Hello!

First off, thank you for providing a great set of tools to deal with
Netflow data. It's a really valuable set of tools and I really
appreciate it.

I'm the primary author of "Sagan",  a real time, multi-threaded log
analysis engine.  For more information,  see:

http://sagan.quadrantsec.com.

I recently had an idea of using Sagan to analyze netflow data and nfdump
seemed to be the best approach.  The idea is to have Sagan examine
traffic via the log analysis engine and identify malicious traffic
(via blacklist,  RBL lookup and rule sets).

To keep it short,  I had to make some minor modifications to nfdump to
get the functionality I needed.  In particular,  "nfcapd".   The
modifications I did allow nfcapd to work as normal,  but also send
decoded Netflow data to a FIFO.

Sagan can then read the FIFO and determine if the traffic is malicious
or not.

The modified code is at:

https://github.com/beave/nfdump-1.6.10p1-sagan

I also wrote up a brief "HOWTO":

https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganNetflow

I just wanted to get the word out.  Please let me know if you have any
thoughts and/or comments.


-- 
- Champ Clark III (ccl...@quadrantsec.com)
  Quadrant Information Security (http://quadrantsec.com)
  Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
  GPG Key ID: 0381878A

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss