adulau/yaf-notes.MD

## yaf-notes.MD

      
    Raw
  

              yaf-notes.MD
            
          
    Configuration

Before compiling Yaf, you need to compile and install the IPFIX library called
libfixbuf is required (https://tools.netsa.cert.org/fixbuf/download.html). You will
need libglib2.0-dev to compile libfixbuf.
./configure
make
sudo make install
sudo ldconfig

Then you can (download)[https://tools.netsa.cert.org/yaf/download.html], compile and install Yaf. You will need
libpcap-dev.
./configure --enable-plugins --enable-applabel --enable-entropy
make
sudo make install
sudo ldconfig

Running yaf

sudo yaf --plugin-name=/usr/local/lib/yaf/dpacketplugin.la --live=pcap --in=eth0 --max-payload=512 --applabel --out=../../data/yaf

Passive DNS capture
yaf --plugin-name=/usr/local/lib/yaf/dpacketplugin.la --rotate 300 --live=pcap --in=eth0 --plugin-opts="53 80 443 110 21" --max-payload=2048 --udp-uniflow=53 --applabel --out=../../data/yaf

Passive DNS capture (live yaf -> super_mediator
yaf --plugin-name=/usr/local/lib/yaf/dpacketplugin.la --live=pcap --in=wlp4s0 --plugin-opts="53 80 443 110 21" --max-payload=2048 --udp-uniflow=53 --applabel --out=/dev/stdout | super_mediator --print-headers -i - -o - -m JSON  | jq .

Dumping IPFIX

yafscii --in yaf --out - --tabular

Dumping all

super_mediator -i yaffile -o - -m TEXT

super_mediator -i yaf-20151206175818-00536.yaf -f 0,1,29,73 -o - -m TEXT

super_mediator -i yaf-20160328121250-00002.yaf -o - -m JSON