AlienVault NetFlow Collection

Netflow Collection with with AlienVault Alienvault 2013

��

Configuring NetFlow NetFlow Capture of TCP/IP Traffic from an AlienVault Sensor or Remote Hardware from

Level: Beginner to Intermediate

�� C�� A�� 1 �� 17

��

Netflow Collection with AlienVault .................................................. ................................................ 1 Alienvault 2013 .............................................................................................................................. 1

��................................................................................................................................. 3 �� F�� ....................................................................................................... 3 ��F�� ...................................................................................................... 4 ��................................................................................................................................ 5 �� ................................................................................................................................... 5 C�� ............................................................................................................................... 6 E�� C�� A�� ......................................................... 6 C�� D�� E�� ................................................................... 8 C�� E�� D�� F��/�F�� A�� ........................ 12 �� .................................................................................................................................. 13 �� ........................................................................................................................ 15

�� C�� A�� 2 �� 17

Introduction The NetFlow Specification ��F�� C�� (�� C�/�� ) �� . F�� C� �� A �� B, � �� H�� B �� H�� A. A �� (�� 5, �� ), �� : 1. �� 2. �� 3. �� 4. �� 5. �� (�� , 0 �� . �� (�� , �� , �� 0 � �� ) �. ��

�� , �� 7 �� 9 �� . �� , �� A�� : 8. �C� F�� 9. �� F�� 10. �� B�� F�� 11. �� (��) 12. B�� (B��) 13. A�� B�� (B��) 14. D�� (��)

�� C�� A�� 3 �� 17

NetFlow as a Security Tool A�� , ��F�� , �� . �� , �� . �� (�� , �� ) �� , �� . �� , �� , �� , �� . C�� , �� .

17:28 ��

��

21:28 ��

��

�� 17.28 �� (�� ) ��: ��: �� :�� 18501291 ��

21.28 ��

��

�� C�� A�� 4 �� 17

Prerequisites �� . �� : 

�� , �� .



�� A�/�� , �� .

A�� : 

�� A�� , �� E� D��



�� (�� A� �� ) �� .

�� .

Installation �� C�� A�� A�� . E�� (��, ��) ��

�� C�� A�� 5 �� 17

Configuration Enabling Netflow Collection from an AlienVault Sensor A�� , �� A�� , �� . ��F�� C�� , �� : ��



�� :



A�� :



�� : �� F�� .

�� C�� A�� 6 �� 17

�� , �� : ��: �� A��

��. E�� . A �� (�� AC��). ��: �� . ��

�� , �� . ��: A �� F��

�� A�� .

�� (�� ), �� C��/G��

�� A�� .

�� .

�� C�� A�� 7 �� 17

Collecting Netflow Data Data from an External Source �� F�� (�� F��) ��, �� A��. �� F�� : 

C��



C�� F�� F�� A��

Preparing the Sensor Entry �� , � �D�� A�� A�� , �� .

Add a New Sensor Entry 

��



�� :



��

�� C�� A�� 8 �� 17



�� . F�� F�� .



C�� , ��



�� (�� )



�� , �� , �� . �� , �� A�� .

�� C�� A�� 9 �� 17



A� �� . o

�� A�� F�� .

o

�� A��.



o

C�� F�� A�� .

o

C��

�� A�� .

��



��

�� C�� A�� 10 �� 17

Firewall Exception D�� , �� 4.2 �� , �� A�� F��. 

�� A�� C��, �� .



��



�� , �� .



�� A��.

Log Into Into the Console �� A�� . �� A�� C�� (E�� , �� (��H) �� A�� ) A�� A�� C��, �� . �� .



��



A�� D��

�� C�� A�� 11 �� 17



��



�� (�� )



�� D�, �� .

Configuring the External Device to send NetFlow/sFlow data data to to Alienvault �� A�� . �� . �� , �� . �� .

�� C�� A�� 12 �� 17

Validation �� , �� , �� . �� , �� , �� (�� , �� )

Open the Netflow Analysis UI �� A�� > ��:

�� :

�� , �� . �� , �� .

�� C�� A�� 13 �� 17

View Individual Flows ��

�� , �� 500 �� A�� :

D�� , �� C�� .

�� C�� A�� 14 �� 17

Troubleshooting �� , �� A�� .

Validate that Netflow packet packets s are being generated by the Sensor •

�� , ��

•

�� A�� .

•

A��

•

�� , �� , ��

# ps ax|grep fprobe •

The output should appear similar to the following:

•

C�� A� ��.

•

C�� A��

•

C�� (�� ) �� .

�� C�� A�� 15 �� 17

Validate that Netflow packet packets s are being received by the Server 

�� A�� .



A��



�� , ��

# ps ax|grep fprobe 

�� :



�� , ��



�� .



�� .

# tcpdump – I ‘port ’
�� , ��



�� .

�� C�� A�� 16 �� 17

Validate that Netflow packet packets s are accepted by the Server Firewall 

�� A�� .



A��



�� D� ��

# iptables –L –n –v |grep < configured port > 

�� :



�� (�� ) �� , �� ACCE�� . �� ACCE�� .

�� C�� A�� 17 �� 17

AlienVault NetFlow Collection

Recommend Documents