I have started to use OSSIM to monitor network issues and security.
http://www.ossim.net/wiki/doku.php?id=installation
My first steps with OSSIM have been with the Netflow module (nfsen).
This is a mini howto for configuring Nfsen on an OSSIM server to monitor Cisco routers.
Configure netflow in Cisco Router
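config t
! use whichever interface you want to monitor
interface FastEthernet 0/0
ip route-cache flow
exit
! the destination is the OSSIM/nfsen server; the port must match nfsen.conf
ip flow-export destination <dst ip> <dst port>
ip flow-export source <src interface>
ip flow-export version 5
! active timeout is in minutes, inactive timeout is in seconds
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
exit
write mem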
With this, the device is configured.
Configure Nfsen
Then we have to add this device to nfsen.conf:
# 'port' must be the <dst port> configured on the router
%sources = (
    'Router' => { 'port' => '9567', 'col' => '#0000ff', 'type' => 'netflow' },
);
After this we have to reconfigure nfsen:
/usr/nfsen/bin/nfsen reconfig
Now I have started to configure the OSSEC and Snort modules. When I have good results I will post another howto about these modules.

March 25th, 2010 at 14:28
Thanks for the informative post. Personally, I’ve been using Scrutinizer (www.plixer.com) for monitoring NetFlow on my Cisco routers, it does a great job but it is good to hear about what other tools are out there.
March 25th, 2010 at 14:47
Thanks for your comment.
I’d heard about Scrutinizer but it is different. I use OSSIM because apart from this I can monitor firewalls, servers, NIDS, HIDS, Nessus, etc., and then correlate the logs between them to detect security issues.