This article covers installing and configuring SiLK and YAF.

1. SiLK

SiLK (the System for Internet-Level Knowledge) is a suite of large-scale network traffic analysis tools developed by the CERT group at Carnegie Mellon University.

This article covers how to configure and install SiLK; only the case where the whole SiLK tool set is installed on a single machine is considered.

1.1 Download

SiLK is open-source software; the latest source code can be downloaded directly from silk/download.

1.2 Configuration

Since SiLK consists of a whole set of tools, only the more important configure options are listed here. [1]

SILK_DATA_ROOTDIR: the directory where the collected flow data files are stored

The root of the directory tree where the SiLK Flow files are permanently stored. Use the --enable-data-rootdir=dir switch to give the value to configure. If you do not specify a location, /data is the name of the directory.

SILK_PATH: the path where SiLK is installed

The root of the directory tree where SiLK will be installed. Pass this value to configure in the --prefix switch. If not specified, the default is /usr/local.

Supporting PySiLK: SiLK in Python

SiLK provides support for accessing SiLK flow records from within Python and for using Python code as part of an rwfilter invocation. You may also use Python code to create arbitrary fields to use in rwcut, rwgroup, rwsort, rwstats, and rwuniq. This support is called PySiLK and it requires Python 2.4 or later. Python 2.6 or later is highly recommended, and PySiLK is known to work with Python 3.x.
To include PySiLK support, you must provide the --with-python switch to configure.

Using automatic file compression

To reduce the size of the data files, the rwflowpack daemon and many analysis tools have the ability to use an external library to automatically compress their binary output when writing and uncompress their input when reading. You can specify whether a particular tool uses this external compression via a switch on the tool’s command line.
The default setting for this behavior is determined by the --enable-output-compression=type switch to configure. SiLK supports the following parameters to the switch:

  • none
    use no compression; this is the default
  • zlib
    use the widely available zlib general compression library
  • snappy
    use the Snappy data compression library
  • lzo1x
    use the lzo1x algorithm from the LZO real-time data compression library

Building support for MaxMind GeoIP2 binary database files

When SiLK is compiled with libmaxminddb support, the rwgeoip2ccmap tool is able to build the country-code prefix map file (cf. Section 3.3) by reading a MaxMind GeoIP2 or GeoLite2 binary database file (e.g., GeoIP2-Country.mmdb).

Collecting IPFIX, NetFlow v9, or sFlow records

When SiLK is compiled with libfixbuf support, the SiLK packer can read NetFlow v9 flow records, sFlow records (as of SiLK-3.9.0), and flow data generated by an IPFIX (Internet Protocol Flow Information eXport) compliant flow generator such as the YAF flow sensor technology (https://tools.netsa.cert.org/yaf/).
libfixbuf is a separate library; it does not come as part of SiLK. You must download it from https://tools.netsa.cert.org/fixbuf/ and install it prior to installing SiLK. For IPFIX, NetFlow v9, and sFlow support, SiLK requires libfixbuf-1.7.0 or later (starting with the SiLK-3.11.0 release).

Supporting conversion of packet capture tcpdump data

The configure script will attempt to locate the pcap library and header files. If they are not found or if they do not have the required functions, SiLK will be built without support for the packet-flow conversion tools rwptoflow and rwpmatch.

Supporting the IP Association library (libipa)

If SiLK is compiled with libipa support, the rwipaimport and rwipaexport programs will be compiled. These tools interact with an IPA (IP Association) database, which stores information about IP addresses. rwipaimport takes an existing SiLK IPset, Bag, or Prefix Map and stores it in the database; rwipaexport reads data from the IPA database to create a SiLK IPset, Bag, or Prefix Map. libipa is a separate library available from https://tools.netsa.cert.org/ipa/. SiLK requires libipa-0.5.0 or greater.

1.3 Build and install

Once configured, build and install with the commands:

make
make install

2. YAF

YAF (Yet Another Flowmeter) is a flow collection tool that works together with SiLK: it converts packet files (pcap) or live-captured packets directly into bidirectional flows for further flow analysis. [2]

2.1 Download

Like SiLK, YAF is open-source software and can be downloaded directly from yaf/download.

2.2 Configuration

Like SiLK, YAF is built with configure and has a number of configure options. Note that YAF itself depends on libfixbuf, the same library SiLK uses for IPFIX support, so it must be installed before YAF is configured. The options of interest here:

application labeling

requires giving the --enable-applabel option to ./configure.

p0f

requires giving the --enable-p0fprinter and --enable-applabel options to ./configure.

Deep Packet Inspection (DPI)

requires plugin support. Use the --enable-plugins option to ./configure.

2.3 Build and install

Build and install with the same commands as for SiLK (make, then make install).
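As an added example that ties sections 1.2 through 2.3 together (this is not code from the original page, nor from the SiLK or YAF projects), the following POSIX shell script assembles the configure switches described above for both tools, builds them in the order the dependencies require, and then checks that the build actually picked up the requested options. It assumes libfixbuf is already installed under the chosen prefix (so that pkg-config can find it), that the SiLK and YAF source trees have been unpacked at the paths in SILK_SRC and YAF_SRC, and that the user running it may write to the prefix and the data root. The pkg-config check, the rejection of unknown compression types, and the grep over rwfilter --version are the script's own checks, not steps from the page.

```shell
#!/bin/sh
# Added example, not code from the original page or the SiLK/YAF projects.
# Assembles the ./configure switches for SiLK and YAF, builds both, and
# verifies the result. With no argument it only prints the switches;
# pass "build" to configure, make and make install for real.
#
# Assumptions (not from the page): libfixbuf is installed under $PREFIX,
# and the two source trees are unpacked at $SILK_SRC and $YAF_SRC.

PREFIX="${PREFIX:-/usr/local}"            # SILK_PATH         -> --prefix
DATA_ROOTDIR="${DATA_ROOTDIR:-/data}"     # SILK_DATA_ROOTDIR -> --enable-data-rootdir
COMPRESSION="${COMPRESSION:-lzo1x}"       # --enable-output-compression=<type>
SILK_SRC="${SILK_SRC:-$HOME/src/silk}"    # assumed unpack location of the SiLK tarball
YAF_SRC="${YAF_SRC:-$HOME/src/yaf}"       # assumed unpack location of the YAF tarball

# The four compression types configure accepts. Anything else is rejected
# here, so a typo cannot silently turn into an uncompressed data store
# (configure's own default is "none").
valid_compression() {
    case "$1" in
        none|zlib|snappy|lzo1x) return 0 ;;
        *) return 1 ;;
    esac
}

# SiLK configure switches, one per line, built from the variables above.
silk_configure_args() {
    valid_compression "$COMPRESSION" || {
        echo "unsupported --enable-output-compression type: $COMPRESSION" >&2
        return 1
    }
    printf '%s\n' \
        "--prefix=$PREFIX" \
        "--enable-data-rootdir=$DATA_ROOTDIR" \
        "--enable-output-compression=$COMPRESSION" \
        "--with-python"
}

# YAF configure switches: p0f fingerprinting needs applabel as well, and
# DPI needs plugin support, so all three are enabled together.
yaf_configure_args() {
    printf '%s\n' \
        "--prefix=$PREFIX" \
        "--enable-applabel" \
        "--enable-p0fprinter" \
        "--enable-plugins"
}

# configure / make / make install in one source tree. The log is kept
# next to the tree so a failed configure can be inspected afterwards.
build_tree() {
    tree="$1"
    shift
    ( cd "$tree" && ./configure "$@" && make && make install ) \
        >"$tree/build.log" 2>&1
}

# Confirm the install picked up the options: the --version output of any
# SiLK tool lists its compiled-in settings, including the available
# compression methods, and the yaf binary must at least start.
check_install() {
    "$PREFIX/bin/rwfilter" --version 2>&1 | grep -qi "$COMPRESSION" || return 1
    "$PREFIX/bin/yaf" --version >/dev/null 2>&1 || return 1
}

main() {
    # libfixbuf ships a pkg-config file; failing here is cheaper than
    # failing half-way through configure.
    PKG_CONFIG_PATH="$PREFIX/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}"
    export PKG_CONFIG_PATH
    pkg-config --exists libfixbuf || {
        echo "libfixbuf not found; install it before SiLK and YAF" >&2
        return 1
    }
    # configure only records the data root; create it now so rwflowpack
    # has somewhere to write later.
    mkdir -p "$DATA_ROOTDIR"
    # Word splitting of the switch lists is intended (no spaces in paths).
    build_tree "$SILK_SRC" $(silk_configure_args) || return 1
    build_tree "$YAF_SRC" $(yaf_configure_args) || return 1
    check_install
}

case "${1:-}" in
    build) main ;;
    *) echo "SiLK:"; silk_configure_args; echo "YAF:"; yaf_configure_args ;;
esac
```

Typical use is `PREFIX=/opt/netsa COMPRESSION=zlib sh build-silk-yaf.sh build`; running it without the argument is a dry run that shows exactly which switches configure will receive. The compression type chosen here only sets the default for the packer and analysis tools; as the handbook text above notes, each tool can still override it on its command line.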

(update: 03/25/2019)