[netsa-tools-discuss] Support for PaloAlto NFv9 fields?

Chris Inacio inacio at cert.org
Thu Feb 5 11:52:41 EST 2015


Mike,

I’ll let the people who do the hard work answer the part about how to best leverage SiLK v3 to capture your use case.  I really more wanted to comment on flexible storage types in future releases of SiLK.  We have been hard at work for some time on that feature.  Flexible types, really supporting the IPFIX model, will be a big change in SiLK v4.  There are other changes as well, but the impacts of changing to a flexible data record are pretty significant.


Regards,
--
Christopher Inacio
Technical Manager, Development and Operations
CERT/CC, Software Engineering Institute
Carnegie Mellon University
inacio at cert.org



> On Feb 5, 2015, at 10:13 AM, Mike Donovan <mdonovan at sunyrockland.edu> wrote:
> 
> Hello, I'm just setting up my first SiLK/FlowViewer system, to monitor 
> NetFlow v9 data from a new Palo Alto firewall, which offers an option to 
> export two extra fields containing the username and application:
> 
> https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/2014-102-5-11072/Netflow-Fields-4.1-RevB.pdf
> 
> I saw a recent suggestion on this list to customize IPv6 data file 
> processing to hide extra data in unused fields, but I don't think there's 
> enough unused space (I'd need up to 96 bytes) to accommodate those two 
> text fields.
> 
> I'm assuming that SiLK can't do exactly what I want, yet; but please take 
> this as a note in the suggestion box, when you start adding support for 
> flexible file formats, that text fields (and text-matching operators) 
> would be very useful.
> 
> For now though, would it make sense to try to extend the packlogic 
> flowtype code to at least hash those strings into a class/type pair or 
> yaf-style applabel or in/out index value or bogus MAC address data I could 
> access later on? Can a packlogic module do all of the work, or would I 
> need to customize rwflowpack's stream parsing or other parts just to make 
> the strings available for hashing? Can PySiLK help?
> 
> 




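Mike's interim idea above is to fold the Palo Alto username and application strings into numeric fields the fixed-width record already has, so they can be filtered on later. The following is an added illustration of that approach, not code from this thread, from SiLK, or from Palo Alto. It shows the two ways the mapping can be done and the trade-off between them: a stateless hash folded to the field width (no shared state, but lossy and collision-prone, so the original string cannot be recovered from the stored value), and a persisted interning table that hands out sequential IDs and can resolve them back, failing loudly when the field width is exhausted instead of silently colliding. The record layout used here (a dict with hypothetical `in`/`out` keys 16 bits wide, sample values constructed) is an assumption for the example, not SiLK's actual format.

```python
"""Carry free-text NetFlow v9 fields (username, application) in the
fixed-width numeric fields of a flow record.

Two strategies, both illustrated:
  1. hash_to_width(): stateless FNV-1a hash XOR-folded to N bits. Needs no
     shared state, but two strings can collide and the text is not
     recoverable from the stored number (keep the hash->string log elsewhere).
  2. StringIndex: an interning table that assigns sequential IDs and is
     persisted as JSON, so a stored ID resolves back to its string.
The "in"/"out" 16-bit field layout below is assumed for the example.
"""
import json
import os
import tempfile
from itertools import combinations

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193


def fnv1a_32(data):
    """Plain 32-bit FNV-1a over a byte string."""
    h = FNV_OFFSET_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


def hash_to_width(text, bits):
    """XOR-fold the 32-bit hash down to `bits` bits so it fits a narrow field."""
    h = fnv1a_32(text.encode("utf-8"))
    mask = (1 << bits) - 1
    folded = 0
    while h:
        folded ^= h & mask
        h >>= bits
    return folded


def collisions(strings, bits):
    """Pairs of distinct strings that fold to the same value at this width."""
    return [(a, b) for a, b in combinations(sorted(set(strings)), 2)
            if hash_to_width(a, bits) == hash_to_width(b, bits)]


class StringIndex:
    """Stable string -> small-int map with a reverse table, optionally file-backed."""

    def __init__(self, bits, path=None):
        self.max_id = (1 << bits) - 1
        self.path = path
        self.to_id = {}
        self.to_str = {}
        if path and os.path.exists(path):
            with open(path, encoding="utf-8") as f:
                # JSON keys come back as strings; restore the int IDs
                self.to_str = {int(k): v for k, v in json.load(f).items()}
            self.to_id = {v: k for k, v in self.to_str.items()}

    def intern(self, text):
        """Return the ID for `text`, allocating one if new. 0 is reserved for 'unknown'."""
        if text in self.to_id:
            return self.to_id[text]
        new_id = len(self.to_id) + 1
        if new_id > self.max_id:
            raise OverflowError("field width exhausted after %d strings" % self.max_id)
        self.to_id[text] = new_id
        self.to_str[new_id] = text
        return new_id

    def resolve(self, ident):
        """Reverse lookup; None if the ID was never assigned."""
        return self.to_str.get(ident)

    def save(self):
        if self.path:
            with open(self.path, "w", encoding="utf-8") as f:
                json.dump(self.to_str, f)


def try_intern(index, text):
    """Intern, returning None instead of raising when the width is exhausted."""
    try:
        return index.intern(text)
    except OverflowError:
        return None


def pack_record(rec, users, apps):
    """Copy a flow record, moving username/application into the numeric in/out fields."""
    out = {k: v for k, v in rec.items() if k not in ("username", "application")}
    out["in"] = users.intern(rec["username"]) if rec.get("username") else 0
    out["out"] = apps.intern(rec["application"]) if rec.get("application") else 0
    return out


def roundtrip_demo():
    """Intern through a file-backed table, reload it, and resolve the stored ID."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "users.json")
        users = StringIndex(16, path)
        users.intern("alice")  # constructed sample username
        users.save()
        return StringIndex(16, path).resolve(1)
```

`collisions()` is the check to run over the real set of usernames and application names before trusting the stateless hash at a given width; the interning table avoids the question entirely as long as the number of distinct strings stays under the field's capacity, which is why it raises rather than wrapping.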