Download from the official site: http://nfsen.sourceforge.net/
Required Perl modules:
# Ubuntu
apt-get install libsocket6-perl libmail-sender-perl libmailtools-perl
# CentOS
yum install perl-Socket6 perl-MailTools perl-Mail-Sender
nfdump must be installed first: NfSen is only a front end that starts the nfdump collectors and runs its tools.
Follow the README file: inside the extracted source, change to the etc directory and copy the NfSen config file nfsen-dist.conf to nfsen.conf. Edit nfsen.conf according to your needs and setup.
Modify nfsen.conf, sample diff:
--- nfsen-dist.conf 2012-01-14 18:13:53.000000000 +0800
+++ nfsen.conf 2012-02-16 15:13:57.580091471 +0800
@@ -18,7 +18,7 @@
#
# Required for default layout
-$BASEDIR = "/data/nfsen";
+$BASEDIR = "/opt/nfsen";
#
# Where to install the NfSen binaries
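Review bot: the hunk changes $BASEDIR to /opt/nfsen, but nothing here shows that directory being created or who owns it, and the $WWWUSER comment further down says all netflow processing runs as the web server user. State whether install.pl is expected to create /opt/nfsen and that it ends up writable by that user, and check that /opt sits on a volume with room for the flow archive rather than the root filesystem.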
@@ -76,7 +76,7 @@
#
# nfdump tools path
-$PREFIX = '/usr/local/bin';
+$PREFIX = '/usr/bin';
#
# nfsend communication socket
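Review bot: changing $PREFIX from /usr/local/bin to /usr/bin is correct only for a distro package of nfdump; a source build installs under the old value. Verify with `ls -l /usr/bin/nfdump /usr/bin/nfcapd` before running install.pl, since every collector NfSen starts is looked up under this path.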
@@ -92,8 +92,8 @@
# user and group of the web server process
# All netflow processing will be done with this user
-$WWWUSER = "www";
-$WWWGROUP = "www";
+$WWWUSER = "www-data";
+$WWWGROUP = "www-data";
# Receive buffer size for nfcapd - see man page nfcapd(1)
$BUFFLEN = 200000;
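Review bot: www-data is the Debian/Ubuntu web server account, yet the notes above also give a CentOS package line, where the Apache account is apache, so this pair of values is not portable between the two distributions listed. Confirm with `id www-data` (or `id apache`) on the target host before install.pl, because the comment says all netflow processing runs as this user and the flow data will be owned by it.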
@@ -105,7 +105,8 @@
# Example:
# $EXTENSIONS = 'all';
# $EXTENSIONS = '+3,+4';
-#
+$EXTENSIONS = '+1,+3,+4';
+
# Directory sub hierarchy layout:
# Possible layouts:
#
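Review bot: the active line $EXTENSIONS = '+1,+3,+4' replaces the comment's closing "#" and adds a trailing blank line, but no comment records why these three extensions were chosen over the 'all' and '+3,+4' examples kept above it. Add a one-line note naming the fields they add (the nfcapd(1) man page that the $BUFFLEN comment already points to documents them) so a later reader knows what the stored flows are expected to contain.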
@@ -160,9 +161,7 @@
# Ident strings must be 1 to 19 characters long only, containing characters [a-zA-Z0-9_].
%sources = (
- 'upstream1' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
- 'peer1' => { 'port' => '9996', 'IP' => '172.16.17.18' },
- 'peer2' => { 'port' => '9996', 'IP' => '172.16.17.19' },
+ 'alix' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
);
#
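Review bot: the new 'alix' entry has no 'IP' key, whereas the removed peer1 and peer2 entries show the key that pins a source to one exporter address. Without it, the nfcapd listening on UDP 9995 accepts flow records from any host that can reach it, and since NetFlow is plain UDP with no authentication, anyone on the path could inject forged records into the alix source or swamp the collector. Suggest 'alix' => { 'port' => '9995', 'IP' => '<exporter address>', 'col' => '#0000ff', 'type' => 'netflow' } together with a host firewall rule that limits UDP/9995 to that exporter.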
@@ -233,7 +232,7 @@
#
# Alert module: email alerting:
# Use this from address
-$MAIL_FROM = 'your@from.example.net';
+$MAIL_FROM = 'root@example.com';
# Use this SMTP server
$SMTP_SERVER = 'localhost';
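Review bot: example.com is a reserved documentation domain, and $SMTP_SERVER stays 'localhost', so alert mail will leave the local MTA with a From address on a domain you do not own; many receivers reject or spam-filter that unless the MTA rewrites it. Use an address on a domain the local MTA actually delivers for.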
Then run:
./install.pl etc/nfsen.conf
Note these lines in nfsen.conf:
%sources = (
'alix' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
...
This means flows received on UDP port 9995 are stored under the source name alix, which is what appears in the source selection box. Because the entry has no 'IP' key, the collector accepts flows from any host that can reach that port; add 'IP' => '<exporter address>' to accept only your router's exports, and restrict UDP/9995 to that address at the host firewall.
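As an added pre-flight check (example code written for these notes, not part of NfSen), the script below pulls the settings changed above out of nfsen.conf and flags the problems that usually bite on a first install: $PREFIX pointing at a directory without nfcapd/nfdump, a $WWWUSER that does not exist on this distribution, a malformed source ident, a source without an 'IP' key, and two sources sharing a port without being told apart by IP. The sample configuration embedded in it is constructed from the diff above; the peer1 and peer2 entries are invented to exercise the shared-port check, and the script uses regular expressions rather than evaluating Perl, so it only understands the simple one-line layout of nfsen-dist.conf.

```python
"""Pre-flight lint for nfsen.conf, run before ./install.pl etc/nfsen.conf.

Added example for these notes, not part of NfSen. It pulls a few settings
out of the Perl config with regular expressions (one-line scalar
assignments and the %sources hash), so it does not evaluate Perl and only
understands the simple layout used in nfsen-dist.conf.
"""
import os
import pwd
import re

# Scalar lines such as   $BASEDIR = "/opt/nfsen";   (commented lines do not match)
SCALAR_RE = re.compile(r'''^\s*\$(\w+)\s*=\s*(["'])(.*?)\2\s*;''', re.M)
# One %sources entry:  'alix' => { 'port' => '9995', 'col' => '#0000ff', ... },
SOURCE_RE = re.compile(r"^\s*'([^']+)'\s*=>\s*\{([^}]*)\}")
KV_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")
# Ident rule from nfsen-dist.conf: 1 to 19 characters from [a-zA-Z0-9_]
IDENT_RE = re.compile(r'^[A-Za-z0-9_]{1,19}$')

# Constructed sample in the shape of the nfsen.conf edited above; the peer
# entries are invented to exercise the port-sharing check.
SAMPLE_CONF = """\
$BASEDIR = "/opt/nfsen";
$PREFIX = '/usr/bin';
$WWWUSER = "www-data";
$WWWGROUP = "www-data";
$EXTENSIONS = '+1,+3,+4';
%sources = (
    'alix'  => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
    'peer1' => { 'port' => '9996', 'IP' => '172.16.17.18' },
    'peer2' => { 'port' => '9996' },
);
$MAIL_FROM = 'root@example.com';
"""


def parse_conf(text):
    """Return (scalars, sources): {'BASEDIR': '/opt/nfsen', ...} and
    {'alix': {'port': '9995', ...}, ...}."""
    scalars = {name: value for name, _quote, value in SCALAR_RE.findall(text)}
    sources, inside = {}, False
    for line in text.splitlines():
        if re.match(r'^\s*%sources\s*=\s*\(', line):
            inside = True
            continue
        if inside:
            if line.strip().startswith(')'):
                break
            m = SOURCE_RE.match(line)
            if m:
                sources[m.group(1)] = dict(KV_RE.findall(m.group(2)))
    return scalars, sources


def _user_exists(name):
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def lint(scalars, sources, user_exists=_user_exists,
         is_executable=lambda path: os.access(path, os.X_OK)):
    """Return a list of findings; the two callbacks exist so the checks can be
    run on behalf of a host other than the one executing the script."""
    findings = []
    for key in ('BASEDIR', 'PREFIX', 'WWWUSER', 'WWWGROUP'):
        if key not in scalars:
            findings.append(f'${key} is not set')
    www = scalars.get('WWWUSER')
    if www and not user_exists(www):
        findings.append(f'$WWWUSER {www!r} does not exist here '
                        '(Debian/Ubuntu: www-data, RHEL/CentOS: apache)')
    prefix = scalars.get('PREFIX')
    if prefix:
        for tool in ('nfdump', 'nfcapd'):
            path = os.path.join(prefix, tool)
            if not is_executable(path):
                findings.append(f'{path} missing or not executable; point $PREFIX '
                                'at the directory nfdump was installed into')
    if not sources:
        findings.append('%sources is empty, nothing will be collected')
    by_port = {}
    for ident, attrs in sources.items():
        if not IDENT_RE.match(ident):
            findings.append(f'source {ident!r}: ident must be 1-19 chars of [A-Za-z0-9_]')
        port = attrs.get('port', '')
        if not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(f'source {ident!r}: invalid or missing port {port!r}')
            continue
        exporter = attrs.get('IP')
        if exporter is None:
            findings.append(f'source {ident!r}: no IP key, so UDP/{port} accepts flows '
                            'from any host; NetFlow is unauthenticated UDP, pin the '
                            'exporter with IP and filter the port at the host firewall')
        by_port.setdefault(port, []).append((ident, exporter))
    for port, entries in by_port.items():
        if len(entries) > 1 and any(ip is None for _, ip in entries):
            names = ', '.join(ident for ident, _ in entries)
            findings.append(f'port {port} shared by {names} but not every entry sets IP, '
                            'so the collectors cannot be told apart')
    return findings


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    scalars, sources = parse_conf(text)
    for finding in lint(scalars, sources) or ['no findings']:
        print('-', finding)
```

Run it as `python3 nfsen_lint.py etc/nfsen.conf` on the host that will run install.pl; with no argument it lints the embedded sample, which reports the missing IP on alix and peer2 and the ambiguous shared port 9996.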
Use profiles to classify the traffic you want to monitor.
The live profile is created automatically from the sources configured in nfsen.conf; create your own profile for anything more specific.
For example, to monitor traffic to a web server at 1.2.3.4:
Add one channel for incoming traffic with the filter:
proto tcp and dst port 80 and dst ip 1.2.3.4
Add one channel for outgoing traffic with the filter:
proto tcp and src port 80 and src ip 1.2.3.4
Better yet, add one channel for spotting a SYN flood DoS attack, meant to catch flows that carry SYN but none of ACK, FIN, RST, PSH or URG, i.e. handshakes that were never completed:
proto tcp and dst port 80 and dst ip 1.2.3.4 and flags S and not flags AFRPU
Test any channel filter against a captured file before relying on it, for example nfdump -r <nfcapd file> 'proto tcp and dst port 80 and dst ip 1.2.3.4 and flags S and not flags AFRPU', and check that completed requests are excluded and half-open ones are kept.
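As an added illustration of what the SYN-flood channel is looking for (example code written for these notes, not NfSen's), the script below applies the same predicate to constructed flow records carrying cumulative TCP flags and contrasts it with a filter that only checks for SYN: the weaker filter also counts every completed request, because a normal flow records S together with A, P and F. The flow records, addresses and alert threshold are all made up for the example; the only fact it relies on is that the collector stores the union of flags seen over a flow's lifetime.

```python
"""Why the SYN-flood channel excludes every flag except SYN.

Added example for these notes, not NfSen code. nfcapd stores the TCP flags
of a flow cumulatively (every flag seen on any packet of the flow), so a
completed request shows S together with A, P, F, while a SYN that was never
answered shows S alone. The records below are constructed, not nfdump
output, and the alert threshold is an arbitrary number for the example.
"""
from collections import defaultdict

# (src_ip, dst_ip, dst_port, proto, cumulative tcp flags) -- constructed
FLOWS = [
    ('10.0.0.5', '1.2.3.4', 80, 'tcp', 'APSF'),      # normal completed request
    ('10.0.0.6', '1.2.3.4', 80, 'tcp', 'APSF'),
    ('10.0.0.7', '1.2.3.4', 80, 'tcp', 'SR'),        # SYN then reset by the client
    ('10.0.0.8', '1.2.3.4', 443, 'tcp', 'S'),        # wrong port for this channel
    ('10.0.0.9', '1.2.3.4', 80, 'udp', ''),          # not tcp
    ('10.0.0.5', '5.6.7.8', 80, 'tcp', 'S'),         # two stray SYNs elsewhere
    ('10.0.0.6', '5.6.7.8', 80, 'tcp', 'S'),
]
# Fifty half-open connections from spoofed sources: the flood signature.
FLOWS += [(f'203.0.113.{i}', '1.2.3.4', 80, 'tcp', 'S') for i in range(1, 51)]


def syn_only(flags):
    """True when SYN was seen and no other flag ever was."""
    return set(flags) == {'S'}


def channel_match(flow, dst_ip, dst_port=80, strict=True):
    """Emulates the incoming-SYN channel filter above. strict=False keeps only
    'proto tcp and dst port ... and dst ip ... and flags S', which also matches
    every completed handshake because those flows contain S as well."""
    _src, dst, dport, proto, flags = flow
    if proto != 'tcp' or dst != dst_ip or dport != dst_port:
        return False
    return syn_only(flags) if strict else 'S' in flags


def count_channel(flows, dst_ip, dst_port=80, strict=True):
    """Number of flows the channel would count for dst_ip:dst_port."""
    return sum(1 for f in flows if channel_match(f, dst_ip, dst_port, strict))


def syn_flood_report(flows, dst_port=80, min_syn_only=25):
    """Per destination on dst_port: SYN-only flow count, distinct sources,
    and whether the count crosses the (assumed) alert threshold."""
    per_dst = defaultdict(lambda: [0, set()])
    for src, dst, dport, proto, flags in flows:
        if proto == 'tcp' and dport == dst_port and syn_only(flags):
            per_dst[dst][0] += 1
            per_dst[dst][1].add(src)
    return {dst: {'syn_only': n, 'sources': len(srcs), 'alert': n >= min_syn_only}
            for dst, (n, srcs) in per_dst.items()}


if __name__ == '__main__':
    print('flags S only        :', count_channel(FLOWS, '1.2.3.4', strict=False))
    print('S and no other flag :', count_channel(FLOWS, '1.2.3.4', strict=True))
    for dst, report in syn_flood_report(FLOWS).items():
        print(dst, report)
```

The distinct-source count is worth keeping next to the flow count: a genuine flood from spoofed addresses shows many sources with one half-open flow each, while a single misbehaving client retrying against a dead port shows one source with many.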