Educause Security Discussion mailing list archives

Re: netflow analysis


From: Wyman Miles <wm63 () CORNELL EDU>
Date: Wed, 18 May 2005 09:28:19 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've written a tool here, nfgrep that functions as a search against raw
NetFlow v5 records.  It's pretty rudimentary, but fast.  You can search by
IP, CIDR, regular expression, port/proto/TCP flags.

http://pecos.cit.cornell.edu/nfgrep

It compiles fine under Solaris and should, in theory, work under Linux,
though you'll need a -DLINUX to bring in all the little-endian stuff.


Wy

--On Friday, May 13, 2005 11:04 AM -0400 David Shettler
<dshettle () HOLYCROSS EDU> wrote:

I've fooled around with ntop for netflow, but haven't really been
"satisfied".  Search functionality is what I'm aching for and I haven't
really been able to be happy with ntop in that regard.  While I want
trending stuff, I also want information from a forensics perspective.  I
use ntop a lot for on-the-fly stuff though.  Maybe I've missed
something in ntop though in this regard, I'll have to relook it.

David C. Shettler - GCFA
Senior Technical Services Engineer
College of the Holy Cross
508-793-3073


Pete.Hoffswell () DAVENPORT EDU 05/13/05 7:46 AM >>>
Those look really nice, Tristan.  I might have to try this stuff out.

We have an installation of ntop

http://www.ntop.org/ntop.html




Pete Hoffswell                              616-732-1101 (Grand Rapids,
x1101)
University LAN/WAN Coordinator              616-510-1198 (Mobile)
IT Services                                 pete.hoffswell () davenport edu
Davenport University                        http://www.davenport.edu

Davenport University.  it's working.


TristanRhodes () WEBER EDU 5/12/2005 6:17 PM >>>

http://nfsen.sourceforge.net

http://nfdump.sourceforge.net

These projects go together (front-end and backend).  They are fairly
new projects, but they are actively developed.  I am looking into
testing these applications on our network.

Tristan Rhodes
Weber State University

dshettle () HOLYCROSS EDU wrote on 05/12/05 3:15 PM:
Hello,

I'm curious as to how people are handling their netflow data.  We're
thinking about putting it into a DB and designing our own interface for
it.  I haven't found any decent analysis tools (web based with search
functionality specifically).  Any recommendations?  A good deal of tools
out there seem to no longer be maintained.

Appreciate any advice!

David C. Shettler - GCFA
Senior Technical Services Engineer
College of the Holy Cross
508-793-3073

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.






Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
-----BEGIN PGP SIGNATURE-----
Version: Mulberry PGP Plugin v3.0
Comment: processed by Mulberry PGP Plugin

iQA/AwUBQotC9MRE6QfTb3V0EQK06ACfWxWbFBg9gHGDqNCti+3BIcMq29EAoIyq
F8xO0Ic0M7LH2MkG30Xs0fw0
=A8qp
-----END PGP SIGNATURE-----
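The kind of search nfgrep does (by IP, CIDR, regular expression, port, protocol and TCP flags over raw NetFlow v5 records) is easy to reproduce once the v5 record layout is decoded. The block below is an added example written for this archive page; it is not the nfgrep source and not code from anyone in the thread. It assumes the input is a NetFlow v5 export datagram (24-byte header followed by up to 30 48-byte records, all fields in network byte order, as in the public v5 layout); nfgrep's own on-disk format is not described in the thread. The sample datagram, the addresses in it and the `grep()` filter API are constructed here. Because v5 fields are big-endian on the wire, decoding with `struct`'s `!` modifier behaves the same on a little-endian Linux host as on SPARC Solaris, which is the portability issue the `-DLINUX` remark refers to.

```python
"""Decode NetFlow v5 export datagrams and search them nfgrep-style.

Added example, not the nfgrep source: a small Python re-implementation of
the searches described above (IP, CIDR, regex, port/proto/TCP flags) over
the public NetFlow v5 record layout. The sample datagram is constructed.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# NetFlow v5 wire layout. Every field is in network byte order (big-endian),
# so "!" in the struct format decodes correctly on little-endian Linux and
# big-endian Solaris alike; no -DLINUX equivalent is needed here.
HDR_FMT = "!HHIIIIBBH"                 # 24-byte packet header
REC_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # 48-byte flow record
HDR_LEN = struct.calcsize(HDR_FMT)
REC_LEN = struct.calcsize(REC_FMT)

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    srcport: int
    dstport: int
    proto: int
    tcp_flags: int
    packets: int
    octets: int

    def text(self) -> str:
        """One-line rendering that regex searches run against."""
        return f"{self.src}:{self.srcport} -> {self.dst}:{self.dstport} proto={self.proto}"


def parse_v5(datagram: bytes) -> List[Flow]:
    """Parse one NetFlow v5 export datagram (header + `count` records)."""
    if len(datagram) < HDR_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # A v5 packet carries at most 30 records; reject a count that claims
    # more or that the datagram cannot hold, instead of reading past the end.
    if count > 30 or len(datagram) < HDR_LEN + count * REC_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(
            REC_FMT, datagram, HDR_LEN + i * REC_LEN)
        flows.append(Flow(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                          sport, dport, proto, flags, pkts, octets))
    return flows


def grep(flows: Iterable[Flow], net: Optional[str] = None, port: Optional[int] = None,
         proto: Optional[int] = None, flags_all: Set[str] = frozenset(),
         flags_none: Set[str] = frozenset(), pattern: Optional[str] = None) -> List[Flow]:
    """Return flows matching every criterion given (criteria are ANDed).

    net        CIDR or single address; matches source or destination
    port       matches source or destination port
    flags_all  TCP flag names that must all be set
    flags_none TCP flag names that must all be clear
    pattern    regular expression applied to Flow.text()
    """
    network = ipaddress.ip_network(net, strict=False) if net else None
    must = sum(TCP_FLAG_BITS[n] for n in flags_all)
    must_not = sum(TCP_FLAG_BITS[n] for n in flags_none)
    rx = re.compile(pattern) if pattern else None
    out = []
    for fl in flows:
        if network and fl.src not in network and fl.dst not in network:
            continue
        if port is not None and port not in (fl.srcport, fl.dstport):
            continue
        if proto is not None and fl.proto != proto:
            continue
        if (fl.tcp_flags & must) != must or fl.tcp_flags & must_not:
            continue
        if rx and not rx.search(fl.text()):
            continue
        out.append(fl)
    return out


def build_v5(records: List[tuple]) -> bytes:
    """Encode (src, dst, sport, dport, proto, flags, pkts, octets) tuples as a
    v5 datagram. Used only to construct the sample input below."""
    hdr = struct.pack(HDR_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(REC_FMT, ipaddress.IPv4Address(s).packed,
                    ipaddress.IPv4Address(d).packed, b"\0\0\0\0", 1, 2,
                    pk, oc, 0, 0, sp, dp, 0, fg, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, fg, pk, oc in records)
    return hdr + body


# Constructed sample: three flows, not real traffic.
SAMPLE_DATAGRAM = build_v5([
    ("10.1.2.3", "192.0.2.10", 51234, 80, 6, 0x1b, 10, 1200),      # full TCP session
    ("10.1.2.3", "192.0.2.10", 51235, 445, 6, 0x02, 1, 60),        # SYN only, never answered
    ("10.9.9.9", "198.51.100.5", 53, 33000, 17, 0x00, 1, 120),     # UDP DNS reply
])

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_DATAGRAM)
    # Forensics-style question: which flows from this subnet sent a SYN and
    # never saw an ACK? (one-sided connection attempts, e.g. a port sweep)
    for fl in grep(flows, net="10.1.2.0/24", flags_all={"SYN"}, flags_none={"ACK"}):
        print("unanswered SYN:", fl.text())
```

The filters combine with AND, as a grep over a flow file would, and the TCP-flag test is split into "must be set" and "must be clear" so that a SYN-without-ACK query (the classic unanswered-connection pattern an analyst looks for after an incident) is one call rather than a post-filter. Loading records into a database, as the original question proposed, is the same decode followed by an insert per `Flow`.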

