Netflow & AppID

Started by johnrip, September 15, 2019, 05:54:48 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
September 15, 2019, 05:54:48 PM
Hello,

I installed Ntopng and it looks like it can detect AppIDs such as Netflix, Youtube, Office 365, etc.

I'm wondering if the native OPNsense netflow app could export flows with an the additional field "application_id" so that Netflow Collectors can report on web apps being used by clients.

My netflow collector is Elastic Stack's Elastiflow, and take a look at what it says here: https://github.com/robcowart/elastiflow/blob/master/INSTALL.md (please see the "9. Configure Application ID enrichment" section).

I think what's missing that others such as Fortinet and Sophos have is the extra AppID field in the netflow record and a local database (just a file) that resolve the ID to an App name like Netflix, Dropbox, etc. I think we could use the same as Ntopng or OpenAppID, something like that.

Any idea how we could make this work?

Thanks!
September 15, 2019, 06:00:46 PM #1
No, flowd doesnt support appid, wont work.
September 15, 2019, 06:27:55 PM #2
Quote from: mimugmail on September 15, 2019, 06:00:46 PM
No, flowd doesnt support appid, wont work.

Thanks for the quick reply!

Do you know of an alternative Netflow application I could install on OPNsense for exporting flows with the AppID into an external collector?

Ntopng as it is in OPNsense doesn't seem able to forward the flows it collects... So any other alternatives?
September 15, 2019, 06:43:00 PM #3
If you know any Open source Software we could try to integrate it
Print
Go Up Pages1
User actions