[netsa-tools-discuss] SiLK - Netstream Support

GOODALL Richard Richard.goodall at ed.ac.uk
Thu Apr 15 10:47:13 EDT 2021


Hi,

We currently use SiLK as a key part of our tool set in the investigation of security incidents.

Flow data is currently being exported from Cisco hardware using NetFlow, however we are about to migrate our entire network estate onto HP equipment which does not support NetFlow, but rather NetStream and SFlow.

I can see from the FAQ that SiLK does support SFlow. However, this seems less preferable for security investigations as it is sampled and does not appear to log time. The omission of time stamps in addition to the use of sampled flow data (in the case of SFlow) seems to reduce the benefit of the flow data in a security investigation considerably. Appreciate that this is not a limitation of SiLK, but curious if other SiLK users have faced this problem and if there are ways around it.

From what I can gather, NetStream supports unsampled 1:1 flow data and does log time, so seems like the best alternative to NetFlow in my case.

I'd be extremely grateful if someone could confirm if SiLK supports NetStream?

Any other advice as to how I can continue to utilise SiLK practically in this situation would also be very welcome. It is a great network analysis tool and one that I am keen to continue using going forward if at all practically possible.

Much appreciated
Richard


Communications Infrastructure Services
IT Infrastructure Division, Information Services
The University of Edinburgh
Argyle House,
3 Lady Lawson Street,
Edinburgh,
EH3 9DR

Richard.Goodall at ed.ac.uk



The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.