cisco netflow data
Results 1 - 15 of about 4965
DB based NetFlow Collector 1.0
DB based NetFlow Collector aims to collect Cisco NetFlow data and store it in a database.
DB based NetFlow Collector has a plugin interface, which makes it flexible enough to fit particular tasks.
Enhancements:
- First release. Post your comments/bug reports.
Download (0.47MB)
Added: 2006-06-19 License: GPL (GNU General Public License) Price:
1231 downloads
Softflowd 0.9.8
Softflowd is a flow-based network traffic analyser capable of Cisco NetFlow data export.
Download (0.080MB)
Added: 2006-11-02 License: BSD License Price:
1093 downloads
Cisco::IPPhone 0.05
Cisco::IPPhone is a package for creating Cisco IPPhone XML objects.
SYNOPSIS
use Cisco::IPPhone;
$mytext = new Cisco::IPPhone;
$mytext->Text({ Title => "My Title", Prompt => "My Prompt",
                Text => "My Text" });
$mytext->AddSoftKeyItem({ Name => "Update", URL => "SoftKey:Update",
                          Position => "1" });
$mytext->AddSoftKeyItem({ Name => "Exit", URL => "SoftKey:Exit",
                          Position => "2" });
print $mytext->Content;
Cisco::IPPhone - Package for creating Cisco IPPhone XML applications
This Cisco IPPhone module was created to provide a simple, convenient method to display Cisco IP Phone objects and gather input from a Cisco 7940 or 7960 IP Phone. This module supports all known Cisco XML objects for 7940 and 7960 phones. Knowledge of Cisco XML syntax is not a requirement.
This Perl module gives the ability to use simple Perl objects to display XML on the IP Phone, unlike the Cisco Software Development Kit (SDK), which uses Microsoft IIS Server, ASPs, JSPs, JavaScript and COM objects, and requires knowledge of XML syntax.
The following list gives typical services that might be supplied to a phone:
- Weather
- Stock information
- Contact information
- Company news
- To-do lists
- Real-time NFL scores
- Daily schedule
Download (0.17MB)
Added: 2006-07-31 License: Perl Artistic License Price:
1202 downloads
cflowd 2.0
cflowd is a flow analysis tool currently used for analyzing Cisco's NetFlow-enabled switching method.
The current release (described below) includes the collection, storage, and basic analysis modules for cflowd and for the arts++ libraries. This analysis package permits data collection and analysis by ISPs and network engineers in support of capacity planning, trend analysis, and characterization of workloads in a network service provider environment. Other areas where cflowd may prove useful are: tracking for Web hosting, accounting and billing, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations.
cflowd is no longer supported by CAIDA. Instead, please consider the use of flow-tools, which will provide a toolset for working with NetFlow data. flow-tools can also be used (like cflowd) in conjunction with FlowScan, maintained by Dave Plonka at the University of Wisconsin, Madison.
Download (5.4MB)
Added: 2006-06-29 License: GPL (GNU General Public License) Price:
700 downloads
Common Data Format 3.1
Common Data Format is a self-describing data abstraction for the storage and manipulation of multidimensional data in a platform- and discipline-independent fashion.
It consists of a scientific data management package (known as the "CDF Library") that allows programmers and application developers to manage and manipulate scalar, vector, and multi-dimensional data arrays.
Enhancements:
- Adds new sets of APIs to allow Standard Interface to interact with zVariables and other CDF-related information.
- Adds MingW and FreeBSD ports.
- Adds support for Intel C++ and Fortran for Linux.
- Adds the ability to create legacy CDF 2.7 files.
- Fixes a bug that prevented directories from having .cdf or .skt extensions.
Download (1.5MB)
Added: 2006-03-13 License: Public Domain Price:
1320 downloads
Cisco IP Accounting Fetcher 1.4.3
Cisco IP Accounting Fetcher is a set of Perl scripts that allows you to fetch IP accounting data from Cisco routers. There is only one configuration file, "getdata.conf".
Main features:
- fetch accounting data from the router
- generate the HTML statistics
Download (0.012MB)
Added: 2006-06-28 License: GPL (GNU General Public License) Price:
710 downloads
OSSP flow2rrd 0.9.0
OSSP flow2rrd is a companion tool to the Flow-Tools toolkit for storing NetFlow network traffic data in an accumulating fixed-size RRDTool Round-Robin-Database (RRD) for visualization purposes.
This file is part of OSSP flow2rrd, a tool for storing NetFlow data in an RRD, which can be found at http://www.ossp.org/pkg/tool/flow2rrd/.
Enhancements:
- Created the initial version of OSSP flow2rrd.
Download (0.060MB)
Added: 2006-06-29 License: (FDL) GNU Free Documentation License Price:
1214 downloads
Cisco Monitoring Tool 0.3
Cimon is a Perl program which monitors the load (memory and CPU) on Cisco routers using SNMP, and generates graphics with statistics using rrdtool. It is a good source of information about your routers' health.
It monitors and displays the 5-minute CPU utilization in percent and free+used processor memory. The I/O memory (usually 2 MB), or Fast memory on high-end routers, is monitored too, but there is no graphic for it. From version 0.2 Cimon can do IP accounting using the Cisco IP accounting feature.
The log files it generates, as well as the RRD files needed for the graphics, are fully compatible with those produced by sasacct (SAS's accounting statistics), so you can use its CGI interface and its ability to generate graphics on demand or at a user-defined interval (via crontab and the -g option).
Download (0.007MB)
Added: 2006-06-29 License: BSD License Price:
1227 downloads
flowd 0.9
flowd is a fast, small and secure NetFlow collector.
Main features:
- Understands NetFlow protocol v.1, v.5, v.7 and v.9 (including IPv6 flows)
- Supports both IPv4 and IPv6 transport of flows
- Secure: flowd is privilege separated to limit the impact of any compromise
- Supports filtering and tagging of flows, using a packet filter-like syntax
- Stores recorded flow data in a compact binary format which supports run-time choice over which flow fields are stored
- Ships with both Perl and Python interfaces for reading and parsing the on-disk record format
- Is licensed under a liberal BSD-like license
- Supports reception of flow export datagrams sent to multicast groups (IPv4 and IPv6), thereby allowing the construction of redundant flow collector systems
flowd works with any standard NetFlow exporter, including hardware devices (e.g. routers) or software flow tracking agents, such as my own softflowd and pfflowd. Please refer to the README for more information.
The flowd daemon follows the Unix philosophy of "doing one thing well": it doesn't try to do anything beyond accepting NetFlow packets and storing them in a standard format on disk. In particular, it does not include support for storing flows in multiple formats or performing data analysis. That sort of thing is left to external tools. The source distribution includes several example tools, including a basic reporting script and one to store flows in an SQL database.
Enhancements:
- This release includes major improvements to performance and functionality.
- In particular, the flow format has been modified to store more information and be faster to read, input and output buffering has been improved, new flow filtering options have been added, and the Python API has been rewritten and extended to be many times faster.
Download (0.17MB)
Added: 2006-02-27 License: BSD License Price:
1337 downloads
File::Data 1.12
File::Data is a Perl module providing an interface to file data.
Wraps all the accessing of a file into a convenient set of calls for reading and writing data, including a simple regex interface.
Note that the file needs to exist prior to using this module!
See new()
SYNOPSIS
use strict;
use File::Data;
my $o_dat = File::Data->new('./t/example');
$o_dat->write("complete file contents\n");
$o_dat->prepend("first line\n");                 # line 0
$o_dat->append("original second (last) line\n");
$o_dat->insert(2, "new second line\n");          # inc. zero!
$o_dat->replace('line', 'LINE');
print $o_dat->READ;
Or, perhaps more seriously :-}
my $o_sgm = File::Data->new('./sgmlfile');
print "new SGML data: ".$o_sgm->REPLACE(
    '\s*((?s).*)\s*',
    qq| key="val" |,
) if $o_sgm;
See METHODS and EXAMPLES.
IMPORTANT
lowercase method calls return the object itself, so you can chain calls.
my $o_obj = $o_dat->read;   # lowercase read, not READ
Download (0.013MB)
Added: 2007-04-26 License: Perl Artistic License Price:
914 downloads
Deep Network Analyser 1.5 GA
DNA (Deep Network Analyser) is an open, flexible, and extensible deep network analyzer server and software architecture for passively gathering and analyzing network packets, network sessions, and applications protocols.
The Deep Network Analyser project is designed to be used for Internet security, network management, intrusion detection, protocol and network analysis, information gathering, and network monitoring applications.
Main features:
- Extensible Java-based network sensor (processing layers 2-7)
- Configurable processing and output:
  - Packet flows like Ethereal
  - IP flows like Cisco NetFlow
  - Stateful sessions (client/server flow pairs)
  - Application protocol element output
- Configurable and extensible application protocol element parsing
- Application protocol parsing toolkit APIs allow new protocol parsers to be easily developed and extended
- Targeting-based full session capture facility, like a real-time targeted tcpdump
- Flexible targeting, from (IP address, port) tuples to application-sensitive targeting
- Configurable and extensible output forwarding (file, DB, streams, JMS, RMI, etc.)
- Extensible real-time collection, portable to many OS/packet processing environments
- Easily adaptable to packet processing environments:
  - Specialized Linux driver mechanisms
  - Network appliances
  - Network switches / routers
- Highly multithreaded for increased performance in multiprocessor environments
Enhancements:
- Adoption of OpenAdaptor(tm) as the Output Adapter mechanism.
- Support for local-only administration.
- A new targeted packet capture parser, new run scripts, and a new install mechanism.
- Many bugfixes.
Download (12.3MB)
Added: 2006-01-09 License: GPL (GNU General Public License) Price:
1391 downloads
Sunrise Data Dictionary 1.00
Sunrise Data Dictionary is a library for hashtable storage of arbitrary data objects with built-in reference counting and guaranteed order iteration for the C programming language.
Sunrise Data Dictionary library can participate in external reference counting systems or use its own built-in reference counting. It comes with a variety of hash functions and allows the use of runtime supplied hash functions via callback mechanism. The source code is well documented.
The Sunrise Data Dictionary was specifically designed for use within the Afelio and Callweaver telephony servers; the implementation focuses on performance and scalability.
Enhancements:
- This is the initial release of the full API (all header files) and a developer snapshot of the implementation.
Download (0.17MB)
Added: 2007-07-16 License: MIT/X Consortium License Price:
832 downloads
MySpace Data Mining Tools 1.1
MySpace Data Mining Tools are a set of Java classes designed to mine information from MySpace profile and blog pages using a multi-threaded Web page access method.
Enhancements:
- Direct database connectivity via JDBC was implemented for data storage.
- A basic user profile class was created to handle both user data compression and database access.
- Minor bugs were fixed for some of the raw data accessing routines.
Download (0.035MB)
Added: 2006-07-30 License: GPL (GNU General Public License) Price:
1191 downloads
Ipanto Lite for Cisco IOS DHCP 3.0.2
Ipanto Lite for Cisco IOS DHCP provides monitoring of Cisco IOS DHCP and IP address management. It has a user-friendly and intuitive Web GUI, monitoring of Cisco IOS DHCP scopes, and reporting (IP utilization and history).
Ipanto Lite is quick and easy to implement, reduces manual repetitive operations, and can replace your spreadsheet.
Major features:
- User-friendly and intuitive Web GUI
- 1 user profile with full admin rights
- Reporting (IP utilization and history)
Major benefits:
- Quick and easy implementation
- Reduced manual repetitive operations
- Replaces your spreadsheet
Enhancements:
- This version is a service release that provides miscellaneous corrections and improvements.
- The Ipanto Database has been updated to provide more accurate statistics and to improve log storage usage.
- The Ipanto WebGUI has been improved to provide localized settings, DHCP hosts listing per subnet, and optimized display for large subnet/location sets.
Download (71.3MB)
Added: 2007-05-20 License: Freeware Price:
898 downloads
glFlow 0.1.4
glFlow is a (D)DoS logger written with speed in mind. glFlow detects attacks on high-speed links through real-time flow aggregation and analysis.
What do I run it on?
It was written on FreeBSD and tested on both FreeBSD and Linux. It should work on any OS to which libpcap and OpenSSL have been ported. The rest of the code is perfectly portable.
How does it work?
Cisco Systems have defined the flow as a four-value tuple: {srcaddr, srcport, dstaddr, dstport}. The format evolved over time. The complete structures for the various NetFlow versions are available on Cisco's site. Now, let's assume that the attacker floods the victim with packets that keep the same characteristics throughout the duration of the attack: no source spoofing, no source port increments or randomization. That would lead to a very large packet rate inside that flow. glFlow calculates the average packet rate in every flow and raises an alarm signal if the threshold is hit.
What about spoofed attacks? How are they detected? Simple. glFlow keeps a history for every destination host that it sees. When a new flow is created, the flow counter for that host is incremented. The average number of newly created flows corresponding to a specific host in a specific amount of time is calculated, and, as above, an alarm is raised if the threshold is hit.
To cover attacks that don't hit any of the above thresholds, there is a new one starting with v0.1, measuring the packet rate for a destination.
Can't other tools, like Snort, do this?
We sincerely believe not. Remember, glFlow was written with high speeds in mind. We've been using it at over 500 Mbps. At that speed, with an ordinary x86 machine, even with a strong motherboard/NIC combination, you can't do anything fancy. glFlow was specifically designed for detecting large floods in real time, or at least something close to that.
How is it that it's so fast?
Well, Andrei did a great job implementing a very fast binary tree. That allowed us to drop the threaded model and choose a single-loop design. The new results were stunning. The tests were made on a P4 Xeon/3 GHz, with an Intel GigE NIC. The average traffic rate was about 500 Mbps, with an average packet rate of 100 kpps. That led to about 200k active flows. glFlow managed to clean the inactive ones in less than 0.3 seconds. There was no alarm raised after more than 5 seconds of flooding. glFlow ate ~50% of the CPU, while consuming about 40 MB of system memory.
How do I install and run it?
Run ./configure --help. You'll see two adjustable knobs: --with-hash and --enable-debug. The first one permits you to switch between MD4 and MD5 summing of the flow and host structures kept in memory. The second lets you run glFlow in the foreground, printing some statistics on stdout.
The thresholds are hardcoded in defs.h. You shouldn't have any trouble tweaking them. However, we've observed that the best results are obtained when using the same values for flow lifetime and the time between flow cleanups, and they shouldn't be much over 20. The smaller the tree is, the faster it will be cleaned.
Finally, edit your /etc/syslog.conf and write something like this: "local6.*< tabs >/var/log/something". Restart sys[k]logd afterwards.
Fire glFlow up like this: "./glFlow < interface > < bpf filter >" and watch /var/log/something for changes. You may play with nmap or some DoS programs to test it. The IPs in the syslog will be shown as integers rather than in dotted notation. We decided to leave this job to the log analyzer.
Can it go even faster?
Sure. There are a few methods which permit you to improve the packet capture. For more info read Luca Deri's paper: http://luca.ntop.org/Ring.pdf
Enhancements:
- This is a bugfix release.
Download (0.10MB)
Added: 2006-12-05 License: GPL (GNU General Public License) Price:
1054 downloads