Friday 3 February 2012

Installing NfSen on FreeBSD 9

UPDATE: The latest version of nfdump (>=1.6.9) now includes NSEL (http://sourceforge.net/p/nfdump/news/). See Installing Nfsen 1.6.12 on Centos for further info.


This package allows you to view netflow statistics and generate some interesting graphs.




1) Install apache22 with all the defaults:
cd /usr/ports/www/apache22

make -DBATCH install

To start the Apache web server at boot, add apache22_enable="YES"
to /etc/rc.conf. Extra options are documented in the startup script.


Startup and shutdown can also be done manually:

/usr/local/sbin/apachectl [start|stop]

Your hostname must be resolvable through at least one mechanism listed in
/etc/nsswitch.conf (typically DNS or /etc/hosts), or Apache may fail
to start, depending on the modules you are using.

All the publicly accessible files are located in
/usr/local/www/apache22/data

2) Install PHP with the apache module
cd /usr/ports/lang/php5
make config (and turn on the "Build Apache module" option)
make install

Now make/check the following options in the apache configuration file (/usr/local/etc/apache22/httpd.conf):

a) The following line is inserted automatically if you install PHP after Apache:

LoadModule php5_module        libexec/apache22/libphp5.so

b) Make sure index.php is part of your DirectoryIndex:
DirectoryIndex index.html index.php

c) You should add the following to your Apache configuration file:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps


d) Set the timezone for PHP. Create the file /usr/local/etc/php.ini and add the following:
[PHP]
date.timezone = Australia/Sydney


Other timezones can be found here: http://nl3.php.net/manual/en/timezones.php

3) Install nfsen
cd /usr/ports/net-mgmt/nfsen
make install


This drops a base set of web files in /usr/local/www/nfsen. Create a symlink so Apache can serve them:
cd /usr/local/www/apache22/data
ln -s /usr/local/www/nfsen nfsen


Restart Apache to pick up the symlink, then start nfsen:

/usr/local/bin/nfsen start


Then visit http://<ip address>/nfsen/nfsen.php and you will get the following page



Add the following to /usr/local/etc/nfsen.conf

%sources = (
    'rtr01'    => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
);

Note: rtr01 must resolve to the IP address of the NetFlow source device.

Then run
/usr/local/bin/nfsen stop
/usr/local/bin/nfsen reconfig
/usr/local/bin/nfsen start
 

When you visit the webpage again you should get:



4) Configure your source

In my case it's a Cisco router running c1841-adventerprisek9-mz.150-1.M4.3.bin
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.0(1)M4.3, MAINTENANCE INTERIM SOFTWARE

On the interface(s) you want to monitor, add the ip flow ingress command. Generally you should do this on all enabled interfaces.

interface FastEthernet0/0
 description Uplink
 ip flow ingress
!
interface FastEthernet0/1
 description Downlink
 ip flow ingress
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export destination <<ip address of NfSen server>> <<port as configured in nfsen.conf = 2055>>
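To see what the collector is actually handed once the router exports version 9, here is an added example (not code from the original post, nor from nfdump or NfSen): a small Python decoder for NetFlow v9 packets, fed a packet built by hand in the same file. The packet is constructed data, not a capture; it reuses the addresses from the show ip cache flow output further down, and the field type numbers are the standard RFC 3954 ones.

```python
"""Minimal NetFlow v9 decoder.

Added example, not code from the original post or from nfdump/NfSen. It shows
what an nfcapd collector has to do with the packets a router sends after
'ip flow-export version 9': learn the template FlowSet first, then use it to
decode the data FlowSet. The packet is built by hand below (constructed data,
not a capture); the addresses reuse the ones shown in 'show ip cache flow'.
"""
import struct
from ipaddress import IPv4Address

# Standard NetFlow v9 field types (RFC 3954) this decoder names explicitly.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}


def _decode_field(ftype, raw):
    """Render IPv4 address fields as dotted quads, everything else as integers."""
    if ftype in (8, 12):
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet into (header, list of flow records).

    templates maps (source_id, template_id) -> [(field_type, length), ...] and
    should be kept between calls: the exporter resends templates only
    periodically, so data FlowSets whose template has not been seen yet are
    skipped rather than guessed at.
    """
    if templates is None:
        templates = {}
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:
            # A zero or undersized length would make this loop spin forever on
            # a malformed packet; treat it as corrupt input instead.
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:
            # Template FlowSet: one or more (template id, field list) entries.
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:
            # Data FlowSet: fixed-size records laid out as the template says,
            # followed by up to three bytes of padding.
            fields = templates.get((source_id, flowset_id))
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = \
                            _decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # FlowSet ids 1..255 (options templates etc.) are not needed here.
        offset += length
    return header, records


def build_sample_packet():
    """Hand-built export packet: one template (id 256) plus two UDP flow records."""
    template_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
    tmpl_body = struct.pack("!HH", 256, len(template_fields))
    tmpl_body += b"".join(struct.pack("!HH", t, l) for t, l in template_fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    def record(src, dst, sport, dport, proto, pkts, nbytes):
        return (IPv4Address(src).packed + IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, pkts, nbytes))

    data_body = record("10.48.2.151", "10.48.8.74", 0x973E, 161, 17, 19, 1520)
    data_body += record("10.48.4.72", "10.48.2.151", 161, 0x8B6B, 17, 1, 80)
    data_body += b"\x00" * (-len(data_body) % 4)   # pad to a 4-byte boundary
    data_set = struct.pack("!HH", 256, 4 + len(data_body)) + data_body

    # version 9, 3 records (1 template + 2 data), uptime, export time, seq, source id
    header = struct.pack("!HHIIII", 9, 3, 123456, 1328230800, 1, 0)
    return header + tmpl_set + data_set


if __name__ == "__main__":
    hdr, recs = parse_v9(build_sample_packet())
    print(hdr)
    for r in recs:
        print(r)
```

nfcapd does all of this for you; the point of the example is two things a collector must get right: a data FlowSet can only be decoded after its template has arrived (which is why a freshly started nfcapd shows nothing until the router resends templates), and the FlowSet length field has to be validated before it is trusted, since the exporter port is reachable by anyone who can send UDP to it.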

Confirm it's all working using:

show ip cache flow
IP packet size distribution (1216M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .444 .160 .025 .013 .019 .038 .016 .006 .004 .001 .004 .005 .007 .001

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .005 .000 .001 .041 .200 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  280 active, 3816 inactive, 158979266 added
  1941309328 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  280 active, 744 inactive, 158979207 added, 158979207 added to flow
  0 alloc failures, 0 force free
  1 chunk, 7808 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          21      0.0         5   104      0.0       3.7      10.2
TCP-FTP            722      0.0        19    74      0.0       5.4       2.5
TCP-WWW         776375      0.1        18   800      3.3       1.8       8.6
TCP-SMTP        384158      0.0         7   140      0.6       0.0       5.7
TCP-other     78760020     18.3        11   476    210.7       1.4       3.2
UDP-DNS       15334661      3.5         1    78      5.3       0.2      15.4
UDP-NTP        1995576      0.4         1    55      0.7       1.0      15.4
UDP-other     27839025      6.4         7   153     49.7       2.6      15.3
ICMP          33748168      7.8         1    81     12.4       0.9      15.4
IP-other        140260      0.0         7    81      0.2      59.6       0.9
Total:       158978986     37.0         7   396    283.3       1.4       9.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         10.48.2.151     Fa0/0         10.48.8.74      11 973E 00A1    19
Fa0/0         10.48.4.72      Fa0/1         10.48.2.151     11 00A1 8B6B     1
Fa0/1         10.48.2.151     Fa0/0         10.48.3.88      11 8810 00A1     6
Fa0/0         10.48.3.88      Fa0/1         10.48.2.151     11 00A1 8810     4



You can read this post to see how NetFlow and nfsen interact and provide the stats that you can use.

4) Create a profile

Follow the steps here to create a new continuous profile so that you can detect and colour the traffic. There is a bug in v1.3.5 which lets you modify an existing profile with new traffic types or sources but does not update the graphs. The only workaround is to delete the profile and re-create it.


The easiest way around this I've found is to delete the profile and create it via the command line as follows:


# tstart is the date from which you want the graphs regenerated
nfsen --add-profile MYPROF tstart="2012-02-03-11-50"
nfsen --add-channel MYPROF/ntp filter='port 123' colour='#FF6530'
nfsen --add-channel MYPROF/ssh filter='port 22' colour='#FFBE20'
nfsen --add-channel MYPROF/http filter='port 80' colour='#FFFF40'
nfsen --add-channel MYPROF/https filter='port 443' colour='#C9FF70'
nfsen --add-channel MYPROF/xmlrpc filter='port 8080' colour='#4FFF10'
nfsen --add-channel MYPROF/dca filter='port 8090' colour='#BFFFFF'
nfsen --add-channel MYPROF/dns filter='port 53' colour='#305FFF'
nfsen --add-channel MYPROF/icmp filter='proto icmp' colour='#FFC7FF'
# SNMP agents listen on udp 161 (123 is NTP, already covered above)
nfsen --add-channel MYPROF/snmp filter='port 161' colour='#FF6887'
nfsen --commit-profile MYPROF



Use the command below to get a list of all the options available:

/usr/local/bin/nfsen --help




5) Supporting Cisco ASAs


This configuration cannot support ASAs because they use a different NetFlow format (NSEL). See this for what is required to implement ASA support. A quick writeup of NSEL can be found here.

Basically you need to install nfdump-1.5.8-2-NSEL. Download the latest version of nfdump NSEL from here. Install this last, because performing the initial install (step 3) from ports pulls in all the dependencies for you.

Build and install this as follows:


tar -xvzf nfdump-1.5.8-2-NSEL.tar.gz
cd nfdump-1.5.8-2-NSEL
# configure looks for rrdtool under /usr; the port installs it under /usr/local
ln -s /usr/local/lib/librrd.so /usr/lib/librrd.so
ln -s /usr/local/include/rrd.h /usr/include/rrd.h
./configure --enable-nfprofile
make
make install


Check that this version has been installed:

nfdump -V
nfdump: Version: 1.5.8-2-NSEL $LastChangedDate: 2011-12-30 15:43:40 +0100 (Fri, 30 Dec 2011) $
$Id: nfdump.c 72 2011-12-30 14:47:39Z peter $



Edit /usr/local/etc/nfsen.conf and add the ASA as a source:


%sources = (
    'rtr01'    => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
    'fw03'    => { 'port' => '2056', 'col' => '#00ff00', 'type' => 'netflow' },
);


Configure the ASA as follows:

flow-export destination <Interface> <netflow server ip> <port as defined in nfsen.conf = 2056>
flow-export template timeout-rate 1
flow-export delay flow-create 60
 

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect snmp
 class class-default
  flow-export event-type all destination <netflow server ip>




Check the ASA is exporting the flows:


show flow-export counters
destination: CentralLAN 10.48.2.156 2056
  Statistics:
    packets sent                                            11334
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0






6) Installing NSELTracker Plugin (not working yet)


The NSELTracker plugin reads the events from the capture files and builds a hash table to maintain the following statistics:
  - Completed flows --> Flows for which both create and teardown events were observed
  - Open flows      --> Flows for which only the creation event was observed within the collection time interval
  - Denied flows    --> Flows that were denied by the ASA

Statistics for denied flows are maintained per protocol (TCP, UDP and ICMP) and per denial reason. A flow can be denied for one of the following reasons:

  Extended code 1001 -> Denied by ingress ACL
  Extended code 1002 -> Denied by egress ACL
  Extended code 1003 -> The device denied an attempt to connect to the interface service
  Extended code 1004 -> Denied since first packet on TCP Flow was not a TCP SYN packet
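The accounting described above, as an added example (not the plugin's own code): a Python replay of a constructed list of NSEL-style events that derives completed, open and denied-flow counts. The event dicts and the kind strings 'create', 'teardown' and 'deny' are this example's own representation, not the NSEL wire encoding; only the extended codes 1001 to 1004 come from the post, and the collection window is a parameter so that the "within the collection time interval" rule for open flows is explicit.

```python
"""Flow-state accounting of the kind NSELTracker is described as doing.

Added example, not the plugin's own code. It replays a constructed list of
NSEL-style events and derives: completed flows (create and teardown both
seen), open flows (create only, within the collection window) and denied
flows per protocol and denial reason. The event dicts and the kind strings
'create'/'teardown'/'deny' are this example's own representation, not the
NSEL wire encoding; only the extended codes 1001-1004 come from the post.
"""
from collections import Counter

# Extended event codes for denied flows, as listed in the post.
DENY_REASONS = {
    1001: "denied by ingress ACL",
    1002: "denied by egress ACL",
    1003: "denied attempt to connect to interface service",
    1004: "first packet on TCP flow was not a SYN",
}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def flow_key(ev):
    """The 5-tuple that ties a create, teardown or deny event to one flow."""
    return (ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"])


def track_flows(events, window_start, window_end):
    """Classify flows from events with window_start <= ts < window_end.

    Returns (completed, open_flows, denied): two counts and a Counter keyed
    by (protocol name, denial reason).
    """
    pending = {}          # flow_key -> create timestamp, teardown not yet seen
    completed = 0
    denied = Counter()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not window_start <= ev["ts"] < window_end:
            continue
        key = flow_key(ev)
        proto = PROTO_NAMES.get(ev["proto"], str(ev["proto"]))
        if ev["kind"] == "create":
            pending[key] = ev["ts"]
        elif ev["kind"] == "teardown":
            # A teardown whose create fell outside the window is ignored:
            # nothing is known about that flow's start.
            if pending.pop(key, None) is not None:
                completed += 1
        elif ev["kind"] == "deny":
            reason = DENY_REASONS.get(ev["ext_code"], f"extended code {ev['ext_code']}")
            denied[(proto, reason)] += 1
    return completed, len(pending), denied


def sample_events():
    """Constructed events (not a real ASA export); all addresses are private."""
    def ev(kind, ts, proto, src, sport, dst, dport, ext_code=0):
        return {"kind": kind, "ts": ts, "proto": proto, "src": src, "sport": sport,
                "dst": dst, "dport": dport, "ext_code": ext_code}
    return [
        ev("create",   100, 6,  "10.48.2.151", 40000, "10.48.8.74", 443),
        ev("teardown", 130, 6,  "10.48.2.151", 40000, "10.48.8.74", 443),   # completed
        ev("create",   105, 17, "10.48.2.151", 38718, "10.48.8.74", 161),   # still open
        ev("deny",     110, 6,  "10.48.9.9",   5555,  "10.48.2.10", 22, 1001),
        ev("deny",     111, 6,  "10.48.9.9",   5556,  "10.48.2.10", 22, 1001),
        ev("deny",     112, 17, "10.48.9.9",   5557,  "10.48.2.10", 53, 1002),
        ev("deny",     115, 6,  "10.48.9.9",   5558,  "10.48.2.10", 22, 1004),
        ev("teardown", 120, 6,  "10.48.2.200", 51000, "10.48.8.74", 80),    # create not seen
        ev("create",   400, 6,  "10.48.2.200", 51001, "10.48.8.74", 80),    # outside window
    ]


def summarize(window_start=0, window_end=300):
    """Run the tracker over the sample events and flatten the result for display."""
    completed, open_flows, denied = track_flows(sample_events(), window_start, window_end)
    return {"completed": completed, "open": open_flows,
            "denied": {f"{proto}/{reason}": n for (proto, reason), n in denied.items()}}


if __name__ == "__main__":
    for k, v in summarize().items():
        print(k, v)
```

The per-reason breakdown is the useful part for a defender: a rising count of code 1004 denials, for instance, points at scanning or asymmetric routing rather than at ACL policy, which a plain "denied" total would hide.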




Create a location to store the RRD data:


mkdir /usr/local/var/nfsen/nselD
chown www:www /usr/local/var/nfsen/nselD

Install the NSELTracker processing engine:

cd ~/nfdump-1.5.8-2-NSEL/NSELTracker/

cp nseld /usr/local/bin/nselD
chown root:www /usr/local/bin/nselD


Initialize the RRD data store:

/usr/local/bin/nselD -I -d /usr/local/var/nfsen/nselD


Install the plugins:

#Front end plugin
cp NSELTracker.php /usr/local/www/nfsen/plugins 
#Back end plugin
cp NSELTracker.pm /usr/local/libexec/nfsen/plugins

#Modify the backend plugin to point to the RRD data directory and fix code bugs
vi /usr/local/libexec/nfsen/plugins/NSELTracker.pm

# On line 27 change $PORTSDBDIR from "/data/nfsen/nsel" to "/usr/local/var/nfsen/nselD"
my $PORTSDBDIR = "/usr/local/var/nfsen/nselD";

# On line 427 remove the extra double quote after open(NSELD, so that the line reads:
# (note the plugin runs $NfConf::PREFIX/nseld, lower-case d; make sure that name
#  matches the binary you installed above, which was copied as nselD)
my $pid = open(NSELD, "$NfConf::PREFIX/nseld $args  2>&1|");

# On line 482 remove the reference to "/data/nfsen/nsel/" and replace it with $PORTSDBDIR
my $command = "$nselD -M $netflow_sources -r nfcapd.$timeslot -d $PORTSDBDIR -A -t $timeslot -l 1 -s 1 -w $PORTSDBDIR/nsel_stat.txt";

Add the plugin for the profile 'live':


vi /usr/local/etc/nfsen.conf
## Change @plugins to

@plugins = (
    # profile    # module
      [ 'live',   'NSELTracker'],
);
 


Start nfsen (or reload it):


/usr/local/bin/nfsen reload



When you visit the plugins page in nfsen you then see:





However for some reason I cannot get this to populate any data at the moment! If you have any ideas please drop me a line.

2 comments:

  1. UPDATE: it looks like the latest version of nfdump (>=1.6.9) now includes NSEL (http://sourceforge.net/p/nfdump/news/)

  2. NSELTracker
    Error reading time stamp info
