This tooltip describes how to install SiLK and YAF on a single machine for standalone flow collection and analysis.
You do not need multiple network interface cards for flow collection to work. Multiple NICs work fine, but this tooltip describes installation with a single NIC.
As of YAF v1.0 the libairframe libraries come packaged with YAF, so you do not need to perform a separate install of that library.
You should have a fully functional copy of Ubuntu 12.04 installed. (We have no reason to believe these instructions will not work on other Ubuntu releases, but we have not tested the instructions on those systems directly. See SiLK on a Box - Standalone Flow Collection & Analysis for instructions that install on a Fedora system.)
We assume the system has been fully updated.
If you are behind a proxy, set the system wide proxy via System Settings->Network->Network Proxy.
Open a terminal window and type the following commands to install the necessary prerequisite packages.
You will need gcc, gcc-c++, glib2, glib2-dev, libpcap, libpcap-dev, python and python-dev.
Download NetSA Software
Downloads of NetSA software can be found on our website: http://tools.netsa.cert.org/. (The versions shown here are current as of this writing.)
We will use /data as the place to store our data; create it first:
Build and install SiLK. You may leave off the --enable-ipv6 switch from the ./configure command if you do not plan to capture IPv6 data.
Instead of exporting LD_LIBRARY_PATH each time you use SiLK, it is easier to add the following paths to ld.so.conf:
Then run ldconfig.
Configure the firewall
Allow YAF to talk to rwflowpack by permitting inbound connections on port 18001.
Use the default silk.conf file. Edit sensor descriptions if desired.
Next create the sensors.conf file. Add the following lines.
IMPORTANT: Make sure the ipblocks below match your "internal" network blocks.
If all your records show up as type ext2ext, you did not configure your internal netblocks correctly.
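To see how the internal ipblocks drive the in/out/int2int/ext2ext type this warning refers to, here is an added Python example (not from the tooltip or from SiLK itself) that parses a constructed sensors.conf fragment and classifies sample flows the way the default packing logic decides direction, ignoring the web and ICMP sub-types SiLK also assigns; the group name, address blocks and sample flows are assumptions.

```python
import ipaddress
# Constructed sensors.conf fragment and sample flows (assumption: these two blocks stand in for a site's real internal ranges).
SENSORS_CONF = """group internal-net
    ipblocks 10.0.0.0/8
    ipblocks 192.168.1.0/24
end group
sensor S0
    ipfix-probes S0
    internal-ipblocks @internal-net
    external-ipblocks remainder
end sensor"""
SAMPLE_FLOWS = [  # (source IP, destination IP)
    ("10.1.2.3", "203.0.113.9"),      # internal host talking out -> out
    ("203.0.113.9", "10.1.2.3"),      # reply coming back        -> in
    ("10.1.2.3", "192.168.1.5"),      # both sides internal      -> int2int
    ("198.51.100.7", "203.0.113.9"),  # neither side internal    -> ext2ext
]

def parse_internal_blocks(conf):
    # Collect the networks named by internal-ipblocks, resolving @group references.
    groups, current, internal = {}, None, []
    for tok in (line.split() for line in conf.splitlines() if line.strip()):
        if tok[0] == "group":
            current, groups[tok[1]] = tok[1], []
        elif tok[0] == "end":
            current = None
        elif tok[0] == "ipblocks" and current is not None:
            groups[current] += [ipaddress.ip_network(b) for b in tok[1:]]
        elif tok[0] == "internal-ipblocks":
            for item in tok[1:]:
                internal += groups[item[1:]] if item.startswith("@") else [ipaddress.ip_network(item)]
    return internal

def flow_type(sip, dip, internal):
    # Simplified packing decision: only which side(s) fall inside the internal blocks matters.
    s_in = any(ipaddress.ip_address(sip) in net for net in internal)
    d_in = any(ipaddress.ip_address(dip) in net for net in internal)
    if s_in and d_in:
        return "int2int"
    return "out" if s_in else ("in" if d_in else "ext2ext")

def classify(conf, flows):
    # Count flows per type; an all-ext2ext result is the misconfiguration the tutorial warns about.
    internal = parse_internal_blocks(conf)
    counts = {}
    for sip, dip in flows:
        t = flow_type(sip, dip, internal)
        counts[t] = counts.get(t, 0) + 1
    return counts
```

Swap the two ipblocks for ranges that do not cover your hosts and every sample flow becomes ext2ext, which is exactly the symptom to look for in rwfilter output.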
We will configure rwflowpack to listen for flows from YAF. We copy the default rwflowpack.conf and change some values.
Next copy the startup script into /etc/init.d and set it to start on boot.
IMPORTANT: Make sure the interface (eth0 below) matches the interface on which you want to capture.
Generate some traffic and wait for records to be flushed
Generate some traffic
You may have to wait 10 or 15 minutes for the first records to be flushed. You can check the status of YAF and rwflowpack and watch the logs with the following commands:
Run a test query
You now have a standalone flow collection and analysis machine.
See the SiLK Installation Handbook for more information on installing SiLK. The Analysts' Handbook: Using SiLK for Network Traffic Analysis contains more examples of the use of SiLK for analysis.