Hflow2 website

This page contains information about hflow 2 and friends. Hflow2 is under under GPL version2/3.
Caveat Emptor. Again as everyone I do not make any guarantees of the code

This website is divided into four sections:

1. FAQ
2. Getting Hflow2
3. Installing hflow2
4. Building hflow2

FAQ

1. What is hflow2?

   Hflow2 is a data coalesing tool for honeynet/network analysis. It allows to coalesce data from snort, p0f, sebekd into a unified cross related data structure stored in a relational database. There is a paper with a more detailed description here.

2. Do I need a honeywall?

   No. One of the objectives of the development of hflow2 was the decoupling of the data analysis from the honeywall. Neither hflow2 of the related walleye packages require the honeywall, but we need some other supporing libraries/packages (such as MySQL, apache and libdbi).

3. Can I use hflow2 on saved pcap data?

   Yes. One of the objectives of the development og hflow2 to be able to reprocess pcap data.Use option '-r filename'.

4. Why do you require a 'special' snort?

   In order to simplify the IPC beween hflow2 and snort, A single fifo is used to transfer the unified log from snort into hflow. However the base code of snort cannot make an infinite size output file not even with options. Hflow2 contains snort patches snort to that this infite size log file is generated. Pre-patched binaries for our special snort are included, as well as the patches if you want to build your special snort own from the snort source packages.

5. What about walleye?

   Hflow2 has a different database schema from hflow1 (GENIII honeynets) walleye is just one possible GUI for the hflow2 data. You are welcomed to build your own. (Let me know if there is one)

6. Is it 64bit capable?

   Hflow2 has been tested on a REHL5 x86_64 and seems to work fine. But no thourough long duration tests have been done.

7. Known bugs/ limitations?

   Yes many! among them

   • The current version of hflow can only run one instance per machine at a time when using snort.
   • There is no man page!
   • There are some assumptions on the location of certain files

Getting Hflow2

You can get hflow binaries/source from:

• First public release(alpha) Tarball of binary build of hflow2 and friends.(RPMS for fedora core 6 (roo-1.2))

• Repository Binary and source packages for hflow2 and friends

Installing Hflow2

• From rpm packages:
  1. Install dependant libraries:' mysql-server' and 'libdbi-dbd-mysql'
  2. Install the patched snort (as root): 'rpm -Uv snort-2.6.1.5-7.hflow2.i386'
  3. Install hflow2 :'rpm -Uv hflow-1.99.X-Y.ARCH.rpm'. (replace X,Y and arch for the appropiate values)
  4. Install the walleye modules: 'rpm -Uv perl-Walleye-Util-1.2-Z.noarch.rpm'
  6. Install walleye: 'rpm -Uv walleye-Util-1.2-Z.noarch.rpm'
  7. (if on roo-1.2) Run the roo updater script: '/etc/hflow/misc/roo1_2_hflow2update.pl'
• From src.rpm packages (rhel, centos, fedora):
  1. Follow the instrucitons on 'building from .src.rpm'
  2. Follow the instructions on installing from rpm packages
• From source:
  1. Make sure you have dependency libraries and development packages (libdbi, pcre, libdbi-dbd-mysql,pcap, a c++ compiler )
  2. Uncompress the hflow2 tarball
  3. Go to the source directory and confiugure './configure'
  4. Make and make install 'make && make install'

Building Hflow2

• From .src.rpm
  1. Build as any source rpm: 'rpmbuild --rebuild hflow-x.y.src.rpm'

Hflow2 has been tested on RHEL4, RHEL5 and FC6 in i386 architectures. It has also been tested on RHEL5 x86_64. However it should compile correctly in other linux systems.

Home

Open Source Home