Mailing List Archive

Nprobe black list network
Hello,

I recently bought nProbe Pro. I collect NetFlow v9 and then send it back as v5 to a server.
I need to blacklist some networks, so I used the "--black-list" argument, but it does not seem to work.

Here is the command I use:
nprobe -n udp://10.11.1.140:2055 -i none -t 20 -d 20 -a 0 -e 1 -b 2 -w 128000 -z 0 -S 1:1 -u 1 -Q 1 -3 9995 --zmq tcp://127.0.0.1:5556 -V5 -G --black-list 10.7.0.0/16,10.1.0.0/16,10.11.0.0/16,192.168.0.0/16

And here are some log lines for networks that I don't want sent back to my server:
23/May/2016 09:55:43 [engine.c:2541] Emitting Flow: [->][icmp] 10.1.1.104:2048 -> 10.2.1.41:0 [1 pkt/60 bytes][ifIdx 22273->111][0.0 sec][ECHO REPLY][init Unknown][AS: 0 -> 0]
23/May/2016 09:55:46 [engine.c:2568] Emitting Flow: [<-][icmp] 10.2.1.42:0 -> 10.1.1.48:2048 [2 pkt/120 bytes][ifIdx 111->22273][0.0 sec][AS: 0 -> 0]
23/May/2016 09:55:42 [engine.c:2361] New Flow: [icmp] 10.1.1.104:2048 -> 10.2.1.1:0 [00:00:00:00:00:00 -> 00:00:00:00:00:00][vlan 65535][tos 0][ifIdx: 22273 -> 111][subflowId: 0/0x0000][idx=69225]

What did I do wrong?

Thanks for your help!

CRUCHADE Loïc
05.82.52.22.02
Service Exploitation Informatique
Direction des Systèmes d'information
Re: Nprobe black list network
Loïc
I have just tested and it seems to work for me. What nprobe version are you using? I have tested the latest 7.3 release.

Please put " " around the blacklist parameter to make sure the shell does not mess it up. If it is still not working, please file a bug at https://github.com/ntop/nProbe/issues

Regards Luca


> On 23 May 2016, at 10:10, Loic CRUCHADE <loic.cruchade@consuel.com> wrote:
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: Nprobe black list network
Hello,

Thanks for the reply.
I reached the same goal with the "collection-filter" argument.
But I had some problems too. The "!" was returning a shell function, I think. When I used it, it put some "yum install…" in place of the "!".
I solved this by using a configuration file for nprobe.
Now the last thing I have to do is filter only Office365 flows, but it's tricky because there are almost 1000 IPs to filter.
If anybody has an idea.
Thanks again.

CRUCHADE Loïc
05.82.52.22.02
Service Exploitation Informatique
Direction des Systèmes d’information

From: ntop-misc-bounces@listgateway.unipi.it [mailto:ntop-misc-bounces@listgateway.unipi.it] On behalf of Luca Deri
Sent: Tuesday, 24 May 2016 09:02
To: ntop-misc@listgateway.unipi.it
Subject: Re: [Ntop-misc] Nprobe black list network
Re: Nprobe black list network
Loic
please file an enhancement issue for Office365: in essence you don't want to emit flows for protocols X, Y, Z, which in your case is Office365?
Luca
On 05/24/2016 09:24 AM, Loic CRUCHADE wrote:
Re: Nprobe black list network
Luca,

Sorry, but my English is not that great.
What do you mean by "please file an enhancement issue for Office365"?
About Office365: it uses HTTP port 80 and public addresses. Those addresses are provided by Microsoft, but there are a LOT of IPs (almost 1000 IPv4).
So I'm not sure about putting around 1000 "collection-filter" entries in the nprobe configuration file.
Is it possible to provide a file for the "collection-filter" argument instead of setting it in the nprobe configuration file?


CRUCHADE Loïc
05.82.52.22.02
Service Exploitation Informatique
Direction des Systèmes d'information

From: ntop-misc-bounces@listgateway.unipi.it [mailto:ntop-misc-bounces@listgateway.unipi.it] On behalf of Luca Deri
Sent: Tuesday, 24 May 2016 10:52
To: ntop-misc@listgateway.unipi.it
Subject: Re: [Ntop-misc] Nprobe black list network
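Editor's note, added to this archived thread; the script below is not part of any message above and is not ntop's code. Two of the problems discussed share one root cause: a list of prefixes typed on an interactive command line is parsed by the shell before nprobe ever sees it. Luca's advice to quote the blacklist parameter addresses word splitting; the "yum install…" text that replaced Loïc's "!" is bash history expansion, which in an interactive shell rewrites an unquoted or double-quoted "!y" into the most recent command beginning with "y" (single quotes, "set +H", or a configuration file avoid it). The script generates an nprobe configuration file from a plain text file of CIDR prefixes, validating each one and joining them into the comma-separated form the thread shows for --black-list, so that a thousand Office365 prefixes never pass through the shell at all. It assumes a config-file syntax of one "--option=value" per line with "#" comments; that assumption, and whether --black-list (rather than --collection-filter) is the right knob for flows received in collector mode, should be checked against the nProbe manual for the version in use. The prefixes, the collector address and the listening port are constructed sample values copied from the thread.

```bash
#!/bin/bash
# Added example: build an nProbe configuration file from a text file of
# CIDR prefixes so the list never passes through an interactive shell
# (no word splitting, no history expansion of "!").
#
# Assumptions (not taken from the thread): nprobe accepts a config file
# with one "--option=value" per line and "#" comments, and --black-list
# takes the comma-separated CIDR list shown in the thread.

set -eu

# Return 0 if $1 is a well-formed IPv4 CIDR prefix (a.b.c.d/n), else 1.
valid_cidr() {
    local cidr="$1" ip mask o
    case "$cidr" in
        */*) ip="${cidr%/*}"; mask="${cidr#*/}" ;;
        *)   return 1 ;;
    esac
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    # Reject empty octets that IFS splitting would silently drop.
    case "$ip" in .*|*.|*..*) return 1 ;; esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read prefixes from a file (one per line; blank lines and "#" comments
# ignored), validate each, and print them as one comma-separated list.
# Fails and names every malformed line instead of emitting a partial list.
build_black_list() {
    local file="$1" line list="" bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            list="${list:+$list,}$line"
        else
            printf 'invalid prefix: %s\n' "$line" >&2
            bad=1
        fi
    done < "$file"
    [ "$bad" -eq 0 ] || return 1
    printf '%s\n' "$list"
}

# Write the config file. Collector options mirror the thread's command
# line in the assumed "-opt=value" form; the prefix list becomes a single
# --black-list= line that no shell will ever re-parse.
write_nprobe_conf() {
    local conf="$1" prefixes="$2" list
    list="$(build_black_list "$prefixes")" || return 1
    {
        printf '# generated on %s from %s\n' "$(date -u +%Y-%m-%dT%H:%MZ)" "$prefixes"
        printf '%s\n' '-n=udp://10.11.1.140:2055'
        printf '%s\n' '-i=none'
        printf '%s\n' '-3=9995'
        printf '%s\n' '-V=5'
        printf '%s=%s\n' '--black-list' "$list"
    } > "$conf"
}

# Demo with a constructed prefix file: the four networks from the thread.
demo() {
    local dir; dir="$(mktemp -d)"
    cat > "$dir/prefixes.txt" <<'EOF'
# networks whose flows must not be re-exported
10.7.0.0/16
10.1.0.0/16    # local LAN
10.11.0.0/16
192.168.0.0/16
EOF
    write_nprobe_conf "$dir/nprobe.conf" "$dir/prefixes.txt"
    cat "$dir/nprobe.conf"
    rm -r "$dir"
}

demo
```

Start nprobe with the generated file as its only argument rather than repeating the options on the command line; when a prefix is rejected, the script exits non-zero and prints the offending line, so a typo in a 1000-entry Office365 list does not silently shrink the blacklist.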