Recently I was asked to see if I could create some Maltego transforms to provide a quick analysis of Netflow data. Always up for a challenge (and to feed my Maltego addiction) I created gotFlow, which is based on the Canari Framework (for rapid Maltego transform generation).
gotFlow currently supports only nfdump and should still be classed as an “early release” (meaning more to come). It’s a nice simple transform set: 3 transforms, 3 entities and 1 Maltego machine.
The transform chain works as follows:
nfdump file -> source ip -> destination ip -> destination port
The source and destination IPs are Maltego IPv4 Address entities, so you can run additional transforms against them.
To get started you can either add a single nfdump file or import nfdump files from a directory.
From here you can run the ‘[NF] – Import Files’ transform, which imports all the nfdump files from the chosen directory.
Once that’s run you should get something that looks like this (depending on the number of nfdump files).
You can now either run the Maltego machine against the files or run the transforms separately. For the purpose of this blog post I’ve cheated and used the machine.
The machine runs the following transforms, each feeding off the entities returned by the transform before it.
[NF] – Get Source IP
[NF] – Get Destination IP
[NF] – Get Destination Port
What you end up with is something like this:
Now I’ve tried to make traffic type and size easy to determine by the art of colour coding (very high tech).
TCP Traffic – Red lines
UDP Traffic – Blue lines
ICMP Traffic – Green lines
The thickness of the line between the source IP and destination IP reflects the size of the flow. The returned value is in bytes, which I convert to kilobytes (bytes / 1000). If the line is thin (the default) it means the flow is below 1 kilobyte.
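As an added example (not gotFlow’s own code), this is how the source IP → destination IP → destination port chain and the colour/thickness rules above could be computed from `nfdump -o csv` style output in Python. The column names sa, da, dp, pr and ibyt, the 1–5 thickness scale and the handling of the trailing summary block are assumptions; the flow records are constructed.

```python
import csv
from collections import defaultdict

# Constructed sample in the style of `nfdump -o csv` (simplified column set; the
# parser keys on header names, not positions). Addresses are from the doc ranges.
SAMPLE_CSV = """ts,te,td,sa,da,sp,dp,pr,flg,ipkt,ibyt
2012-01-01 10:00:00,2012-01-01 10:00:01,1.000,192.0.2.10,198.51.100.5,51234,80,TCP,.AP.SF,12,1500
2012-01-01 10:00:02,2012-01-01 10:00:02,0.100,192.0.2.10,198.51.100.5,51235,80,TCP,.AP.SF,4,300
2012-01-01 10:00:03,2012-01-01 10:00:03,0.000,192.0.2.10,198.51.100.53,40000,53,UDP,......,1,74
2012-01-01 10:00:04,2012-01-01 10:00:04,0.000,192.0.2.11,198.51.100.5,0,0,ICMP,......,2,196
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
4,2070,19,4140,38,108
"""
PROTO_COLOUR = {"TCP": "red", "UDP": "blue", "ICMP": "green"}  # gotFlow's line colours

def parse_flows(text):
    """Yield one dict per flow record, skipping the summary block nfdump appends."""
    for row in csv.DictReader(text.splitlines()):
        try:
            int(row["ibyt"])
        except (KeyError, TypeError, ValueError):
            continue  # 'Summary' and its totals rows carry no byte column
        yield row

def build_graph(text):
    """Aggregate flows per (source, destination) edge: bytes, kilobytes, protocols, ports."""
    edges = defaultdict(lambda: {"bytes": 0, "protocols": set(), "ports": set()})
    for f in parse_flows(text):
        edge = edges[(f["sa"], f["da"])]
        edge["bytes"] += int(f["ibyt"])
        edge["protocols"].add(f["pr"].upper())
        edge["ports"].add(int(f["dp"]))
    for edge in edges.values():
        edge["kilobytes"] = edge["bytes"] / 1000  # the bytes / 1000 conversion from the post
    return dict(edges)

# The three transforms, each fed by the entity the previous one returned.
def get_source_ips(graph):
    return sorted({sa for sa, _ in graph})
def get_destination_ips(graph, sa):
    return sorted(da for s, da in graph if s == sa)
def get_destination_ports(graph, sa, da):
    return sorted(graph[(sa, da)]["ports"])

def link_style(edge):
    """Colour from the first protocol seen; thin (1) below 1 KB, else an assumed 1-5 scale."""
    colour = next((PROTO_COLOUR[p] for p in ("TCP", "UDP", "ICMP") if p in edge["protocols"]), "grey")
    thickness = 1 if edge["kilobytes"] < 1 else min(5, 1 + int(edge["kilobytes"]))
    return colour, thickness
```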
The only configuration change you need to make before you run gotFlow is to define the location of the nfdump executable, which needs to be added to:
You can find the transforms here:
Any questions, queries or suggestions, let me know (email or raise an issue on GitHub).