[netsa-tools-discuss] alternate use of rwstats --percentage

asad a.alii85 at gmail.com
Tue Sep 22 07:47:59 EDT 2015


Angela,

Here is the output of "ps -ef | grep silk"

/usr/local/sbin/rwflowpack
--sensor-configuration=/etc/nsm/NW-SEC-06-eth0/sensors.conf
--site-config-file=/etc/nsm/NW-SEC-06-eth0/silk.conf
--archive-directory=/nsm/sensor_data/NW-SEC-06-eth0/sil /archive
--output-mode=local-storage
--root-directory=/nsm/sensor_data/NW-SEC-06-eth0/silk/
--pidfile=/var/log/rwflowpack.pid --log-level=info
--log-directory=/var/log --log-basename=rwflowpack

Let it be known that SiLK is configured on the "Security Onion" platform.
Here is the sensors.conf (first few lines):

probe S0 netflow-v9
  listen-on-port 2055
  protocol udp
  quirks zero-packets

So, I'm not allowing YAF to talk to rwflowpack by allowing port 18001
in this case. Hope this answers your question?

On 9/21/15, Angela Horneman <ahorneman at cert.org> wrote:
> Asad,
>
> How are you getting the netflow logs into SiLK format/the SiLK repository? I
> know with yaf as the flow sensor, to see TCP flags, you must use the --silk
> flag as one of the yaf options.
>
> Angela
>
> -----Original Message-----
> From: asad [mailto:a.alii85 at gmail.com]
> Sent: Monday, September 21, 2015 2:46 AM
> To: Angela Horneman <ahorneman at cert.org>
> Cc: netsa-tools-discuss at cert.org
> Subject: Re: [netsa-tools-discuss] alternate use of rwstats --percentage
>
> Any update/suggestions?
>
> On 9/18/15, asad <a.alii85 at gmail.com> wrote:
>> Sorry for the attachment; it may appear scrambled (thanks to my
>> proxy). You may open it by simply renaming it as .png. Sorry for the
>> inconvenience.
>>
>> On 9/18/15, asad <a.alii85 at gmail.com> wrote:
>>> This is an update.
>>>
>>> I have edited the cmd as told by "Angela", and now I get a very useful
>>> output which shows that the %Bytes value is never greater than
>>> 0.025112; this explains why --percentage=1 was not working.
>>>
>>> But what is more strange now is that I start to question the suitability of
>>> Cisco ASA asel NetFlow logs; here is the reason why:
>>>
>>>
>>> Changing the command and adding params, e.g. --packets=4- --ack-flag=1,
>>> delivers me zero output. Even more strange (please see attachment)
>>> is that the flags column is empty (it is even empty when no
>>> --ack-flag=1 value is set).
>>>
>>>
>>>
>>> On 9/16/15, asad <a.alii85 at gmail.com> wrote:
>>>> Thanks Angela and Evgeniy. I believe I have been unfair to part I
>>>> have explained my case effectively.
>>>>
>>>> There is a critical server on the enterprise network whose traffic I want
>>>> to monitor for the following usage:
>>>>
>>>> " to monitor connections to and from the server w.r.t. bytes "
>>>>
>>>> This is done to get some way of knowing "normal" behavior for the
>>>> traffic, i.e. the number of bytes sent per day between server and client.
>>>>
>>>> I will try out the suggestions as soon as I get access to the office
>>>> network (currently I'm at home) and will update accordingly.
>>>>
>>>> On Wed, Sep 16, 2015 at 6:22 PM, Angela Horneman
>>>> <ahorneman at cert.org>
>>>> wrote:
>>>>
>>>>> Asad,
>>>>>
>>>>> If you replace --percentage=1 with --count=10 in your first
>>>>> example, there will be a column "%Bytes" in the output. You can use
>>>>> that column to check if any of the 10 DIPs with the greatest byte
>>>>> volumes have a volume that is at least 1% of the total.
>>>>>
>>>>> Angela
>>>>>
>>>>> -----Original Message-----
>>>>> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org [mailto:
>>>>> netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org] On Behalf Of
>>>>> asad
>>>>> Sent: Wednesday, September 16, 2015 12:49 AM
>>>>> To: Evgeniy Sudyr <eject.in.ua at gmail.com>
>>>>> Cc: netsa-tools-discuss at cert.org
>>>>> Subject: Re: [netsa-tools-discuss] alternate use of rwstats
>>>>> --percentage
>>>>>
>>>>> Thanks Eugene,
>>>>>
>>>>> My output is:
>>>>>
>>>>>             sIP       |sPort|      dIP|       dPort|     bytes|
>>>>>   10.10.13.152|    0|   10.10.4.145|    0|        78|
>>>>>   10.10.13.152|    0|   10.10.4.145|    0|        78|
>>>>>   10.10.13.152|    0|   10.10.4.145|    0|        78|
>>>>>
>>>>>
>>>>> With command
>>>>>
>>>>> rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152
>>>>> --start-date=2015/09/13:15 --end-date=2015/09/16:15 | rwsort
>>>>> --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
>>>>>
>>>>> I'm getting bytes in the last column, but I don't know how to get that
>>>>> as a percentage of the total bytes from all records.
>>>>>
>>>>> thanks.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
>>>>> > Ai,
>>>>> >
>>>>> > Are you sure that in your rwfilter results you have more than 1% of
>>>>> Bytes?
>>>>> >
>>>>> > From the rwstats man page:
>>>>> >
>>>>> > --percentage=N  Print the bins where the primary value is
>>>>> > greater-than (or less-than) N percent of the sum of the primary
>>>>> > values across all bins.
>>>>> >
>>>>> >
>>>>> > I think it will be useful to see --count --Packets
>>>>> >
>>>>> >
>>>>> > On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com> wrote:
>>>>> >
>>>>> >> Hi,
>>>>> >>
>>>>> >> I want to know what "alternate options" exist for the following:
>>>>> >>
>>>>> >> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout
>>>>> >> --start-date=2012/11/13:00 --end-date=2012/11/13:23
>>>>> >> --saddress=172.31.253.102 | rwstats --percentage=1 --bytes
>>>>> >> --fields=dip
>>>>> >>
>>>>> >> I don't know why, but using the --percentage=1 flag I get zero results,
>>>>> >> even when I know this IP is present in the records. Is there any reason
>>>>> >> why such would happen?
>>>>> >>
>>>>> >> Or can I move to other rwstats switch parameters to perform the same
>>>>> >> task as I am trying to achieve with --percentage=1?
>>>>> >>
>>>>> >> Thanks.
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >
>>>>> >
>>>>> > --
>>>>> > --
>>>>> > With regards,
>>>>> > Eugene Sudyr
>>>>> >
>>>>>
>>>>>
>>>>
>>>
>>
>
>
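Added example, not part of the thread and not SiLK's own code: a small Python model of what rwstats does with --fields=dip --bytes, so the two behaviours discussed above can be reproduced offline. The flow records are constructed; the 10.10.13.152 source, 10.10.4.x destinations and 78-byte flows are taken from the rwcut output asad posted, while the 4000-destination spread is an assumption chosen so that every bin holds exactly 1/4000 of the bytes (0.025%, close to the 0.025112% asad observed). With that input, a --percentage=1 emulation returns no bins, while the --count=10 emulation still produces rows with a %Bytes column; a second, skewed data set shows the same threshold selecting bins, and that the man page's "greater-than" is strict.

```python
from collections import Counter


def make_flows(n_dips, bytes_each=78, sip="10.10.13.152"):
    """Constructed sample data: one flow of bytes_each bytes from the server to
    each of n_dips distinct destinations (10.10.4.0, 10.10.4.1, ...).
    The n_dips value is an assumption, not something from the thread."""
    flows = []
    for i in range(n_dips):
        dip = "10.10.%d.%d" % (4 + i // 256, i % 256)
        flows.append({"sip": sip, "sport": 0, "dip": dip,
                      "dport": 0, "bytes": bytes_each})
    return flows


def bin_bytes_by_dip(flows):
    """Emulate 'rwstats --fields=dip --bytes': one bin per dIP whose primary
    value is the sum of bytes over all records to that dIP."""
    bins = Counter()
    for f in flows:
        bins[f["dip"]] += f["bytes"]
    return bins


def _ranked(bins):
    """Rows (dip, bytes, %Bytes, cumul_%) sorted by bytes descending.
    %Bytes is the bin's share of the sum over all bins, as a percentage."""
    total = sum(bins.values())
    rows, cum = [], 0.0
    for dip, b in sorted(bins.items(), key=lambda kv: (-kv[1], kv[0])):
        pct = 100.0 * b / total
        cum += pct
        rows.append((dip, b, round(pct, 6), round(cum, 6)))
    return rows


def percentage_bins(bins, threshold):
    """Emulate '--percentage=N' in top mode: keep only the bins whose share is
    strictly greater than N percent of the total (per the man page wording)."""
    return [r for r in _ranked(bins) if r[2] > threshold]


def count_bins(bins, n):
    """Emulate '--count=N': the N bins with the largest byte sums, each with
    its %Bytes value, so the share can be inspected even when it is tiny."""
    return _ranked(bins)[:n]


def max_share_percent(bins):
    """Largest %Bytes value over all bins (0.0 for an empty bin set)."""
    rows = _ranked(bins)
    return rows[0][2] if rows else 0.0


def print_rows(title, rows):
    print(title)
    print("%16s|%10s|%10s|%10s|" % ("dIP", "Bytes", "%Bytes", "cumul_%"))
    for dip, b, pct, cum in rows:
        print("%16s|%10d|%10.6f|%10.6f|" % (dip, b, pct, cum))
    print()


if __name__ == "__main__":
    even = bin_bytes_by_dip(make_flows(4000))
    print("largest %%Bytes in the evenly spread set: %.6f" % max_share_percent(even))
    print_rows("--percentage=1 emulation (no bin exceeds 1%):",
               percentage_bins(even, 1.0))
    print_rows("--count=10 emulation (shares are visible anyway):",
               count_bins(even, 10))

    # Constructed skewed set: one destination dominates, so the threshold bites.
    skewed = bin_bytes_by_dip([
        {"sip": "10.10.13.152", "sport": 0, "dip": "10.10.4.1", "dport": 0, "bytes": 900},
        {"sip": "10.10.13.152", "sport": 0, "dip": "10.10.4.2", "dport": 0, "bytes": 80},
        {"sip": "10.10.13.152", "sport": 0, "dip": "10.10.4.3", "dport": 0, "bytes": 20},
    ])
    print_rows("--percentage=5 emulation on the skewed set:", percentage_bins(skewed, 5.0))
```

The practical reading is the one Angela gave: when the biggest share is far below the threshold, --percentage=N is empty by definition, and --count=N with its %Bytes column is the way to see how much of the server's traffic each peer actually carries.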

