As you might already know the last time I installed nfsen was in FreeBSD v9 and it used a special NSEL fork for nfdump. This version allowed us to capture the extra information generated by ASA v9 netflow records.
My initial build of nfsen in Feb 2012 has been in continuous use for over two years now. We collect data from 9 sources and only have two two profiles: the default live and one we called services. The services profile basically displays the traffic for each type of service (eg ssh, web, https, dns, vnc, DVR etc). We also have defined a number of alerts which send snmptraps to our network management systems.
Since the orignal install two years ago, the main version of nfdump as been rewritten to incorporate NSEL. This post describes how I installed my first prototype system with the latest version of nfdump (1.6.12) and nfsen (1.3.6p1). The only difference will be that I'm going to use CentOS release 6.5 (Final) as the base OS. As this is a prototype build, I'm being very brief with explaining the commands.
(I think the commands should be similar if you wanted to install this in a FreeBSD instance)
I copied the first 7 command from here.
1) Install a new Centos 6.5 System
2) Check iptables is off
iptables -t filter -L -v –n
3) Check SELinux is off
cat /etc/selinux/config
sestatus (show show disabled)
vi /etc/selinux/config
set SELINUX=disabled
reboot
4) Install Apache and other per-requisits
yum install -y httpd php wget gcc make rrdtool-devel rrdtool-perl perl-MailTools perl-Socket6 flex byacc
yum install libtool.x86_64
5) Start HTTPd
service httpd start
6) Enable HTTPd at boot
chkconfig httpd on
7)Get nfdump and nfsen
wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.12/nfdump-1.6.12.tar.gz (latest version supports nsel)
wget http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz/
8) Compile and install nfdump
tar -zxvf nfdump-1.6.12.tar.gz
./configure --enable-nfprofile --enable-nftrack --enable-sflow --enable-nsel
autoreconf
Make
Make install
9) Add a netflow user
adduser netflow
usermod -a -G apache netflow
10) Compile and install nfsen
tar -xvzf nfsen-1.3.6p1.tar.gz
cd nfsen-1.3.6p1/etc
cp nfsen-dist.conf nfsen.conf
(now make a /data/nfsen folder somwhere on the system, you need lots of space for this)
vi etc/nfsen.conf & change $WWWUSER to apache
vi etc/nfsen.conf & change $WWWGROUP to apache
vi etc/nfsec.conf & change $HTMLDIR = "/var/www/nfsen/"; to /var/www/html/nfsen
vi etc/nfsec.conf & uncomment $EXTENSIONS = 'all'; or add $EXTENSIONS = 'nsel';
cd ..
./install.pl etc/nfsen.conf
11) Configure ASA: -> https://supportforums.cisco.com/document/30471/netflow-asa
12)Add the data sources as described previously
/data/nfsen/bin/nfsen stop
vi /data/nfsen/etc/nfsen.conf
/data/nfsen/bin/nfsen reconfig
/data/nfsen/bin/nfsen start
chkconfig nfsen on (to make it autostart after reboot)
The web address should now be http://<hostip>/nfsen/nfsen.php. If you have done everthing right then you can see the following:
Once you have some data collected, pick a time slot and and select "List Flows" and hit process. You will then see the extended ASA information (Event / Extended Events)
One of the new features that the later version have introduced is that filers can now accept additional info other than standard tcpdump parameters. From the man page:
"The filter syntax is comparable to tcpdump and extended for netflow data."
This mean you can have a filter that does the following:
"asa event deny and port 80"
Here is a sample from the nfdump man page:
NSEL/ASA specific filters:
NSEL/ASA Event
asa event <ignore|create|term|delete|deny>
asa event [comp] <number>
select NSEL/ASA event by name or number. If given as number it can be compared with a number
NSEL/ASA denied reason
asa event denied <ingress|egress|interface|nosyn>
Select a NSEL/ASA denied event by type
NSEL/ASA extended events
asa xevent [comp] <num>
Select an extended NSELL ASA event by number, or optionally compared by a number.
X-late IP addresses and ports
[src|dst] xip <ip>
Select the translated IP address
[src|dst] xnet <net>/<num>
with <net> as a valid translated IPv4 or IPv6 network and <num> as maskbits. The number of mask bits must
match the appropriate address familiy in IPv4 or IPv6. Networks may be abreviated such as 172.16/16 if
they are unambiguous.
[src|dst] xport <port>
Select the translated port
NSEL/ASA ingress/egress
ingress <ACL|ACE|XACE> [comp] number
Select/compare an ingress ACL
egress ACL [comp] <number>
Select/compare an egress ACL
Thanks for the howto. I've been playing with nfdump/nfsen with mostly Cisco router netflows without any issues but trying to get our Cisco ASA & NSEL working. No matter what configuration I try, the NSEL flows come up empty.
ReplyDeleteThe following steps was done as troubleshooting :
* Upgraded from nfdump 1.6.11 to 1.6.12 with all the required configuration parameters (especially --enable-nsel)
* Configuring a second netflow v9 router source to make sure the setup works (the 2nd source works fine but no data in the first NSEL ASA source)
* The NSEL export from the ASA is definitely reaching the server (tcpdump udp port 9995 -vv -X) confirms the traffic.
* $EXTENTIONS= 'all' added to nfsen.conf
* Attempts to configure the NSEL source in nfsen.conf as type "netflow" or "sflow" or even not specifying a type gives the same result. What should a NSEL source be set to? Your article suggest type "netflow" ?
Any help will be appreciated
Thanks
Gerhard
I checked my conf files and I'm using "netflow" as the type:
Delete'test-asa-fw' => { 'IP' => '192.168.xx.1', 'port' => '2019', 'col' => '#CC00FF', 'type' => 'netflow' }
Are you able to run a nfdump on the captured data to see if the nsel has been written to disk?
Also can you check that the ASA is configured with:
flow-export template timeout-rate 1
flow-export delay flow-create 1
Cheers
Note Paper: Installing Nfsen 1.6.12 On Centos >>>>> Download Now
Delete>>>>> Download Full
Note Paper: Installing Nfsen 1.6.12 On Centos >>>>> Download LINK
>>>>> Download Now
Note Paper: Installing Nfsen 1.6.12 On Centos >>>>> Download Full
>>>>> Download LINK tH
Wow... I was in the same boat. I read this post, did it step by step, same thing.. didn't work. Then I read the comments about it not working for Gerhard. I thought, "Ok, this is what I am talking about.. it didn't work for him either!". So I went back and checked everything again! Then, I read your reply and thought, let me look these commands up and see what they actually do. They seemed harmless, so I copied them from your page. BOOM.. it started working immediately! Thanks... been looking at this for 30 minutes thinking, "I am not the only one having this issue, right?" Thanks again!!
ReplyDelete