I have started using OSSIM to monitor network issues and security.
http://www.ossim.net/wiki/doku.php?id=installation
My first steps with OSSIM have been with the Netflow module (nfsen).
This is a mini howto for configuring Nfsen on the OSSIM server to monitor Cisco routers.
Configure NetFlow on the Cisco router
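config t
! FastEthernet 0/0 is an example; use the interface you want to monitor
interface FastEthernet 0/0
ip route-cache flow
exit
! <dst ip> is the OSSIM/nfsen server; <dst port> must match the 'port' set for this source in nfsen.conf
ip flow-export destination <dst ip> <dst port>
ip flow-export source <src interface>
ip flow-export version 5
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
exit
write mem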
With this, the device is configured.
Configure Nfsen
Then we have to add this device to nfsen.conf:
%sources = (
    'Router' => { 'port' => '9567', 'col' => '#0000ff', 'type' => 'netflow' },
);
After this we have to reconfigure nfsen:
/usr/nfsen/bin/nfsen reconfig
Now I have started to configure the OSSEC and Snort modules. When I have good results I will post another howto covering these modules.