[j-nsp] AppSecure AppTrack

Wood, Peter (ISS) p.wood at lancaster.ac.uk
Wed Oct 16 12:00:00 EDT 2013


> 1. Anyone used to set up NFSEN for this?

Nfsen doesn't know how to interpret the syslog data sent by the SRX, in either format (syslog or sd-syslog). Additionally Nfsen doesn't have fields to store the more interesting data on disk (L7 app/nested app).

> 2. Any way to see that FW is sending the collected data to server?

monitor traffic will probably show it, as it's sourced by the RE; failing that, tcpdump on the receiving server.

I've been working on a project on and off for about six months which takes this data (well, actually the sd-syslog format variant), rebuilds the firewall's flow table and then exports NetFlow v9 from it (though it still throws away the AppTrack info). It actually uses RT_FLOW as well as APPTRACK_ messages, and needs logging init/close on all policies for it to work well.

We're having good success on an SRX 3600 cluster with sd-syslog in stream mode from the SPUs directly, though currently we're waiting for PR#924941 to be fixed due to a session-id-32 inconsistency between the message types. 250k concurrent flows with 15k updates/second in a 2Gb Java process. I do intend to release it OSS, but the project internals are in a state of flux as I rework ideas and as such I wouldn't curse anyone with it.

If you're really keen on nfsen for now, jflow would give you the basic IP info; failing that, Splunk/Graylog might do in the short term?

P.
-- 
Peter Wood
Network Security Specialist
Information Systems Services
Lancaster University
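Added illustration of the flow-table rebuild step Peter describes (this is not his code, nor the project's): RT_FLOW and APPTRACK_ sd-syslog messages are parsed and merged per session-id-32, and a close or update that arrives with no matching create is counted rather than silently dropped. The sample lines are constructed, and the field names other than session-id-32 (source-address, application, nested-application, bytes-from-client/-server) are assumed from the SRX structured-syslog format rather than taken from the post.

```python
import re

# Matches the sd-syslog body: MESSAGE_TYPE [junos@<pen> key="value" key="value" ...]
_SD = re.compile(r'(RT_FLOW_SESSION_\w+|APPTRACK_SESSION_\w+) \[junos@[\d.]+ (.*?)\]')
_KV = re.compile(r'([\w-]+)="([^"]*)"')

def parse_sd_syslog(line):
    """Return (message type, {field: value}) for an RT_FLOW/APPTRACK line, else None."""
    m = _SD.search(line)
    return (m.group(1), dict(_KV.findall(m.group(2)))) if m else None

class FlowTable:
    """Session state keyed by session-id-32, merged across RT_FLOW and APPTRACK_ messages."""
    def __init__(self):
        self.active = {}    # session-id-32 -> fields of sessions still open
        self.finished = {}  # session-id-32 -> fields of closed sessions (export candidates)
        self.orphans = 0    # update/close messages whose session was never seen created

    def feed(self, line):
        parsed = parse_sd_syslog(line)
        if parsed is None or "session-id-32" not in parsed[1]:
            return
        msg_type, fields = parsed
        sid = fields["session-id-32"]
        if msg_type.endswith("_CREATE"):
            self.active.setdefault(sid, {}).update(fields)
            return
        rec = self.active.get(sid) or self.finished.get(sid)
        if rec is None:           # no create seen for this id: the stream is inconsistent
            self.orphans += 1
            return
        rec.update(fields)        # later messages add L7 app, nested app and byte counters
        if msg_type.endswith("_CLOSE") and sid in self.active:
            self.finished[sid] = self.active.pop(sid)

# Constructed sample lines in sd-syslog style (not real SRX output); all values are made up.
SAMPLE_LOG = [
    '<14>1 2013-10-16T12:00:00Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.1.1.5" source-port="51234" destination-address="192.0.2.10" destination-port="443" protocol-id="6" session-id-32="40001"]',
    '<14>1 2013-10-16T12:00:05Z srx RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.36 session-id-32="40001" application="HTTP" nested-application="EXAMPLE-APP" bytes-from-client="1200" bytes-from-server="34000"]',
    '<14>1 2013-10-16T12:00:09Z srx RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="TCP FIN" session-id-32="40001" bytes-from-client="1500" bytes-from-server="40100"]',
    '<14>1 2013-10-16T12:00:09Z srx RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.36 session-id-32="40002" application="DNS" bytes-from-client="60" bytes-from-server="120"]',
]

def rebuild(lines):
    """Replay syslog lines through a fresh FlowTable and return it."""
    table = FlowTable()
    for line in lines:
        table.feed(line)
    return table
```

Records in `finished` carry the 5-tuple from the create message plus the L7 fields and final byte counters from the later messages, which is what a NetFlow v9 exporter would consume; a non-zero `orphans` count is the symptom to watch for when session ids do not line up between message types.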


