Tuesday, 15 March 2016

Setting up NTOPNG with the Cisco ASA on CentOS 7

Firstly refer to the installation instructions provided below (I would recommend installing from the repository):
Add a new repo:

sudo vi /etc/yum.repos.d/ntop.repo

and add:


[ntop]
name=ntop packages
baseurl=http://packages.ntop.org/centos/\$releasever/\$basearch/
enabled=1
gpgcheck=1
gpgkey=http://packages.ntop.org/centos/RPM-GPG-KEY-deri
[ntop-noarch]
name=ntop packages
baseurl=http://packages.ntop.org/centos/\$releasever/noarch/
enabled=1
gpgcheck=1
gpgkey=http://packages.ntop.org/centos/RPM-GPG-KEY-deri
EOT

and then run a update yum:

yum update

and install the relevent packages:

yum install ntopng ntopng-data hiredis-devel nprobe

and start the redis service:

service start redis

We should firstly setup nprobe to start collecting the flows from our ASA - so we should run something like:

/usr/local/bin/nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055  

We can also run ntopng directly initially to test it:

/usr/bin/ntopng -i "tcp://10.0.0.184:5556" --local-networks="10.0.0.0/8" --http-port=3000 -G var/tmp/ntopng.pid --disable-login --dns-mode=1 -U ntopng -w 3050 -W 3051

* Note: '-zmq' refers to the interface that ntopng will tap into to get the flow data when we set it up. *

Remember to add an exception in the firewall (with firewalld) e.g.

sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --reload 


We should then create a configuration file for NTOP:

sudo vi /etc/ntopng/ntopng.conf

and enter something like:

--local-networks="192.168.0.0/16,10.0.0.0/8"
--interface="tcp://10.0.0.184:5556"
--dns-mode=1
--disable-login
--packet-filter="ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.1.100"
--daemon
--http-port=3000
-G=/var/tmp/ntopng.pid
-c 9hoAtewwpC2tXRMJBfifrY24B
--sticky-hosts=local
-U=<run-as-this-user>

* Note: Refer to the stdout for any warnings! *

And then proceed by running ntopng:

sudo service ntopg start

And login with the default credentails - admin/admin.

Point your netflow device at the NTOP server (UDP/2055 by default.)

To enable the services to start on boot we can issue:

systemctl enable redis.service
systemctl enable ntopng.service

systemctl enable nprobe.service 

0 comments:

Post a comment