December 20, 2012

Reporting on URLs with NetFlow

Are you looking to gain details on URLs from NetFlow or IPFIX?  Here’s a possible solution for some of you.  If you have a Squid logs, Bluecoat logs or other type of device that can export any type of log (e.g. syslog) you can send them to the Flow Replicator which will convert logs to IPFIX.  Tying the NetFlow to the URLs in the log is a simple two-step process in our NetFlow reporting solution.
Once the converted logs are sent to the IPFIX collector, they are available for reporting.  More importantly, they are ready to be tied to any NetFlow, sFlow or IPFIX export from any switch, router or server on the network.  The process is actually very simple.

Below I ran an Enterasys NetFlow report.  I narrowed in on the data that I wanted to focus on by filtering for Mike K’s host which you will see in the screen capture below on the bottom left.
NetFlow Reporting
Displayed above is just the host to host communications Mike K is participating in for the time frame selected. Now let’s look at the URLs he is visiting.

  • First, we add the device exporting the logs to the filter.  You will notice it as in the bottom left of the screen capture below. This could be a converted Bluecoat log, squid log, etc.
  • Second, I changed the report to URLs to see what is being visited from Mike K’s machine.

proxy log reporting
The Enterasys switch isn’t directly exporting URLs in NetFlow but, if you consider exporting any type of log information as IPFIX, it opens up a world of report correlation opportunity between NetFlow and syslogs or even Microsoft event logs.  Using the above two steps, we can correlate flow data with logs or even databases.

A bit more on the Flow Replicator
It also allows companies who need to meet the needs of regulatory compliance to ensure a backup of all system messages and notifications should an audit become necessary. The above NetFlow reporting solution provides:

  • Detection of a wide range of network threats including APTs, employee misuse, DoS attacks, Bots and even data leakage.
  • Security Audit trails of all network traffic and behaviors, enabling rapid reaction to network incidents
  • Detailed network utilization reports that provide insight into users, applications, and network devices

Ultimately the Flow Replicator syslog to IPFIX gateway can turn any type of stored information into meta data available for cross reporting.  We can extract contextual information from Mobile IAM like usernames or OS type. We can also export the Dragon IPS logs as IPFIX.


About The Contributor:
Mike PattersonCEO, Plixer

As one of the founders of the company, Michael has been involved in the development of Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics at Plixer. He enjoys writing and blogging about all things NetFlow, IPFIX and sFlow related.

See My Other Posts