Thank you Peter,

I'm not sure how valuable they would be outside of Sagan, but I at least wanted to let you know how we are using nfdump.

On 01/29/2014 01:41 PM, Peter Haag wrote:
> Many thanks Champ! I'll definitely have a look at the patches.
>
> Many thanks!
>
> - Peter
>
> On 2/1/14 2:27 AM, Champ Clark III wrote:
>> Hello!
>>
>> First off, thank you for providing a great set of tools to deal with
>> Netflow data. It's a really valuable set of tools and I really
>> appreciate it.
>>
>> I'm the primary author of "Sagan", a real-time, multi-threaded log
>> analysis engine. For more information, see:
>>
>> http://sagan.quadrantsec.com.
>>
>> I recently had an idea of using Sagan to analyze netflow data, and nfdump
>> seemed to be the best approach. The idea is to have Sagan examine
>> traffic via the log analysis engine and identify malicious traffic
>> (via blacklist, RBL lookup and rule sets).
>>
>> To keep it short, I had to make some minor modifications to nfdump to
>> get the functionality I needed, in particular to "nfcapd". The
>> modifications I made allow nfcapd to work as normal, but also send
>> decoded Netflow data to a FIFO.
>>
>> Sagan can then read the FIFO and determine if the traffic is malicious
>> or not.
>>
>> The modified code is at:
>>
>> https://github.com/beave/nfdump-1.6.10p1-sagan
>>
>> I also wrote up a brief "HOWTO":
>>
>> https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganNetflow
>>
>> I just wanted to get the word out. Please let me know if you have any
>> thoughts and/or comments.
>>
>> _______________________________________________
>> Nfdump-discuss mailing list
>> Nfdump-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

--
Quadrant Information Security
Champ Clark III
o: 800.538.9357 x 101
c: 850.443.2440

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
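The consumer side of the pattern Champ describes (nfcapd writes decoded flow records to a FIFO, an analysis engine reads them and flags matches against a blacklist and a rule set), as an added, stand-alone example. This is not code from Sagan, nfdump or the patched nfcapd on GitHub, and the pipe-separated record layout, the field order, the blocklist CIDRs, the rules and the sample flow lines are all assumptions constructed for illustration; the real format written by the patched nfcapd is documented in the HOWTO linked above, not here. RBL lookups are left out so the example runs offline.

```python
"""Consume decoded flow records from a FIFO (or any line source) and flag
matches against an IP blocklist and a small rule set.

ASSUMED record format, one flow per line (not Sagan's or nfcapd's real format):
    epoch_seconds|proto|src_ip|src_port|dst_ip|dst_port|packets|bytes
"""
import ipaddress
import sys
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
FIELD_COUNT = 8


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src: IPAddr
    sport: int
    dst: IPAddr
    dport: int
    packets: int
    octets: int


@dataclass(frozen=True)
class Alert:
    line_no: int
    reason: str
    flow: Flow


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for malformed lines instead of raising,
    so a single bad record from the writer cannot stall the consumer."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != FIELD_COUNT:
        return None
    try:
        return Flow(int(parts[0]), parts[1].upper(),
                    ipaddress.ip_address(parts[2]), int(parts[3]),
                    ipaddress.ip_address(parts[4]), int(parts[5]),
                    int(parts[6]), int(parts[7]))
    except ValueError:
        return None


def compile_blocklist(cidrs: Iterable[str]) -> List[IPNet]:
    # strict=False tolerates host bits set in feed entries such as 203.0.113.9/24
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def first_match(ip: IPAddr, blocklist: List[IPNet]) -> Optional[IPNet]:
    # `ip in net` is False when address and network families differ (v4 vs v6)
    return next((net for net in blocklist if ip in net), None)


# Illustrative rules (assumed, not Sagan's rule language): name -> predicate.
RULES: List[Tuple[str, Callable[[Flow], bool]]] = [
    ("tcp-dst-port-4444", lambda f: f.proto == "TCP" and f.dport == 4444),
    ("high-volume-flow", lambda f: f.octets >= 100_000_000),
]


def scan(lines: Iterable[str], blocklist: List[IPNet],
         rules: List[Tuple[str, Callable[[Flow], bool]]]) -> Tuple[List[Alert], int]:
    """Return (alerts, malformed_line_count). Both endpoints of every flow are
    checked against the blocklist, then every rule is evaluated."""
    alerts: List[Alert] = []
    malformed = 0
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            malformed += 1
            continue
        for label, ip in (("src", flow.src), ("dst", flow.dst)):
            net = first_match(ip, blocklist)
            if net is not None:
                alerts.append(Alert(n, f"blocklist:{label}:{net}", flow))
        for name, pred in rules:
            if pred(flow):
                alerts.append(Alert(n, f"rule:{name}", flow))
    return alerts, malformed


def follow_fifo(path: str) -> Iterator[str]:
    """Yield lines from a FIFO forever; open() blocks until a writer attaches,
    and the loop reopens after the writer closes its end (EOF)."""
    while True:
        with open(path, "r") as fifo:
            for line in fifo:
                yield line


# Constructed sample records (RFC 5737 / 3849 documentation addresses).
SAMPLE_LINES = [
    "1391023260|TCP|10.0.0.5|51234|198.51.100.7|443|12|2048",
    "1391023261|TCP|203.0.113.9|4444|10.0.0.5|49152|3|180",
    "1391023262|UDP|10.0.0.5|53001|10.0.0.53|53|1|76",
    "1391023263|TCP|10.0.0.8|52000|203.0.113.250|4444|5|400",
    "garbage line",
    "1391023264|TCP|2001:db8::10|40000|2001:db8:bad::1|80|2|300",
]
BLOCKLIST = compile_blocklist(["203.0.113.0/24", "2001:db8:bad::/48"])

if __name__ == "__main__":
    source = follow_fifo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    found, bad = scan(source, BLOCKLIST, RULES)
    for a in found:
        print(f"line {a.line_no}: {a.reason} {a.flow.src}:{a.flow.sport} -> {a.flow.dst}:{a.flow.dport}")
    print(f"malformed records skipped: {bad}")
```

Run it with no arguments to scan the embedded sample, or with the FIFO path as the only argument to block on a live writer. Reopening the FIFO after EOF matters in practice: if the writer restarts, a consumer that simply exits at EOF silently stops alerting.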