[netsa-tools-discuss] SiLK 4.0.0 probe quirks

Mark Thomas mthomas at cert.org
Fri Jul 7 11:13:40 EDT 2017


Bo-

During testing, all the input to SiLK 4 was from YAF, and the C code
converts the IPFIX data to the SiLK format assuming the input is
YAF.

Modifying the Lua-based packing function to handle sources other
than YAF is not too difficult.  I have attached an rwflowpack
configuration file that works with the samples of NetFlow v9 data I
have that includes the firewallEvent information element (which is
sometimes exported as the NF_F_FW_EVENT information element).

I hope that helps.

-Mark


-----Original Message-----
From: Bo Bayles <bbayles at obsrvbl.com>
Date: Wed, 5 Jul 2017 13:42:45 -0500
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] SiLK 4.0.0 probe quirks

I was pleased to see some significant development of the SiLK tools
with the 4.0.0 beta release. However, when I went to test, I found it
difficult to figure out whether there is a way to adapt the "quirks"
that flowcap supported to the now-improved rwflowpack.

I glanced through the source to see if those had just not made the
documentation, but I wasn't able to come to a firm conclusion. Perhaps
someone on this list can answer whether I'm missing something or
whether this just isn't available yet in the beta?

My application is receiving NetFlow from Cisco ASA exporters, which
need the zero-packet and firewall-events quirks.

Many thanks,

-Bo


-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewall.lua
Type: application/octet-stream
Size: 6349 bytes
Desc: not available
URL: <http://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/attachments/20170707/0e779ea6/attachment.obj>
