nanog mailing list archives

Re: [EXTERNAL] Re: Free-ish Linux Netflow collector/analyser options


From: "Compton, Rich A" <Rich.Compton () charter com>
Date: Tue, 17 May 2022 15:45:13 +0000

The ELK stack does a good job of collecting netflow records with the addition of Filebeat.  Check out my tattle-tale 
tool that collects netflow data: https://github.com/racompton/tattle-tale It has numerous rules in logstash/conf.d to 
try to just look for spoofed DDoS amplification requests but if you remove those rules (except for 
40-ifName.conf (https://github.com/racompton/tattle-tale/blob/main/logstash/conf.d/40-ifName.conf)
and 50-reverse-dns.conf (https://github.com/racompton/tattle-tale/blob/main/logstash/conf.d/50-reverse-dns.conf)) it 
should be a pretty nice netflow collection solution.  If you are looking for a free solution to identify DDoS attacks 
from netflow and generate Flowspec rules, check out https://github.com/pavel-odintsov/fastnetmon
Also, here’s a doc for best practices when implementing Flowspec: https://www.m3aawg.org/flowspec-BP

-Rich

From: NANOG <nanog-bounces+rich.compton=charter.com () nanog org> on behalf of Joe Loiacono <jloiacon () gmail com>
Date: Monday, May 16, 2022 at 1:11 PM
To: NANOG list <nanog () nanog org>, Matthew Crocker <matthew () corp crocker com>
Subject: [EXTERNAL] Re: Free-ish Linux Netflow collector/analyser options


Try FlowViewer (analyzing, graphing, trending software) + SiLK (robust, high-performance capture software from 
Carnegie-Mellon).

Pretty full netflow analysis package; free.

See: http://flowviewer.net

Joe
On 5/16/2022 2:34 PM, Matthew Crocker wrote:

I’m looking for a free-ish Linux open-source Netflow collector/analyser.  I have 5 Juniper MX routers that will send 
IPFIX flows to it, for an ISP network.  I’m hoping it is something I can run in AWS/EC2 as I don’t want to worry about 
storage again in my lifetime.  Does anyone have any recommendations?

For reporting I would like to generate basic usage reports to/from IP/Subnet/ASN.  It would be great if it could also 
detect DDoS and activate flowspec back into my core routers, but that isn’t a requirement.

Thanks

-Matt
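Two of the things this thread touches on, the spoofed-amplification-request rules Rich describes in tattle-tale and the per-prefix/ASN usage reporting Matt asks for, come down to simple checks over already-parsed flow records. The block below is an added example written for this archive page; it is not code from tattle-tale, FlowViewer, SiLK or FastNetMon, and it does not use their field names. The prefixes, the ASN table and the six flow records are all constructed; the record layout (`src`, `dst`, `proto`, `dport`, `bytes`, `dir`) is a hypothetical simplification of what a collector such as the Filebeat/Logstash pipeline would hand you.

```python
"""Added example: two checks over IPFIX/NetFlow-style records (constructed data).

1. spoofed_amplification_requests(): outbound UDP flows toward well-known
   amplifier service ports whose source address is NOT one of our own
   prefixes. A request leaving our network with a foreign source is a
   BCP38 failure and the classic signature of a host inside the network
   spoofing a victim's address at a reflector.
2. usage_by_prefix() / usage_by_remote_asn(): the basic "bytes to/from
   subnet and ASN" report.

Field layout and every address/ASN below are constructed, not a real
collector's schema or real traffic.
"""
import ipaddress
from collections import defaultdict

# Hypothetical prefixes our network originates (constructed, RFC 5737 space).
LOCAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Hypothetical prefix -> origin ASN table for remote networks (constructed;
# a real pipeline would use a BGP/RIB feed or a MaxMind-style database).
ASN_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.18.0.0/15"): 64497,
}

# UDP service ports commonly abused as amplifiers: DNS, NTP, SSDP, CLDAP, memcached.
AMPLIFIER_PORTS = {53, 123, 1900, 389, 11211}
UDP = 17

# Constructed flow records. "dir" is "out" for flows sampled leaving the
# network toward transit and "in" for flows arriving from transit.
SAMPLE_FLOWS = [
    # Normal DNS query from a customer host to an external resolver.
    {"src": "203.0.113.10", "dst": "192.0.2.53", "proto": UDP, "dport": 53, "bytes": 80, "dir": "out"},
    # Spoofed: foreign source address leaving our network toward an NTP server.
    {"src": "192.0.2.77", "dst": "198.18.0.1", "proto": UDP, "dport": 123, "bytes": 5000, "dir": "out"},
    # Normal HTTPS session, outbound leg.
    {"src": "198.51.100.5", "dst": "192.0.2.9", "proto": 6, "dport": 443, "bytes": 12000, "dir": "out"},
    # Same HTTPS session, inbound (download) leg.
    {"src": "192.0.2.9", "dst": "198.51.100.5", "proto": 6, "dport": 51000, "bytes": 450000, "dir": "in"},
    # Spoofed: same foreign source, now toward a memcached port.
    {"src": "192.0.2.77", "dst": "198.18.0.2", "proto": UDP, "dport": 11211, "bytes": 3000, "dir": "out"},
    # DNS reply coming back in to the customer host.
    {"src": "192.0.2.53", "dst": "203.0.113.10", "proto": UDP, "dport": 40000, "bytes": 240, "dir": "in"},
]


def is_local(ip: str) -> bool:
    """True if the address falls inside one of our own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in pfx for pfx in LOCAL_PREFIXES)


def spoofed_amplification_requests(flows):
    """Outbound UDP flows to amplifier ports with a non-local source address."""
    return [
        f for f in flows
        if f["dir"] == "out"
        and f["proto"] == UDP
        and f["dport"] in AMPLIFIER_PORTS
        and not is_local(f["src"])
    ]


def usage_by_prefix(flows):
    """Bytes sent from and received by each local prefix, keyed by prefix string."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0})
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        for pfx in LOCAL_PREFIXES:
            if src in pfx:
                totals[str(pfx)]["bytes_out"] += f["bytes"]
            if dst in pfx:
                totals[str(pfx)]["bytes_in"] += f["bytes"]
    return dict(totals)


def remote_asn(ip: str):
    """Longest-prefix lookup of the remote address in the constructed ASN table."""
    addr = ipaddress.ip_address(ip)
    matches = [pfx for pfx in ASN_TABLE if addr in pfx]
    return ASN_TABLE[max(matches, key=lambda p: p.prefixlen)] if matches else None


def usage_by_remote_asn(flows):
    """Total bytes exchanged with each remote ASN (remote side = dst for out, src for in)."""
    totals = defaultdict(int)
    for f in flows:
        asn = remote_asn(f["dst"] if f["dir"] == "out" else f["src"])
        if asn is not None:
            totals[asn] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for f in spoofed_amplification_requests(SAMPLE_FLOWS):
        print(f"SPOOFED src={f['src']} -> {f['dst']}:{f['dport']} bytes={f['bytes']}")
    print(usage_by_prefix(SAMPLE_FLOWS))
    print(usage_by_remote_asn(SAMPLE_FLOWS))
```

The spoof check is deliberately keyed on the direction of the flow: a foreign source address is normal on inbound flows and only suspicious when the router sampled it leaving your network. In a Logstash pipeline the same test maps onto a per-interface rule (which is why tattle-tale's `40-ifName.conf` is one of the two rule files worth keeping), and the resulting hits are what you would feed into a FlowSpec or manual response process.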