Installing Nfsen 1.6.12 on Centos

As you might already know, the last time I installed nfsen was on FreeBSD 9 and it used a special NSEL fork of nfdump. That version allowed us to capture the extra information carried in ASA v9 netflow records.

My initial build of nfsen in Feb 2012 has been in continuous use for over two years now. We collect data from 9 sources and only have two profiles: the default live and one we called services. The services profile basically displays the traffic for each type of service (e.g. ssh, web, https, dns, vnc, DVR etc). We have also defined a number of alerts which send snmptraps to our network management systems.


Since the original install two years ago, the main version of nfdump has been rewritten to incorporate NSEL. This post describes how I installed my first prototype system with the latest version of nfdump (1.6.12) and nfsen (1.3.6p1). The only difference is that I'm going to use CentOS release 6.5 (Final) as the base OS. As this is a prototype build, I'm being very brief in explaining the commands.

(I think the commands should be similar if you wanted to install this on a FreeBSD instance)

I copied the first 7 commands from here.

1) Install a new Centos 6.5 System

2) Check iptables is off

iptables -t filter -L -v -n

3) Check SELinux is off

cat /etc/selinux/config
sestatus (should show "disabled")
vi /etc/selinux/config
set SELINUX=disabled
reboot

4) Install Apache and other prerequisites
yum install -y httpd php wget gcc make rrdtool-devel rrdtool-perl perl-MailTools perl-Socket6 flex byacc
yum install libtool.x86_64

5) Start HTTPd
service httpd start

6) Enable HTTPd at boot
chkconfig httpd on

7) Get nfdump and nfsen
wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.12/nfdump-1.6.12.tar.gz (latest version supports nsel)
wget http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz/

8) Compile and install nfdump
tar -zxvf nfdump-1.6.12.tar.gz
cd nfdump-1.6.12
autoreconf -fi (regenerate the build scripts against the local autotools before configuring)
./configure --enable-nfprofile --enable-nftrack --enable-sflow --enable-nsel
make
make install

9) Add a netflow user
adduser netflow
usermod -a -G apache netflow

10) Compile and install nfsen
tar -xvzf nfsen-1.3.6p1.tar.gz
cd nfsen-1.3.6p1
cp etc/nfsen-dist.conf etc/nfsen.conf

(now create the /data/nfsen folder, or whatever $BASEDIR in nfsen.conf points to; the collected flow data lives there, so put it on a filesystem with lots of space)

vi etc/nfsen.conf and change $WWWUSER to "apache"
vi etc/nfsen.conf and change $WWWGROUP to "apache"
vi etc/nfsen.conf and change $HTMLDIR = "/var/www/nfsen/"; to $HTMLDIR = "/var/www/html/nfsen";
vi etc/nfsen.conf and uncomment $EXTENSIONS = 'all'; or add $EXTENSIONS = 'nsel';

./install.pl etc/nfsen.conf

11) Configure ASA: -> https://supportforums.cisco.com/document/30471/netflow-asa

12) Add the data sources as described previously

/data/nfsen/bin/nfsen stop
vi /data/nfsen/etc/nfsen.conf
/data/nfsen/bin/nfsen reconfig
/data/nfsen/bin/nfsen start
chkconfig nfsen on (to make it autostart after reboot)

The web address should now be http:///nfsen/nfsen.php. If you have done everything right then you will see the following:


Once you have some data collected, pick a time slot, select "List Flows" and hit process. You will then see the extended ASA information (Event / Extended Events).


One of the new features the later versions have introduced is that filters now accept more than the standard tcpdump parameters. From the man page:

"The filter syntax is comparable to tcpdump and extended for netflow data."

This means you can have a filter that does the following:

asa event deny and port 80


Here is a sample from the nfdump man page:

NSEL/ASA specific filters:

NSEL/ASA Event
asa event <event>
asa event [comp] <number>
Select an NSEL/ASA event by name or number. If given as a number it can be compared with a number.

NSEL/ASA denied reason
asa event denied
Select an NSEL/ASA denied event by type.

NSEL/ASA extended events
asa xevent [comp] <number>
Select an extended NSEL/ASA event by number, or optionally compared with a number.

X-late IP addresses and ports
[src|dst] xip <ip>
Select the translated IP address.

[src|dst] xnet <net>/<maskbits>
with <net> as a valid translated IPv4 or IPv6 network and <maskbits> as mask bits. The number of mask bits must match the appropriate address family in IPv4 or IPv6. Networks may be abbreviated such as 172.16/16 if they are unambiguous.

[src|dst] xport <port>
Select the translated port.

NSEL/ASA ingress/egress
ingress [comp] <number>
Select/compare an ingress ACL.

egress ACL [comp] <number>
Select/compare an egress ACL.


Installing NfSen on FreeBSD 9

UPDATE: The latest version of nfdump (>=1.6.9) now includes NSEL (http://sourceforge.net/p/nfdump/news/). See Installing Nfsen 1.6.12 on Centos for further info.

This package allows you to view netflow statistics and generate some interesting graphs.

1) Install apache22 with all the defaults:
cd /usr/ports/www/apache22

make -DBATCH install

To run the apache www server from startup, add apache22_enable="YES"
to your /etc/rc.conf. Extra options can be found in the startup script.

Startup and shutdown can also be done with:

/usr/local/sbin/apachectl [start|stop]

Your hostname must be resolvable using at least 1 mechanism in
/etc/nsswitch typically DNS or /etc/hosts or apache might
have issues starting depending on the modules you are using.

All the publicly accessible files are located in
/usr/local/www/apache22/data

2) Install PHP with the apache module
cd /usr/ports/lang/php5
make config (and turn on the "Build Apache module" option)
make install

Now make/check the following options in the apache configuration file (/usr/local/etc/apache22/httpd.conf):

a) The following option is automatically inserted if you install PHP after apache

LoadModule php5_module        libexec/apache22/libphp5.so

b) Make sure index.php is part of your DirectoryIndex.
DirectoryIndex index.html index.php

c) You should add the following to your Apache configuration file:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

d) You need to set the timezone for php. Create the file /usr/local/etc/php.ini and add the following
[PHP]
date.timezone = Australia/Sydney

Other timezones can be found here: http://nl3.php.net/manual/en/timezones.php

3) Install nfsen
cd /usr/ports/net-mgmt/nfsen
make install

This will drop a base set of web files in /usr/local/www/nfsen. Create a symlink so you can get to them:
cd /usr/local/www/apache22/data
ln -s /usr/local/www/nfsen nfsen

Restart apache to pick up this symbolic link.  Start nfsen:

/usr/local/bin/nfsen start

Then visit http:///nfsen/nfsen.php and you will get the following page

Add the following to /usr/local/etc/nfsen.conf

%sources = (
    'rtr01'    => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
);

Note: rtr01 needs to be resolvable to the ip address of the netflow source device

Then run
/usr/local/bin/nfsen stop
/usr/local/bin/nfsen reconfig
/usr/local/bin/nfsen start

When you visit the webpage again you should get:

4) Configure your source

In my case it's a Cisco router running c1841-adventerprisek9-mz.150-1.M4.3.bin
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.0(1)M4.3, MAINTENANCE INTERIM SOFTWARE

On the interface(s) you want to monitor add the ip flow ingress command. Generally you should do this for all enabled interfaces.

interface FastEthernet0/0
 description Uplink
 ip flow ingress
!
interface FastEthernet0/1
 description Downlink
 ip flow ingress
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export destination <nfsen-server-ip> 2055 (the port must match the one configured for this source in nfsen.conf)

Confirm it's all working using:

show ip cache flow
IP packet size distribution (1216M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .444 .160 .025 .013 .019 .038 .016 .006 .004 .001 .004 .005 .007 .001

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .005 .000 .001 .041 .200 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  280 active, 3816 inactive, 158979266 added
  1941309328 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  280 active, 744 inactive, 158979207 added, 158979207 added to flow
  0 alloc failures, 0 force free
  1 chunk, 7808 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          21      0.0         5   104      0.0       3.7      10.2
TCP-FTP            722      0.0        19    74      0.0       5.4       2.5
TCP-WWW         776375      0.1        18   800      3.3       1.8       8.6
TCP-SMTP        384158      0.0         7   140      0.6       0.0       5.7
TCP-other     78760020     18.3        11   476    210.7       1.4       3.2
UDP-DNS       15334661      3.5         1    78      5.3       0.2      15.4
UDP-NTP        1995576      0.4         1    55      0.7       1.0      15.4
UDP-other     27839025      6.4         7   153     49.7       2.6      15.3
ICMP          33748168      7.8         1    81     12.4       0.9      15.4
IP-other        140260      0.0         7    81      0.2      59.6       0.9
Total:       158978986     37.0         7   396    283.3       1.4       9.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         10.48.2.151     Fa0/0         10.48.8.74      11 973E 00A1    19
Fa0/0         10.48.4.72      Fa0/1         10.48.2.151     11 00A1 8B6B     1
Fa0/1         10.48.2.151     Fa0/0         10.48.3.88      11 8810 00A1     6
Fa0/0         10.48.3.88      Fa0/1         10.48.2.151     11 00A1 8810     4

You can read this post to see how netflow and nfsen interact and provide the stats that you can use.

4) Create a profile

Follow the steps here to create a new continuous profile so that you can detect and colour the traffic. There is a bug in v1.3.5 which lets you modify an existing profile with new traffic types or sources but does not update the graphs. The only work around is to delete this profile and re-create it.

The easiest way around this I've found is to delete the profile and create it via the command line as follows:

nfsen --add-profile MYPROF tstart="2012-02-03-11-50" (start date from which you want the graphs regenerated)
nfsen --add-channel MYPROF/ntp filter='port 123' colour='#FF6530'
nfsen --add-channel MYPROF/ssh filter='port 22' colour='#FFBE20'
nfsen --add-channel MYPROF/http filter='port 80' colour='#FFFF40'
nfsen --add-channel MYPROF/https filter='port 443' colour='#C9FF70'
nfsen --add-channel MYPROF/xmlrpc filter='port 8080' colour='#4FFF10'
nfsen --add-channel MYPROF/dca filter='port 8090' colour='#BFFFFF'
nfsen --add-channel MYPROF/dns filter='port 53' colour='#305FFF'
nfsen --add-channel MYPROF/icmp filter='proto icmp' colour='#FFC7FF'
nfsen --add-channel MYPROF/snmp filter='port 161' colour='#FF6887'   # snmp is 161; 'port 123' here would duplicate the ntp channel
nfsen --commit-profile MYPROF

Use the command below to get a list of all the options available:

/usr/local/bin/nfsen --help
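
Rebuilding a profile by hand is where channel mistakes creep in, so here is an added Python helper (mine, not part of nfsen or this post) that validates a channel table and prints, as a dry run, the nfsen commands used above; nfsen itself will happily accept two channels with the same filter, which then counts that traffic twice in the stacked graph. The channel table is constructed for this example and the profile name and tstart follow the ones used on this page.

```python
"""Validate an nfsen channel table and emit the profile-rebuild commands."""
import re

# Constructed channel table for a services profile: (name, nfdump filter, colour).
CHANNELS = [
    ("ntp",   "port 123",   "#FF6530"),
    ("ssh",   "port 22",    "#FFBE20"),
    ("http",  "port 80",    "#FFFF40"),
    ("https", "port 443",   "#C9FF70"),
    ("dns",   "port 53",    "#305FFF"),
    ("icmp",  "proto icmp", "#FFC7FF"),
    ("snmp",  "port 161",   "#FF6887"),
]

_COLOUR = re.compile(r"^#[0-9A-Fa-f]{6}$")   # nfsen wants #RRGGBB


def check_channels(channels):
    """Raise ValueError for mistakes nfsen will not catch for you: two channels
    with the same filter (double counting), duplicate names, or a bad colour."""
    seen_names, seen_filters = set(), {}
    for name, flt, colour in channels:
        if name in seen_names:
            raise ValueError("duplicate channel name: %s" % name)
        seen_names.add(name)
        key = " ".join(flt.split())          # normalise whitespace before comparing
        if key in seen_filters:
            raise ValueError("channels %s and %s use the same filter %r"
                             % (seen_filters[key], name, flt))
        seen_filters[key] = name
        if not _COLOUR.match(colour):
            raise ValueError("bad colour %r for channel %s" % (colour, name))


def profile_commands(profile, tstart, channels):
    """Return the nfsen command lines (same syntax as on this page) that
    delete-and-recreate the profile with graphs starting at tstart."""
    check_channels(channels)
    cmds = ["nfsen --add-profile %s tstart='%s'" % (profile, tstart)]
    for name, flt, colour in channels:
        cmds.append("nfsen --add-channel %s/%s filter='%s' colour='%s'"
                    % (profile, name, flt, colour))
    cmds.append("nfsen --commit-profile %s" % profile)
    return cmds


if __name__ == "__main__":
    # Dry run: print the commands rather than executing them.
    print("\n".join(profile_commands("MYPROF", "2012-02-03-11-50", CHANNELS)))
```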

5) Supporting Cisco ASAs

This configuration cannot support ASAs because they have a special netflow format. See this for what is required to implement ASA support. A quick writeup of NSEL can be found here.

Basically you need to install nfdump-1.5.8-2-NSEL. Download the latest version of nfdump NSEL from here. Install this last because performing the initial install (step 3) from ports allows all the dependencies to be easily installed.

Build and install this as follows:

tar -xvzf nfdump-1.5.8-2-NSEL.tar.gz
cd nfdump-1.5.8-2-NSEL
ln -s /usr/local/lib/librrd.so /usr/lib/librrd.so
ln -s /usr/local/include/rrd.h /usr/include/rrd.h
./configure --enable-nfprofile
make
make install

Check that this version has been installed:

nfdump -V
nfdump: Version: 1.5.8-2-NSEL $LastChangedDate: 2011-12-30 15:43:40 +0100 (Fri, 30 Dec 2011) $
$Id: nfdump.c 72 2011-12-30 14:47:39Z peter $

Edit /usr/local/etc/nfsen.conf and add the ASA as a source:

%sources = (
    'rtr01'    => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
    'fw03'     => { 'port' => '2056', 'col' => '#00ff00', 'type' => 'netflow' },
);

Configure the ASA as follows:

flow-export destination
flow-export template timeout-rate 1
flow-export delay flow-create 60

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect snmp
 class class-default
  flow-export event-type all destination

Check the ASA is exporting the flows:

show flow-export counters
destination: CentralLAN 10.48.2.156 2056
  Statistics:
    packets sent                                            11334
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0


6) Installing NSELTracker Plugin (not working yet)

The NSELTracker plugin reads the events from the capture files and builds a hash table to maintain the following statistics:
  - Completed flows -> Flows that have both create and teardown events observed
  - Open flows      -> Flows that have only flow creation events observed within the collection time interval
  - Denied flows    -> Flows that are denied by the ASA

Statistics regarding denied flows are maintained per protocol (TCP, UDP and ICMP) for the various denial reasons. Flows can be denied due to:

  Extended code 1001 -> Denied by ingress ACL
  Extended code 1002 -> Denied by egress ACL
  Extended code 1003 -> The device denied an attempt to connect to the interface service
  Extended code 1004 -> Denied since the first packet on the TCP flow was not a TCP SYN packet

Create a location to store the RRD data

mkdir /usr/local/var/nfsen/nselD
chown www:www /usr/local/var/nfsen/nselD

Install the NSELTracker processing engine

cd ~/nfdump-1.5.8-2-NSEL/NSELTracker/

cp nseld /usr/local/bin/nselD
chown root:www /usr/local/bin/nselD

Initialize the RRD Data Store

/usr/local/bin/nselD -I -d /usr/local/var/nfsen/nselD

Install the plugins

# Front end plugin
cp NSELTracker.php /usr/local/www/nfsen/plugins
# Back end plugin
cp NSELTracker.pm /usr/local/libexec/nfsen/plugins

# Modify the backend plugin to point to the RRD data directory and fix code bugs
vi /usr/local/libexec/nfsen/plugins/NSELTracker.pm

# On line 27 change $PORTSDBDIR from "/data/nfsen/nsel" to "/usr/local/var/nfsen/nselD"
my $PORTSDBDIR = "/usr/local/var/nfsen/nselD";

# On line 427 remove the extra " so that the line reads as follows
my $pid = open(NSELD, "$NfConf::PREFIX/nseld $args  2>&1|");

# On line 482 remove the reference to "/data/nfsen/nsel/" and replace it with $PORTSDBDIR
my $command = "$nselD -M $netflow_sources -r nfcapd.$timeslot -d $PORTSDBDIR -A -t $timeslot -l 1 -s 1 -w $PORTSDBDIR/nsel_stat.txt";

Add the plugin for profile ‘live’

vi /usr/local/etc/nfsen.conf
## Change @plugins to

@plugins = (
    # profile    # module
      [ 'live',   'NSELTracker'],
);

Start nfsen (or reload it)

/usr/local/bin/nfsen reload

When you visit the plugins page on nfsen you will then see:

However for some reason I cannot get this to populate any data at the moment! If you have any ideas please drop me a line.

RPM Commands

Install an RPM Package

RPM packages have file naming conventions like foo-2.0-4.i386.rpm, which include the package name (foo), version (2.0), release (4), and architecture (i386). Also notice that RPM understands FTP and HTTP protocols for installing and querying remote RPM files.

rpm -ivh foo-2.0-4.i386.rpm
rpm -i ftp://ftp.redhat.com/pub/redhat/RPMS/foo-1.0-1.i386.rpm
rpm -i http://oss.oracle.com/projects/firewire/dist/files/kernel-2.4.20-18.10.1.i686.rpm

Un-install an RPM Package

To un-install an RPM package, we use the package name foo, not the name of the original package file foo-2.0-4.i386.rpm above.

rpm -e foo

Upgrade an RPM Package

To upgrade an RPM package, RPM automatically un-installs the old version of the foo package and installs the new package. It is safe to always use rpm -Uvh to install and upgrade packages, since it works fine even when there are no previous versions of the package installed! Also notice that RPM understands FTP and HTTP protocols for upgrading from remote RPM files.

rpm -Uvh foo-1.0-2.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/RPMS/foo-1.0-1.i386.rpm
rpm -Uvh http://oss.oracle.com/projects/firewire/dist/files/kernel-2.4.20-18.10.1.i686.rpm

Query all Installed Packages

Use RPM to print the names of all installed packages installed on your Linux system.

rpm -qa

Query an RPM Package

Querying an RPM package will print the package name, version, and release number of the package foo only if it is installed. Use this command to verify that a package is or is not installed on your Linux system.

rpm -q foo

Display Package Information

RPM can display package information including the package name, version, and description of the installed program. Use this command to get detailed information about the installed package.

rpm -qi foo

List Files in Installed Package

The following command will list all of files in an installed RPM package. It works only when the package is already installed on your Linux system.

rpm -ql foo

Which package owns a file?

Use the following command to determine which installed package a particular file belongs to.

rpm -qf /usr/bin/mysql

For example:

# rpm -qf /usr/bin/mysql
mysql-3.23.52-3

List Files in RPM File

Use RPM to query a (possibly) un-installed RPM file with the "-p" option. You can use the "-p" option to operate on an RPM file without actually installing anything. This command lists all files in an RPM file you have in the current directory. Also note that RPM can query remote files through the FTP and HTTP protocols.

rpm -qpl kernel-2.4.20-18.10.1.i686.rpm
rpm -qpl ftp://ftp.redhat.com/pub/redhat/RPMS/foo-1.0-1.i386.rpm
rpm -qpl http://oss.oracle.com/projects/firewire/dist/files/kernel-2.4.20-18.10.1.i686.rpm

Verify an Installed Package

Use RPM to list all files that do NOT pass the verify tests (done on size, MD5 signature, etc).

rpm --verify mysql

Where a file does NOT pass, the output is listed using the following codes that signify what failed:

S File size
M Mode (includes permissions and file type)
5 MD5 sum
L Symlink
D Device
U User
G Group
T Mtime

Take for example the following:

# rpm --verify mysql
S.5….T c /etc/my.cnf

This example indicates that file /etc/my.cnf failed on:

File size
MD5 Sum
Modified Time

However, the “c” tells us this is a configuration file so that explains the changes. It should still be looked at to determine what the changes were.
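
Decoding those flag strings by hand does not scale to a full rpm -Va run, so here is an added Python parser (mine, not from the original cheat sheet) that turns each rpm --verify line into the list of failed checks from the table above and separates config files, which are expected to drift, from everything else, which deserves a closer look. The sample lines are constructed; the first is the /etc/my.cnf line shown above, and the "missing" form is rpm's own output for a file that has been deleted.

```python
"""Parse `rpm --verify` output into structured records and triage them."""
import re

# Failed-test codes as listed above; rpm prints '.' for a passed test and
# '?' for a test it could not perform.
VERIFY_CODES = {
    "S": "File size",
    "M": "Mode (includes permissions and file type)",
    "5": "MD5 sum",
    "L": "Symlink",
    "D": "Device",
    "U": "User",
    "G": "Group",
    "T": "Mtime",
}

# Flags are 8 chars on older rpm (9 with the newer 'P' capabilities test),
# or the word "missing"; an optional file-type letter (c = config, d = doc,
# g = ghost, l = licence, r = readme) precedes the absolute path.
_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)


def parse_verify_line(line):
    """Return {'path', 'config', 'failed'} for one rpm --verify line, else None."""
    m = _LINE.match(line.rstrip("\n"))
    if not m:
        return None
    flags = m.group("flags")
    if flags == "missing":
        failed = ["Missing file"]
    else:
        failed = [VERIFY_CODES[c] for c in flags if c in VERIFY_CODES]
    return {"path": m.group("path"), "config": m.group("attr") == "c",
            "failed": failed}


def triage(output):
    """Split verify output into (config files, other files). A changed size
    or MD5 sum on a non-config file is what warrants investigation."""
    config, suspicious = [], []
    for line in output.splitlines():
        rec = parse_verify_line(line)
        if rec is not None:
            (config if rec["config"] else suspicious).append(rec)
    return config, suspicious


if __name__ == "__main__":
    # Constructed sample output; the first line is the one from the text.
    SAMPLE = ("S.5....T c /etc/my.cnf\n"
              ".......T    /usr/share/mysql/charsets/Index.xml\n"
              "S.5....T    /usr/bin/mysql\n"
              "missing     /usr/bin/mysqladmin\n")
    cfg, sus = triage(SAMPLE)
    for rec in cfg:
        print("config ", rec["path"], "->", ", ".join(rec["failed"]))
    for rec in sus:
        print("CHECK  ", rec["path"], "->", ", ".join(rec["failed"]))
```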

Check an RPM Package Signature

RPM can be used to check the PGP signature of the specified package files to ensure their integrity and origin. Always use this command before installing a new RPM package on your system. Also, GnuPG or PGP software must already be installed on your system before you can use this command.

rpm --checksig foo-2.0-4.i386.rpm

Installing Postgresql in CentOS

Install

yum install postgresql84
yum install postgresql84-server
yum install postgresql-odbc.x86_64
yum install postgresql-jdbc.x86_64

#If you want to use modules as part of the tablefunc.sql
yum install postgresql84-contrib.x86_64

Initialize
service postgresql initdb

Start
/etc/init.d/postgresql start

Settings
vi /var/lib/pgsql/data/postgresql.conf
 Add -> listen_addresses = '*'
 to make it listen for inbound connections
vi /var/lib/pgsql/data/pg_hba.conf
 Add -> host    all         all         10.0.0.0/8            ident
 to allow connections from the local subnet

Create a DB
su – postgres

createdb qainfo

Install tablefunc
cd /usr/share/pgsql/contrib
For a specific database:
psql -d qainfo < tablefunc.sql
Or, without -d, into the postgres user's default database:
psql < tablefunc.sql

Create a DB user
su – postgres
psql
create user <>;
GRANT ALL PRIVILEGES ON DATABASE <> to <>;

Where USERNAME should match a Unix/Linux user.

Use DB
# As <> (the DB user created above)
psql qainfo
create table test ( name varchar(40));
insert into test values ('abc');
insert into test values ('123');
insert into test values ('you');
insert into test values ('me');
select * from test;