Publishing netflow data with Sensors
[Ref: OpenBSD 4.8 amd64, 4.9 amd64 & i386]
Sensors on edge devices export netflow data as UDP datagrams addressed to a collector. The export is unicast (one sensor sending to one collector address and port), not a broadcast, and the datagrams carry no authentication or encryption.
On routers and switches from vendors such as Cisco and Juniper the sensor is normally built into the device and only needs to be enabled. For Unix hosts various software sensors exist, including softflowd, which is available from the OpenBSD package collection.
OpenBSD supports netflow export in the base system, without extra packages, through the pflow(4) pseudo network device together with the packet filter, pf(4), configured in pf.conf(5). Export is enabled entirely through configuration.
The sample sensor configuration below uses the following values, taken from the sample network layout referred to above.

| Parameter | Value | Meaning |
|---|---|---|
| Sensor IP address | 10.0.0.1 | The source address from which the **sensor sends** netflow packets. The collector also uses this address to **identify the sensor** that exported a given packet. |
| Collector IP address | 10.0.0.2 | The address of the collector that receives the netflow packets; the **sensor addresses** its UDP packets to it. |
| UDP port | 12345 | The UDP port the sensor sends to and the collector listens on. Giving each sensor its own port is an alternative way for a collector to tell several sensors apart. |

Because the collector trusts the source address of each UDP datagram, and that address is trivial to spoof, keep export traffic on a management network and have the collector accept UDP port 12345 only from known sensor addresses (a pf rule on the collector is enough).
Other sensor devices are out of scope; this document covers only OpenBSD sensors using:
- the pflow(4) pseudo-device, and
- the packet filter, pf(4), configured in pf.conf(5).
Network analysis is time sensitive: the timestamps in exported flow records come from the sensor's clock, so make sure the clocks on your sensors and collectors are synchronised (ntpd(8) is part of the OpenBSD base system), or the timelines in your logs, analyses and reports will not line up.
1. pflow(4) pseudo-device.
From the pflow(4) manpage:
The pflow interface is a pseudo-device which exports pflow accounting data from the kernel using udp(4) packets. ... Only states created by a rule marked with the pflow keyword are exported by the pflow interface.
To configure the pflow0 pseudo-interface to export netflow data from this machine (10.0.0.1) to the collector at 10.0.0.2, UDP port 12345, run:
$ sudo ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:12345
Running ifconfig pflow0 afterwards shows the configured sender and receiver, which is a quick way to confirm that the settings took effect.
To apply the same settings at every boot, put the options in the interface's startup configuration file, /etc/hostname.pflow0 (see hostname.if(5)), which netstart(8) reads at boot:
flowsrc 10.0.0.1 flowdst 10.0.0.2:12345
2. Packet Filter pf.conf(5).
From the pf.conf(5) manpage, where pflow is listed among the state options:
pflow States created by this rule are exported on the pflow(4) interface.
For example, to export the states of one specific rule, add 'pflow' to that rule's state options in /etc/pf.conf (state options are written in parentheses after keep state; $myinf is a macro holding the name of the monitored interface):
pass in on $myinf keep state (pflow)
To export the states of every rule in the ruleset instead, set 'pflow' as a state default near the top of /etc/pf.conf, with the other set options; it applies to rules that do not specify their own keep state options (see set state-defaults in pf.conf(5)):
set state-defaults pflow
After changing either the interface configuration or the ruleset, check the syntax and reload the ruleset (pfctl -n parses without loading; pf itself does not need to be disabled and re-enabled). Only states created after the reload carry the pflow flag; states that already existed are not exported.
$ sudo pfctl -nf /etc/pf.conf && sudo pfctl -f /etc/pf.conf
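Once the sensor is exporting, this is what arrives at the collector. The following Python program is an added example, not code from the original page or from OpenBSD: it assembles a constructed NetFlow version 5 datagram (the format pflow(4) exports on OpenBSD 4.8 and 4.9) as the sensor 10.0.0.1 from the table would send it, and decodes it the way a collector listening on 10.0.0.2:12345 would, attributing the flows to the UDP source address and converting the uptime-relative flow timestamps into absolute times using the sensor's clock. The addresses inside the flow records, the timestamps and the helper names (parse_v5, build_v5, demo, collect) are assumptions made for the example.

```python
import socket
import struct

# NetFlow v5 wire format: a 24-byte header followed by `count` records of
# 48 bytes each, all fields big-endian.
HEADER = struct.Struct("!HHIIIIBBH")              # version .. sampling_interval
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # one flow record


def parse_v5(datagram, sensor_ip):
    """Decode one NetFlow v5 datagram received from `sensor_ip`.

    Returns (header, records).  The collector attributes the flows to the
    UDP source address, which is why the sensor's flowsrc matters.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")

    # Time of export according to the sensor's own clock.  Flow start/end
    # are relative to the sensor's uptime, so every absolute timestamp the
    # collector derives inherits the sensor's clock: hence the need to keep
    # sensor and collector clocks synchronised.
    export_time = unix_secs + unix_nsecs / 1e9
    header = {
        "sensor": sensor_ip, "count": count, "export_time": export_time,
        "sys_uptime_ms": sys_uptime, "flow_sequence": flow_seq,
        "engine": (engine_type, engine_id), "sampling": sampling,
    }
    records = []
    for i in range(count):
        (src, dst, _nexthop, if_in, if_out, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": "%s:%d" % (socket.inet_ntoa(src), sport),
            "dst": "%s:%d" % (socket.inet_ntoa(dst), dport),
            "proto": proto, "packets": pkts, "octets": octets,
            "tcp_flags": tcp_flags, "if_in": if_in, "if_out": if_out,
            "start": export_time - (sys_uptime - first) / 1000.0,
            "end": export_time - (sys_uptime - last) / 1000.0,
        })
    return header, records


def build_v5(sys_uptime, unix_secs, flow_seq, flows):
    """Assemble a v5 datagram.  Used here only to construct the sample; on
    a real sensor pflow(4) builds these in the kernel.
    flows: (src, sport, dst, dport, proto, pkts, octets, first, last, flags)
    """
    header = HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                    socket.inet_aton("0.0.0.0"),   # next hop: unknown
                    1, 2,                           # ifIndex in / out
                    pkts, octets, first, last, sport, dport,
                    0, flags, proto, 0,             # pad, tcp flags, proto, tos
                    0, 0, 24, 24, 0)                # AS numbers, masks, pad
        for (src, sport, dst, dport, proto, pkts, octets, first, last, flags) in flows)
    return header + body


# Constructed sample (not a real capture): the sensor from the table
# (10.0.0.1) exports two flows one hour after boot, at 2011-03-13 07:06:40 UTC.
SENSOR_IP = "10.0.0.1"
SAMPLE = build_v5(
    sys_uptime=3600000, unix_secs=1300000000, flow_seq=0,
    flows=[
        ("192.168.1.10", 51234, "198.51.100.7", 443, 6, 12, 3456, 3590000, 3599500, 0x1b),
        ("192.168.1.10", 40001, "198.51.100.53", 53, 17, 1, 76, 3599000, 3599000, 0x00),
    ])


def demo():
    """Decode the constructed sample as the collector at 10.0.0.2:12345 would."""
    return parse_v5(SAMPLE, SENSOR_IP)


def collect(bind_ip="10.0.0.2", port=12345):
    """Receive one datagram on the collector's socket and decode it, keyed
    on the sensor's source address (run this on the collector host)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    data, (ip, _port) = sock.recvfrom(65535)
    return parse_v5(data, ip)


if __name__ == "__main__":
    hdr, flows = demo()
    print("sensor %s exported %d flows at %.0f" % (hdr["sensor"], hdr["count"], hdr["export_time"]))
    for f in flows:
        print("  %s -> %s proto %d %d pkts %d bytes %.1fs" % (
            f["src"], f["dst"], f["proto"], f["packets"], f["octets"], f["end"] - f["start"]))
```

The conversion in parse_v5 is the concrete reason clock synchronisation matters: every flow start and end time the collector stores is derived from unix_secs in the sensor's header, so a sensor whose clock is off shifts all of its flows by that offset. The length check rejects truncated or padded datagrams rather than decoding garbage records.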