On 08/08/15 16:53, Mike wrote:
> Greetings;
>
> First, thank you all (& Peter) for your great efforts in the nfdump project,
> it's become a great help to me recently.
>
> I am working on a project which uses Splunk, but due to some license
> limitations, I have been forced (for now) to direct ASA firewall NF exporters
> to a Linux machine, which is then received by nfdump. I am using nfsen to
> view my data, and am hoping to be able to quickly profile the entire
> environment so that I can make recommendations for which outbound ports
> should be blocked (outbound everything is presently permitted). There are
> many outbound connections using ports > 1024 that have a legitimate business
> purpose, and weeding through them all would make my job 24x7. My goal is to
> identify non-business-required ports greater than 1024 so that I can begin
> my block rules on my firewalls, allowing for exceptions as required.
>
> Since this is a monumental task, I was hoping to detect any outbound traffic
> against the many threat lists already contained in Splunk; these are mostly
> CSV files containing either subnets or IP addresses of known bad actor sites.
>
Hmm .. I'm not aware of an automatic plugin, but if you have IPs and net
ranges from a CSV file, you should be able to easily create a filter file like

ip in [ 1.2.3.4 2.3.4.5 3.4.5.6/27 .. ]

I would create a simple profile and use the term "@include <filename>" as
filter, where <filename> is the file you created as described above.

Hope that helps
- Peter

> Is there a plugin, or post-processing tool I could use that would report this
> information for me?
>
> Any insight or assistance would be greatly appreciated.
>
> Kind regards,
>
>
> -mike

------------------------------------------------------------------------------
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
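An added example (editor's code, not Peter's and not part of nfdump or nfsen) of turning a CSV threat list of the kind Mike describes into the "ip in [ ... ]" filter file Peter suggests. It assumes the first CSV column holds an IP address or CIDR range; the sample rows are constructed, not from any real feed. Duplicates and hosts already covered by a listed range are merged so the filter stays short, and malformed rows (including the header) are reported rather than silently dropped. The optional `dst` prefix, to match only the destination side for the outbound question, is an assumption about the nfdump filter syntax and is not stated in the thread.

```python
import csv
import io
import ipaddress
import sys

# Constructed sample of a threat-list CSV (not a real feed): a header row,
# plain IPs, a CIDR range, a host inside that range, a duplicate, and garbage.
SAMPLE_CSV = """indicator,source
1.2.3.4,feed-a
2.3.4.5,feed-a
3.4.5.6/27,feed-b
3.4.5.10,feed-b
1.2.3.4,feed-c
not-an-ip,feed-c
"""


def parse_indicators(text):
    """Return (networks, rejected) from CSV text whose first column is an IP or CIDR.

    Every entry becomes an ip_network (a bare host becomes /32 or /128) so that
    ipaddress.collapse_addresses can merge duplicates and overlapping ranges.
    strict=False normalises host bits, e.g. 3.4.5.6/27 -> 3.4.5.0/27.
    Rows that do not parse (header line, typos) are returned in `rejected`.
    """
    networks, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        value = row[0].strip()
        try:
            networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            rejected.append(value)
    # collapse_addresses refuses mixed address families, so do v4 and v6 apart.
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return collapsed, rejected


def format_entry(net):
    """Print single hosts as bare addresses, ranges in CIDR form, as in Peter's example."""
    if net.num_addresses == 1:
        return str(net.network_address)
    return str(net)


def build_filter(networks, direction=None):
    """Build the 'ip in [ ... ]' expression for a list of networks.

    direction: None (either side), 'src' or 'dst'. Assumption: an nfdump filter
    can be written as 'dst ip in [ ... ]' to match destination addresses only,
    which is the interesting side for outbound traffic to listed hosts.
    """
    if direction not in (None, "src", "dst"):
        raise ValueError("direction must be None, 'src' or 'dst'")
    body = " ".join(format_entry(n) for n in networks)
    prefix = f"{direction} " if direction else ""
    return f"{prefix}ip in [ {body} ]"


def filter_from_csv(text, direction=None):
    """Convenience wrapper: CSV text -> (filter expression, rejected entries)."""
    networks, rejected = parse_indicators(text)
    return build_filter(networks, direction), rejected


if __name__ == "__main__":
    # Usage: python threat_filter.py threatlist.csv threat_ips.filter
    # Then use '@include threat_ips.filter' as the profile filter, as Peter describes.
    src_path, dst_path = sys.argv[1], sys.argv[2]
    with open(src_path, encoding="utf-8") as fh:
        expr, rejected = filter_from_csv(fh.read(), direction="dst")
    with open(dst_path, "w", encoding="utf-8") as out:
        out.write(expr + "\n")
    for bad in rejected:
        print(f"skipped unparseable entry: {bad!r}", file=sys.stderr)
    print(f"wrote {dst_path}; profile filter: @include {dst_path}")
```

Regenerate the filter file whenever the threat list changes, and read the skipped-entry messages: a feed whose rows are mostly rejected usually means the indicator is not in the first column. A hit against this filter only shows that a flow to a listed address occurred; whether that is a problem still depends on the quality of the feed and the port and volume of the flow.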