Large-Scale Network Monitoring Using Aggregated Flows
The Network Situational Awareness group at CERT (CERT/NetSA) has developed and maintains a suite of open source tools for monitoring large-scale networks using flow data. These tools have grown out of the work of the AirCERT project, the SiLK project and the effort to integrate this work into a unified, standards-compliant flow collection and analysis platform.
YAF - Yet Another Flow Sensor (YAF) processes packet data into bidirectional flow records that can be used as input to an IPFIX Collecting Process. YAF’s output can be used with the NetSA Aggregated Flow (NAF) toolchain and the SiLK tools.
NAF - The NetSA Aggregated Flow (NAF) tools create and manipulate the IPFIX-based NAF file format, designed as a common format for aggregate network flow analysis.
fixbuf - The fixbuf library provides a set of functions for processing the IPFIX protocol message format. Using fixbuf, developers can build IPFIX Collecting and Exporting Processes.
AirDBC - AirDBC is the AirCERT Database Connectivity abstraction layer for access to multiple RDBMS backends in C. It provides the database API used by CERT NetSA applications.
SiLK - The System for Internet Level Knowledge (SiLK) is an efficient network flow collection and storage infrastructure that will accept flow data from a variety of sensors. SiLK also provides a suite of efficient command-line tools for analysis.
RAVE - The Retrospective Analysis and Visualization Engine (RAVE) is an extensible analysis middleware platform based on Python that simplifies the task of building analysis environments on top of a network monitoring and collection infrastructure.
IPA - The IP Address Association library provides efficient data structures for manipulating labelings of IP addresses and IP address ranges.
Airframe - Airframe is an application utility library built on glib designed to ease the creation of command-line network data processing applications written in C. It is the mechanism by which the NAF tools have a common interface.
The whole suite is GPL licensed and, don't worry, there is full documentation on how to put all these modules together and make them work.
Post Info
This entry was posted on Wednesday, July 4th, 2007 and is filed under Tools.