Installing Nfsen 1.6.12 on Centos

As you might already know, the last time I installed nfsen was on FreeBSD v9, and it used a special NSEL fork of nfdump. That version allowed us to capture the extra information generated by ASA v9 netflow records.

My initial build of nfsen in Feb 2012 has been in continuous use for over two years now. We collect data from 9 sources and have only two profiles: the default live profile and one we called services. The services profile basically displays the traffic for each type of service (e.g. ssh, web, https, dns, vnc, DVR, etc.). We have also defined a number of alerts which send SNMP traps to our network management systems.


Since the original install two years ago, the main version of nfdump has been rewritten to incorporate NSEL. This post describes how I installed my first prototype system with the latest versions of nfdump (1.6.12) and nfsen (1.3.6p1). The only difference is that I'm going to use CentOS release 6.5 (Final) as the base OS. As this is a prototype build, I'm being very brief in explaining the commands.

(I think the commands should be similar if you wanted to install this on a FreeBSD instance.)

I copied the first 7 commands from here.

1) Install a new CentOS 6.5 system

2) Check iptables is off

iptables -t filter -L -v -n

3) Check SELinux is off

cat /etc/selinux/config
sestatus (should show disabled)
vi /etc/selinux/config
set SELINUX=disabled
reboot

4) Install Apache and other prerequisites
yum install -y httpd php wget gcc make rrdtool-devel rrdtool-perl perl-MailTools perl-Socket6 flex byacc
yum install libtool.x86_64

5) Start HTTPd
service httpd start

6) Enable HTTPd at boot
chkconfig httpd on

7) Get nfdump and nfsen
wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.12/nfdump-1.6.12.tar.gz (the latest version supports NSEL)
wget http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz/

8) Compile and install nfdump
tar -zxvf nfdump-1.6.12.tar.gz
cd nfdump-1.6.12
./configure --enable-nfprofile --enable-nftrack --enable-sflow --enable-nsel
autoreconf
make
make install

9) Add a netflow user
adduser netflow
usermod -a -G apache netflow

10) Compile and install nfsen
tar -xvzf nfsen-1.3.6p1.tar.gz
cd nfsen-1.3.6p1/etc
cp nfsen-dist.conf nfsen.conf

(now make a /data/nfsen folder somewhere on the system, you need lots of space for this)

vi nfsen.conf and make these changes:
  $WWWUSER  = "apache";
  $WWWGROUP = "apache";
  $HTMLDIR  = "/var/www/html/nfsen";    (was "/var/www/nfsen/")
  uncomment $EXTENSIONS = 'all'; or add $EXTENSIONS = 'nsel';

cd ..
./install.pl etc/nfsen.conf

11) Configure the ASA: https://supportforums.cisco.com/document/30471/netflow-asa

12) Add the data sources as described previously

/data/nfsen/bin/nfsen stop
vi /data/nfsen/etc/nfsen.conf
/data/nfsen/bin/nfsen reconfig
/data/nfsen/bin/nfsen start
chkconfig nfsen on (to make it autostart after reboot)
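Steps 10 and 12 edit nfsen.conf by hand. Here is an added example (my code, not part of the post or of nfsen) that performs the same edits programmatically so they can be repeated and checked: it rewrites the four scalars from step 10, uncommenting $EXTENSIONS, and inserts an ASA entry into the %sources hash in the same form the author shows in the comments below. The nfsen-dist.conf excerpt, the source name asa-fw, port 9995 and the colour are constructed for the example; the real file is far longer.

```python
"""Scripted nfsen.conf edits for steps 10 and 12 (added example, not nfsen's code)."""
import re

# Constructed excerpt standing in for etc/nfsen-dist.conf; the real file is longer.
DIST_CONF = """\
# nfsen-dist.conf (constructed excerpt for this example)
$BASEDIR = "/data/nfsen";
$HTMLDIR    = "/var/www/nfsen/";
$WWWUSER  = "www";
$WWWGROUP = "www";
#$EXTENSIONS = 'all';
%sources = (
    'upstream1'    => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
);
"""


def set_scalar(conf, name, value, quote='"'):
    """Set $name = value; replacing an existing (possibly commented-out) assignment,
    or appending one when the variable is not in the file at all."""
    new_line = f'${name} = {quote}{value}{quote};'
    pattern = re.compile(r'^[ \t]*(?:#[ \t]*)?\$' + re.escape(name) + r'[ \t]*=.*;[ \t]*$', re.M)
    if pattern.search(conf):
        return pattern.sub(lambda m: new_line, conf, count=1)
    return conf.rstrip('\n') + '\n' + new_line + '\n'


def read_scalars(conf):
    """Return {name: value} for every active (not commented-out) scalar, quotes stripped."""
    found = re.findall(r'^[ \t]*\$(\w+)[ \t]*=[ \t]*(.*?);[ \t]*$', conf, re.M)
    return {name: value.strip().strip('\'"') for name, value in found}


def add_source(conf, name, port, col, type_='netflow', ip=None):
    """Insert one collector into the %sources hash (nfsen.conf is Perl syntax).
    'type' => 'netflow' is what the post uses for the ASA's NSEL export."""
    if re.search(r"^[ \t]*'" + re.escape(name) + r"'[ \t]*=>", conf, re.M):
        raise ValueError(f'source {name!r} is already defined')
    fields = [f"'port' => '{port}'", f"'col' => '{col}'", f"'type' => '{type_}'"]
    if ip:  # optional: accept packets only from this exporter address
        fields.insert(0, f"'IP' => '{ip}'")
    entry = f"    '{name}' => {{ {', '.join(fields)} }},"
    head = re.search(r'^%sources[ \t]*=[ \t]*\([ \t]*$', conf, re.M)
    if head is None:
        raise ValueError('no %sources = ( block found')
    return conf[:head.end()] + '\n' + entry + conf[head.end():]


def configure_for_asa(conf, asa_port='9995', asa_ip=None):
    """Apply the step 10 edits and add the step 12 ASA source; returns the new text."""
    conf = set_scalar(conf, 'WWWUSER', 'apache')
    conf = set_scalar(conf, 'WWWGROUP', 'apache')
    conf = set_scalar(conf, 'HTMLDIR', '/var/www/html/nfsen')
    conf = set_scalar(conf, 'EXTENSIONS', 'all', quote="'")  # enables the NSEL extension
    # 'asa-fw', the port and the colour are constructed values for this example
    return add_source(conf, 'asa-fw', asa_port, '#CC00FF', 'netflow', asa_ip)


if __name__ == '__main__':
    print(configure_for_asa(DIST_CONF))
```

read_scalars is there so the result can be asserted rather than eyeballed after a change, and add_source refuses a duplicate source name instead of silently adding a second key to the hash.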

The web address should now be http:///nfsen/nfsen.php. If you have done everything right you will see the following page:

[screenshot]

Once you have some data collected, pick a time slot, select "List Flows" and hit Process. You will then see the extended ASA information (Event / Extended Events):

[screenshot: List Flows output with the Event and Extended Event columns]

One of the new features that the later versions have introduced is that filters can now accept additional information beyond the standard tcpdump parameters. From the man page:

"The filter syntax is comparable to tcpdump and extended for netflow data."

This means you can have a filter that does the following:

"asa event deny and port 80"

[screenshot: the filter "asa event deny and port 80" applied]

Here is a sample from the nfdump man page:

NSEL/ASA specific filters:

NSEL/ASA Event
asa event
asa event [comp]
Select an NSEL/ASA event by name or number. If given as a number it can be compared with a number.

NSEL/ASA denied reason
asa event denied
Select an NSEL/ASA denied event by type.

NSEL/ASA extended events
asa xevent [comp]
Select an extended NSEL/ASA event by number, or optionally compared by a number.

X-late IP addresses and ports
[src|dst] xip
Select the translated IP address.

[src|dst] xnet /
with as a valid translated IPv4 or IPv6 network and as maskbits. The number of mask bits must match the appropriate address family in IPv4 or IPv6. Networks may be abbreviated such as 172.16/16 if they are unambiguous.

[src|dst] xport
Select the translated port.

NSEL/ASA ingress/egress
ingress [comp] number
Select/compare an ingress ACL.

egress ACL [comp]
Select/compare an egress ACL.
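To make the grammar above concrete, here is an added example (my code, not nfdump's) of a small parser that validates the NSEL-specific clauses listed in the excerpt and passes ordinary tcpdump-style clauses such as "port 80" through untouched. The comparator spellings (=, ==, eq, <, lt, >, gt) and the event names other than deny/denied (ignore, create, delete, alert, update, numbered 0 to 5) come from nfdump's documentation rather than from this page and are assumptions of the example; the abbreviated-network expansion implements the 172.16/16 rule the excerpt describes.

```python
"""Parse nfdump NSEL filter clauses as documented above (added example, not nfdump's code)."""
import ipaddress
import re

# The page only writes "[comp]"; these operator spellings are nfdump's (an assumption here).
COMPARATORS = {'=': '==', '==': '==', 'eq': '==', '<': '<', 'lt': '<', '>': '>', 'gt': '>'}

# NSEL firewall event names and codes. The page uses only "deny"/"denied"; the other
# names and the numbers are nfdump's/Cisco's (an assumption here). "deny" aliases "denied".
ASA_EVENTS = {'ignore': 0, 'create': 1, 'delete': 2, 'denied': 3, 'deny': 3,
              'alert': 4, 'update': 5}


def _comp_number(tokens, what):
    """Parse an optional comparator followed by a non-negative integer."""
    op = '=='
    if tokens and tokens[0] in COMPARATORS:
        op, tokens = COMPARATORS[tokens[0]], tokens[1:]
    if len(tokens) != 1 or not tokens[0].isdigit():
        raise ValueError(f'{what}: expected [comp] number, got {" ".join(tokens)!r}')
    return op, int(tokens[0])


def _xnet(value):
    """Expand an abbreviated IPv4 network such as 172.16/16; mask bits that do not fit
    the address family are rejected (ip_network refuses /33+ for IPv4, /129+ for IPv6)."""
    if '/' not in value:
        raise ValueError(f'xnet: missing /maskbits in {value!r}')
    addr, bits = value.split('/', 1)
    if ':' not in addr:  # IPv4: pad missing trailing octets with zeros
        octets = addr.split('.')
        if not 1 <= len(octets) <= 4:
            raise ValueError(f'xnet: bad IPv4 network {addr!r}')
        addr = '.'.join(octets + ['0'] * (4 - len(octets)))
    return str(ipaddress.ip_network(f'{addr}/{bits}', strict=False))


def parse_clause(clause):
    """Return a dict describing one clause. Clauses that are not NSEL-specific
    (plain tcpdump-style ones such as "port 80") pass through unvalidated."""
    t = clause.split()
    if not t:
        raise ValueError('empty clause')
    low = [w.lower() for w in t]
    if low[:2] == ['asa', 'event']:
        rest = low[2:]
        if rest and rest[0] in ASA_EVENTS:  # by name, e.g. "asa event deny"
            event = 'denied' if rest[0] == 'deny' else rest[0]
            out = {'kind': 'asa_event', 'event': event, 'code': ASA_EVENTS[rest[0]]}
            if len(rest) == 2 and event == 'denied':  # "asa event denied <type>"
                out['reason'] = rest[1]  # the type keyword itself is not validated here
            elif len(rest) != 1:
                raise ValueError(f'asa event: unexpected {" ".join(rest[1:])!r}')
            return out
        op, code = _comp_number(rest, 'asa event')  # by number, optionally compared
        return {'kind': 'asa_event', 'op': op, 'code': code}
    if low[:2] == ['asa', 'xevent']:
        op, code = _comp_number(low[2:], 'asa xevent')
        return {'kind': 'asa_xevent', 'op': op, 'code': code}
    if low[0] in ('ingress', 'egress'):
        op, acl = _comp_number(low[1:], low[0])
        return {'kind': low[0] + '_acl', 'op': op, 'acl': acl}
    direction = None  # optional src|dst in front of the translated-address keywords
    if low[0] in ('src', 'dst') and len(low) > 1 and low[1] in ('xip', 'xnet', 'xport'):
        direction, t, low = low[0], t[1:], low[1:]
    if low[0] in ('xip', 'xnet'):
        if len(t) != 2:
            raise ValueError(f'{low[0]}: expected exactly one value')
        if low[0] == 'xip':
            return {'kind': 'xip', 'dir': direction, 'addr': str(ipaddress.ip_address(t[1]))}
        return {'kind': 'xnet', 'dir': direction, 'network': _xnet(t[1])}
    if low[0] == 'xport':
        op, port = _comp_number(low[1:], 'xport')
        if port > 65535:
            raise ValueError(f'xport: {port} is not a valid port')
        return {'kind': 'xport', 'dir': direction, 'op': op, 'port': port}
    return {'kind': 'generic', 'text': ' '.join(t)}


def parse_filter(expr):
    """Split a filter on and/or and parse each clause; every clause after the
    first records the connective that joins it to the previous one."""
    parts = re.split(r'\s+(and|or)\s+', expr.strip(), flags=re.I)
    clauses = [parse_clause(parts[0])]
    for join, clause in zip(parts[1::2], parts[2::2]):
        parsed = parse_clause(clause)
        parsed['join'] = join.lower()
        clauses.append(parsed)
    return clauses


if __name__ == '__main__':
    print(parse_filter('asa event deny and port 80'))  # the filter shown in the post
```

Run on the post's own filter, asa event deny and port 80, this yields an asa_event clause with code 3 joined by and to a generic port 80 clause; a mask that does not fit the address family, such as xnet 172.16/64, is rejected as the man page requires.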


3 thoughts on "Installing Nfsen 1.6.12 on Centos"

  1. Thanks for the howto. I've been playing with nfdump/nfsen with mostly Cisco router netflows without any issues but am trying to get our Cisco ASA & NSEL working. No matter what configuration I try, the NSEL flows come up empty.

    The following steps were done as troubleshooting:
    * Upgraded from nfdump 1.6.11 to 1.6.12 with all the required configuration parameters (especially --enable-nsel)
    * Configured a second netflow v9 router source to make sure the setup works (the 2nd source works fine but no data in the first NSEL ASA source)
    * The NSEL export from the ASA is definitely reaching the server (tcpdump udp port 9995 -vv -X confirms the traffic).
    * $EXTENTIONS= 'all' added to nfsen.conf
    * Attempts to configure the NSEL source in nfsen.conf as type "netflow" or "sflow" or even not specifying a type give the same result. What should an NSEL source be set to? Your article suggests type "netflow"?

    Any help will be appreciated

    Thanks
    Gerhard


  2. I checked my conf files and I'm using “netflow” as the type:

    'test-asa-fw' => { 'IP' => '192.168.xx.1', 'port' => '2019', 'col' => '#CC00FF', 'type' => 'netflow' }

    Are you able to run nfdump on the captured data to see if the nsel has been written to disk?

    Also can you check that the ASA is configured with:

    flow-export template timeout-rate 1
    flow-export delay flow-create 1

    Cheers

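A check that follows from this exchange, as an added example that is not part of the post, nfdump or nfsen: NSEL rides on NetFlow v9, where templates travel in FlowSet ID 0 and a collector cannot decode a data FlowSet until it has received the template that FlowSet refers to. The code below parses v9 UDP payloads (for instance the ones from Gerhard's tcpdump capture) and reports data FlowSets that arrived before their template was seen, which is exactly what a short template timeout-rate on the exporter is meant to avoid. The two sample packets and template 256 are constructed for the example.

```python
"""Inspect NetFlow v9 export packets for templates (added example, not nfdump's code)."""
import struct

# RFC 3954 packet header: version, count, sysUpTime, unixSecs, sequence, sourceId
V9_HEADER = struct.Struct('!HHIIII')


def parse_v9(payload):
    """Decode the header and walk the FlowSets of one UDP payload.
    Template FlowSets (ID 0) also list the template IDs they define."""
    if len(payload) < V9_HEADER.size:
        raise ValueError('payload shorter than a v9 header')
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError(f'not NetFlow v9 (version field = {version})')
    flowsets, off = [], V9_HEADER.size
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from('!HH', payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError(f'bad FlowSet length {fs_len} at offset {off}')
        kind = ('template' if fs_id == 0 else 'options-template' if fs_id == 1
                else 'data' if fs_id > 255 else 'reserved')
        entry = {'id': fs_id, 'length': fs_len, 'kind': kind}
        if fs_id == 0:  # template records: template ID, field count, then type/length pairs
            ids, p, end = [], off + 4, off + fs_len
            while p + 4 <= end:
                tid, nfields = struct.unpack_from('!HH', payload, p)
                if tid == 0:  # reached zero padding
                    break
                ids.append(tid)
                p += 4 + 4 * nfields
            entry['template_ids'] = ids
        flowsets.append(entry)
        off += fs_len
    return {'version': version, 'count': count, 'sysuptime_ms': uptime, 'unix_secs': secs,
            'sequence': seq, 'source_id': source_id, 'flowsets': flowsets}


def audit_capture(payloads):
    """Replay captured payloads in order and report data FlowSets whose template
    had not yet been seen: a collector cannot decode those records."""
    announced, orphans = set(), []
    for index, payload in enumerate(payloads):
        for fs in parse_v9(payload)['flowsets']:
            if fs['kind'] == 'template':
                announced.update(fs['template_ids'])
            elif fs['kind'] == 'data' and fs['id'] not in announced:
                orphans.append((index, fs['id']))
    return {'templates': sorted(announced), 'undecodable': orphans}


def build_v9(seq, count, flowsets, source_id=1):
    """Constructed helper for the sample below: pack [(flowset_id, body)] into one packet."""
    body = b''
    for fs_id, fs_body in flowsets:
        pad = (-len(fs_body)) % 4  # FlowSets are padded to a 4-byte boundary
        body += struct.pack('!HH', fs_id, 4 + len(fs_body) + pad) + fs_body + b'\0' * pad
    return V9_HEADER.pack(9, count, 123456, 1400000000, seq, source_id) + body


# Constructed sample: template 256 = IPV4_SRC_ADDR (type 8, 4 bytes) + IPV4_DST_ADDR (type 12, 4 bytes)
SAMPLE_TEMPLATE = struct.pack('!HHHHHH', 256, 2, 8, 4, 12, 4)
SAMPLE_RECORD = bytes([10, 0, 0, 1, 192, 0, 2, 1])  # 10.0.0.1 -> 192.0.2.1
SAMPLE_CAPTURE = [
    build_v9(1, 1, [(256, SAMPLE_RECORD)]),                        # data before any template
    build_v9(2, 2, [(0, SAMPLE_TEMPLATE), (256, SAMPLE_RECORD)]),  # template, then data
]

if __name__ == '__main__':
    print(audit_capture(SAMPLE_CAPTURE))
```

If every data FlowSet in a capture shows up as undecodable, the exporter is not (re)sending templates often enough for the collector to have seen them, and the source ID in the header tells you which exporter instance the packets came from.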

  3. Pingback: Embedding nfsen graphs in other pages | Random Tech Notes
