Note: If you are not familiar with Sagan, you may want to check out the Sagan site first: http://sagan.quadrantsec.com

What is Netflow?

"Routers and switches that support Netflow can collect IP traffic statistics on all interfaces where Netflow is enabled, and later export those statistics as Netflow records, toward at least one Netflow collector - typically a server that does the actual traffic analysis." - Wikipedia.

In short, Netflow allows your routers/switches to send information about traffic it is "seeing" to a "collector". The information it sends is source IP address, destination IP address, source port, destination port, duraction of session, protocol type (TCP, UDP, ICMP, etc), bytes transfered and other session information.

The idea is to "feed" Netflow data to Sagan so that it may be analyzed for malicious traffic.

Using Sagan with Netflow data.

Sagan does not natively support the Netflow protocol. In order to get Netflow data into Sagan, Sagan relies on a "collector". This is a program that can recieve incoming Netflow data from network devices and then translate that data into something useful for Sagan to consume.

The program we've choosen to use it Nfdump (http://nfdump.sf.net). This project is a collection of command line *nix utilities used to collect and process Netflow data. What is nice about the Nfdump tools are that they are drop dead simple to use. Unfortunately, the stock Nfdump tools ("nfcapd" in particular) lack some of the functionality needed for Sagan to analyze the data. In particular, Sagan expects data via a FIFO. Nfdump's "nfcapd" lacks the ability to write to such a FIFO. To get around this problem, we're released a "patched" version of the Nfdump tools.

The "patch" contains a few minor modifications to the Nfdump source code which allow it to send Netflow data received to the Sagan FIFO in the expected Sagan FIFO format.

Other than adding this functionality to Nfdump, no other modifications have been made. That is, Nfdump will work as normal even if the Sagan flags are not used.

The modifications made to the Nfdump tool are released under the same licenses Nfdump tools uses. (BSD licenses).

How Sagan works with the Nfdump tools

The core of what the Nfdump utilities do is revieve incoming Netflow feeds (data), store and translate that data for analysis. We have simply "bent" the Nfdump tools to supply this data to Sagan. The target program that Sagan uses to receive and decode Netflow data from the Nfdump tools is "nfcapd". From a Sagan standpoint, this is the only program that is needed.

"nfcapd" will listen on a user defined UDP port for Netflow data (versions 1, 5-7 and 9). When "nfcapd" recieves Netflow data, it is handled as "nfcapd" normally would (archive and rotate Netflow data). The Sagan / Nfdump modifications allow "nfcapd" to also "dump" the translated Netflow data to a Sagan FIFO in the Sagan FIFO format.

This means that no modification to the Sagan back end are necessary.

Our goal is to get Sagan to analyze Netflow data the easiest way possible. As you will see, from a configuration standpoint, it is pretty simple.

Compiling and building "nfdump" tools with Sagan support.

The normal "nfdump" tools do not natively support writing to a Sagan FIFO in real time. To get around this, Quadrant Information Security, decided to create a slightly modified version of the "nfdump" tools. Rather than using the stock/normal "nfdump" tools that come from the primary "nfdump" site, or the tools that might come with your *nix distribution, we'll need to use the Quadrant Information Security modified version. The site for the modified version is at:

Quadrant's Modified "nfdump" site: https://github.com/beave/nfdump-1.6.10p1-sagan

Direct Download: https://github.com/beave/nfdump-1.6.10p1-sagan/archive/master.zip

Git: git clone https://github.com/beave/nfdump-1.6.10p1-sagan.git

Once downloaded, you'll need to build and install the sofware. To do so, do the following:

./configure --enable-sagan # Important!
make && sudo make install 

Once this completes, you should be good to go!

Using the modified "nfcapd" with Sagan

The primary tool we'll be using from the "nfdump" suite is named "nfcapd". This is the tool that will "listen" for incoming Netflow traffic and write the decoded output to the Sagan FIFO. This means we'll need a FIFO that "nfcapd" can write to and "Sagan" can read from. To do this, as "root", type:

mkfifo /var/run/sagan-netflow.fifo

This means, that in our Sagan configuration file, we'll want to use "/var/run/sagan-netflow.fifo" as well. You'll likely want to enable the "nfcapd.rules" and "nfcapd-malware.rules". You might want to consider enabling the Sagan "blacklist" processor to monitor for system going to know "bad" addresses.

To start the "nfcapd" process, we'll be using the following flags:

/usr/local/bin/nfcapd -p 2056 -l /var/archive -F /var/run/sagan-netflow.fifo  

-p = UDP port to listen for incoming Netflow traffic

-l = Where to "archive" Netflow traffic

-F = the Sagan FIFO to write data to

-D = Not shown. Causes "nfcapd" run in the background as a daemon.

With any luck, you'll see something like this:

nfcap-sagan-startup.png

If "nfcapd" get stuck on "waiting for reader", don't worry. It's simply waiting on Sagan to be started. Once Sagan is started, "nfcapd" will successfully open the FIFO and processsing will commence.

Once you have Sagan configured how you want to, simply start it up. Basically, rather than the FIFO being fed from syslog-ng or rsyslog, it's being fed from "nfcapd". No modification to Sagan need to be done.

If everything work out, you'll see something like this:

Sagan-running-nfpcap.png

At this point, Sagan is analyzing input from "nfcapd" in real time. Using Sagan's "Websense processor", "Blacklist Processor" and "nfcapd" rules allows you to identify malicous traffic coming in/out of your network.

If you have any question, please visiti the Sagan mailing list: https://groups.google.com/forum/#!forum/sagan-users

-- Main.ChampClark - 2014-01-01

Topic attachments
I Attachment History Action Size Date Who Comment
PNGpng Sagan-running-nfpcap.png r1 manage 113.7 K 2014-01-01 - 21:40 ChampClark Sagan running with nfcapd FIFO data
PNGpng nfcap-sagan-startup.png r1 manage 73.2 K 2014-01-01 - 21:39 ChampClark "nfcapd" startup with Sagan support.
Edit | Attach | Watch | Print version | History: r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r2 - 2014-01-01 - ChampClark
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback