Configuration
Quick link to Module Configuration Description.
Vermont is heavily modularized. Different functions are realized in separate modules, each of which usually has one input stream and one output stream. A stream consists of packets, records, or IDMEF messages:

- Packet stream: Carries raw packets captured from a network interface or read from a PCAP file. The corresponding ''class Packet'' provides pointers to the available headers, such as the IP header and the transport header, and to the included payload. Since the snap length is usually restricted, longer packets are not available in full length. If packets are captured at an interface, the snap length can be configured in the configuration of the Observer module. Note that the maximum configurable snap length is limited by a constant which can be adapted at compile time if necessary.
- Record stream: Carries data records and template records. Each record corresponds to an object of the ''class IpfixRecord''. Every data record contains a pointer to the corresponding template, which enables its decoding.
- IDMEF message stream: Carries IDMEF messages in XML format. IDMEF messages are created by analyzer modules and contain information about a detected event.
Modules can be concatenated by linking the output stream of one module to the input stream of another. Two modules may only be connected if the output stream type of the first matches the input stream type of the second.
A module may pass its output to multiple modules. In this case, only pointers to the outgoing stream objects are copied, not the objects themselves. Hence, if one module modifies certain parts of the objects, the input of modules located in a parallel branch may be affected as well. This must be taken into account when setting up the configuration and module structure.
Modules are not able to process multiple input streams. For this purpose, queues can be prepended to a module in order to synchronize multiple input streams. If no such queue is specified in front of a module that is configured to receive multiple input streams, a queue of length 1 is automatically inserted.
To specify the concatenation between modules, each module is identified by a unique ID number. <next> tags in the module configuration specify the modules which receive and process the output stream.
Roughly, Vermont’s modules can be classified into the following groups:
- Modules which have no input stream:

| Module | External Input | Output Stream |
| --- | --- | --- |
| IpfixCollector | IPFIX/UDP, IPFIX/SCTP | records |
| IpfixDbReader | MySQL, PostgreSQL, Oracle DB | records |
| IpfixReceiverFile | file | records |
| Observer | interface, PCAP file | packets |

- Modules which have an input and an output stream:

| Module | Input Stream | Output Stream |
| --- | --- | --- |
| IpfixAggregator | records | records |
| IpfixQueue | records | records |
| IpfixSampler | records | records |
| PacketAggregator | packets | records |
| PacketFilter | packets | packets |
| PacketIdmefReporter | packets | IDMEF messages |
| PacketQueue | packets | packets |
| P2PDetector | records | IDMEF messages |
| RecordAnonymizer | records | records |
| TrwPortscanDetector | records | IDMEF messages |
| AutoFocus | records | IDMEF messages |

- Modules with no output stream:

| Module | Input Stream | External Output |
| --- | --- | --- |
| FrontPayloadSigMatcher | records | standard out |
| HostStatistics | records | log file |
| IpfixExporter | records | IPFIX/UDP, IPFIX/SCTP |
| IpfixFileWriter | records | file |
| IpfixDbWriter | records | MySQL, PostgreSQL, Oracle DB |
| IpfixPayloadWriter | records | files |
| IpfixPrinter | records | standard out |
| IdmefExporter | IDMEF messages | files/socket |
| PcapExporter | packets | PCAP file |
| PsampExporter | packets | IPFIX/UDP, IPFIX/SCTP |
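The linking rules above (matching stream types, unique IDs, `<next>` targets, fan-out sharing the same objects, and the automatically inserted queue of length 1 in front of a module with several inputs) can be checked before a configuration is deployed. The following Python lint is an added example and is not part of Vermont; it transcribes the stream types from the three tables above and assumes, for illustration only, an XML layout in which each module element is named after its module, carries an `id` attribute and lists its successors in `<next>` children (the page documents `id` and `<next>`; the element naming and the `<ipfixConfig>` root tag are assumptions of this example, not Vermont's real schema). The sample configuration is constructed and contains two deliberate mistakes.

```python
"""Lint a Vermont-style module graph against the linking rules on this page.

Added example, not Vermont's own code.  Assumptions: stream types are taken from
the tables above; the configuration is XML whose module elements are named after
the module, carry a unique ``id`` attribute and list successors in ``<next>``
children (element naming and the ``<ipfixConfig>`` root are assumed, not real).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# (input stream, output stream) per module, transcribed from the tables above.
# None means the module has no stream on that side.
STREAMS = {
    # no input stream
    "IpfixCollector": (None, "records"), "IpfixDbReader": (None, "records"),
    "IpfixReceiverFile": (None, "records"), "Observer": (None, "packets"),
    # input and output stream
    "IpfixAggregator": ("records", "records"), "IpfixQueue": ("records", "records"),
    "IpfixSampler": ("records", "records"), "PacketAggregator": ("packets", "records"),
    "PacketFilter": ("packets", "packets"), "PacketQueue": ("packets", "packets"),
    "PacketIdmefReporter": ("packets", "IDMEF messages"),
    "P2PDetector": ("records", "IDMEF messages"), "RecordAnonymizer": ("records", "records"),
    "TrwPortscanDetector": ("records", "IDMEF messages"), "AutoFocus": ("records", "IDMEF messages"),
    # no output stream
    "FrontPayloadSigMatcher": ("records", None), "HostStatistics": ("records", None),
    "IpfixExporter": ("records", None), "IpfixFileWriter": ("records", None),
    "IpfixDbWriter": ("records", None), "IpfixPayloadWriter": ("records", None),
    "IpfixPrinter": ("records", None), "IdmefExporter": ("IDMEF messages", None),
    "PcapExporter": ("packets", None), "PsampExporter": ("packets", None),
}
# The two queue modules that may be prepended to synchronize several input streams.
QUEUES = {"IpfixQueue", "PacketQueue"}

# Constructed sample (assumed layout): a packet pipeline plus a second record source,
# with two mistakes: records fed into PacketFilter, and IpfixExporter fed by two
# modules without a queue in front.
SAMPLE_CONFIG = """<ipfixConfig>
  <Observer id="1"><next>2</next></Observer>
  <PacketQueue id="2"><next>3</next><next>4</next></PacketQueue>
  <PacketAggregator id="3"><next>5</next></PacketAggregator>
  <PcapExporter id="4"/>
  <IpfixCollector id="6"><next>5</next><next>7</next></IpfixCollector>
  <IpfixExporter id="5"/>
  <PacketFilter id="7"/>
</ipfixConfig>"""


def parse_modules(xml_text):
    """Return {id: (module name, [successor ids])}; reject missing/duplicate ids."""
    modules = {}
    for elem in ET.fromstring(xml_text):
        mod_id = elem.get("id")
        if mod_id is None:
            raise ValueError(f"<{elem.tag}> has no id attribute")
        if mod_id in modules:
            raise ValueError(f"duplicate module id {mod_id}")
        if elem.tag not in STREAMS:
            raise ValueError(f"unknown module {elem.tag} (id {mod_id})")
        nexts = [(n.text or "").strip() for n in elem.findall("next")]
        modules[mod_id] = (elem.tag, nexts)
    return modules


def check_graph(modules):
    """Apply the page's linking rules; return sorted findings (empty list = clean)."""
    findings = []
    producers = defaultdict(list)  # consumer id -> ids of the modules feeding it
    for mod_id, (name, nexts) in modules.items():
        out_type = STREAMS[name][1]
        if nexts and out_type is None:
            findings.append(f"error: {name}({mod_id}) has no output stream but lists <next>")
        if len(nexts) > 1:  # fan-out: successors share the same stream objects
            findings.append(f"note: {name}({mod_id}) fans out to {len(nexts)} modules; "
                            "they share the same stream objects, so in-place changes are seen by all")
        for nxt in nexts:
            if nxt not in modules:
                findings.append(f"error: {name}({mod_id}) -> unknown id {nxt}")
                continue
            producers[nxt].append(mod_id)
            next_name, in_type = modules[nxt][0], STREAMS[modules[nxt][0]][0]
            if in_type is None:
                findings.append(f"error: {next_name}({nxt}) has no input stream")
            elif out_type is not None and in_type != out_type:
                findings.append(f"error: {name}({mod_id}) emits {out_type} "
                                f"but {next_name}({nxt}) expects {in_type}")
    # A non-queue module with several producers gets an implicit queue of length 1.
    for mod_id, feeders in producers.items():
        name = modules[mod_id][0]
        if len(feeders) > 1 and name not in QUEUES:
            findings.append(f"warning: {name}({mod_id}) has {len(feeders)} input streams and no "
                            "queue in front; Vermont inserts a queue of length 1 automatically")
    return sorted(findings)


def lint(xml_text):
    """Parse and check a configuration in one step."""
    return check_graph(parse_modules(xml_text))


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG):
        print(line)
```

Running the lint on the sample reports the records-to-packets mismatch between IpfixCollector and PacketFilter as an error, the implicit queue in front of IpfixExporter as a warning, and the two fan-outs as notes, so that the shared-object behaviour described above is visible in the configuration review rather than discovered at runtime.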
The module configuration parameters are explained in detail here.