Introduction
This tooltip shows how to install SiLK and YAF on a single machine for standalone flow collection and analysis.
You do not need multiple network interface cards for flow collection to work. Multiple NICs work fine, but
this tooltip describes installation with a single NIC.
As of YAF v1.0 the libairframe libraries come packaged with YAF, so you do not need to install that library separately.
Prerequisites
You should have a fully functional copy of Ubuntu 12.04 installed. We assume the system has been fully updated.
If you are behind a proxy, set the system wide proxy via System Settings->Network->Network Proxy.
Open a terminal window and type the following commands.
You will need gcc, gcc-c++, glib2, glib2-devel, libpcap, libpcap-devel, python and python-devel.
sudo apt-get -y install libglib2.0-dev
sudo apt-get -y install libpcap-dev
sudo apt-get -y install python-dev
Download NetSA Software
Downloads of NetSA software can be found on our website: http://tools.netsa.cert.org/ The commands below assume the downloaded tarballs were saved in ~/tmp.
Install fixbuf
cd ~/tmp
tar -zxvf libfixbuf-1.2.0.tar.gz
cd libfixbuf-1.2.0
./configure && make
sudo make install
Install YAF
cd ~/tmp
tar -zxvf yaf-2.3.2.tar.gz
cd yaf-2.3.2
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
./configure --enable-applabel
make
sudo make install
Install SiLK
We will use /data as the place to store our data; let's create it first:
sudo mkdir /data
Build and install SiLK
cd ~/tmp
tar -xvzf silk-2.5.0.tar.gz
cd silk-2.5.0
./configure \
--with-libfixbuf=/usr/local/lib/pkgconfig/ \
--with-python
make
sudo make install
Instead of exporting LD_LIBRARY_PATH each time you use SiLK, it is easier to add the following paths to ld.so.conf:
cat <<EOF >silk.conf
/usr/local/lib
/usr/local/lib/silk
EOF
sudo mv silk.conf /etc/ld.so.conf.d/
And run ldconfig:
sudo ldconfig
Configure the firewall
YAF sends its flows to rwflowpack on TCP port 18001. Because both run on this machine and talk over 127.0.0.1, no rule is normally needed: on Ubuntu using ufw, localhost traffic is not generally blocked. Only if YAF ran on a different host would you need to allow port 18001 in.
Configure Silk
Use the default silk.conf file. Edit the sensor descriptions if desired.
cd ~/tmp/silk-2.5.0
sudo cp site/twoway/silk.conf /data
Next create the sensors.conf file. Add the following lines.
IMPORTANT: Make sure the ipblocks below match your "internal" network blocks.
cat <<EOF >sensors.conf
probe S0 ipfix
listen-on-port 18001
protocol tcp
listen-as-host 127.0.0.1
end probe
group my-network
ipblocks 192.168.1.0/24 # network block of eth0. CHANGE THIS.
ipblocks 10.0.0.0/8 # other blocks you consider internal
end group
sensor S0
ipfix-probes S0
internal-ipblocks @my-network
external-ipblocks remainder
end sensor
EOF
sudo mv sensors.conf /data
If all your records show up as type ext2ext, it means your internal netblocks were not configured correctly.
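The symptom above (every record typed ext2ext because the ipblocks do not cover your network) can be checked before collection starts. The script below is an added example, not part of this tooltip or of SiLK: it pulls the ipblocks entries out of a sensors.conf and tests whether a given IPv4 address falls inside one of them, using only POSIX sh arithmetic so it works before SiLK is installed. The sensors.conf text embedded in it is a constructed sample mirroring the one above, 192.168.1.37 and 172.16.5.9 are assumed addresses, and the `ip -4 -o addr show eth0` line in the usage comment assumes the capture interface is eth0 as in the tooltip.

```shell
#!/bin/sh
# Added example (not from the NetSA tooltip): confirm that the capture
# interface's address is covered by an "ipblocks" entry in sensors.conf.
# If it is not, rwflowpack classifies every flow as ext2ext.

# Constructed sample sensors.conf, mirroring the tooltip's layout.
SAMPLE_SENSORS_CONF='probe S0 ipfix
  listen-on-port 18001
  protocol tcp
  listen-as-host 127.0.0.1
end probe
group my-network
  ipblocks 192.168.1.0/24   # network block of eth0
  ipblocks 10.0.0.0/8       # other blocks considered internal
end group
sensor S0
  ipfix-probes S0
  internal-ipblocks @my-network
  external-ipblocks remainder
end sensor'

# ip4_to_int A.B.C.D -> the address as a 32-bit integer (192.168.1.37 -> 3232235813)
ip4_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK[/PREFIX] -> exit 0 if ADDR lies inside the block
# (a bare address, as sensors.conf allows, is treated as a /32)
in_cidr() {
    case "$2" in */*) ;; *) set -- "$1" "$2/32" ;; esac
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( 4294967296 - (1 << (32 - prefix)) ))   # top PREFIX bits set
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# list_ipblocks CONF_TEXT -> one ipblocks value per line, comments stripped
list_ipblocks() {
    printf '%s\n' "$1" | sed -n 's/#.*//; s/^[[:space:]]*ipblocks[[:space:]]*//p'
}

# is_internal ADDR CONF_TEXT -> exit 0 if ADDR is inside any ipblocks entry
is_internal() {
    for block in $(list_ipblocks "$2"); do
        in_cidr "$1" "$block" && return 0
    done
    return 1
}

# check_capture_address ADDR CONF_TEXT -> prints a verdict; exit 1 on a miss
check_capture_address() {
    if is_internal "$1" "$2"; then
        echo "ok: $1 is covered by an internal ipblocks entry"
    else
        echo "WARNING: $1 is not in any ipblocks entry; flows will be typed ext2ext"
        return 1
    fi
}

# Demonstration on the constructed sample: the first address is covered, the second is not.
check_capture_address 192.168.1.37 "$SAMPLE_SENSORS_CONF"
check_capture_address 172.16.5.9 "$SAMPLE_SENSORS_CONF" || true

# On a live host (assumes the capture interface is eth0, as in the tooltip):
#   check_capture_address "$(ip -4 -o addr show eth0 | awk '{print $4}' | cut -d/ -f1)" \
#                         "$(cat /data/sensors.conf)"
```

Run it once after writing /data/sensors.conf and again whenever the interface address changes; a WARNING here is the same misconfiguration that shows up later as nothing but ext2ext records in rwfilter output.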
Configure rwflowpack
We will configure rwflowpack to listen for flows from YAF. We copy the default rwflowpack.conf, changing some values (the patterns are anchored to the start of the line so commented-out examples are left alone):
sed -e 's/^ENABLED=.*/ENABLED=yes/' \
    -e 's|^SENSOR_CONFIG=.*|SENSOR_CONFIG=/data/sensors.conf|' \
    -e 's|^SITE_CONFIG=.*|SITE_CONFIG=/data/silk.conf|' \
    -e 's/^LOG_TYPE=.*/LOG_TYPE=legacy/' \
    -e 's|^LOG_DIR=.*|LOG_DIR=/var/log|' \
    -e 's/^CREATE_DIRECTORIES=.*/CREATE_DIRECTORIES=yes/' \
    /usr/local/share/silk/etc/rwflowpack.conf > rwflowpack.conf
sudo mv rwflowpack.conf /usr/local/etc/
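A sed substitution whose pattern matches nothing is silently a no-op, so a key that is named differently in the shipped rwflowpack.conf stays unset with no error and rwflowpack simply refuses to start. The functions below are an added example, not part of this tooltip or of SiLK: they render the configuration and then verify that every expected key=value pair is actually present. The default file embedded in them is a constructed stand-in for /usr/local/share/silk/etc/rwflowpack.conf containing only the keys the tooltip edits; the real file has more keys and comments, and the install prefix /usr/local in the usage comment is assumed.

```shell
#!/bin/sh
# Added example (not from the NetSA tooltip): render rwflowpack.conf and fail
# loudly if any of the settings did not take effect.

# Constructed stand-in for the shipped default rwflowpack.conf.
SAMPLE_DEFAULT_CONF='# rwflowpack.conf (constructed sample)
ENABLED=
SENSOR_CONFIG=
SITE_CONFIG=
LOG_TYPE=syslog
LOG_DIR=/var/log/silk
CREATE_DIRECTORIES=no'

# render_rwflowpack_conf CONF_TEXT -> prints the edited configuration
render_rwflowpack_conf() {
    printf '%s\n' "$1" | sed \
        -e 's|^ENABLED=.*|ENABLED=yes|' \
        -e 's|^SENSOR_CONFIG=.*|SENSOR_CONFIG=/data/sensors.conf|' \
        -e 's|^SITE_CONFIG=.*|SITE_CONFIG=/data/silk.conf|' \
        -e 's|^LOG_TYPE=.*|LOG_TYPE=legacy|' \
        -e 's|^LOG_DIR=.*|LOG_DIR=/var/log|' \
        -e 's|^CREATE_DIRECTORIES=.*|CREATE_DIRECTORIES=yes|'
}

# conf_value CONF_TEXT KEY -> prints the value assigned to KEY (empty if absent)
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# verify_rwflowpack_conf CONF_TEXT -> exit 0 only if every expected key=value is present
verify_rwflowpack_conf() {
    rc=0
    for pair in ENABLED=yes SENSOR_CONFIG=/data/sensors.conf SITE_CONFIG=/data/silk.conf \
                LOG_TYPE=legacy LOG_DIR=/var/log CREATE_DIRECTORIES=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "rwflowpack.conf: $key is '$got', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed sample.
RENDERED=$(render_rwflowpack_conf "$SAMPLE_DEFAULT_CONF")
verify_rwflowpack_conf "$RENDERED" && echo "rwflowpack.conf: all settings applied"

# On a real host (assumes the default SiLK install prefix /usr/local):
#   render_rwflowpack_conf "$(cat /usr/local/share/silk/etc/rwflowpack.conf)" > rwflowpack.conf
#   verify_rwflowpack_conf "$(cat rwflowpack.conf)" && sudo mv rwflowpack.conf /usr/local/etc/
```

The verify step is what the tooltip's pipeline lacks: it reads the result back and compares each value, so a renamed or missing key in a newer SiLK release is reported before rwflowpack is started rather than discovered in the log.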
Next copy the startup script into /etc/init.d and set it to start on boot.
sudo cp /usr/local/share/silk/etc/init.d/rwflowpack /etc/init.d
sudo update-rc.d rwflowpack start 20 3 4 5 .
sudo service rwflowpack start
Start YAF
IMPORTANT: Make sure the interface (eth0 below) matches the interface on which you want to capture.
sudo nohup /usr/local/bin/yaf --silk --ipfix=tcp --live=pcap --out=127.0.0.1 \
--ipfix-port=18001 --in=eth0 --applabel --max-payload=384 &
Generate some traffic and wait for records to be flushed
Generate some traffic
ping -c 4 8.8.8.8
You may have to wait 10 or 15 minutes for the first records to be flushed. You can check the status of YAF and rwflowpack, and watch the logs, with the following commands:
ps auxww | grep '[y]af'
sh /etc/init.d/rwflowpack status
cat /var/log/rwflowpack-*.log
Run a test query
/usr/local/bin/rwfilter --sensor=S0 --proto=0-255 --pass=stdout --type=all | rwcut | tail
You now have a standalone flow collection and analysis machine.
See the SiLK Installation Handbook for more information on installing SiLK. The Analysts' Handbook: Using SiLK for Network Traffic Analysis contains more examples of the use of SiLK for analysis.