This guide assumes you’ve got a running ELK stack, and is tailored for a docker installation based on docker-elk. See my ELK on docker guide here.
Also, the NetFlow source configuration specifics are for a Ubiquiti EdgeRouter; you’ll need to get the specifics for your device if different. The Logstash side is the same whatever the exporter, as long as it sends NetFlow v5 or v9 to UDP 2055.
Ubiquiti EdgeRouter Config
configure
set system flow-accounting interface eth0
set system flow-accounting netflow version 9
set system flow-accounting netflow server <ip> port 2055
set system flow-accounting netflow enable-egress
commit
save
Logstash configuration
cd ~/docker-elk
Open ./logstash/pipeline/logstash.conf in your editor and make the input and output sections look like this (the index name must match the Kibana index pattern created below, logstash-nf*):
input {
  udp {
    port => 2055
    codec => netflow {
      versions => [5, 9]
    }
    type => netflow
  }
}
output {
  if [type] == "netflow" {
    elasticsearch {
      index => "logstash-nf-%{+YYYY.MM.dd}"
      hosts => "elasticsearch:9200"
    }
  } else {
    elasticsearch {
      hosts => "elasticsearch:9200"
    }
  }
}
Open docker-compose.yml in your editor, and add the following entry to the existing ports list of the logstash service so that NetFlow on port 2055 is routed to the logstash container:
ports:
- "2055:2055/udp"
NetFlow is plain, unauthenticated UDP: anything that can reach that port can inject bogus flows into your index. Publish it on the interface the router talks to (for example "192.0.2.5:2055:2055/udp" instead of "2055:2055/udp") or restrict it with a host firewall rule to the router’s address.
Restart ELK
sudo docker-compose up -d
sudo docker-compose restart
The up -d recreates the logstash container with the new port mapping. docker-elk bind-mounts ./logstash/pipeline into the container, so later edits to logstash.conf only need the restart.
Kibana configuration
- Browse to Kibana
- Go to Management, Index Patterns, and create an index pattern based on logstash-nf*
- Select netflow.last_switched as the time field
Test
If it’s working you should see the flows in the Kibana Discover tab (make sure to select logstash-nf*). If nothing turns up, first confirm the router is exporting (show flow-accounting interface eth0 in EdgeOS operational mode lists the flows being captured), then check the logstash container logs for codec errors.
Now you can go ahead and do some data mining, visualizations and dashboards.
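When you don’t want to wait for the router to produce traffic, a hand-crafted export packet is the quickest way to prove the UDP input, codec and index routing work. The script below is an added example written for this guide, not the EdgeRouter’s exporter or anything from docker-elk: it builds a NetFlow v9 datagram containing a template FlowSet followed by a data FlowSet using that template (so the collector can decode the records from the very first packet), decodes it back the way a collector would, and sends it to port 2055. The field IDs are from RFC 3954; the flows, template ID and the 127.0.0.1 target are constructed assumptions.

```python
"""Craft a NetFlow v9 export (template + data FlowSet) to exercise the Logstash
UDP input, plus a minimal decoder to check what was sent. Hypothetical test
tool written for this guide; not the EdgeRouter's exporter."""
import socket
import struct
import time
from ipaddress import IPv4Address

# NetFlow v9 field type IDs (RFC 3954, section 8) used by the template below.
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
LAST_SWITCHED, FIRST_SWITCHED = 21, 22
DIRECTION = 61  # 0 = ingress, 1 = egress (what the dashboards filter on)

TEMPLATE_ID = 256  # data template IDs must be 256 or higher (assumed value)
TEMPLATE = [  # (field type, length in bytes), in record order
    (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
    (PROTOCOL, 1), (DIRECTION, 1), (IN_BYTES, 4), (IN_PKTS, 4),
    (FIRST_SWITCHED, 4), (LAST_SWITCHED, 4),
]

# Constructed sample flows: an inbound Telnet probe from the WAN and an outbound HTTPS flow.
SAMPLE_FLOWS = [
    {"src": "203.0.113.10", "dst": "198.51.100.1", "sport": 54321, "dport": 23,
     "proto": 6, "direction": 0, "bytes": 120, "pkts": 2, "duration_ms": 500},
    {"src": "192.168.1.50", "dst": "203.0.113.200", "sport": 44444, "dport": 443,
     "proto": 6, "direction": 1, "bytes": 9000, "pkts": 12, "duration_ms": 3000},
]


def template_flowset():
    """FlowSet ID 0: announces TEMPLATE_ID and its field layout to the collector."""
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in TEMPLATE)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def encode_record(flow, uptime_ms):
    """One data record laid out exactly as TEMPLATE declares (30 bytes)."""
    return struct.pack(
        "!4s4sHHBBIIII",
        IPv4Address(flow["src"]).packed, IPv4Address(flow["dst"]).packed,
        flow["sport"], flow["dport"], flow["proto"], flow["direction"],
        flow["bytes"], flow["pkts"],
        uptime_ms - flow["duration_ms"], uptime_ms,  # FIRST/LAST_SWITCHED are sysUptime ms
    )


def data_flowset(flows, uptime_ms):
    """FlowSet whose ID is the template ID; body padded to a 4-byte boundary."""
    body = b"".join(encode_record(f, uptime_ms) for f in flows)
    body += b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


def build_packet(flows, seq=0, uptime_ms=60_000, now=None, source_id=1):
    """20-byte v9 header; count covers the template record plus every data record."""
    now = int(time.time()) if now is None else now
    header = struct.pack("!HHIIII", 9, 1 + len(flows), uptime_ms, now, seq, source_id)
    return header + template_flowset() + data_flowset(flows, uptime_ms)


def decode_packet(packet):
    """Learn templates from the packet and decode its data records (collector side)."""
    version, count, _uptime, _secs, seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    offset, templates, records = 20, {}, []
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4:  # a malformed length would otherwise loop forever
            break
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:
            tid, nfields = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(nfields)]
        elif fs_id in templates:
            fields = templates[fs_id]
            rec_len, pos = sum(flen for _, flen in fields), 0
            while pos + rec_len <= len(body):  # trailing padding is shorter than a record
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[pos:pos + flen], "big")
                    pos += flen
                records.append(rec)
        offset += fs_len
    return {"version": version, "count": count, "sequence": seq, "records": records}


def send(packet, host, port=2055):
    """Fire the export at the collector (the docker host publishing 2055/udp)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (host, port))


if __name__ == "__main__":
    pkt = build_packet(SAMPLE_FLOWS, seq=1)
    print(len(pkt), "bytes;", decode_packet(pkt)["records"])
    send(pkt, "127.0.0.1")  # assumed: Logstash reachable on localhost; adjust the host
```

After running it, the two flows should appear in Discover under logstash-nf* with netflow.l4_dst_port 23 (direction 0) and 443 (direction 1). Because templates are sent in-band, a real exporter only repeats them periodically; if you restart Logstash it will drop data records until the router’s next template refresh, which is normal and not a configuration error.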
Some filter and visualization ideas
Purpose: See what outsiders (bots, worms etc.) are attempting to connect to via your WAN interface on low ports (< 1024)
Chart Style: Pie
Search: netflow.l4_dst_port:<1024 AND netflow.direction:0
Buckets: Split by netflow.l4_dst_port
Add Sub-Bucket: Split by netflow.ipv4_src_addr.keyword
Purpose: Look at 23/TCP Telnet based botnet activity over time
Chart Style: Area
Search: netflow.l4_dst_port:23 AND netflow.direction:0
Y-Axis: Count
X-Axis: Date Histogram with netflow.last_switched
Purpose: Look into what a specific LAN side IoT device is connecting to
Chart Style: Pie
Search: netflow.ipv4_src_addr:<device ip> AND netflow.direction:1
Buckets: Split by netflow.l4_dst_port
Add Sub-Bucket: Split by netflow.ipv4_dst_addr.keyword (the search already pins the source address, so the sub-bucket is the destination)
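To sanity-check a visualization before building it in Kibana, the same filter-then-bucket logic can be run over exported events offline. This is an added example written for this guide, not code from the page or from Logstash: it takes a handful of constructed events in the flat shape the netflow codec emits (the real documents nest these under netflow.) and reproduces the two pie charts above, the inbound low-port view split by destination port then source address, and the single-device egress view split by destination port then destination address.

```python
"""Reproduce the dashboard buckets offline over codec-style NetFlow events.
Added example for this guide; the events are constructed, not captured data."""
from collections import Counter, defaultdict

# Constructed sample events (fields as the Logstash netflow codec names them).
SAMPLE_EVENTS = [
    {"ipv4_src_addr": "203.0.113.10", "ipv4_dst_addr": "198.51.100.1", "l4_dst_port": 23, "direction": 0},
    {"ipv4_src_addr": "203.0.113.10", "ipv4_dst_addr": "198.51.100.1", "l4_dst_port": 2323, "direction": 0},
    {"ipv4_src_addr": "203.0.113.77", "ipv4_dst_addr": "198.51.100.1", "l4_dst_port": 23, "direction": 0},
    {"ipv4_src_addr": "203.0.113.77", "ipv4_dst_addr": "198.51.100.1", "l4_dst_port": 22, "direction": 0},
    {"ipv4_src_addr": "192.168.1.50", "ipv4_dst_addr": "203.0.113.200", "l4_dst_port": 443, "direction": 1},
    {"ipv4_src_addr": "192.168.1.50", "ipv4_dst_addr": "203.0.113.201", "l4_dst_port": 8883, "direction": 1},
    {"ipv4_src_addr": "192.168.1.50", "ipv4_dst_addr": "203.0.113.200", "l4_dst_port": 443, "direction": 1},
    {"ipv4_src_addr": "192.168.1.60", "ipv4_dst_addr": "203.0.113.202", "l4_dst_port": 80, "direction": 1},
]


def _bucket(events, keep, first, second):
    """Generic two-level terms aggregation: {first-key: {second-key: count}}."""
    buckets = defaultdict(Counter)
    for event in events:
        if keep(event):
            buckets[event[first]][event[second]] += 1
    return {key: dict(inner) for key, inner in buckets.items()}


def inbound_low_ports(events, max_port=1024):
    """netflow.l4_dst_port:<1024 AND netflow.direction:0, split by dst port, then src addr."""
    return _bucket(
        events,
        keep=lambda e: e["direction"] == 0 and e["l4_dst_port"] < max_port,
        first="l4_dst_port", second="ipv4_src_addr",
    )


def device_egress(events, device_ip):
    """netflow.ipv4_src_addr:<device ip> AND netflow.direction:1, split by dst port, then dst addr."""
    return _bucket(
        events,
        keep=lambda e: e["direction"] == 1 and e["ipv4_src_addr"] == device_ip,
        first="l4_dst_port", second="ipv4_dst_addr",
    )


if __name__ == "__main__":
    print("inbound low ports:", inbound_low_ports(SAMPLE_EVENTS))
    print("192.168.1.50 egress:", device_egress(SAMPLE_EVENTS, "192.168.1.50"))
```

The port 2323 probe drops out of the first view because of the < 1024 filter, exactly as it would in Kibana; if you care about alternate Telnet ports, widen the search rather than the bucket.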
What’s next?
I’ll look to enrich the NetFlow data with:
- Reverse DNS resolution on destination hosts, using the dns Logstash plugin
- Geo-IP lookup to determine the country/city of the destination hosts, using the geoip Logstash plugin