Security Onion netflow receiving port


Ben Stroba

Jun 13, 2017, 3:13:43 PM6/13/17
to security-onion
Hello everyone

I just got Security Onion configured with Sguil/ELSA/Kibana/Squert.
I have NetFlow being pointed to it over port 7734,
but I'm not seeing anything in Sguil.

What are the recommended ports for Security Onion?

Thanks
Ben

Wes Lambert

Jun 13, 2017, 10:53:55 PM6/13/17
to securit...@googlegroups.com
Ben,

You won't see anything in Sguil, as it will not ingest this data.

Try pointing syslog to port 514 of your Security Onion box after running so-allow.  Then try looking in ELSA/Kibana.

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Ben Stroba

Jun 14, 2017, 12:10:41 AM6/14/17
to security-onion
On Tuesday, June 13, 2017 at 7:53:55 PM UTC-7, Wes wrote:
> Ben,
>
>
> You won't see anything in Sguil, as it will not ingest this data.
>
>
> Try pointing syslog to port 514 of your Security Onion box after running so-allow.  Then try looking in ELSA/Kibana.
>
>
> Thanks,
> Wes

Like always Wes, thank you.
Is there any other port that needs to be open for NetFlow to point to Security Onion, or is it just syslog?

I also wanted to ask your opinion of OSSIM. Have you ever used it?

Thanks
Ben

KennyWap

Jun 14, 2017, 12:28:33 PM6/14/17
to security-onion
Ben,

If you are truly trying to capture NetFlow (like Cisco's NetFlow, IPFIX, JFlow or something of the like), an open-source way to do this would be to set up an nfcapd listener to accept flow records.

I have attached a SANS paper as a reference for doing this using Splunk, but if you like the ELK stack I would look into Phil Hagen's SOF-ELK VM found here:

https://github.com/philhagen/sof-elk/blob/master/VM_README.md

netflow-collection-analysis-nfcapd-python-splunk-35747.pdf

Ben Stroba

Jun 14, 2017, 1:30:08 PM6/14/17
to security-onion

Thanks Kenny
I have implemented the following so far:
* Security Onion with the following: Kibana/Squert/ELSA
* OSSIM
* In place prior was Cisco Sourcefire IPS/IDS/SIEM (I pointed syslog from it to the items above)

Just trying to lay out the footprint better for evaluating threats and enhance visibility.

Thank you
I will look into your suggestion

Ben
