Monday, June 11, 2007

It's all about Network Flow

Argus is my favorite tactical tool when performing flow based analysis and I have mentioned about it quiet a few times in my blog. While it works pretty well and flexible with its powerful client tools to do flow processing, it also offers complex usages. I have found two new weapons lately which can enhance my flow based analysis and complementing.

Undoubtedly argus can eat cisco netflow data, but that's not what argus do best. Argus is more pcap friendly instead of netflow data. Then which tools are great in Open Source arsenal to process netflow? I vote silktools where you can find at -

http://silktools.sourceforge.net/

Silktools is developed as part of NetSA security where you can find at -

http://tools.netsa.cert.org/

It is undeniable that all other projects are interesting too, but that doesn't make my point here and I have no time to check them out yet. The main reason why I'm looking into silktools is because it also offers wide range of analysis tools like argus do. Instead of just doing flow data collection, one can perform in depth analysis on the netflow data using the analysis tools that packed with silktools. But again I found out all these great tools come with complexity and that blow away a lot of new comers.

No fear, silktools comes with great documentation, I greatly appreciate all the hard works that have been put into it not only on the coding section but documentation. You can just learn them from the ground up at -

http://silktools.sourceforge.net/silk_docs.html

Check out the silktools analyst handbook and you may find it interesting, I have read through it and about time to bring them into practice.

The second weapon that worth mentioning is ourmon. You can find that I have installed it on FreeBSD. Ourmon is incredible in doing flow anomaly and heuristic detection that brought to you by Jim Binkley. While it doesn't emphasize on post or offline processing, it is the weapon that concentrating on real time analysis combining it's meaningful network graphs. I'm still learning to utilize ourmon in wide area network environment.

Combining argus, silktools and ourmon, I'm sured you will have a lot of fun to research on the network flow. Except argus 3, silktools and ourmon are available via FreeBSD port. Feel free to try them out. Other network flow processing tools that are great should be flow-tools and nfdump.

Peace ;]

3 comments:

Anonymous said...

Hi Geek00l'
if you talking about floow-tools you should check this artice: http://www.onlamp.com/pub/a/bsd/2005/08/18/Big_Scary_Daemons.html?page=1

I know, it is from 2005 but is very interesting :)

Anonymous said...

Have you looked @ Arbor's Peakflow tools?

geek00L said...

anonymous 1,

Yeah I have read that before. It's very useful article indeed.

anonymous 2,

I don't have access to Arbor device so no comment about it. Hopefully I can get chance to learn about it soon but currently all I do is more open source centric.

Sorry but I don't know how to differentiate so I name it 1 and 2.

Cheers.