-
Notifications
You must be signed in to change notification settings - Fork 24
Moduleconfiguration
This module is a submodule for the RecordAnonymizer mentioned above. It implements a modified version of the CryptoPan anonymization method. The following only applies if the IP address passing through the module matches a subnet configured in the configuration file - elsewise the address is skipped: The IP address is split into a network and host identifier according to the specified CIDR, i.e. the CIDR represents the number of bits belonging to the network part. After this splitting is done, only the host part of the IP address is anonymized with the basic CryptoPan algorithm. In a second step, the network part is replaced with the preconfigured subnet given in the configuration file in the to field. As seen below, multiple mappings are possible.
- Input type: IpfixRecord
- Output type: IpfixRecord
Example configuration
<anonRecord id="3">
<anonField>
<anonMethod>CryptoPanPrefix</anonMethod>
<anonIE>
<ieName>destinationIPv4Address</ieName>
</anonIE>
<anonParam>12345678901234567890123456789013</anonParam>
<mappingList>
<subnet cidr="24">
<from>192.44.88.0</from>
<to>222.222.222.0</to>
</subnet>
<subnet cidr="16">
<from>119.152.0.0</from>
<to>111.111.0.0</to>
</subnet>
</mappingList>
</anonField>
<copyMode>false</copyMode>
<next>5</next>
</anonRecord>
Parameters:
Element name | Default value | Description |
subnet | none | The element subnet must include the attribute cidr |
from | none | Subnet to be anonymized |
to | none | Assigned Subnet ID |
Expects IPFIX data records with FPA (Front Payload Aggregation, field IPFIX_ETYPE_frontPayload) or DPA (Dialog-based Payload Aggregation) data elements. This module then creates one/two packet per flow (unidirectional/bidirectional flow) and writes the packets into a PCAP file.
- Input type: IpfixRecord
- Output type: none
Example configuration: pcap.dump 2048
Parameters:
Element name | Default value | Description |
filename | none | Filename of PCAP file that is to be created. |
snaplen | PCAP_MAX_CAPTURE_LENGTH | Maximum packet size in PCAP file. Default value is specified at compile time. |
Expects IPFIX data records with FPA (Front Payload Aggregation, field IPFIX_ETYPE_frontPayload) or DPA (Dialog-based Payload Aggregation) data elements. This module then creates one/two packet per flow (unidirectional/bidirectional flow) and forwards raw packets to the next module.
- Input type: IpfixRecord
- Output type: Packet
Example configuration: 6
Parameters: There are no parameters available!
Matches flow records containing a front payload field (IPFIX_ETYPE_frontPayload) to signature files in the specified directory. Each signature file includes the tokens (or signature substrings) the payload is searched for. Each token is associated with a support value. The support values of all matching tokens are summed up and the result is compared against a threshold. The module reports a matching signature if the sum of the support values is equal or larger than the threshold.
- Input type: IpfixRecord
- Output type: none
Example configuration:
<frontPayloadSigMatcher id="9">
<signaturedir>./signatures</signaturedir>
</frontPayloadSigMatcher>
Parameters:
Element name | Default value | Description |
signaturedir | none | Directory that contains signature rule files. |
Example signature file matching FTP traffic
SIGNATUREID
FTP
TOKEN
FTP
SUPPORT
0.50000
TOKEN
220
SUPPORT
0.50000
THRESHOLD
1.0
Signature file keywords:
Keyword | The line(s) following this keyword are interpreted as... |
SIGNATUREID | string which identifies the signature. If omitted, the name of the signature file is used as identifier. |
TOKEN | signature substring to be matched. The substring may span multiple lines. Lines must not start with any keyword. |
SUPPORT | decimal support value of the preceding token. |
THRESHOLD | decimal threshold value of the signature. |
Receives flow records and counts all bytes that were transferred by all hosts in the specified subnet. On reconfiguration, the byte sums and corresponding IP addresses are written to the file specified in element 'logPath'. Attention: This code is alpha status and may be quite slow.
- Input type: IpfixRecord
- Output type: none
Example configuration:
<hostStatistics id="9">
<subnet>192.168.0.0/16</subnet>
<addrFilter>src</addrFilter>
<logPath>hoststats.log</logPath>
<logInterval>10</logInterval>
</frontPayloadSigMatcher>
Parameters:
Element name | Default value | Description |
subnet | none | IP subnet with all hosts that need to be analyzed. IP 4-tuple notation with subnet mask specified in bits. |
addrFilter | none | Specifies which IP address fields are used for the IP filter (specified in element 'subnet'). 'src' for the source IP, 'dst' for the destination IP, 'both' for both IP addresses. |
logPath | none | File, where statistics are saved. |
logInterval | 10 | Interval in seconds, when statistics are exported. ATTENTION: currently not in use. |
Exports incoming IDMEF messages to the external perl script idmefsender.pl which sends it over the network to a specified URL.
- Input type: IdmefMessage
- Output type: none
Example configuration:
<idmefExporter id="9">
<sendurl>http://localhost</sendurl>
<destdir>idmef_work</destdir>
</idmefExporter>
Parameters:
Element name | Default value | Description |
sendurl | none | Destination URL where IDMEF messages must sent to. |
destdir | idmef_work | Directory, where IDMEF messages are temporary stored. There they are picked up by the external perl script ''idmefsender.pl'' in directory ''/tools''. |
Aggregates incoming IPFIX flows according to specified parameters. Configuration is similar to module PacketAggregator.
- Input type: IpfixRecord
- Output type: IpfixRecord
Example configuration:
<ipfixAggregator id="6">
<rule>
<templateId>998</templateId>
<biflowAggregation>1</biflowAggregation>
<flowKey>
<ieName>sourceIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>destinationIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>protocolIdentifier</ieName>
</flowKey>
<flowKey>
<ieName>sourceTransportPort</ieName>
</flowKey>
<flowKey>
<ieName>destinationTransportPort</ieName>
</flowKey>
<nonFlowKey>
<ieName>flowStartMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>flowEndMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>octetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>packetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>tcpControlBits</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revflowStartMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revflowEndMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revoctetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revpacketDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revtcpControlBits</ieName>
</nonFlowKey>
</rule>
<expiration>
<inactiveTimeout unit="sec">1</inactiveTimeout>
<activeTimeout unit="sec">1</activeTimeout>
</expiration>
<pollInterval unit="msec">1000</pollInterval>
<next>4</next>
</ipfixAggregator>
Parameters:
Element name | Default value | Description | |
rule | none | Specifies a rule according to which is aggregated. More than one rule may be specified per aggregator. | |
biflowAggregation | 0 | Specifies if biflow aggregation is to be performed (0=no biflow, 1=biflow). Only valid in IpfixAggregator. To accomodate biflow information elements, Vermont-specific enterprise type ids were specified: revFlowStartMilliSeconds, revFlowEndMilliSeconds, revFlowStartSeconds, revFlowEndSeconds, revOctetDeltaCount, revPacketDeltaCount and revTcpControlBits. | |
templateId | none | Template ID (optional). | |
flowKey | none | Flow key information element - flows are aggregated according to those keys. | |
nonFlowKey | none | Non-flow key information element - those IEs are aggregated. | |
ieName | none | name of the IE. | |
modifier | none | Optional field modifier for flow key IEs ("discard", "mask/X"). | |
match | 0 | Optional flow key filter for protocol identifier ("TCP", "UDP", "ICMP", or IANA number), IP addresses ("A.B.C.D/M"), port numbers (separated by ",", port range "A:B"), TCP control bits ("FIN", "SYN", "RST", "PSH", "ACK", "URG", separated by ","). | |
inactiveTimeout | 0 | Expiration timeout for idle/inactive flows. | |
activeTimeout | 0 | Periodic expiration timeout for long-lasting flows (typically larger than inactiveTimeout). | |
pollInterval | 10s | Length of interval when flows should be exported to next module. | |
hashtableBits | 17 | Length of hashtable used for aggregation in bits. The resulting hashtable will have a size of ''2^hashtableBits''. |
Receives IPFIX records from the network and imports them into Vermont.
- Input type: none
- Output type: IpfixRecord
Example configuration:
<ipfixCollector>
<cert>configs/example_certs/collector_cert.pem</cert>
<key>configs/example_certs/collector_key.pem</key>
<CAfile>configs/example_certs/vermontCA.pem</CAfile>
<CApath>/etc/ssl/certs</CApath>
<listener>
<ipAddress>0.0.0.0</ipAddress>
<transportProtocol>DTLS_OVER_UDP</transportProtocol>
<port>4740</port>
<peerFqdn>exporter.example.com</peerFqdn>
</listener>
<udpTemplateLifetime>300</udpTemplateLifetime>
</ipfixCollector>
**Parameters: **
Element name | Default value | Description |
listener | none | Specifies a port on which to listen on for IPFIX data. |
ipAddress | none | IP address at which collector receives IPFIX Messages. If not given, collector receives at all local addresses. |
transportProtocol | none | SCTP, UDP, DTLS_OVER_SCTP or DTLS_OVER_UDP |
port | 4739 for insecure, 4740 for secure connections i.e. DTLS | Port on which Vermont listenes for incoming IPFIX flows. |
UDP specific | ||
udpTemplateLifetime | 70 | Seconds after which templates received from UDP exporters are expired. A value of 0 means that templates never expire. |
DTLS specific | ||
cert | (none) | See IpfixExporter for details. |
key | (none) | See IpfixExporter for details. |
CAfile | (none) | See IpfixExporter for details. |
CApath | (none) | See IpfixExporter for details. |
peerFqdn | (none) | See IpfixExporter for details. |
Writes IPFIX data records to a local disk using the CarmentiS file format. The module recieves Ipfix packets, caches them and writes them as a chunk to disk.
- Input type: IpfixRecord
- Output type: none
Example configuration:
<ipfixCsExporter id="27">
<filenamePrefix>carmentis_</filenamePrefix>
<destinationPath>/tmp/carmentis</destinationPath>
<maxFileSize>20480</maxFileSize>
<maxChunkBufferTime>300</maxChunkBufferTime>
<maxChunkBufferRecords>50000</maxChunkBufferRecords>
<maxFileCreationInterval>1500</maxFileCreationInterval>
<exportMode>1</exportMode>
</ipfixCsExporter>
Parameters:
Element name | Default value | Description |
filenamePrefix | none | Prefix to each file. |
destinationPath | none | Output directory for data files. |
maxFileSize | none | Maximum size of one exported file. |
maxChunkBufferTime | none | Maximum time in seconds until a chunk will be written. |
maxChunkBufferRecords | none | Maximum records per chunk. |
maxFileCreationInterval | none | Maximum time in seconds until the currently opened file will be written and a new one opened. |
exportMode | none | Sets a flag inside the exported data which privacy level the packets have. 0=plain; 1=anonymized; 2=pseudonymized |
Exports internal IPFIX records to the network. The transport protocols UDP and SCTP including their secure counterparts i.e. DTLS over UDP and DTLS over SCTP are supported. The OpenSSL library is required for DTLS. At the time of writing, DTLS over SCTP is only available on the FreeBSD platform. To make DTLS over SCTP work, you have to apply the patches from http://sctp.fh-muenster.de/ to OpenSSL.
- Input type: IpfixRecord
- Output type: none
Example configuration:
<ipfixExporter id="7">
<templateRefreshInterval>10</templateRefreshInterval>
<maxRecordRate>5000</maxRecordRate>
<sctpDataLifetime unit="msec">10000</sctpDataLifetime>
<sctpReconnectInterval unit="sec">30</sctpReconnectInterval>
<cert>configs/example_certs/exporter_cert.pem</cert>
<key>configs/example_certs/exporter_key.pem</key>
<CAfile>configs/example_certs/vermontCA.pem</CAfile>
<CApath>/etc/ssl/certs</CApath>
<dtlsMaxConnectionLifetime unit="sec">10</dtlsMaxConnectionLifetime>
<collector>
<ipAddressType>4</ipAddressType>
<ipAddress>127.0.0.1</ipAddress>
<port>1500</port>
<transportProtocol>DTLS_OVER_UDP</transportProtocol>
<peerFqdn>collector.example.com</peerFqdn>
<mtu>1492</mtu>
</collector>
</ipfixExporter>
Parameters:
Element name | Default value | Description |
observationDomainId | 0 | Observation Domain ID of the exporter. |
templateRefreshInteval | 20s | Interval for periodic sending of templates. Applies only to UDP. |
ipAddressType | 4 | Currently, only IPv4 is supported. |
ipAddress | none | The collector's IP address in Dot-decimal notation. Host names i.e. FQDNs are not accepted. |
transportProtocol | none | SCTP, UDP, DTLS_OVER_SCTP or DTLS_OVER_UDP |
port | 4739 for insecure, 4740 for secure connections i.e. DTLS | Port number of the collector. |
maxRecordRate | 5000 | Maximum number of flow records per second sent to collector. |
UDP specific | ||
mtu | 0 (PMTU discovery) | The Path Maximum Transmission Unit (PMTU) that should be assumed when creating IPFIX Messages. If set to 0, PMTU discovery will be used to determine a PMTU estimate. This works currently only on Linux. In case the platform does not provide comprehensive PMTU discovery support (e.g., FreeBSD), a conservative default value (1400) is used, which might lead to suboptimal performance. You should, therefore, manually set the PMTU if you are using a platform other than Linux. |
SCTP specific | ||
sctpDataLifetime | 10000ms | Lifetime of SCTP messages carrying Data Records. SCTP's partial reliablity (i.e. PR-SCTP) policy "timed reliability" as defined in RFC3758 is always turned on. |
sctpReconnectInterval | 30s | Time that the Exporter waits before reestablishing a lost connection. |
DTLS specific | ||
cert | (none) | File containing the certificate chain used for authentication. Quote from OpenSSL manpage: "The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA." |
key | (none) | File containing the private key in PEM format corresponding to the certificate. If left empty, the file specified by the ''cert'' option will be searched for the private key. This allows for the private key to be stored in the same file as the certificate. |
CAfile | (none) | A file containing one or more certificates of trusted CAs. This file has to be in PEM format. |
CApath | (none) | A directory containing certificates of trusted CAs in PEM format. Quote from OpenSSL man page: "The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available." |
peerFqdn | (none) | The expected Fully Qualified Domain Name (FQDN) of the Collector. If set, the Collector must present a certificate of which either the subject's Common Name (CN) or one of the subject alternative names matches this FQDN. There is no support for wildcard matching. For the certificate verification to work, ''CAfile'' or ''CApath'' or both must be set in order to specify the locations of the root CA certificates. If ''peerFqdn'' is not set, anonymous cipher suites will be added to the list of permissible cipher suites. The identity of the peer will not be verified then. Note, that no DNS queries will be performed. Technically, the FQDN specified by ''peerFqdn'' does not need to resolve to an IP address. |
dtlsMaxConnectionLifetime | 1 hour | Lifetime of a DTLS over UDP connection. A new DTLS connection is initiated as soon as the lifetime is up. The old connection is replaced by the new one when the handshake is completed. This mechanism aims to overcome the dead peer problem. |
Imports IPFIX flows from a MYSQL database table.
- Input type: none
- Output type: IpfixRecord
Example configuration:
<ipfixDbReader id="10">
<host>127.0.0.1</host>
<port>3306</port>
<dbname>flows</dbname>
<username>vermont</username>
<password>v_password</password>
<timeshift>true</timeshift>
<next>12</next>
</ipfixDbReader>
Parameters:
Element name | Default value | Description |
host | none | Host of MySQL database. |
port | 3306 | Port number of database. |
dbname | none | Database name. |
username | none | Username for database access. |
password | none | Password for database access. |
timeshift | false | Shift time stamps to current time. |
fullspeed | false | If true, tables are read at full speed. Timeshifts are disabled. Otherwise, records are read from table approximately at the same speed as they were originally exported. |
observationDomainId | 0 | Observation Domain Id assigned to the records. |
Exports IPFIX flows to a database table in a MySQL database.
- Input type: IpfixRecord
- Output type: none
Example configuration:
<ipfixDbWriter id="10">
<host>127.0.0.1</host>
<port>3306</port>
<dbname>flows</dbname>
<username>vermont</username>
<password>v_password</password>
<bufferrecords>30</bufferrecords>
<columns>
<name>firstSwitched</name>
<name>bytes</name>
</columns>
</ipfixDbWriter>
Parameters:
Element name | Default value | Description |
host | none | Host of MySQL database. |
port | 3306 | Port number of database. |
dbname | none | Database name. |
username | none | Username for database access. |
password | none | Password for database access. |
bufferrecords | 30 | Amount of flow records to buffer until they are written to the database. |
observationDomainId | none | Observation Domain Id overriding the value to the records. |
name | none | Column name (see IpfixDbCommon.hpp, currently one of "srcIP", "dstIP", "srcPort", "dstPort", "proto", "dstTos", "bytes", "pkts", "firstSwitched", "lastSwitched", "firstSwitchedMillis", "lastSwitchedMillis", "exporterID", "tcpControlBits", "revbytes", "revpkts", "revFirstSwitched", "revLastSwitched", "revFirstSwitchedMillis", "revLastSwitchedMillis", "revTcpControlBits", "maxPacketGap") |
Exports IPFIX flows to a database table in a PostgreSQL database.
- Input type: IpfixRecord
- Output type: none
Example configuration:
<ipfixDbWriterPg id="10">
<host>127.0.0.1</host>
<port>3306</port>
<dbname>flows</dbname>
<username>vermont</username>
<password>v_password</password>
<bufferrecords>30</bufferrecords>
</ipfixDbWriterPg>
Parameters:
Element name | Default value | Description |
host | none | Host of MySQL database. |
port | 3306 | Port number of database. |
dbname | none | Database name. |
username | none | Username for database access. |
password | none | Password for database access. |
bufferrecords | 30 | Amount of flow records to buffer until they are written to the database. To achieve high performance, a value from 1000 to 10000 is recommended. |
Dumps ipfix messages into data files.
- Input type: IpfixRecord
- Output type: none
Example configuration:
<ipfixFileWriter id="11">
<observationDomainId>99</observationDomainId>
<maximumFilesize>64 </maximumFilesize>
<destinationPath>/home/test</destinationPath>
<filenamePrefix>my_dump</filenamePrefix>
</ipfixFileWriter>
Parameters:
Element name | Default value | Description |
observationDomainId | 0 | Observation Domain Id assigned to the records. |
maximumFilesize | 2097152 | maximum size for the date files in KiB (maximumFilesize*1024 == maxmimum filesize in bytes) |
destinationPath | ./ | Output directory for the data files. |
filenamePrefix | ipfix.dump | Basename of the generated filenames. Please note that every filename will be suffixed with a consecutive 10-digit number starting at 0. |
Exports flows as Netflow.v5 records, filling non-existent fields with 0. Attention: do not send Biflows to this module, as Netflow.v5 only supports undirectional flows. The reverse direction will be ignored!
- Input type: IpfixRecord
- Output type: none
Example configuration:
<ipfixNetflowExporter id="11">
<host>localhost</host>
<port>9995</port>
<maxRecordRate>500</maxRecordRate>
</ipfixFileWriter>
Parameters:
Element name | Default value | Description |
host | none | Destination host name where Netflow packets should be sent to. |
port | none | Destination port. |
maxRecordRate | 500 | Maximum number of data/flow records to be sent to the receiving side. Higher flow rates will block the exporter, so maybe a buffer is required in front of the module. |
filenamePrefix | ipfix.dump | Basename of the generated filenames. Please note that every filename will be suffixed with a consecutive 10-digit number starting at 0. |
Reads ipfix message from data files generated with IpfixFileWriter.
- Input type: none
- Output type: IpfixRecord
Example configuration:
<ipfixReceiverFile id="1">
<packetFileDirectory>/home/test/</packetFileDirectory>
<packetFileBasename>my_dump</packetFileBasename>
<ignoreTimestamps>false</ignoreTimestamps>
<offlineSpeed>2.0</offlineSpeed>
<from>0</from>
<to>5</to>
<next>5</next>
</ipfixReceiverFile>
Parameters:
Element name | Default value | Description |
packetFileDirectory | ./ | Standard directory to read files from. |
packetFileBasename | ipfix.dump | Basename of the filenames, i.e. the filename without the suffixed number. |
form | 0 | Suffix of the first file to read from. |
to | end | Suffix of the last file to read from. If not specified, the suffix of the last file available will be used. |
ignoreTimestamps | true | If set to false, the ipfix messages will be processed with the same delay as they were originally recorded by IpfixFileWriter |
offlineSpeed | 1.0 | Sets the speed multiplier for file reading. A value %%<=%% 0 is equivalent to ignoreTimestamp=true. This value has no effect unless ignoreTimestamps is set to false. |
Writes IPFIX records including front payload into files. Only the first N (to be set in parameters) flows in chronological order are regarded. It is expected, that incoming flows are biflows and include front payload. For each biflow, three files are generated: .info contains header information of the flow, two .payload files contain front payload in both directions.
- Input type: IpfixRecord
- Output type: none
Example configuration:
<ipfixPayloadWriter id="5">
<destPath>payload_work</destPath>
<filenamePrefix>vfp</filenamePrefix>
<connNumber>10</connNumber>
<ignoreEmptyPayload>1</ignoreEmptyPayload>
</ipfixPayloadWriter>
Parameters:
Element name | Default value | Description |
destPath | none | Relative path where output files are stored. |
filenamePrefix | none | Prefix for generated filenames. |
connNumber | none | Amount of connections that are recorded. If this parameter is set to 0, no sorting will be performed and all incoming flows will be directly written to filesystem. |
ignoreEmptyPayload | false | Set to true if all connections/biflows with empty payload shoud be ignored. |
ignoreIncompleteTCP | false | Set to true if all TCP biflows without SYN flags in both directions should be ignored. |
password | none | Password for database access. |
bufferrecords | 30 | Amount of flow records to buffer until they are written to the database. |
startIndex | 0 | Start index of first flow written to disk. Useful if already partially written dump on disk needs to be completed. |
Prints incoming Ipfix flows to stdout for debugging purposes.
- Input type: IpfixRecord
- Output type: none
Example configuration:
<ipfixPrinter id="8">
<outputType>tree</outputType>
<filename>output.log</filename>
</ipfixPrinter>
Parameters:
Element name | Default value | Description |
outputType | tree | Determines the output format of IpfixPrinter. 'tree' constructs a tree of each incoming DataRecord with all values, 'table' constructs a table-like output format, 'line' produces one line of output per DataRecord, and 'none' does not output anything. |
filename | none | Sets the name of the output file. If nothing is specified (which is the default), data is printed on STDOUT. |
Caches IPFIX records in a queue until next module is ready to process them.
- Input type: IpfixRecord
- Output type: IpfixRecord
Example configuration:
<ipfixQueue id="3">
<maxSize>10</maxSize>
<next>6</next>
</ipfixQueue>
Parameters:
Element name | Default value | Description |
maxSize | 1 | Maximum number of items in queue. If queue is full, no new packets are accepted and preceding modules are paused. |
Samples IPFIX records using a simple sampler based on modulo.
- Input type: IpfixRecord
- Output type: IpfixRecord
Example configuration:
<ipfixSampler id="3">
<flowRate>0.1</flowRate>
<next>6</next>
</ipfixSampler>
Parameters:
Element name | Default value | Description |
flowRate | 1 | Ratio of flows that should pass sampler. When set to 0.1, 10% of all flows pass the module. Attention: internally, after calculating the inverse, this value is converted to an integer for the modulo operation. So values close to 1 may not be reflected properly by the sampler. Values above 1 are not allowed. |
Captures raw packets using the PCAP interface.
- Input type: none
- Output type: Packet
Example configuration:
<observer id="1">
<interface>eth1</interface>
<pcap_filter>ip</pcap_filter>
<next>2</next>
</observer>
Parameters:
Element name | Default value | Description |
interface | none | Interface PCAP listens to. Do not use in combination with parameter filename. |
captureLength | 128 | Sets the capture length of each packet. Packets bigger than that size are truncated. ATTENTION: if payload is analyzed in later modules, this parameter needs to be large enough! |
filename | none | Must be specified if Vermont needs to read from file and contains its filename. Do not use in combination with parameter interface. |
pcap_filter | none | Filter specification which is passed to PCAP (usually `ip' to only capture IP packets). |
replaceTimestamps | false | If true, PCAP packet timestamps are replaced with current time. This parameter only applies to PCAP file reading. |
offlineSpeed | 1.0 | Only applies to PCAP file reading. Sets the speed multiplier for offline PCAP file reading. A negative value means read as fast as you can. |
offlineAutoExit | true | Only applies to PCAP file reading. Sets if Vermont should be shut down automatically after reading all PCAP file data. |
maxPackets | 0 | Specifies a maximum number of packets to be processed by the Observer. After this number is reached, the Observer stops reading packets and may trigger the shutdown, if parameter 'offlineAutoExit' was specified. If this parameter is set to 0, the Observer may read an infinite amount of packets. |
Detects Peer-to-Peer Clients in a subnet. Attention: IPFIX flows must be aggregated to biflows.
- Input type: IpfixRecord
- Output type: IdmefMessage
Example configuration:
<p2pDetector id="5">
<analyzerid>P2PDetector</analyzerid>
<interval>300</interval>
<subnet>192.168.1.0/24</subnet>
<udpRateThreshold>0.013</udpRateThreshold>
<udpHostRateThreshold>0.0007</udpHostRateThreshold>
<tcpRateThreshold>0.082</tcpRateThreshold>
<coexistentTCPConsThreshold>2.9</coexistentTCPConsThreshold>
<rateLongTCPConsThreshold>0.018</rateLongTCPConsThreshold>
<tcpVarianceThreshold>0.068</tcpVarianceThreshold>
<failedConsPercentThreshold>4.8</failedConsPercentThreshold>
<tcpFailedRateThreshold>0.01</tcpFailedRateThreshold>
<tcpFailedVarianceThreshold>0.3</tcpFailedVarianceThreshold>
<next>6</next>
</p2pDetector>
Parameters:
Element name | Default value | Description |
analyzerid | none | Analyzer ID which is inserted into the generated IDMEF message. |
interval | 300 | Interval in seconds for repeated computing of the criteria |
subnet | 0.0.0.0 | Subnet to be researched |
udpRateThreshold | 0.013 | Threshold for udp rate. Calculated criteria must be above this value to be detected as a peer |
udpHostRateThreshold | 0.0007 | Threshold for udp host rate. Calculated criteria must be above this value to be detected as a peer |
tcpRateThreshold | 0.082 | Threshold for tcp rate. Calculated criteria must be above this value to be detected as a peer |
coexistentTCPConsThreshold | 2.9 | Threshold for coexistent TCP connections. Calculated criteria must be above this value to be detected as a peer |
rateLongTCPConsThreshold | 0.018 | Threshold for rate of long TCP conncetions. Calculated criteria must be above this value to be detected as a peer |
tcpVarianceThreshold | 0.068 | Threshold for variance of new TCP connections. Calculated criteria must be below this value to be detected as a peer |
failedConsPercentThreshold | 4.8 | Threshold for percentage of failed TCP connections. Calculated criteria must be above this value to be detected as a peer |
tcpFailedRateThreshold | 0.01 | Threshold for rate of failed TCP connections. Calculated criteria must be above this value to be detected as a peer |
tcpFailedVarianceThreshold | 0.3 | Threshold for variance of failed TCP connections. Calculated criteria must be below this value to be detected as a peer |
Forwards packets which match specified filter configuration and drops non-matching packets.
- Input type: Packet
- Output type: Packet
Example configuration:
<filter id="2">
<countBased>
<interval>4</interval>
<spacing>2</spacing>
<countBased>
<timeBased>
<interval>100</interval>
<spacing>50</spacing>
</timeBased>
<stringBased>
<is>bla</is>
<isnot>blub</isnot>
<is type="HEX">0xFF024F</is>
</stringBased>
<regexBased>
<matchPattern>is\s*not</matchPattern>
</regexBased>
<hostBased>
<addrFilter>src</addrFilter>
<ip>1.2.3.4</ip>
<ip>1.2.3.6</ip>
</hostBased>
<next>3</next>
</filter>
Parameters:
Element name | Default value | Description |
countBased | none | Creates a count-based filter. Spacing defines the number of packets accepted at the beginning of the period, interval specifies the length of the period |
timeBased | none | Creates a time-based filter. Spacing defines the number of milliseconds during which time all incoming packets are accepted at the beginning of the period, interval specifies the length of the period in milliseconds. |
interval | none | Belongs to either countBased or timeBased filter. Specifies length of period. |
spacing | none | Belongs to either countBased or timeBased filter. Specifies amount of time or number of packets accepted. |
stringBased | none | Creates a string-based filter which scans for specified strings inside the packet payload. If more than one search element is specified, only packets will be forwarded which match **all** specifications. |
is | none | Accepts packets which contain included ASCII string. If attribute "type" is set to "HEX", the tag's content MUST include a hexstring which specifies the binary data to be searched for. |
isnot | none | Drops packets which contain included ASCII string. If attribute "type" is set to "HEX", the tag's content MUST include a hexstring which specifies the binary data to be searched for. |
regexBased | none | Creates a regex-based filter which scans for specified regexes inside the packet payload. If more than one regex is specified, only packets will be forwarded which match *all* specifications. |
matchPattern | none | Specifies a regular expression used by the regex-based filter. |
stateConnectionBased | none | Creates a filter which searches for TCP connections and matches all packets that contain the first N payload bytes. It uses a determinstic algorithm that will consume all the memory necessary to store all seen TCP connections. |
connectionBased | none | Same as stateConnectionBased filter, but uses a different algorithm for TCP connection tracking. The algorithm is probabilistic and uses a fixed amount of memory to store the TCP connections. |
timeout | 3 | Belongs to either stateConnectionBased or connectionBased filter. Specifies the time in seconds a seen TCP connection request is valid, before it will time out. |
bytes | 100 | Belongs to either stateConnectionBased or connectionBased filter. Specifies how much Payload should be exported in bytes. |
hashFunctions | 3 | Belongs to connectionBased filter. Specifies the number of hash functions that are used to index the bloom filters. |
filterSize | 1000 | Belongs to connectionBased filter. Specifies the size of the bloom filters that are used by the connection based filter. |
exportControlPackets | true | Controls wether TCP control packets (SYN/FIN/RST) are exported by stateConnectionBased and connectionBased filter. |
anonFilter | none | Specifies a filter that performs anonymization on captured network packets. Contains one or more anonFields. This tag can have several subtags. The subtags are the same ones that can be used in the RecordAnonymizer module |
payloadFilter | none | Payload is dropped, when this filter is specified. |
hostBased | none | Hostbased filter, which filters packets not belonging to any IPs listed in configuration. |
addrFilter | none | Specifies if source IP address ('src'), destination IP address ('dst') or both IP addresses ('both') are used in the filter. |
ip | none | IP address that is accepted by the filter. May appear multiple times. |
Caches packets in a queue until next module is ready to process them.
- Input type: Packet
- Output type: Packet
Example configuration:
<packetQueue id="3">
<maxSize>10</maxSize>
<next>6</next>
</packetQueue>
Parameters:
Element name | Default value | Description |
maxSize | 0 | Maximum number of items in queue. If queue is full, no new packets are accepted and preceding modules are paused. |
Aggregates incoming raw packets to flows according to specified parameters.
- Input type: Packet
- Output type: IpfixRecord
Example configuration:
<packetAggregator id="6">
<rule>
<templateId>998</templateId>
<flowKey>
<ieName>sourceIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>destinationIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>protocolIdentifier</ieName>
</flowKey>
<flowKey>
<ieName>sourceTransportPort</ieName>
</flowKey>
<flowKey>
<ieName>destinationTransportPort</ieName>
</flowKey>
<nonFlowKey>
<ieName>flowStartMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>flowEndMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>octetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>packetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>tcpControlBits</ieName>
</nonFlowKey>
</rule>
<expiration>
<inactiveTimeout unit="sec">1</inactiveTimeout>
<activeTimeout unit="sec">1</activeTimeout>
</expiration>
<pollInterval unit="msec">1000</pollInterval>
<next>4</next>
</packetAggregator>
Parameters:
Element name | Default value | Description |
templateId | none | Template ID (optional). |
flowKey | none | Flow key information element - flows are aggregated according to those keys. |
nonFlowKey | none | Non-flow key information element - those IEs are aggregated. |
ieName | none | name of the IE. |
modifier | none | Optional field modifier for flow key IEs ("discard", "mask/X"). |
match | 0 | Optional flow key filter for protocol identifier ("TCP", "UDP", "ICMP", or IANA number), IP addresses ("A.B.C.D/M"), port numbers (separated by ",", port range "A:B"), TCP control bits ("FIN", "SYN", "RST", "PSH", "ACK", "URG", separated by ","). |
inactiveTimeout | 0 | Expiration timeout for idle/inactive flows. |
activeTimeout | 0 | Periodic expiration timeout for long-lasting flows (typically larger than inactiveTimeout). |
pollInterval | 10s | Length of interval when flows should be exported to next module. |
hashtableBits | 17 | Length of hashtable used for aggregation in bits. The resulting hashtable will have a size of 2%%^%%{hashtableBits}. |
For each incoming packet an IDMEF message is generated. An extract of the packet payload called snapshot may be included in the IDMEF message.
- Input type: Packet
- Output type: IdmefMessage
Example configuration:
<packetIdmefReporter>
<snapshotoffset>12</snapshotoffset>
<snapshotlength>20</snapshotlength>
<analyzerid>idmefreporter</analyzerid>
<idmeftemplate>idmef/templates/idmefreporter_template.xml</idmeftemplate>
</packetIdmefReporter>
Parameters:
Element name | Default value | Description |
snapshotoffset | 0 | Byte offset from start of packet payload. |
snapshotlength | 0 | Byte length of snapshot. If it exceeds packet length, snapshot will be truncated. |
analyzerid | none | Analyzer ID that will be included in IDMEF message. |
idmeftemplate | none | Path to template file for IDMEF message. |
Exports incoming packets into a file in PCAP format.
- Input type: Packet
- Output type: none
Example configuration:
<pcapExporterFile>
<filename>output.pcap</filename>
</pcapExporterFile>
Parameters:
Element name | Default value | Description |
filename | none | Name of the output pcap file. |
linkType | EN10MB | Data link type of the output file. Names are DLT_ names form the pcap man page with the DLT_ removed (see `man pcap') |
snaplen | PCAP_MAX_CAPTURE_LENGTH | Snaplen for the pcap file |
Writes packets in PCAP format into a pipe, allowing another process to read these packets via STDIN.
- Input type: Packet
- Output type: none
Example configuration:
<pcapExporterPipe>
<logfilebasename>/tmp/pcap_exporter_fifo</logfilebasename>
<snaplen>1512</snaplen>
<sigkilltimeout>4</sigkilltimeout>
<command>tcpdump -nr -</command>
<workingpath>/tmp</workingpath>
</pcapExporterPipe>
Parameters:
Element name | Default value | Description |
logfilebasename | none | If specified, STDOUT and STDERR of fiforeadercmd will be redircted into this file. |
command | none | A single (i.e. no shell) command, which must read PCAP files via STDIN. |
workingpath | none | Working directory for the command to be executed. |
sigkilltimeout | 1 | Maximum additional waiting time in seconds, until a SIGKILL is sent to the reader process on module shutdown. |
appenddate | false | If set to true, the logfilename given as logfilebasename will be suffixed with the current time and date |
restartonsignal | false | If set to true, the command specified as fiforedercmd will be restarted, when a SIGUSR2 is sent to vermont |
linkType | EN10MB | Data link type of the output file. Names are DLT_ names form the pcap man page with the DLT_ removed (see `man pcap') |
snaplen | PCAP_MAX_CAPTURE_LEN | Snaplen for the pcap file |
restartInterval | 0 | If > 0, the process is restarted regularly every restartIntervall seconds, whereby the incoming packets' capture timestamp is used. |
Exports incoming packets as PSAMP records over the network.
- Input type: Packet
- Output type: none
Example configuration:
<psampExporter id="1">
<observationDomainId>123</observationDomainId>
<ipfixPacketRestrictions>
<maxPacketSize>200</maxPacketSize>
<maxExportDelay unit="msec">500</maxExportDelay>
</ipfixPacketRestrictions>
<packetReporting>
<templateId>888</templateId>
<reportedIE>
<ieName>sourceIPv4Address</ieName>
</reportedIE>
<reportedIE>
<ieName>destinationIPv4Address</ieName>
</reportedIE>
<reportedIE>
<ieName>ipPayloadPacketSection</ieName>
<ieLength>65535</ieLength>
</reportedIE>
</packetReporting>
<collector>
<ipAddress>127.0.0.1</ipAddress>
<transportProtocol>UDP</transportProtocol>
<port>4739</port>
</collector>
</psampExporter>
Parameters:
Element name | Default value | Description |
observationDomainId | 0 | Observation Domain ID of the exporter. |
ipfixPacketRestrictions | none | Restrictions for IPFIX packets. |
maxPacketSize | none | Maximum size of IPFIX packets. |
maxExportDelay | none | Maximum delay until IPFIX packet is sent to destination. |
packetReporting | none | Specifies elements to be exported for one template. |
templateId | 0 | Specifies template ID. |
reportedIE | none | Specifies one information element to be reported. |
ieName | none | IPFIX type id of element to be exported. |
ieLength | none | Optional specification of element length (usually only used by "ipPayloadPacketSection". |
collector | none | Contains specification of one destination for PSAMP records. |
idAddress | none | IP address of destination. |
transportProtocol | none | Transport protocol to be used. Currently only "UDP" is supported. |
port | 4739 | Port of destination. |
templateRefreshRate | 5000 | Number of records, until template is resent. |
templateRefreshInterval | 30s | Time, until template is resent. |
This module is capable of anonymizing arbitary fields within IPFIX-Records using different anonymization methods.
- Input type: IpfixRecord
- Output type: IpfixRecord
Example configuration:
<anonRecord id="3">
<anonField>
<anonIE>
<ieName>sourceIPv4Address</ieName>
</anonIE>
<anonMethod>CryptoPan</anonMethod>
<anonParam>insert key here</anonParam>
</anonField>
<anonField>
<anonIE>
<ieName>destinationIPv4Address</ieName>
<ieLength>4</ieLength>
</anonIE>
<anonMethod>CryptoPan</anonMethod>
<anonParam>insert key here</anonParam>
</anonField>
<copyMode>false</copyMode>
<next>6</next>
</anonRecord>
Parameters:
Element name | Default value | Description |
anonField | none | Specifies one field and an anonymization method for that field. Contains one anonIE, one anonMethod and an optional anonParam tag. |
anonIE | none | Specifies the information element that needs to be anonymized. Belongs to anonField. |
ieName | none | Specifies the name of the field that needs to be anonymized. Belongs to anonIE. |
anonMethod | none | Specifies the anonymization method that is used to anonymize a given header field. Belongs to anonField. Possible values are: BytewiseHashHmacSha1, BytewiseHashSha1, ConstOverwrite, ContinuousChar, HashHmacSha1, HashSha1, Randomize, Shuffle, Whitenoise, CryptoPan |
anonParam | none | Specifies an optional parameter to the anonymization method. Different methods need different params. ByteWiseHashHmacSha1, HashHmacSha1 need an variable sized key. ConstOverwrite needs one character as parameter. CryptoPan needs an 32 bytes long parameter (16 bytes key, 16 bytes pad). For CryptoPan and ConstOverwrite, keys can be specified as normal text, or as hexadecimal string starting with '0x'. |
copyMode | false | If true, the Record Anonymizer creates a copy of the incoming record and leaves the original record unchanged. Copy mode should be turned on if the original records are processed by other moduls as well. |
Module which controls all sensors ("`Messfühler"') inside Vermont. It does not have any in- or output types and must not be connected to any other module. It is recommended to set its ID to 99 to express its special role. If this module is specified in the configuration, available sensors are activated and polled regularly. It may only be specified once.
- Input type: none
- Output type: none
Example configuration:
<sensorManager id="99">
<checkinterval>2</checkinterval>
<outputfile>sensor_output.xml</outputfile>
</sensorManager>
Parameters:
Element name | Default value | Description |
checkinterval | 2 | Interval in seconds, when all sensors are polled and the output file is written to. |
outputfile | ''sensor_output.xml'' | Path to file, where sensor data is stored. |
append | 0 | Set to 1 if output file should be appended to, and not overwritten. |
Detects horizontal portscans in incoming IPFIX flows. Attention: IPFIX flows must be aggregated to biflows. To achieve best results, flows should contain the following IEs:
sourceIPv4Address
destinationIPv4Address
sourceTransportPort
destinationTransportPort
protocolIdentifier
flowStartMilliSeconds
flowEndMilliSeconds
revFlowStartMilliSeconds
revFlowEndMilliSeconds
octetDeltaCount
revOctetDeltaCount
packetDeltaCount
revPacketDeltaCount
tcpControlBits
revTcpControlBits
- Input type: IpfixRecord
- Output type: IdmefMessage
Example configuration:
<trwPortscanDetector id="8">
<analyzerid>trwportscandetector</analyzerid>
<idmeftemplate>idmef/templates/trwportscan_template.xml</idmeftemplate>
<hashbits>20</hashbits>
<timeexpirepending>86400</timeexpirepending>
<timeexpirescanner>1800</timeexpirescanner>
<timeexpirebenign>1800</timeexpirebenign>
<timecleanupinterval>10</timecleanupinterval>
<next>9</next>
</trwPortscanDetector>
Parameters:
Element name | Default value | Description |
analyzerid | none | Analyzer ID which is inserted into the generated IDMEF message. |
idmeftemplate | none | Path to IDMEF template which is used to generate the IDMEF message. |
hashbits | 20 | Amount of bits used for hashtable to contain watched IP addresses. |
timeexpirepending | 86400 | Seconds, until non-classified inactive IP addresses are purged from table. |
timeexpirescanner | 1800 | Seconds, until as portscanner classified IP addresses are purged from table. |
timeexpirebenign | 1800 | Seconds, until as benign classified IP addresses are purged from table. |
timecleanupinterval | 10 | Interval length in seconds, when IP address table is scanned for entries to be purged. |