What Configuration Options Should I Include in a Cisco ISR Configuration?

The following are the lines relevant to enabling Netflow in a Cisco ISR:

What to Collect

flow record MyNetflow
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect transport tcp flags
collect counter bytes long
collect counter packets long
collect timestamp absolute last
collect flow end-reason
collect timestamp absolute first
!

Where to Send the Data

flow exporter MyNetflow
destination destination.ip.goes.here
source GigabitEthernet0/0/0
transport udp 2055
template data timeout 60
!

Tie Them Together

flow monitor MyNetflow
exporter MyNetflow
cache timeout active 60
record MyNetflow
!

The “ip flow monitor” lines associate this interface with sending Netflow records:

interface GigabitEthernet0/0/1
ip flow monitor MyNetflow input
ip flow monitor MyNetflow output
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip nat inside
!
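The three blocks above only produce flows if they are wired together correctly: the monitor must name a defined record and a defined exporter, the exporter needs a destination and a UDP port, the record needs the 5-tuple match keys, and at least one interface must apply a defined monitor in both directions. The following Python linter is an added example (not Cisco's or Active Countermeasures' code) that checks exactly that wiring. Its sample configuration is constructed and deliberately misspells the monitor name on the interface; the check treats names as case-sensitive, so it reports the mismatch.

```python
"""Lint a Cisco Flexible NetFlow configuration for the record/exporter/monitor/interface wiring."""
import re

# Constructed sample in the FAQ's layout, with one deliberate mistake:
# the interface references "MyNetFlow" while the monitor is named "MyNetflow".
SAMPLE_CONFIG = """\
flow record MyNetflow
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
!
flow exporter MyNetflow
 destination 192.0.2.10
 transport udp 2055
 template data timeout 60
!
flow monitor MyNetflow
 exporter MyNetflow
 record MyNetflow
!
interface GigabitEthernet0/0/1
 ip flow monitor MyNetFlow input
!
"""

# Match keys a record needs so each flow is keyed on the full 5-tuple.
REQUIRED_MATCH = {
    "ipv4 protocol", "ipv4 source address", "ipv4 destination address",
    "transport source-port", "transport destination-port",
}

SECTION_RE = re.compile(r"(flow record|flow exporter|flow monitor|interface)\s+(\S+)$")


def parse_sections(config):
    """Split an IOS-style config into {(kind, name): [lines]}; '!' closes a section."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def lint(config):
    """Return a list of problem strings; an empty list means the wiring is complete."""
    s = parse_sections(config)
    records = {n: b for (k, n), b in s.items() if k == "flow record"}
    exporters = {n: b for (k, n), b in s.items() if k == "flow exporter"}
    monitors = {n: b for (k, n), b in s.items() if k == "flow monitor"}
    interfaces = {n: b for (k, n), b in s.items() if k == "interface"}
    problems = []

    for name, body in records.items():
        keys = {l[len("match "):] for l in body if l.startswith("match ")}
        missing = REQUIRED_MATCH - keys
        if missing:
            problems.append(f"flow record {name}: missing match keys {sorted(missing)}")
    for name, body in exporters.items():
        if not any(l.startswith("destination ") for l in body):
            problems.append(f"flow exporter {name}: no destination")
        if not any(re.match(r"transport udp \d+$", l) for l in body):
            problems.append(f"flow exporter {name}: no 'transport udp <port>'")
    for name, body in monitors.items():
        for kw, table in (("record", records), ("exporter", exporters)):
            refs = [l.split()[1] for l in body if l.startswith(kw + " ")]
            if not refs:
                problems.append(f"flow monitor {name}: no {kw} configured")
            for r in refs:
                if r not in table:
                    problems.append(f"flow monitor {name}: {kw} '{r}' is not defined")

    applied = False  # becomes True once some interface applies a defined monitor both ways
    for name, body in interfaces.items():
        dirs = {}
        for l in body:
            m = re.match(r"ip flow monitor (\S+) (input|output)$", l)
            if m:
                dirs.setdefault(m.group(1), set()).add(m.group(2))
        for mon, d in dirs.items():
            if mon not in monitors:
                problems.append(f"interface {name}: monitor '{mon}' is not defined")
            elif d != {"input", "output"}:
                problems.append(f"interface {name}: monitor '{mon}' applied only {sorted(d)}")
            else:
                applied = True
    if not applied:
        problems.append("no interface applies a defined monitor in both directions")
    return problems


if __name__ == "__main__":
    for p in lint(SAMPLE_CONFIG) or ["no problems found"]:
        print(p)
```

Feed it the output of `show running-config` (or the relevant sections) and fix anything it lists before looking further down the pipeline; a monitor that is defined but never applied, or applied in one direction only, is the most common reason a sensor sees half of each conversation or nothing at all.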

For more information about configuring Cisco routers, see:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/xe-16/fnf-xe-16-book/fnf-ipv4-uni.html


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=2726


Can I Feed Netflow Records From More Than One Router/Device to an Active-Flow Instance?

Yes, as many as you want! All records will show up in a single AC-Hunter database. If you need to separate them into individual databases, you’ll need two Active-Flow docker instances (which must be on separate physical systems).


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=2725


Can I Run Active-Flow and Import Standard Zeek Logs on a Single AC-Hunter System?

Yes. You can have one or more Active-Flow systems and one or more Zeek systems feeding a single AC-Hunter instance. Each one feeds a different database whose name is: “hostname__ipaddress-rolling” so you can distinguish between them.

Note: you can’t have Zeek and the Active-Flow module running on the same system, because both write their output to /opt/zeek/logs/.


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=2724


Troubleshooting Active-Flow

Is the Active-Flow docker instance running?

On the Active-Flow system run:

sudo docker ps

The output should include one line that ends in “active-flow”, indicating that the instance is currently up and forwarding UDP port 2055 into the container. Example:

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
237ae0c61325 ac-hunter/flow "/home/flow/active-f…" 6 weeks ago Up 6 weeks 0.0.0.0:2055->2055/udp active-flow


Are inbound UDP port 2055 packets allowed by the firewall?

On the Active-Flow system get a firewall listing with:

sudo iptables -L INPUT -nxv

If the INPUT chain has no rules and a policy of ACCEPT (like the following):

Chain INPUT (policy ACCEPT 3130808 packets, 1218284392 bytes)
pkts bytes target prot opt in out source destination
$

that means all incoming traffic is allowed. If you do have rules in this chain and need help determining whether that port is open, please send the above output to [email protected]


Are Netflow packets arriving on UDP port 2055 on the Active-Flow system?

The tcpdump program can print one line of output for each received packet. Here’s a sample command to report on received Netflow packets, assuming that the primary network interface to the Internet is eth0:

sudo tcpdump -i eth0 -qtnp -c 10 'udp port 2055'

If Netflow records are arriving on that port, you’ll see output similar to:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 264
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 120
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 120
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 312
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 120
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 312
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 76
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 1080
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 1032
IP a.b.c.d.57001 > e.f.g.h.2055: UDP, length 456
10 packets captured
10 packets received by filter
0 packets dropped by kernel

This shows that the router at a.b.c.d is sending Netflow records to the Active-Flow system at e.f.g.h.

If the tcpdump command prints “listening on eth0...” and stops, producing no more output, you may want to check your router configuration to make sure it’s feeding Netflow records to the right address and port. Please see the FAQ item “What Configuration Options Should I Include in a Cisco ISR Configuration?” (at the top of this page) for a suggested configuration for Cisco ISR routers.


Are records making it out to log files?

Active-Flow saves its output to the “/opt/zeek/logs/” directory tree. In particular, the currently generated logs are in “/opt/zeek/logs/flow-spool”.

To confirm that Active-Flow is saving records to disk, run the following on the Active-Flow system:

cd /opt/zeek/logs/flow-spool/
ls -al
tail -f conn.log

Within 60 seconds you should see new lines being added to this file. (Note: in the first 10 minutes after rebooting Active-Flow’s system or restarting Active-Flow, you may not see entries being added until the router sends the first template. Either wait for 15 minutes to pass, or run “sudo docker logs -f active-flow --tail=20” and look for lines like:

time="2020-03-03T21:47:37Z" level=error msg="Could not decode incoming data" error="No info template 2615 found for and domain id 256" fatal=false

to confirm that this is why you’re not yet getting logs. This issue should definitely disappear by the time the system has been up for 15 minutes.)
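Both the tcpdump check above and the “No info template ... found” log line come down to the same mechanism: NetFlow v9 and IPFIX exports are template-driven, so a collector can count data packets arriving on UDP 2055 yet still be unable to decode any of them until the template set they reference has arrived for that observation domain (which is what the exporter’s “template data timeout 60” bounds). The following Python example is added here and is not Active-Flow’s code: it parses the v9/IPFIX packet header and the sets inside it, keeps a per-domain template cache, and reports the same “no template yet” condition on constructed packets. Template ID 2615 and domain 256 are borrowed from the log line above; the field layout of the template is made up, and variable-length IPFIX fields are not handled.

```python
"""Classify NetFlow v9 / IPFIX export packets and show why data records cannot
be decoded until the exporter has sent the template they reference."""
import struct

V9_HEADER = struct.Struct("!HHIIII")    # version, count, sysUptime, unixSecs, sequence, sourceID
IPFIX_HEADER = struct.Struct("!HHIII")  # version, length, exportTime, sequence, observationDomainID
SET_HEADER = struct.Struct("!HH")       # flowset/set ID, length in bytes including this header


class TemplateCache:
    """Per-observation-domain template store: the state a collector must hold
    before any data set (ID >= 256) can be decoded."""

    def __init__(self):
        self.templates = {}  # (domain_id, template_id) -> [(field_type, field_len), ...]

    def process(self, packet):
        """Parse one export packet and return one outcome string per set."""
        version = struct.unpack_from("!H", packet)[0]
        if version == 9:
            domain = V9_HEADER.unpack_from(packet)[5]
            offset, template_ids, ipfix = V9_HEADER.size, (0,), False   # flowset 0 = templates
        elif version == 10:
            _, length, _, _, domain = IPFIX_HEADER.unpack_from(packet)
            packet = packet[:length]
            offset, template_ids, ipfix = IPFIX_HEADER.size, (2,), True  # set 2 = templates
        else:
            return [f"unsupported export version {version}"]
        results = []
        while offset + SET_HEADER.size <= len(packet):
            set_id, set_len = SET_HEADER.unpack_from(packet, offset)
            if set_len < SET_HEADER.size:
                results.append("malformed set length")
                break
            body = packet[offset + SET_HEADER.size:offset + set_len]
            if set_id in template_ids:
                results.append(self._load_templates(domain, body, ipfix))
            elif set_id >= 256:
                results.append(self._decode_data(domain, set_id, body))
            else:
                results.append(f"options/reserved set {set_id} skipped")
            offset += set_len
        return results

    def _load_templates(self, domain, body, ipfix):
        """Store every template record in a template set; IDs below 256 are padding/invalid."""
        loaded, pos = [], 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            if tid < 256:
                break
            fields = []
            for _ in range(nfields):
                ftype, flen = struct.unpack_from("!HH", body, pos)
                pos += 4
                if ipfix and ftype & 0x8000:  # enterprise-specific IE carries a 4-byte PEN
                    pos += 4
                fields.append((ftype & 0x7FFF, flen))
            self.templates[(domain, tid)] = fields
            loaded.append(tid)
        return f"template(s) {loaded} loaded for domain {domain}"

    def _decode_data(self, domain, tid, body):
        """Count fixed-length records in a data set, or report the missing template."""
        fields = self.templates.get((domain, tid))
        if fields is None:
            # This is the condition behind the "No info template ... found" log line.
            return f"data set {tid}: no template yet for domain {domain}, {len(body)} bytes held"
        rec_len = sum(flen for _, flen in fields)
        if rec_len == 0:
            return f"data set {tid}: empty template, nothing to decode"
        return f"data set {tid}: {len(body) // rec_len} record(s) of {rec_len} bytes decoded"


def v9_packet(domain, flowsets):
    """Build a constructed NetFlow v9 packet from (flowset_id, body_bytes) pairs."""
    body = b"".join(SET_HEADER.pack(fid, SET_HEADER.size + len(b)) + b for fid, b in flowsets)
    return V9_HEADER.pack(9, len(flowsets), 0, 0, 0, domain) + body


def ipfix_packet(domain, sets):
    """Build a constructed IPFIX message from (set_id, body_bytes) pairs."""
    body = b"".join(SET_HEADER.pack(sid, SET_HEADER.size + len(b)) + b for sid, b in sets)
    return IPFIX_HEADER.pack(10, IPFIX_HEADER.size + len(body), 0, 0, domain) + body


# Constructed template 2615: src/dst IPv4 (4+4), src/dst port (2+2), protocol (1), bytes (4) = 17 bytes.
TEMPLATE_2615 = struct.pack("!HH", 2615, 6) + b"".join(
    struct.pack("!HH", t, l) for t, l in [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)])
DATA_RECORDS = 2 * bytes(range(17)) + b"\x00\x00"   # two 17-byte records plus 2 bytes of padding
DATA_FIRST = v9_packet(256, [(2615, DATA_RECORDS)])
TEMPLATE_THEN_DATA = v9_packet(256, [(0, TEMPLATE_2615), (2615, DATA_RECORDS)])


def demo():
    """Data before its template is undecodable; once the template arrives the same data decodes."""
    cache = TemplateCache()
    return cache.process(DATA_FIRST) + cache.process(TEMPLATE_THEN_DATA)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first packet produces the “no template yet” outcome, the second loads template 2615 and then decodes two records from the same bytes. A collector that starts after the router’s last template resend is in exactly the first state until the next resend, which is why the FAQ says to wait rather than assume the sensor is broken.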


Are the compressed logs getting sent to /opt/zeek/logs/yyyy-mm-dd each hour?

At the end of each hour the active logs are compressed and moved to a directory for today’s date. To see them, run:

ls -al /opt/zeek/logs/`date +%Y-%m-%d`/

With the exception of the hour right after midnight you should see multiple files with the extension “.log.gz”. If you don’t, check with [email protected]
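The checks from “Is the Active-Flow docker instance running?” down to the hourly archive directory can be run as one script. The following Python health check is an added example, not part of Active-Flow: each check parses command output or file state in its own function so it can be exercised against captured samples, and it encodes the two caveats above (conn.log should change within 60 seconds; nothing is expected in today’s archive directory during the hour after midnight). The sample docker ps and iptables outputs inside it are constructed, modelled on the FAQ’s examples; the paths and commands are the ones the FAQ gives.

```python
"""Walk the Active-Flow troubleshooting checks, with parsing split out per check."""
import datetime
import os
import subprocess
import time

# Constructed sample outputs modelled on the FAQ's examples (not captured from a live system).
SAMPLE_DOCKER_PS = """\
CONTAINER ID   IMAGE            COMMAND                  CREATED       STATUS       PORTS                    NAMES
237ae0c61325   ac-hunter/flow   "/home/flow/active-f…"   6 weeks ago   Up 6 weeks   0.0.0.0:2055->2055/udp   active-flow
"""
SAMPLE_IPTABLES_OPEN = """\
Chain INPUT (policy ACCEPT 3130808 packets, 1218284392 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""
SAMPLE_IPTABLES_RULES = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  102334   40212311 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2055
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""


def container_up(docker_ps):
    """True if `docker ps` output shows the active-flow container up with UDP 2055 mapped in."""
    return any(line.endswith("active-flow") and " Up " in line and "2055->2055/udp" in line
               for line in docker_ps.splitlines())


def input_chain_allows_udp_2055(iptables):
    """Decide from `iptables -L INPUT -nxv` output whether inbound UDP 2055 is accepted:
    rules are walked in order (first match wins), then the chain policy applies.
    Source/interface restrictions and port ranges (dpts:) are not evaluated, so the
    answer is a strong hint, not proof. None means the output was unusable."""
    lines = [l for l in iptables.splitlines() if l.strip() and not l.strip().startswith("$")]
    if not lines or "(policy " not in lines[0]:
        return None
    policy = lines[0].split("(policy ")[1].split()[0]
    for rule in lines[2:]:  # lines[1] is the column header
        cols = rule.split()
        if len(cols) < 9:
            continue
        target, prot, extras = cols[2], cols[3], " ".join(cols[9:])
        if prot not in ("udp", "all"):
            continue
        if "dpt:" in extras and "dpt:2055" not in extras:
            continue
        if target == "ACCEPT":
            return True
        if target in ("DROP", "REJECT"):
            return False
    return policy == "ACCEPT"


def spool_is_fresh(conn_log="/opt/zeek/logs/flow-spool/conn.log", max_age=60, now=None):
    """True if conn.log was modified within max_age seconds; None if the file is missing."""
    try:
        age = (now or time.time()) - os.stat(conn_log).st_mtime
    except FileNotFoundError:
        return None
    return age <= max_age


def hourly_archives(logs_root="/opt/zeek/logs", now=None):
    """Return (count of .log.gz files in today's directory, whether any are expected yet)."""
    now = now or datetime.datetime.now()
    day_dir = os.path.join(logs_root, now.strftime("%Y-%m-%d"))
    try:
        gz = [f for f in os.listdir(day_dir) if f.endswith(".log.gz")]
    except FileNotFoundError:
        gz = []
    return len(gz), now.hour > 0   # the first rotation of the day lands after 01:00


def main():
    """Run the live checks on an Active-Flow system (docker and iptables need sudo)."""
    ps = subprocess.run(["sudo", "docker", "ps"], capture_output=True, text=True).stdout
    ipt = subprocess.run(["sudo", "iptables", "-L", "INPUT", "-nxv"], capture_output=True, text=True).stdout
    count, expected = hourly_archives()
    print("active-flow container up:", container_up(ps))
    print("inbound udp/2055 allowed by INPUT chain:", input_chain_allows_udp_2055(ipt))
    print("conn.log updated within 60 s:", spool_is_fresh())
    print("hourly .log.gz files today:", count, "" if expected else "(none expected yet, hour after midnight)")


if __name__ == "__main__":
    main()
```

A `False` from the firewall check with a restrictive policy is the case to look at first, since nothing downstream can work until the router’s packets are accepted; a `None` from the spool check means the flow-spool directory itself is missing, which points back at the container rather than at the router.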


Are ssh connections allowed from Active-Flow to AC-Hunter?

Can you ssh from Active-Flow to dataimport@AC-Hunter without supplying a password?

Can you run zeek_log_transport.sh and push logs to AI-Hunter?

Is the cron job set up to automatically transfer logs?

Are the logs showing up on the AC-Hunter system in /opt/zeek/remotelogs/sensor-name/yyyy-mm-dd ?

The above 5 questions are covered in the FAQ at https://portal.activecountermeasures.com/support/faq/?Display_FAQ=861


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=2722
