[netsa-tools-discuss] Support for PaloAlto NFv9 fields?

Mike Donovan mdonovan at sunyrockland.edu
Thu Feb 5 10:13:26 EST 2015


Hello, I'm just setting up my first SiLK/FlowViewer system, to monitor 
NetFlow v9 data from a new Palo Alto firewall, which offers an option to 
export two extra fields containing the username and application:

https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/2014-102-5-11072/Netflow-Fields-4.1-RevB.pdf

I saw a recent suggestion on this list to customize IPv6 data file 
processing to hide extra data in unused fields, but I don't think there's 
enough unused space (I'd need up to 96 bytes) to accommodate those two 
text fields.

I'm assuming that SiLK can't do exactly what I want, yet; but please take 
this as a note in the suggestion box, when you start adding support for 
flexible file formats, that text fields (and text-matching operators) 
would be very useful.

For now though, would it make sense to try to extend the packlogic 
flowtype code to at least hash those strings into a class/type pair or 
yaf-style applabel or in/out index value or bogus MAC address data I could 
access later on? Can a packlogic module do all of the work, or would I 
need to customize rwflowpack's stream parsing or other parts just to make 
the strings available for hashing? Can PySiLK help?