
Netflow is ...

... a Cisco-driven standard. Ok, and it's essentially what you use to monitor the connections you are piping through this kind of network equipment: a flow record summarizes who talked to whom, on which ports and protocol, and with how many packets and bytes, without keeping any payload.

Netflow is very useful for Incident Response on DDoS attacks, for example. However, some network devices have acute CPU issues when a DDoS comes in and simply stop producing Netflow records. During a DDoS attack they have better things to do, one could say... but actually Incident Response on large-scale DDoS attacks against complex networks requires Netflow, and it requires it precisely while the attack is running.

One possible solution is to generate Netflow (and I mean real Netflow, not just JSON-serialized data which happens to contain Netflow information) from SPAN'ed traffic. A switch mirrors all traffic to a Linux VM, which receives it on a promiscuous network interface. From the incoming traffic the VM produces Netflow v9 records, and CERT NetSA SiLK (its rwflowpack collector receives the exported records) commits them to files on disk. To allow data analysis we can write a quick JSON serializer as well, which lets us commit the data into modern log management solutions such as Splunk, Sumo Logic or Elasticsearch. We can also have a modern dashboard and generate a network overview with charts and plots. Last but not least, this log data can contribute to asset information systems. The practical caveat is that the sensor has to keep up: an oversubscribed SPAN port or a NIC that drops frames silently loses flows in exactly the situation where you need them.
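As an added example (not code from the original post), here is the kind of quick JSON serializer the paragraph mentions, written as a shell function around awk so it runs on the collector VM itself without extra runtimes. It assumes SiLK's rwcut is available and that rwcut --delimited=, prints a title line followed by one comma-separated record per line; the flow records it is fed below are constructed sample data, not real traffic, and the rwfilter/rwcut invocation in the comment is the assumed way to pull records out of a SiLK repository.

```shell
#!/bin/sh
# Added example, not the post's own code: turn SiLK flow records into
# JSON lines for Splunk / Elasticsearch / Sumo Logic ingestion.
#
# Assumptions: SiLK's rwcut is installed; the column names used here are
# standard rwcut field names; --delimited=, makes rwcut print a title line
# and then one comma-separated record per line with no padding.

# silk_to_jsonl reads rwcut delimited output on stdin (title line first)
# and writes one JSON object per line. Integer-looking columns (ports,
# protocol, packets, bytes) are emitted as JSON numbers, everything else
# (addresses, timestamps) as JSON strings.
silk_to_jsonl() {
    awk -F',' '
        NR == 1 {
            # title line: remember the field names, trimming padding
            for (i = 1; i <= NF; i++) { gsub(/^ +| +$/, "", $i); name[i] = $i }
            next
        }
        NF == 0 { next }
        {
            line = "{"
            for (i = 1; i <= NF; i++) {
                gsub(/^ +| +$/, "", $i)
                val = $i
                if (val ~ /^[0-9]+$/) line = line "\"" name[i] "\":" val
                else line = line "\"" name[i] "\":\"" val "\""
                if (i < NF) line = line ","
            }
            print line "}"
        }'
}

# Constructed sample (not real data) in the shape rwcut prints for:
#   rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,sTime --delimited=,
SAMPLE_FLOWS='sIP,dIP,sPort,dPort,protocol,packets,bytes,sTime
198.51.100.7,203.0.113.10,51234,80,6,12,1400,2016/08/10T12:00:01.000
192.0.2.33,203.0.113.10,443,52210,6,3,180,2016/08/10T12:00:02.500'

# Assumed real-world pipeline on the collector VM (SILK_DATA_ROOTDIR set):
#   rwfilter --start-date=2016/08/10 --proto=0-255 --pass=stdout \
#     | rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,sTime --delimited=, \
#     | silk_to_jsonl >> /var/log/netflow/flows.json

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_FLOWS" | silk_to_jsonl
fi
```

Feed the JSON lines file to a Splunk forwarder or a Filebeat/Logstash input with a JSON codec; because numeric columns are real JSON numbers, the log platform can aggregate bytes and packets per destination straight away, which is what you want on a DDoS dashboard.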

Generate Netflow from a promiscuous interface


Here's my trick: ipt_netflow is a Linux kernel module which has the unique and almost magical ability to generate Netflow records from a local network interface. It has performed well in all my tests.

First we install ipt_netflow in a virtual machine, let's say a Linux KVM guest residing on a Debian 7 or 8 host. Or we install it on the host; that doesn't matter here specifically. Check it out:

apt-get update
apt-get install iptables-dev pkg-config build-essential linux-headers-amd64

The headers must match the kernel the module will be loaded into: configure looks for them under /lib/modules/$(uname -r)/build, so on a custom kernel install that kernel's own headers instead of the distribution metapackage. On Gentoo you need to emerge the relevant iptables packages, but the kernel sources will most likely already be present.

user@box:~/Source/ipt-netflow$ ./configure --enable-promisc

Kernel version: 4.4.16-stamus-amd64 (uname)
Kernel sources: /lib/modules/4.4.16-stamus-amd64/build (found)
Checking for presence of include/linux/llist.h... Yes
Checking for presence of include/linux/grsecurity.h... No
Iptables binary version: 1.4.21 (detected from /sbin/iptables)
pkg-config for version 1.4.21 exists: Yes
Checking for presence of xtables.h... Yes
Iptables include flags: (pkg-config)
Iptables module path: /lib/xtables (pkg-config)
Searching for net-snmp-config... No.
Searching for net-snmp agent... No.
Assuming you don't want net-snmp agent support.
Otherwise do: apt-get install snmpd libsnmp-dev
Checking for DKMS... Yes.
Creating Makefile.. done.

If you need some options enabled run ./configure --help

Now run: make all install

Installation done. Next, next, finish... aeh, make, sudo make install (or simply make all install, as configure suggests; it builds and installs both the kernel module and the iptables userspace library). Now let's load it. You can configure it via procfs: the runtime settings are sysctls under net.netflow (/proc/sys/net/netflow/) and the module's own counters are in /proc/net/stat/ipt_netflow. Before that, put the SPAN-facing interface into promiscuous mode and check that the PROMISC flag shows up. Keep an eye on the RX dropped counter as well: a frame the NIC drops never becomes a flow.

sudo /sbin/ifconfig eth0 promisc

sudo /sbin/ifconfig

eth0      Link encap:Ethernet  HWaddr 52:54:00:5e:c9:7f
...
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:291674658 errors:0 dropped:2 overruns:0 frame:0
...
          RX bytes:232405128376 (216.4 GiB)  TX bytes:1089914538 (
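The steps on this page, plus the load and verification steps, collected into one script. This is an added example and not the post's own code. It assumes, without confirmation from the post: that ipt_NETFLOW accepts the module parameters destination=, protocol= and promisc= (the last only when built with --enable-promisc); that the collector is SiLK's rwflowpack listening on UDP 2055 on the same VM; that the module's counters live in /proc/net/stat/ipt_netflow; and it uses ip(8) in place of the ifconfig shown above. Check the parameter names against the README of the ipt_netflow release you built. The two check functions take tool output as an argument so they can be exercised on constructed samples; verify_sensor feeds them the live output of ip link and lsmod.

```shell
#!/bin/sh
# Added example, not the post's own code: build, load and verify an
# ipt_netflow sensor on a SPAN-fed Linux VM.
#
# Assumed (verify against your ipt_netflow README): module parameters
# destination=, protocol= and promisc=; collector rwflowpack on
# 127.0.0.1:2055; counters in /proc/net/stat/ipt_netflow.
set -eu

IFACE="${IFACE:-eth0}"
COLLECTOR="${COLLECTOR:-127.0.0.1:2055}"
SRC="${SRC:-${HOME:-.}/Source/ipt-netflow}"

# has_promisc_flag: given the output of `ip -o link show DEV`, succeed
# only if the flag list in <...> contains PROMISC.
has_promisc_flag() {
    printf '%s\n' "$1" | grep -q '<[^>]*PROMISC[^>]*>'
}

# module_loaded: given the output of `lsmod`, succeed only if a line
# starts with the ipt_NETFLOW module name (not merely a "Used by" mention).
module_loaded() {
    printf '%s\n' "$1" | grep -q '^ipt_NETFLOW[[:space:]]'
}

# build_and_install: the apt-get / configure / make steps from the post.
build_and_install() {
    apt-get update
    apt-get install -y iptables-dev pkg-config build-essential linux-headers-amd64
    cd "$SRC"
    ./configure --enable-promisc
    make all install
    depmod -a
}

# load_sensor: load the module exporting NetFlow v9 to the collector with
# the promisc hack on, then switch the SPAN-facing NIC to promiscuous mode.
load_sensor() {
    modprobe ipt_NETFLOW destination="$COLLECTOR" protocol=9 promisc=1
    ip link set dev "$IFACE" promisc on
    # Mirrored frames are picked up by the promisc hack. Traffic addressed
    # to the VM itself only traverses netfilter, so account it explicitly
    # if you want it in the flows as well (optional for a pure sensor):
    #   iptables -I INPUT -j NETFLOW
    #   iptables -I OUTPUT -j NETFLOW
}

# verify_sensor: the checks to run before trusting the data.
verify_sensor() {
    has_promisc_flag "$(ip -o link show "$IFACE")" \
        || { echo "$IFACE is not in promiscuous mode" >&2; return 1; }
    module_loaded "$(lsmod)" \
        || { echo "ipt_NETFLOW is not loaded" >&2; return 1; }
    # The active flow count should move while SPAN traffic arrives; if it
    # stays at zero, check the mirror session, not the module.
    cat /proc/net/stat/ipt_netflow
    # RX drops on the NIC are flows you will never see.
    ip -s link show "$IFACE"
}

case "${1:-}" in
    install) build_and_install ;;
    start)   load_sensor && verify_sensor ;;
    check)   verify_sensor ;;
esac
```

Run it as root: `./sensor.sh install` once, then `./sensor.sh start` after every reboot (or turn load_sensor into a systemd unit), and `./sensor.sh check` whenever the flow count on the dashboard looks suspiciously flat.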
