FlowViewer on CentOS 7
This page describes the installation of FlowViewer on CentOS 7 for NetFlow reporting.
Quote FlowViewer wiki: “FlowViewer has been developed for NASA’s Earth Sciences Data and Information System (ESDIS) networks, and credit goes to NASA for their usual outstanding support of innovation.”
Prerequisites
- Install development tools (the group name must be quoted, otherwise yum looks for two groups named "development" and "tools"):
  yum groupinstall "Development Tools"
  yum install glib2-devel
- Install libraries and source code:
yum install zlib zlib-devel lzo lzo-devel libpcap libpcap-devel gnutls gnutls-devel python-devel c-ares c-ares-devel openssl-devel
- Install webserver and dependencies:
  yum install httpd gd perl-GD perl-GDGraph perl-GDTextUtil rrdtool
  systemctl enable httpd
  systemctl start httpd
- Download, compile and install libfixbuf from http://tools.netsa.cert.org/fixbuf/:
  tar zxvf libfixbuf-1.6.2.tar.gz
  cd libfixbuf-1.6.2
  ./configure && make && make install
- Download, build and install netsa-python from http://tools.netsa.cert.org/netsa-python/index.html:
  tar zxvf netsa-python-1.4.3.tar.gz
  cd netsa-python-1.4.3
  python setup.py build
  python setup.py install
- Download, compile and install libipa from http://tools.netsa.cert.org/ipa/download.html:
  tar zxvf ipa-0.5.2.tar.gz
  cd ipa-0.5.2
  ./configure && make && make install
- Add /usr/local/lib to the library path so the freshly installed libraries are found:
  echo /usr/local/lib >>/etc/ld.so.conf.d/local.conf
  ldconfig -v
Install SiLK
- Download SiLK from: http://tools.netsa.cert.org/
- Extract tar.gz file:
  tar zxvf silk-3.10.1.tar.gz
- Configure, compile and install (run configure from inside the extracted source directory):
  mkdir -p /opt/silk/data
  cd silk-3.10.1
  ./configure \
    --enable-data-rootdir=/opt/silk/data \
    --prefix=/opt/silk \
    --enable-output-compression \
    --with-libipa=/usr/local/lib/pkgconfig \
    --with-libfixbuf=/usr/local/lib/pkgconfig
  make
  make install
- At the end, make install prints where the example site configuration files went:
  ************************************************************
  Example site configuration files have been installed in
  /opt/silk/share/silk/*-silk.conf
  Choose the file that matches your packing logic plug-in
  and/or installation, rename it to silk.conf, customize it,
  and copy it to the root of the data directory:
  /opt/silk/data/silk.conf
  ************************************************************
Configure SiLK
- Create /opt/silk/data/silk.conf from the two-way template:
  cp /opt/silk/share/silk/twoway-silk.conf /opt/silk/data/silk.conf
- Edit silk.conf to define the sensor and the class it belongs to, for example:
  sensor 0 uplink "Uplink"
  class all
      sensors uplink
  end class
- Specify the local address space:
  cd /opt/silk/share/silk
  cp addrtype-templ.txt addresses.txt
  vi addresses.txt
- Add the local prefixes to addresses.txt, for example:
  # My IP space (CMU)
  128.2.0.0/16 internal
- Build the address-type prefix map:
  /opt/silk/bin/rwpmapbuild --input addresses.txt --output address_types.pmap
- Install Country Code mapping (legacy format). Download CSV from http://dev.maxmind.com/geoip/legacy/geolite/:
  unzip -p GeoIPCountryCSV.zip | \
    /opt/silk/bin/rwgeoip2ccmap --csv-input > country_codes.pmap
  cp country_codes.pmap /opt/silk/share/silk/country_codes.pmap
- Create /opt/silk/data/sensor.conf with a probe that only accepts NetFlow v9 from the router and a sensor that classifies the local block as internal:
  probe uplink netflow-v9
      listen-on-port 9901
      protocol udp
      accept-from-host 1.2.3.1
  end probe

  sensor uplink
      netflow-v9-probes uplink
      internal-ipblock 1.2.3.0/24
      external-ipblock remainder
  end sensor
- Create /opt/silk/etc/rwflowpack.conf:
  ENABLED=yes
  BIN_DIR=/opt/silk/sbin
  DATA_ROOTDIR=/opt/silk/data
  PID_DIR=/var/run
  SENSOR_CONFIG=/opt/silk/data/sensor.conf
  SITE_CONFIG=/opt/silk/data/silk.conf
  INPUT_MODE=stream
  OUTPUT_MODE=local-storage
  LOG_TYPE=legacy
  LOG_DIR=/opt/silk/log
  LOG_LEVEL=info
  CREATE_DIRECTORIES=yes
- Install and enable the (legacy SysV) service from the SiLK source tree:
  cp /root/silk-3.10.1/src/rwflowpack/rwflowpack.init.d /etc/init.d/rwflowpack
  chkconfig rwflowpack on
  service rwflowpack start
Configure NetFlow v9 for RouterOS
- Put the router's source address in the trusted zone and open the collector's UDP port:
  firewall-cmd --permanent --zone=trusted --add-source=1.2.3.1
  firewall-cmd --permanent --zone=trusted --add-port=9901/udp
  firewall-cmd --reload
  firewall-cmd --zone=trusted --list-all
- On RouterOS add the traffic-flow target and allow the export traffic out (the firewall filter rule needs the add keyword, and its dst-address must be the collector address given as the traffic-flow target):
  /ip traffic-flow target add version=9 address=1.2.3.4:9901
  /ip traffic-flow set enabled=yes interfaces=bridge1-uplink
  /ip firewall filter add chain=output action=accept protocol=udp dst-address=1.2.3.6 dst-port=9901
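The firewalld rules above must stay in step with the probes in sensor.conf: the trusted zone should only admit the hosts the probes accept from, and a probe without accept-from-host accepts flow records from any sender. This added example (not code from the FlowViewer or SiLK projects) reads the probe blocks from a sensor.conf, prints the matching firewall-cmd lines and flags unrestricted probes; the sample configuration it parses is constructed inline, with a second "lab" probe added to show the warning.

```shell
#!/bin/sh
# Added example, not part of the FlowViewer or SiLK projects: read the probe
# blocks of a SiLK sensor.conf and print the firewalld commands that admit
# exactly those senders and ports. A probe without accept-from-host is
# reported, because SiLK then accepts flow records from any host.

# Print one line per probe: "<name> <port> <proto> <accept-from-host|ANY>".
parse_probes() {
    awk '
        /^[[:space:]]*probe[[:space:]]/     { name = $2; port = ""; proto = ""; host = "" }
        /^[[:space:]]*listen-on-port/       { port = $2 }
        /^[[:space:]]*protocol/             { proto = $2 }
        /^[[:space:]]*accept-from-host/     { host = $2 }
        /^[[:space:]]*end[[:space:]]+probe/ { if (host == "") host = "ANY"; print name, port, proto, host }
    ' "$1"
}

# Emit firewall-cmd lines for every probe in the given sensor.conf.
# Exit status is 1 if any probe accepts from any sender, 0 otherwise.
probe_firewall_rules() {
    probes=$(parse_probes "$1")
    printf '%s\n' "$probes" | while read -r name port proto host; do
        if [ "$host" = "ANY" ]; then
            printf '# WARNING: probe %s has no accept-from-host; SiLK accepts flows from any sender\n' "$name"
        else
            printf 'firewall-cmd --permanent --zone=trusted --add-source=%s\n' "$host"
        fi
        printf 'firewall-cmd --permanent --zone=trusted --add-port=%s/%s\n' "$port" "$proto"
    done
    printf 'firewall-cmd --reload\n'
    ! printf '%s\n' "$probes" | grep -q ' ANY$'
}

# Constructed sample sensor.conf: "uplink" mirrors the page, "lab" is a deliberately unrestricted probe.
SAMPLE_SENSOR_CONF=$(mktemp)
cat > "$SAMPLE_SENSOR_CONF" <<'EOF'
probe uplink netflow-v9
    listen-on-port 9901
    protocol udp
    accept-from-host 1.2.3.1
end probe
probe lab netflow-v9
    listen-on-port 9902
    protocol udp
end probe
sensor uplink
    netflow-v9-probes uplink
    internal-ipblock 1.2.3.0/24
    external-ipblock remainder
end sensor
EOF

probe_firewall_rules "$SAMPLE_SENSOR_CONF" || echo "# review: at least one probe is open to all senders"
```

Run it against /opt/silk/data/sensor.conf before applying the printed firewall-cmd lines; a non-zero exit means a probe should get an accept-from-host line first.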
Test query
- Test SiLK with a query that passes every flow seen by the uplink sensor and prints the last records:
  /opt/silk/bin/rwfilter --sensor=uplink --proto=0-255 --pass=stdout --type=all | /opt/silk/bin/rwcut | tail
Install FlowViewer
- Download FlowViewer: http://sourceforge.net/projects/flowviewer/files
- Open the HTTP service in the firewall:
  firewall-cmd --permanent --zone=trusted --add-service=http
  firewall-cmd --reload
  firewall-cmd --zone=trusted --list-all
- Untar into a /var/www/cgi-bin subdirectory:
  cd /var/www/cgi-bin
  tar xvf /root/FlowViewer_4.6.tar
- Configure FlowViewer_Configuration.pm variables as necessary.
- Allow the web server to write to the FlowViewer report directories under SELinux:
  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowGrapher(/.*)?"
  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowMonitor(/.*)?"
  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer(/.*)?"
  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer_Dashboard(/.*)?"
  semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer_Saves(/.*)?"
  restorecon -Rv /var/www/html
- Create all necessary directories with proper permissions.
- Copy FlowViewer.css and FlowViewer.png to $reports_directory.
- Start FlowMonitor_Collector and FlowMonitor_Grapher in the background.
- Point the browser to FV.cgi.
flowviewer_centos7.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1