Greetings. First, thank you all (and Peter) for your great efforts in the nfdump project; it has become a great help to me recently.

I am working on a project which uses Splunk, but due to some license limitations I have been forced (for now) to direct ASA firewall NetFlow exporters to a Linux machine, where the data is received by nfdump. I am using nfsen to view my data, and am hoping to be able to quickly profile the entire environment so that I can make recommendations for which outbound ports should be blocked (outbound everything is presently permitted). There are many outbound connections using ports > 1024 that have legitimate business purposes, and weeding through them all would make my job 24x7. My goal is to identify ports greater than 1024 that are not required for business so that I can begin my block rules on my firewalls, allowing for exceptions as required.

Since this is a monumental task, I was hoping to detect any outbound traffic against the many threat lists already contained in Splunk; these are mostly CSV files containing either subnets or IP addresses of known bad-actor sites. Is there a plugin, or a post-processing tool, I could use that would report this information for me? Any insight or assistance would be greatly appreciated.

Kind regards,
-mike
_______________________________________________ Nfdump-discuss mailing list Nfdump-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
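One way to do the post-processing asked about above, as an added example that is not part of the original post or of the nfdump project: feed `nfdump -o csv` output to a small script that parses the threat-list CSVs (IP or CIDR in the first column) and reports outbound flows whose destination falls in a listed network, tallied by destination port. The flow rows, the threat list and the internal range 10.0.0.0/8 are constructed; the script assumes the `sa`, `da`, `dp` and `pr` column names that `nfdump -o csv` emits.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed threat list: one IP or CIDR in column 1, optional label, '#' lines ignored.
THREAT_LIST = """# labels below are made up for this example
198.51.100.0/24,example-c2-range
192.0.2.9,example-bad-host
"""
# Constructed flow rows using nfdump's CSV column names; the header is assumed to match
# `nfdump -o csv` and only sa/da/dp/pr are read, so extra columns do not matter.
FLOWS = """ts,te,td,sa,da,sp,dp,pr,ipkt,ibyt
2024-01-01 10:00:00,2024-01-01 10:00:01,1.000,10.0.0.5,203.0.113.7,51234,443,TCP,10,1200
2024-01-01 10:00:02,2024-01-01 10:00:03,1.000,10.0.0.6,198.51.100.20,51235,4444,TCP,5,600
2024-01-01 10:00:04,2024-01-01 10:00:05,1.000,10.0.0.7,192.0.2.9,51236,8080,TCP,7,700
2024-01-01 10:00:06,2024-01-01 10:00:07,1.000,198.51.100.20,10.0.0.6,4444,51235,TCP,5,600
2024-01-01 10:00:08,2024-01-01 10:00:09,1.000,10.0.0.8,198.51.100.99,51237,4444,TCP,3,300
Summary
"""

def load_threat_list(text):
    """Return ip_network objects; single hosts become /32 or /128 networks."""
    nets = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].strip().startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(row[0].strip(), strict=False))
        except ValueError:
            pass  # skip a malformed entry rather than abort the whole run
    return nets

def match_outbound(flow_csv, nets, internal="10.0.0.0/8"):
    """Return (hit rows, Counter of (proto, dst port)) for outbound flows to listed nets."""
    inside = ipaddress.ip_network(internal)
    hits, ports = [], Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            sa, da = ipaddress.ip_address(row["sa"]), ipaddress.ip_address(row["da"])
        except (KeyError, ValueError, TypeError):
            continue  # nfdump appends a Summary block whose rows have no valid sa/da
        if sa not in inside or da in inside:
            continue  # keep internal -> external flows only
        if any(da in net for net in nets):
            hits.append(row)
            ports[(row["pr"], int(row["dp"]))] += 1
    return hits, ports
```

In practice the flow text comes from something like `nfdump -R /path/to/profile -o csv 'dst port > 1024'` piped into the script; the per-flow linear scan over the list is fine for a few thousand entries, but for very large lists a prefix tree (e.g. a radix-tree module) should replace the `any(...)` check.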