Thursday, February 23, 2006

Ntop with NetFlow v5

I need some tools to monitor my LAN. At first, I used Ntop with a SPAN port. The bad thing about this: my ntop server's CPU looked like it was in the middle of cracking 2048-bit RSA/3DES/Blowfish encryption. So I decided to enable the NetFlow plugin in ntop. It only takes 3 steps to enable NetFlow on a Cisco router.

1) Select the interface on which to enable NetFlow
2) Point the flow export at the listener's IP address and UDP port
3) Set the NetFlow version. Voila.

#conf t
(config)#int fa 0/0
(config-if)#ip route-cache flow
(config-if)#exit
(config)#ip flow-export destination 1.1.1.1 9995
(config)#ip flow-export version 5
(config)#exit

To check the export configuration: show ip flow export (show ip cache flow lists the flows the router is currently tracking). Two caveats: ip route-cache flow only accounts traffic entering the interface it is applied to, so enable it on every interface whose traffic you want to see; and the export is plain, unauthenticated UDP, so firewall the collector's UDP port (9995 here) so that only the routers' addresses can reach it.

Then run ntop:

#ntop -d -s -b -w 1.1.1.1:68532

(-d runs it as a daemon, -s keeps hosts from being purged from the hash, -b disables the protocol decoders, and -w sets the address and port of the web interface. Note that 68532 is not a valid TCP port, the maximum is 65535; ntop's default web port is 3000. Bind the web interface to an address that is not reachable from outside and add -u to drop root privileges. The NetFlow plugin itself, including the UDP port it listens on, is configured from the web interface under Plugins.)

Since I have multiple routers/switches, I need to listen for multiple NetFlow streams. I need to configure the NetFlow plugin to listen on multiple ports, so defining another port in the NetFlow configuration for a different switch does the trick.
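What the router is actually sending to UDP/9995, and what a collector has to check before trusting it, is easier to see in code. The following is an added example written for this page, not ntop's code and not from the original post; the router address 192.168.0.1 and the sample flows in it are made up. It decodes a NetFlow v5 datagram (the 24-byte header and fixed 48-byte records that ip flow-export version 5 produces), rejects malformed datagrams and datagrams from any address that is not one of the configured routers, and totals bytes per source host, the per-host view ntop builds:

```python
"""Added example (not ntop's code): the collector side of the config above.

A NetFlow v5 exporter sends UDP datagrams: a 24-byte header and up to 30 fixed
48-byte records. This parses one, rejects malformed data and unknown exporters
(v5 has no authentication), and totals octets per source host. The router
address and the sample flows are constructed for the example.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30
# Assumption: the exporting router's fa0/0 address. v5 has no authentication, so accept only known routers.
TRUSTED_EXPORTERS = {"192.168.0.1"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int

def parse_v5(data: bytes) -> Tuple[Dict[str, int], List[Flow]]:
    """Decode one v5 datagram; raise ValueError on anything malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq, etype, eid,
     sampling) = struct.unpack_from(HEADER_FMT, data, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if not 1 <= count <= MAX_RECORDS or len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs, "flow_sequence": seq,
              "engine_type": etype, "engine_id": eid, "sampling_interval": sampling}
    flows = []
    for i in range(count):
        (saddr, daddr, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask,
         _pad2) = struct.unpack_from(RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        flows.append(Flow(socket.inet_ntoa(saddr), socket.inet_ntoa(daddr),
                          proto, sport, dport, pkts, octets, flags))
    return header, flows

def accept_datagram(src_ip: str, data: bytes) -> List[Flow]:
    """Parse exports only from routers we configured; drop everything else."""
    if src_ip not in TRUSTED_EXPORTERS:
        raise PermissionError(f"flow export from unexpected source {src_ip}")
    return parse_v5(data)[1]

def octets_by_source(flows: List[Flow]) -> Dict[str, int]:
    """Per-host byte totals, the basic 'top talkers' view."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f.src] = totals.get(f.src, 0) + f.octets
    return totals

def build_v5_packet(flows: List[Flow], flow_seq: int = 0) -> bytes:
    """Constructed datagram standing in for what the router would export."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 600_000, 1_140_652_800, 0,
                         flow_seq, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(f.src), socket.inet_aton(f.dst),
                    b"\0\0\0\0", 1, 2, f.packets, f.octets, 590_000, 599_000,
                    f.sport, f.dport, 0, f.tcp_flags, f.proto, 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body

# Constructed sample flows: one HTTP session and two DNS queries from the LAN.
SAMPLE_FLOWS = [
    Flow("192.168.0.10", "192.168.0.80", 6, 51000, 80, 12, 6400, 0x1B),
    Flow("192.168.0.11", "192.168.0.1", 17, 53123, 53, 1, 76, 0),
    Flow("192.168.0.10", "192.168.0.1", 17, 53124, 53, 1, 80, 0),
]

def run_collector(bind_addr: str = "0.0.0.0", port: int = 9995) -> None:
    """Listen on the 'ip flow-export destination' port; print per-host totals."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        try:
            print(octets_by_source(accept_datagram(src_ip, data)))
        except (PermissionError, ValueError) as exc:
            print(f"dropped datagram from {src_ip}: {exc}")

if __name__ == "__main__":
    run_collector()
```

Offline, build_v5_packet(SAMPLE_FLOWS) produces a datagram that parse_v5() decodes back into the same three flows; run_collector() binds the UDP port named in ip flow-export destination and applies the same checks to live exports (bind it to the collector's own address rather than 0.0.0.0 if the box has more than one interface). Since the exporter's address arrives with every datagram, the allow-list here is keyed on that address; the version check matters because a v1 or v9 exporter pointed at the same port produces datagrams that decode as garbage under the v5 layout.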

By the way, ntop is a very nice tool written by Luca Deri. If you're looking for a NetFlow solution and happen to have extra money, go and buy this tool => nbox

Saturday, February 18, 2006

The attack of the Worms??

Over the weekend, I decided to open port 80 on the firewall. I thought there would be no connections to my IP, but to my surprise, there were a lot of attempts. Is it a worm? Or some freak who just found out what a port scanner is all about. Here's the snapshot.

[screenshot not preserved in this copy]

Saturday, February 11, 2006

Monitoring system in 3 hours?

Yeah... I just managed to install a new monitoring system in 3 hours, using FreeBSD 6.0, PHP 4.x, MySQL 4.x, Apache 1.3.x, BASE, Snort 2.3.x and Cacti 0.8.x.

Here are the steps taken.

1) Install FreeBSD 6.0 with the minimum package set.
2) After configuring the newly installed FreeBSD 6.0, update the ports tree using cvsup.
Here's the cvs-supfile:

*default host=cvsup.jp.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_6_0_0_RELEASE
*default release=cvs delete use-rel-suffix compress
# src-all          (I don't want to update the source tree, so it is commented out)
ports-all tag=.
# doc-all tag=.    (same goes for the docs)


3) Since my network is firewalled, I need to tunnel cvsup through ssh. The -h option makes cvsup connect to the local end of the tunnel instead of the host named in the supfile:

ssh -L 5999:cvsup.jp.freebsd.org:5999 admin@p0rn.org
cvsup -g -L2 -h localhost cvs-supfile

4) After a while (depending on your internet connection speed), the update finishes.
5) Then I install mysql41-client and mysql41-server from ports. Before performing the MySQL installation, make sure your hostname is localhost. After the install has finished:

mysql_install_db
chown -R mysql /var/db/mysql/
chgrp -R mysql /var/db/mysql/
mysqld_safe &   # mysql is now running in the background

6) Then set a password for the MySQL root user (mysql_install_db leaves it empty):

mysqladmin -u root password new-password

7) Install Apache 1.3.x, also from ports, then configure it.
You only need to change the ServerName entry in httpd.conf before firing up Apache.
8) Install PHP 4.x from ports.
9) Install Snort 2.3.x from ports, then configure snort.conf:
define HOME_NET and the log type (for BASE this is the output database plugin, pointed at the MySQL database and user created in the next steps).

snort -T -c /usr/local/etc/snort.conf -i fxp0   # test the snort config; the file has to be passed with -c, otherwise snort treats the path as a BPF filter and the test fails

10) Import the snort database schema into MySQL

mysqladmin -u root -p create snort
mysql -u root -p snort < create_mysql    # the schema file shipped with snort (its path was lost from the original)

11) Create the database user snort logs with

mysql -u root -p
mysql> GRANT ALL ON snort.* TO snortman@localhost IDENTIFIED BY 'shithead';
mysql> flush privileges;
mysql> quit

GRANT ALL is more than snort's output plugin needs, and the password ends up in snort.conf as well as in the mysql client's ~/.mysql_history, so use a real password and keep those files unreadable to other users.

12) Install BASE, also from ports. Then browse to http://my-ip/base/ and do the configuration there. BASE shows everything snort records, so turn on its own user authentication (or put Apache auth in front of it) and don't leave it reachable from outside.
13) Run snort as a daemon and monitor from BASE.

snort -D -c /usr/local/etc/snort.conf -i fxp0   # -c loads the rules and the database output plugin; without it snort only sniffs. Add -u/-g to run as an unprivileged user once the interface is open.

14) Time for Cacti. It's very straightforward, no thinking needed, only balls required! Install everything from ports.
15) Configure the database for Cacti

mysqladmin -u root -p create cacti
mysql -u root -p
mysql> GRANT ALL ON cacti.* TO www@localhost IDENTIFIED BY 'shitagain';
mysql> flush privileges;
mysql> quit

16) Configure /cacti_path/cacti/include/config.php with that database user and password. The web server reads this file, so it should not be readable by anyone else; the same goes for BASE's base_conf.php.
17) Browse to Cacti at http://my-ip/cacti/
18) Done.
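BASE is the view the author uses once snort is running. For a quick command-line look at what an exposed port attracts (the question from the Feb 18 post), snort's alert_fast output (snort -A fast, or an output alert_fast line in snort.conf) writes one line per alert in a fixed layout. The parser and summary below is an added example written for this page, not snort's or BASE's code and not from the original post; the log lines, rule ids and messages in it are constructed:

```python
"""Added example (not snort's or BASE's code): summarising alert_fast output.

Step 13 leaves snort logging to MySQL for BASE. With the alert_fast output
(snort -A fast, or 'output alert_fast' in snort.conf) snort also writes one
line per alert, which is enough to answer the Feb 18 question of who is hitting
an exposed port and how hard. The log lines, rule ids and messages below are
constructed for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# alert_fast line layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
# Classification/Priority appear only when the rule sets them; ports are absent
# for protocols without them (ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert, or None for lines that are not alert_fast records."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(ts=m["ts"], sid=int(m["sid"]), msg=m["msg"],
                 priority=int(m["prio"]) if m["prio"] else None,
                 proto=m["proto"], src=m["src"],
                 sport=int(m["sport"]) if m["sport"] else None,
                 dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None)

def summarize(lines: List[str], port: int = 80) -> Dict[str, object]:
    """Alerts per source and per rule, plus the sources that touched `port`."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    return {
        "total": len(alerts),
        "unparsed": len(lines) - len(alerts),  # startup chatter, truncated lines
        "by_src": dict(Counter(a.src for a in alerts)),
        "by_sid": dict(Counter((a.sid, a.msg) for a in alerts)),
        "sources_to_port": sorted({a.src for a in alerts if a.dport == port}),
        "priority1": sum(1 for a in alerts if a.priority == 1),
    }

# Constructed sample log (local sids in the 1000000+ range, not real rules).
SAMPLE_LOG = [
    "02/18-21:03:11.512345  [**] [1:1000001:1] WEB-MISC probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4321 -> 192.0.2.10:80",
    "02/18-21:03:12.000001  [**] [1:1000001:1] WEB-MISC probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4322 -> 192.0.2.10:80",
    "02/18-21:05:40.777777  [**] [1:1000002:1] WEB-MISC long URI [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:1025 -> 192.0.2.10:80",
    "02/18-21:06:02.123456  [**] [1:1000003:2] ICMP echo sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "02/18-21:07:15.000000  [**] [1:1000004:1] local rule without classification [**] {TCP} 203.0.113.9:40000 -> 192.0.2.10:22",
    "Initializing Network Interface fxp0",  # a non-alert line snort also prints
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_LOG))
```

On the constructed sample this reports five alerts and one non-alert line, two distinct sources hitting port 80, and two priority-1 alerts. Pointing summarize() at the real file (open("/var/log/snort/alert").read().splitlines()) gives the same breakdown for the weekend's traffic; lines that do not match the layout are counted rather than silently dropped, which is how you notice a truncated or differently formatted log.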


Let the system run over the weekend to see how it's going to perform. Before this, I used OpenBSD 3.7 and had a lot of trouble keeping mysqld running. Let's see how my new FreeBSD system performs.