into the Console
The next step involves forcing a global rebuild of the AlienVault core configuration. This must be
done at the AlienVault Console (either by opening the physical console, or by using Secure Shell
(SSH) to log into the AlienVault Server with the root account).
When you access the AlienVault Console you will be presented with the Alienvault-Setup console
tool. Select the Jailbreak option to access the administrative command line.
• Select Jailbreak this Appliance to access the command line.
• Accept the Disclaimer.
• Run the command ossim-reconfig.
• The reconfiguration tool will run (this may take a few minutes).
• The Server should now be reachable over UDP on the port configured for the new
NetFlow source.
Configuring the External Device to send NetFlow/sFlow data to AlienVault
The final step is to configure the device itself to transmit flow data to the AlienVault Server. This
process depends on the third-party device itself. We have made efforts to assemble
configuration instructions for major device types into accompanying documents, but be aware
that these are third-party devices and the information presented there may be outdated
because of more recent updates to these devices by their manufacturer.
Always consult your device documentation and support channels before carrying out any of the
configurations listed in those documents.
Validation
With the Server, Sensor and any appropriate devices now configured, all that remains is to
validate that NetFlow is being collected successfully.
Since this depends on witnessing live data being collected by the system, it is advisable to wait
a short, appropriate length of time before validating (thirty minutes at the most should provide
a good sampling window).
Open the Netflow Analysis UI
This is located under Situational Awareness -> Network.
The primary screen should give quick visual confirmation of NetFlow data being captured.
The colors used to plot the flow graphs are the colors assigned to each sensor during the
configuration stage.
If you see graph data in the color assigned to your new flow collector, this is the first
indicator of successful configuration.
If flow data does not appear after a reasonable amount of time, validate that flow data is
successfully being transmitted and received by the AlienVault server.
Validate that Netflow packets are being generated by the Sensor
• If you are collecting NetFlow packets from a third-party device, skip this section and do
whatever troubleshooting is appropriate to determine that NetFlow export is
functioning correctly on that device.
• Log in to the physical console of the AlienVault Sensor.
• Acquire command-line access via the ‘jailbreak this appliance’ option.
• Validate that the fprobe process is running, that it is listening on the correct
interface, and that it is sending packets to the correct port on the Server:
# ps ax|grep fprobe
• The output should appear similar to the following:
• Confirm that -iethX names the correct sensor interface, the one connected
to the switch SPAN port.
• Confirm that the IP address is the IP address of your AlienVault Server.
• Confirm that the port number (the number after the colon in the address) is the same
number you configured in the Netflow UI.
Validate that Netflow packets are being received by the Server
• Log in to the physical console of the AlienVault Server.
• Acquire command-line access via the ‘jailbreak this appliance’ option.
• Validate that nfcapd is running, and listening on the port assigned for the appropriate
• If packets are being received from the NetFlow source, you should see output similar to
the following:
• Use Ctrl-C to exit tcpdump.
Validate that Netflow packets are accepted by the Server Firewall
• Log in to the physical console of the AlienVault Server.
• Acquire command-line access via the ‘jailbreak this appliance’ option.
• Validate that the firewall configuration has an exception allowing incoming NetFlow
packets on the appropriate UDP port:
# iptables -L -n -v |grep <configured port>
• The output should resemble the following:
• The ‘udp dpt’ (destination port) is the important part here, indicating that traffic to that
port will be ACCEPTed by the firewall configuration. The number in the left column is the
count of packets that have previously matched this ACCEPT rule; if it stays at zero while the
Sensor reports that it is exporting, packets are not reaching the Server.
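As an added example (not part of the AlienVault guide), the POSIX shell functions below apply the three validation checks of this section to captured command output: the fprobe arguments on the Sensor, the nfcapd listener on the Server, and the iptables ACCEPT rule. The interface eth1, the server address 192.168.10.5, port 555 and the sample command-output lines are constructed assumptions; substitute the output of your own appliance.

```shell
# Added example, not from the AlienVault guide: checks captured output of
# `ps` and `iptables -L -n -v` against the values set in the Netflow UI.
# All sample lines below are constructed; the interface, server IP and
# port are assumptions standing in for your own configuration.

EXPECTED_IFACE="eth1"          # sensor interface on the SPAN port
EXPECTED_SERVER="192.168.10.5" # AlienVault Server address
EXPECTED_PORT="555"            # port chosen in the Netflow UI

# Constructed: one line of `ps ax | grep fprobe` on the Sensor.
FPROBE_PS='1234 ?  Ss  0:00 fprobe -ieth1 -fip 192.168.10.5:555'
# Constructed: one line of `ps ax | grep nfcapd` on the Server.
NFCAPD_PS='5678 ?  Ss  0:00 nfcapd -D -p 555'
# Constructed: one line of `iptables -L -n -v | grep 555` on the Server.
IPTABLES_RULE='  842 61K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:555'

# fprobe must capture on the SPAN interface (-iethX) and export to
# server:port; trailing-space/end-of-line alternatives avoid eth1 matching eth10.
check_fprobe() {
    line=$1; iface=$2; server=$3; port=$4
    case "$line" in
        *"-i$iface "*|*"-i$iface") ;;
        *) echo "fprobe is not capturing on $iface" >&2; return 1 ;;
    esac
    case "$line" in
        *" $server:$port "*|*" $server:$port") ;;
        *) echo "fprobe does not export to $server:$port" >&2; return 1 ;;
    esac
}

# nfcapd must be listening (-p) on the port assigned to the flow source.
check_nfcapd() {
    line=$1; port=$2
    case "$line" in
        *nfcapd*" -p $port "*|*nfcapd*" -p $port") return 0 ;;
        *) echo "nfcapd is not listening on $port" >&2; return 1 ;;
    esac
}

# The rule must ACCEPT UDP to the port; on success print the packet
# counter (left column) so a rule that has never matched shows as 0.
check_iptables() {
    line=$1; port=$2
    case "$line" in
        *ACCEPT*udp*"dpt:$port "*|*ACCEPT*udp*"dpt:$port") ;;
        *) echo "no ACCEPT rule for udp dpt:$port" >&2; return 1 ;;
    esac
    printf '%s\n' "$line" | awk '{print $1}'
}
```

On a real appliance, feed the functions the live output, for example `check_fprobe "$(ps ax | grep '[f]probe')" "$EXPECTED_IFACE" "$EXPECTED_SERVER" "$EXPECTED_PORT"`.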