Netflow Collection with AlienVault Alienvault 2013


CONFIGURE

Configuring NetFlow Capture of TCP/IP Traffic from an AlienVault Sensor or Remote Hardware

Level: Beginner to Intermediate

Contents

Introduction
  The NetFlow Specification
  NetFlow as a Security Tool
Prerequisites
Installation
Configuration
  Enabling Netflow Collection from an AlienVault Sensor
  Collecting Netflow Data from an External Source
  Configuring the External Device to send NetFlow/sFlow data to Alienvault
Validation

Introduction

The NetFlow Specification

NetFlow is a protocol designed and published by Cisco Systems that has become the accepted industry standard for recording and transmitting information about network flows (connections between hosts via the TCP/IP protocols) on a network.

Flows are unidirectional – a standard TCP session will create two flows – one of the traffic from host A to host B, a second of the traffic from Host B to Host A.

A flow record (using NetFlow v5, the most commonly adopted version) will contain the following information about the traffic session:

1. Network Interface
2. Source IP Address
3. Destination IP Address
4. IP Protocol
5. Source port (for UDP or TCP flows, 0 for other protocols)
6. Destination port (for UDP or TCP, type and code for ICMP, or 0 for other protocols)
7. IP Type-Of-Service flags

This is the bare minimum information contained in a flow; however, versions 7 and 9 of the NetFlow standard include many additional supported fields. Of these additional fields, the ones most relevant to NetFlow in the context of AlienVault USM or OSSIM are:

8. TCP Flags
9. Total Packets in Flow
10. Total Bytes in Flow
11. Packets Per Second (PPS)
12. Bits Per Second (BPS)
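To make the record layout above concrete, the following is an added example (not part of the original document and not AlienVault's code) that decodes a NetFlow v5 export datagram and derives the twelve fields listed. The datagram is constructed inline with Python's struct module; the addresses, counters and SysUptime values in it are made up for the example. It also pairs the two unidirectional flows of one TCP session, and it checks the declared record count against the datagram length before decoding, since a collector reads these packets from an open UDP port.

```python
import socket
import struct
from typing import Any, Dict, List, Tuple

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_V5_RECORDS = 30


def parse_v5(datagram: bytes) -> List[Dict[str, Any]]:
    """Decode one v5 export datagram into a list of flow dicts.

    Length and count are validated first: anything arriving on the
    collector's UDP port is untrusted input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _sys_uptime, _unix_secs, _unix_nsecs,
     _flow_seq, _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_V5_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")

    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        duration_ms = last - first          # first/last are SysUptime values in ms
        secs = duration_ms / 1000.0
        flow = {
            "interface": in_if,              # 1
            "src": socket.inet_ntoa(src),    # 2
            "dst": socket.inet_ntoa(dst),    # 3
            "proto": proto,                  # 4
            "src_port": sport,               # 5
            "dst_port": dport,               # 6
            "tos": tos,                      # 7
            "tcp_flags": tcp_flags,          # 8
            "packets": pkts,                 # 9
            "bytes": octets,                 # 10
            "duration_ms": duration_ms,
            # A single-packet flow has zero duration; report 0 pps/bps for it
            # rather than dividing by zero (the convention nfdump uses).
            "pps": pkts / secs if secs > 0 else 0.0,          # 11
            "bps": octets * 8 / secs if secs > 0 else 0.0,    # 12
        }
        if proto == 1:  # ICMP: v5 packs type and code into the destination port field
            flow["icmp_type"], flow["icmp_code"] = dport >> 8, dport & 0xFF
        flows.append(flow)
    return flows


def pair_flows(flows: List[Dict[str, Any]]) -> Dict[Tuple, List[Dict[str, Any]]]:
    """Group unidirectional flows into sessions keyed on the order-independent 5-tuple."""
    sessions: Dict[Tuple, List[Dict[str, Any]]] = {}
    for f in flows:
        a = (f["src"], f["src_port"])
        b = (f["dst"], f["dst_port"])
        key = (f["proto"],) + (a + b if a <= b else b + a)
        sessions.setdefault(key, []).append(f)
    return sessions


def _record(src, dst, proto, sport, dport, pkts, octets, first, last, tcp_flags=0, tos=0, in_if=2):
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                          in_if, 3, pkts, octets, first, last, sport, dport,
                          0, tcp_flags, proto, tos, 0, 0, 24, 24, 0)


def sample_datagram() -> bytes:
    """Constructed export (not real traffic): one TCP session seen as two flows, plus an ICMP echo."""
    records = [
        _record("192.0.2.10", "198.51.100.20", 6, 51234, 443, 40, 6000, 1000, 5000, tcp_flags=0x1B),
        _record("198.51.100.20", "192.0.2.10", 6, 443, 51234, 35, 52000, 1000, 5000, tcp_flags=0x1B),
        _record("192.0.2.10", "198.51.100.20", 1, 0, 0x0800, 1, 84, 7000, 7000),
    ]
    header = V5_HEADER.pack(5, len(records), 10000, 1700000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    decoded = parse_v5(sample_datagram())
    for flow in decoded:
        print(flow)
    print(f"{len(decoded)} flows form {len(pair_flows(decoded))} sessions")
```

The TCP session appears twice, once per direction, exactly as the text describes; the ICMP echo request shows up with its type and code unpacked from the destination port field.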

NetFlow as a Security Tool

Although designed to help network administrators generate metrics for the performance and utilization of their networks, NetFlow has garnered increasing utility in recent years as a vital tool for security analysis, detection and forensic investigation. With many standard security controls placed around the perimeter of the network, netflow has proven to be vital when investigating intrusions that pass the ‘hard outer shell’ and start migrating throughout the ‘soft underbelly’ of an organization.

Operating Systems and applications are rarely configured to log every last action they perform (unless placed into debug mode, an option rarely used since it carries an accompanying performance cost), and all too often this can leave a critical gap in the forensic reconstruction of an event.

Services may log who connected to them, but not from where, or when a session was started, yet not when it was closed. Cross-referencing application and service logs against the records of network traffic to that host can allow analysts to infer the missing information needed to trace the path of a successful intruder across the network.

[Figure: timeline cross-referencing host logs with a flow record. Host A logs "17:28 Connection from External Host"; Host B logs "21:28 Connection from Host A". The flow record reads: src: external host, dst: Host A, duration 18501291 milliseconds. Question posed: was our attacker still connected to Host A when it connected to Host B?]
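The figure's question can be answered mechanically. The following is an added example (not from the original document) that encodes the scenario: the two timestamps and the 18501291 ms flow duration are taken from the figure, while the addresses, ports, the date and the duration of the Host A to Host B flow are assumptions made for the example. The host logs supply who connected and when; the flow record supplies the session end that the logs lack.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed flow records for the figure's scenario (not real data).
FLOWS: List[Dict] = [
    {"src": "203.0.113.7", "dst": "10.0.0.10", "dst_port": 22,      # external host -> Host A
     "start": datetime(2013, 5, 1, 17, 28, 0), "duration_ms": 18501291},
    {"src": "10.0.0.10", "dst": "10.0.0.20", "dst_port": 445,       # Host A -> Host B
     "start": datetime(2013, 5, 1, 21, 28, 0), "duration_ms": 42000},
]

# Constructed service-log events: which host logged it, when, and the peer it reports.
# As in the text, the logs say who connected but not when the session ended.
LOG_EVENTS: List[Dict] = [
    {"host": "10.0.0.10", "time": datetime(2013, 5, 1, 17, 28, 0), "peer": "203.0.113.7"},
    {"host": "10.0.0.20", "time": datetime(2013, 5, 1, 21, 28, 0), "peer": "10.0.0.10"},
]


def flow_end(flow: Dict) -> datetime:
    """End of a flow: its start plus the duration NetFlow recorded."""
    return flow["start"] + timedelta(milliseconds=flow["duration_ms"])


def active_at(flow: Dict, when: datetime) -> bool:
    """True if the flow had started and had not yet ended at the given instant."""
    return flow["start"] <= when <= flow_end(flow)


def inbound_peers_at(flows: List[Dict], host: str, when: datetime) -> List[str]:
    """Sources with a flow into `host` that was still open at `when`."""
    return sorted({f["src"] for f in flows if f["dst"] == host and active_at(f, when)})


def trace_pivot(flows: List[Dict], events: List[Dict]) -> List[Dict]:
    """For each logged connection, find who was connected to the connecting peer at that moment.

    This is the cross-reference the text describes: the log gives the 'who'
    and 'when', the flow record fills in whether the upstream session was
    still open."""
    trace = []
    for ev in events:
        trace.append({
            "host": ev["host"],
            "time": ev["time"],
            "peer": ev["peer"],
            "upstream_of_peer": inbound_peers_at(flows, ev["peer"], ev["time"]),
        })
    return trace


if __name__ == "__main__":
    for hop in trace_pivot(FLOWS, LOG_EVENTS):
        print(f'{hop["time"]:%H:%M} {hop["host"]} <- {hop["peer"]}; '
              f'still connected to {hop["peer"]}: {hop["upstream_of_peer"] or "nobody"}')
```

The external flow into Host A ends at 22:36:21, so at 21:28, when Host B logged the connection from Host A, the external host was still connected to Host A: the chain external host -> Host A -> Host B is supported by the flow data.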

Prerequisites

Netflow is entirely dependent upon having visibility to traffic traversing the network – which means the routers and switches that traffic flows over. There are two ways to acquire this:

• The Router or Switch is configured to accrue netflow data directly, and transmit it to a collector.

• The Switch is configured with a SPAN/Mirror port to clone all traffic to a single port, attached to a system that will generate netflow data from the observed packets.

AlienVault supports both of these scenarios:

• Netflow data can be sent to an AlienVault sensor, and incorporated into SIEM Data

• The Sensor (which should be connected to a SPAN port for normal functionality) can generate its own netflow data from observed traffic.

These options are not mutually exclusive and many practical deployments will incorporate both methods of collection.

Installation

Netflow Collection and Analysis is included with AlienVault by default and no additional installation is necessary.

Configuration

Enabling Netflow Collection from an AlienVault Sensor

After a default installation, Netflow defaults to being disabled on an AlienVault Sensor, and must be activated and configured before collection will begin.

NetFlow Collection is configured on a per-sensor basis, in the sensor configuration screen: access this through the sidebar menu at Deployment -> AlienVault Components

• Select the Sensors tab at the top:

• And click the IP Address of the sensor to be configured:

There are three primary configuration options, all of which may safely be left with their default values:

PORT: This is the port over which the sensor will transmit netflow data back to the AlienVault server. Each sensor must transmit on a unique port number. A suitable default will appear in this text box, and it is recommended to leave it at this default unless there is a specific operational reason to change it (perhaps a specific port range your network has assigned for administrative traffic ACLs).

TYPE: This is the type of netflow data that the sensor will receive from external sources. If you are only using the Sensor to generate netflow data, this value can be ignored.

COLOR: A color value to visually identify flows collected from this sensor in the Flows analysis section of the AlienVault User Interface.

Once you have chosen appropriate values (or left them as their defaults), click the Configure and Run button to activate Netflow Collection/Generation from this Sensor.

You will receive confirmation that the sensor is now generating netflow data. The message shown assumes you are configuring an external collector; for an AlienVault sensor, the firewall exception will be created automatically.

Collecting Netflow Data from an External Source

Third party devices that support the collection and transmission of NetFlow (or the variant sFlow) data, may also be configured as a source of traffic accounting information within AlienVault.

The process to add an additional Flow source is:

• Create a new Sensor record for the transmitting device

• Configure the device to transmit NetFlow or sFlow information to the AlienVault Server

Preparing the Sensor Entry

To register Netflows from external devices with their own unique identity and color in flow listings, a ‘Dummy’ Sensor entry must be created within the AlienVault UI.

This Sensor entry will appear to be an AlienVault Sensor, but will permanently appear as ‘disconnected’ in the Sensor listing UI screen.

Add a New Sensor Entry

• Return to the Sensor Listing screen at Deployment -> AlienVault Components

• Select the Sensors tab at the top:

• You will get the Sensor configuration screen – but with no information populated. Fill it out with information about the NetFlow device you are adding.

• Click Update; you will receive confirmation of the sensor record being created.

• Re-open the sensor configuration window (click the IP address of the newly created sensor record).

• At the bottom of the screen is the Netflow section.

  o Select a port that the AlienVault Server will receive NetFlow data over.

  o Select NetFlow or sFlow as appropriate for what the device will be sending to AlienVault.

  o Choose a color to display flows in the Flow Analysis UI.

  o Configure and Run

• You will receive a message stating that a new firewall exception must be added to the AlienVault Server’s firewall settings.

As of version 4.2 this is no longer necessary.

Firewall Exception

Despite the message box, as of version 4.2 the firewall exception can be created automatically by disabling and re-enabling the AlienVault Server’s Firewall.

• This must be done from the AlienVault Physical Console, or remotely via Secure Shell.

• You will need the root account credentials to perform this.

• The root user account is only for console access, and is different from the admin credentials used in the Web User Interface.

• root credentials are created during installation of AlienVault.

Log Into the Console

The next step involves forcing a global rebuild of the AlienVault core configuration. This must be done at the AlienVault Console (either by opening the physical console, or by using Secure Shell (SSH) to log into the AlienVault Server with the root account).

Access the AlienVault Console; you will be presented with the Alienvault-Setup console tool. Select the Jailbreak option to access the administrative command line.

• Run the command ossim-reconfig

• The reconfiguration tool will run (this may take a few minutes)

• The Server should now be reachable over UDP, on the port configured for the new netflow source.

Configuring the External Device to send NetFlow/sFlow data to Alienvault

The final step is to configure the device itself to transmit flow data to the AlienVault Server. This process is dependent upon the third party device itself. We have made efforts to assemble configuration instructions for major device types into accompanying documents, but be aware that these are third party devices and the information presented here may be outdated because of more recent updates to these devices by their manufacturer.

Validation

With the Server, Sensor and any appropriate devices now configured, all that remains is to validate the successful collection of Netflow.

Since this process is dependent upon witnessing live data being collected by the system, it is advisable to wait a short, appropriate length of time before validation (thirty minutes at the most should provide a good sampling window).

Open the Netflow Analysis UI

Located under Situational Awareness -> Network:

The primary screen should give quick visual confirmation of Netflow data being captured:

The colors used to plot the flow graphs are the colors assigned to each sensor during the configuration stage.

View Individual Flows

Scroll to the bottom of this UI section and locate the Netflow Processing section of the UI.

Select and highlight only the sensor you have just configured, then click List last 500 Sessions. After a few seconds a new panel should display beneath the Netflow Processing panel:

Troubleshooting

If flow data does not appear after a reasonable amount of time, validate that flow data is successfully being transmitted and received by the AlienVault server.

Validate that Netflow packets are being generated by the Sensor

• If you are collecting netflow packets from a third party device, skip this section and do whatever troubleshooting is appropriate to determine that netflow collection is functioning correctly on that device

• Log in to the physical console of the Alienvault Sensor.

• Acquire commandline access via the ‘jailbreak this appliance’ option

Validate that the fprobe process is running, that it is listening on the correct interface, and that it is sending packets on the correct port to the server:

# ps ax | grep fprobe

• The output should appear similar to the following:

• Confirm that -iethX names the correct interface for the sensor interface connected to the switch SPAN port.

• Confirm that the IP address is the IP address of your AlienVault Server.

Validate that Netflow packets are being received by the Server

• Log in to the physical console of the Alienvault Server.

• Acquire commandline access via the ‘jailbreak this appliance’ option

• Validate that nfcapd is running, and listening on the port assigned for the appropriate sensor:

# ps ax | grep nfcapd

• The output should appear similar to this:

• There will be multiple instances of nfcapd, one for each netflow source.

• The number after the -p argument should match the port assigned to a particular netflow source.

• Use tcpdump to validate that packets are being transmitted to the Server:

# tcpdump -i <interface> 'port <netflow port>'

• If packets are being received from the netflow source, you should see output similar to the following:
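The checks in the sensor and server sections above (fprobe running on the right interface and pointed at the right server port, nfcapd listening on that port, and the server firewall accepting it) can be scripted so they are repeatable. The following is an added example, not AlienVault's own tooling: it takes the text of ps and iptables output and compares it against the expected configuration. The sample command output is constructed for the example, and the exact fprobe and nfcapd argument layout it parses is an assumption; adjust the patterns if your appliance prints something different.

```python
import re
from typing import List, Set, Tuple

# Constructed sample output (not captured from a real appliance), modelled on
# `ps ax | grep fprobe` on a sensor, `ps ax | grep nfcapd` on the server, and
# `iptables -L -n -v` on the server. The fprobe/nfcapd argument layout is an
# assumption for this example.
SENSOR_PS = """\
 1234 ?        Ss     0:12 fprobe -ieth1 -fip 10.0.0.5:555
 2345 pts/0    S+     0:00 grep fprobe
"""

SERVER_PS = """\
 3456 ?        Ss     0:30 nfcapd -w -D -p 555 -l /var/cache/nfdump/sensor1
 3457 ?        Ss     0:29 nfcapd -w -D -p 556 -l /var/cache/nfdump/router1
 4567 pts/0    S+     0:00 grep nfcapd
"""

SERVER_IPTABLES = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8192  512K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:555
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:556
"""

_IFACE = re.compile(r"-i\s*(?P<iface>\S+)")              # -ieth1 or -i eth1
_PORT_OPT = re.compile(r"-p\s*(?P<port>\d+)")            # nfcapd -p <port>
_COLLECTOR = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
_ACCEPT_UDP = re.compile(r"^\s*\d+\s+\S+\s+ACCEPT\s+udp\b.*\bdpt:(?P<port>\d+)")


def _process_args(ps_output: str, name: str):
    """Yield the argument string of each real <name> process; the grep that
    found them appears in its own output and is skipped."""
    for line in ps_output.splitlines():
        if "grep" in line:
            continue
        m = re.search(rf"\b{name}\b(?P<args>.*)", line)
        if m:
            yield m.group("args")


def fprobe_exporters(ps_output: str) -> List[Tuple[str, str, int]]:
    """(interface, collector_ip, collector_port) for every fprobe process."""
    found = []
    for args in _process_args(ps_output, "fprobe"):
        iface, coll = _IFACE.search(args), _COLLECTOR.search(args)
        if iface and coll:
            found.append((iface.group("iface"), coll.group("ip"), int(coll.group("port"))))
    return found


def nfcapd_ports(ps_output: str) -> Set[int]:
    """UDP ports with an nfcapd collector bound to them."""
    return {int(m.group("port"))
            for args in _process_args(ps_output, "nfcapd")
            for m in [_PORT_OPT.search(args)] if m}


def firewall_allows_udp(iptables_output: str, port: int) -> bool:
    """True if an ACCEPT rule for udp dpt:<port> is present."""
    return any(m and int(m.group("port")) == port
               for m in map(_ACCEPT_UDP.match, iptables_output.splitlines()))


def validate_flow_path(expected_iface: str, server_ip: str, port: int,
                       sensor_ps: str, server_ps: str, iptables_output: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    exporters = fprobe_exporters(sensor_ps)
    if not exporters:
        findings.append("no fprobe exporter running on the sensor")
    for iface, ip, p in exporters:
        if iface != expected_iface:
            findings.append(f"fprobe captures on {iface}, expected SPAN interface {expected_iface}")
        if (ip, p) != (server_ip, port):
            findings.append(f"fprobe exports to {ip}:{p}, expected {server_ip}:{port}")
    if port not in nfcapd_ports(server_ps):
        findings.append(f"no nfcapd collector bound to UDP port {port} on the server")
    if not firewall_allows_udp(iptables_output, port):
        findings.append(f"server firewall has no ACCEPT rule for UDP port {port}")
    return findings


if __name__ == "__main__":
    for finding in validate_flow_path("eth1", "10.0.0.5", 555, SENSOR_PS, SERVER_PS, SERVER_IPTABLES) or ["all checks passed"]:
        print(finding)
```

Run on the sample output with the expected interface, server address and port, the checker reports nothing; change the expected port to one no nfcapd is bound to and each stage that disagrees produces its own finding, which is what you want when only one of the three pieces (sensor, collector, firewall) is misconfigured.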

Validate that Netflow packets are accepted by the Server Firewall

• Log in to the physical console of the Alienvault Server.

• Acquire commandline access via the ‘jailbreak this appliance’ option

• Validate that the firewall configuration has an exception to allow incoming netflow packets over the appropriate UDP port:

# iptables -L -n -v | grep <configured port>

• The output should resemble the following:
