In a previous post SiLK was set up on a Debian host using NetFlow v5 from a Cisco switch. That worked well, but I also have a network tap, and the same Cisco switch can mirror traffic to SPAN port(s). This got me thinking about what differences I might see between the two flow sources. This guide walks through setting up Yet Another Flowmeter (YAF) on a Debian Linux host to capture packets from a network tap or Switched Port Analyzer (SPAN) port and convert them into IPFIX flows that SiLK can collect.
First, your host needs to receive packets from the network tap or SPAN port. I have two network interface cards in my box, so I connected the non-management interface to the tap and brought that interface up in promiscuous mode without an IP address. If you would like to use a SPAN port instead, seek guidance here.
Note that this guide assumes you have already compiled and installed SiLK. If not, check out this [post][].
You first need libfixbuf, the IPFIX protocol library. Before building libfixbuf you will need glib2 and its development headers; I did not have the latter, so a little APT action takes care of that.
$ sudo apt-get install libglib2.0-dev
Building libfixbuf is straightforward once the prerequisites are in place. Installing under /usr requires root, so the install step runs with sudo.
$ ./configure --prefix=/usr
$ make
$ sudo make install
Next we build YAF (Yet Another Flowmeter), which has several prerequisites. libpcap needs to be installed along with its development headers. I also installed the PCRE development library, which is required for application labeling.
$ sudo apt-get install libpcap-dev
$ sudo apt-get install libpcre3-dev
Next we can build YAF.
$ ./configure --prefix=/usr --enable-applabel
$ make
$ sudo make install
Now that everything is built we have a little housekeeping to do on the YAF configuration file. I placed it in /etc/silk/yaf.conf. This file contains all of the settings such as which interface to listen on, the IPFIX port, and so on.
## ------------------------------------------------------------------------
## yaf.conf
## YAF daemon startup script configuration file
## ------------------------------------------------------------------------
## Copyright (C) 2007-2011 Carnegie Mellon University. All Rights Reserved.
## ------------------------------------------------------------------------
## Authors: Brian Trammell
## ------------------------------------------------------------------------
## GNU General Public License (GPL) Rights pursuant to Version 2, June 1991
## Government Purpose License Rights (GPLR) pursuant to DFARS 252.227-7013
## ------------------------------------------------------------------------
# Must be non-empty to start YAF
ENABLED=yes
##### Capture Options ##########################################################
# Live capture type. Must be pcap, or dag for Endace DAG if YAF was built
# with libdag.
YAF_CAP_TYPE=pcap
# Live capture interface name.
YAF_CAP_IF=eth0
##### Export Options ###########################################################
# IPFIX transport protocol to use for export. Must be one of tcp or udp, or
# sctp if fixbuf was built with SCTP support.
YAF_IPFIX_PROTO=tcp
# Hostname or IP address of IPFIX collector to export flows to.
YAF_IPFIX_HOST=localhost
# If present, connect to the IPFIX collector on the specified port.
# Defaults to port 4739, the IANA-assigned port for IPFIX
YAF_IPFIX_PORT=18000
##### Logging and State Options ################################################
# Path to state location directory; contains the log and pidfiles unless
# modified by the following configuration parameters.
# Defaults to ${prefix}/var.
#YAF_STATEDIR=
# Path to PID file for YAF. Defaults to YAF_STATEDIR/yaf.pid
#YAF_PIDFILE=
# File or syslog facility name for YAF logging. If file, must be an absolute
# path to a logfile. Defaults to YAF_STATEDIR/yaf.log
#YAF_LOG=
# File or syslog facility name for YAF airdaemon logging. If file, must be an
# absolute path to a logfile. Defaults to YAF_STATEDIR/airdaemon-yaf.log
#YAF_DAEMON_LOG=
##### Miscellaneous Options ####################################################
# If present, become the specified user after starting YAF
#YAF_USER=
# Additional flags to pass to the YAF process. Use --silk --ip4-only for
# export to SiLK rwflowpack or SiLK flowcap.
YAF_EXTRAFLAGS="--silk"
Make sure there is a sensor definition for the tap in /netflow/silk.conf. Here s1 is the new YAF sensor alongside the existing NetFlow v5 sensor s0.
sensor 0 s0 "v5 netflow from router"
sensor 1 s1 "YAF converted from tap"
class all
sensors s0 s1
end class
The /etc/silk/sensor.conf configuration file also needs to be updated with the new probe and sensor definitions. In this case s1 is our tap. The probe's listen-on-port, protocol and accept-from-host must agree with YAF_IPFIX_PORT, YAF_IPFIX_PROTO and YAF_IPFIX_HOST in yaf.conf (18000, tcp and localhost above), otherwise rwflowpack will never receive the tap's flows.
probe s0 netflow-v5
listen-on-port 9990
protocol udp
accept-from-host 172.16.0.1
end probe
sensor s0
netflow-v5-probes s0
internal-ipblocks 172.16.0.0/24
external-ipblocks remainder
end sensor
probe s1 ipfix
listen-on-port 18000
protocol tcp
accept-from-host 127.0.0.1
end probe
sensor s1
ipfix-probes s1
internal-ipblocks 172.16.0.0/24
external-ipblocks remainder
end sensor
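Because a port or protocol mismatch between yaf.conf and the ipfix probe fails silently, the following added check (my own example, not part of the original post or of the SiLK/YAF distributions) reads both files and reports any disagreement. It takes the two file paths and an optional probe name as arguments; the demo at the bottom runs it on constructed copies of the files that mirror the values used in this post, and assumes YAF runs on the collector itself so that localhost and 127.0.0.1 refer to the same host.

```shell
# Added example, not from the original post: verify that the export settings
# in yaf.conf match the ipfix probe that SiLK listens on in sensor.conf.
# A mismatch in port, protocol or source host means rwflowpack silently
# receives nothing from the tap sensor.

yaf_setting() {   # yaf_setting FILE KEY -> uncommented value, quotes stripped
    sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1
}

probe_setting() { # probe_setting FILE PROBE KEY -> value inside that probe block
    awk -v p="$2" -v k="$3" '
        $1 == "probe" && $2 == p { inside = 1; next }
        inside && $1 == "end"    { inside = 0 }
        inside && $1 == k        { print $2; exit }
    ' "$1"
}

# check_yaf_probe YAF_CONF SENSOR_CONF [PROBE]: print each mismatch, return 1 if any
check_yaf_probe() {
    yafconf=$1; sensorconf=$2; probe=${3:-s1}; rc=0
    yport=$(yaf_setting "$yafconf" YAF_IPFIX_PORT)
    yproto=$(yaf_setting "$yafconf" YAF_IPFIX_PROTO)
    yhost=$(yaf_setting "$yafconf" YAF_IPFIX_HOST)
    pport=$(probe_setting "$sensorconf" "$probe" listen-on-port)
    pproto=$(probe_setting "$sensorconf" "$probe" protocol)
    phost=$(probe_setting "$sensorconf" "$probe" accept-from-host)
    # An unset YAF port means the IANA default 4739. The host comparison assumes
    # YAF runs on the collector itself (as in this post), so localhost == 127.0.0.1.
    yport=${yport:-4739}
    [ "$yhost" = localhost ] && yhost=127.0.0.1
    [ "$yport" = "$pport" ]   || { echo "port: YAF exports to $yport, probe $probe listens on $pport"; rc=1; }
    [ "$yproto" = "$pproto" ] || { echo "protocol: YAF uses $yproto, probe $probe expects $pproto"; rc=1; }
    [ "$yhost" = "$phost" ]   || { echo "host: YAF connects to $yhost, probe $probe accepts from $phost"; rc=1; }
    return $rc
}

# Demo on constructed files that mirror the values used in this post.
demo_dir=$(mktemp -d)
printf '%s\n' 'YAF_IPFIX_PROTO=tcp' 'YAF_IPFIX_HOST=localhost' \
    'YAF_IPFIX_PORT=18000' '#YAF_IPFIX_PORT=9999' > "$demo_dir/yaf.conf"
printf '%s\n' 'probe s0 netflow-v5' '    listen-on-port 9990' '    protocol udp' \
    '    accept-from-host 172.16.0.1' 'end probe' 'probe s1 ipfix' '    listen-on-port 18000' \
    '    protocol tcp' '    accept-from-host 127.0.0.1' 'end probe' > "$demo_dir/sensor.conf"
check_yaf_probe "$demo_dir/yaf.conf" "$demo_dir/sensor.conf" && echo "yaf.conf and sensor.conf agree"
rm -rf "$demo_dir"
```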
Lastly, start YAF, assuming you have rwflowpack running from the SiLK package per the previous [post][].
$ sudo yaf --silk --ipfix=tcp --live=pcap --in=eth0 --out=127.0.0.1 --ipfix-port=18000 &
You should now be capturing packets on the tap interface and converting them via YAF into IPFIX flows that SiLK can process.