Ben's notes

This page describes the installation of FlowViewer on CentOS 7 for NetFlow reporting.

Quote FlowViewer wiki: “FlowViewer has been developed for NASA’s Earth Sciences Data and Information System (ESDIS) networks, and credit goes to NASA for their usual outstanding support of innovation.”

• Install development tools:

  yum groupinstall development tools
  yum install glib2-devel

• Install libraries and source code:

  yum install zlib zlib-devel lzo lzo-devel libpcap libpcap-devel gnutls gnutls-devel python-devel c-ares c-ares-devel openssl-devel 

• Install webserver and dependencies:

  yum install httpd gd perl-GD perl-GDGraph perl-GDTextUtil rrdtool
  systemctl enable httpd
  systemctl start httpd

• Download, compile and install libxbuf from http://tools.netsa.cert.org/fixbuf/:

  tar zxvf libfixbuf-1.6.2.tar.gz
  ./configure && make && make install

• Download, compile and install netsa from http://tools.netsa.cert.org/netsa-python/index.html:

  tar zxvf netsa-python-1.4.3.tar.gz
  python setup.py build
  python setup.py install

• Download, compile and install libipa from http://tools.netsa.cert.org/ipa/download.html:

  tar zxvf ipa-0.5.2.tar.gz
  ./configure && make && make install

• Add /usr/local/lib to library path.

  echo /usr/local/lib >>/etc/ld.so.conf.d/local.conf
  ldconfig -v

• Download SiLK from: http://tools.netsa.cert.org/
• Extract tar.gz file:

  tar zxvf silk-3.10.1.tar.gz

• Configure and compile:

  mkdir -p /opt/silk/data
  ./configure \
            --enable-data-rootdir=/opt/silk/data \
            --prefix=/opt/silk \
            --enable-output-compression \
            --with-libipa=/usr/local/lib/pkgconfig \
            --with-libfixbuf=/usr/local/lib/pkgconfig
  
  make
  make install
  
  ************************************************************
  Example site configuration files have been installed in
      /opt/silk/share/silk/*-silk.conf
  Choose the file that matches your packing logic plug-in
  and/or installation, rename it to silk.conf, customize it,
  and copy it to the root of the data directory:
      /opt/silk/data/silk.conf
  ************************************************************

• Create /opt/data/silk.conf:

  cp /opt/silk/share/silk/twoway-silk.conf /opt/silk/data/silk.conf

• Edit silk.conf for example:

  sensor 0 uplink    "Uplink"
  
  class all
      sensors uplink
  end class

• Specify local address space:

  cd /opt/silk/share/silk
  cp addrtype-templ.txt addresses.txt
  vi addresses.txt
    # My IP space (CMU)
    128.2.0.0/16        internal
  
  /opt/silk/bin/rwpmapbuild --input addresses.txt --output address_types.pmap

• Install Country Code mapping (legacy format). Download CSV from http://dev.maxmind.com/geoip/legacy/geolite/:

  unzip -p GeoIPCountryCSV.zip | \
            /opt/silk/bin/rwgeoip2ccmap --csv-input > country_codes.pmap
  
  cp country_codes.pmap /opt/silk/share/silk/country_codes.pmap

• Create /opt/silk/data/sensor.conf:

  probe uplink netflow-v9
       listen-on-port 9901
       protocol udp
       accept-from-host 1.2.3.1
  end probe
  sensor uplink
       netflow-v9-probes uplink
       internal-ipblock 1.2.3.0/24
       external-ipblock remainder
  end sensor

• Create /opt/silk/etc/rwflowpack.conf:

  ENABLED=yes
  BIN_DIR=/opt/silk/sbin
  DATA_ROOTDIR=/opt/silk/data
  PID_DIR=/var/run
  SENSOR_CONFIG=/opt/silk/data/sensor.conf
  SITE_CONFIG=/opt/silk/data/silk.conf
  INPUT_MODE=stream
  OUTPUT_MODE=local-storage
  LOG_TYPE=legacy
  LOG_DIR=/opt/silk/log
  LOG_LEVEL=info
  CREATE_DIRECTORIES=yes

• Enable (legacy) service:

  cp /root/silk-3.10.1/src/rwflowpack/rwflowpack.init.d /etc/init.d/rwflowpack
  chkconfig rwflowpack on
  service rwflowpack start

• Put source in trusted zone, add udp port:

  firewall-cmd --permanent --zone=trusted --add-source=1.2.3.1
  firewall-cmd --permanent --zone=trusted --add-port=9901/udp
  firewall-cmd --reload
  firewall-cmd --zone=trusted --list-all

• On RouterOS add flow config:

  /ip traffic-flow target add version=9 address=1.2.3.4:9901
  /ip traffic-flow set enabled=yes interfaces=bridge1-uplink
  /ip firewall filter chain=output action=accept protocol=udp dst-address=1.2.3.6 dst-port=9901

• Test SiLK with a query:

  /opt/silk/bin/rwfilter --sensor=uplink --proto=0-255 --pass=stdout --type=all | /opt/silk/bin/rwcut | tail

• Download FlowViewer: http://sourceforge.net/projects/flowviewer/files
• Open port to webserver:

  firewall-cmd --permanent --zone=trusted --add-service=http
  firewall-cmd --reload
  firewall-cmd --zone=trusted --list-all

• Untar into /var/www/cgi-bin subdirectory:

  cd /var/www/cgi-bin
  tar xvf /root/FlowViewer_4.6.tar

• Configure FlowViewer_Configuration.pm variables as necessary.
• Allow write access for FlowViewer:

  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowGrapher(/.*)?"
  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowMonitor(/.*)?"
  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer(/.*)?"
  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer_Dashboard(/.*)?"
  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer_Saves(/.*)?"
  
  restorecon -Rv /var/www/html

• Create all necessary directories with proper permissions.
• Copy FlowViewer.css, FlowViewer.png to $reports_directory.
• Start FlowMonitor_Collector, FlowMonitor_Grapher in background.
• Point browser to FV.cgi