We have deployed an NTA sensor on a physical Linux server and successfully configured a mirror port for SPAN traffic. We are licensed to receive network traffic via Netflow and were wondering how to go about setting that up. Are other folks sending mirror traffic and Netflow to their NTA sensor? We’re new to Netflow, but we understand that you need to send it to an IP address, and of course the mirror port has none. Does that mean we need to send it to the LAN port of the server? We’re reading the documentation but we’re still trying to figure out the setup. Also, the port configuration of the sensor inside InsightIDR shows we can only select one of the two NICs in the server, which makes us wonder how to send the Netflow traffic if the only NIC available is the SPAN port. Thanks!
Hi,
The Rapid7 Network Sensor only expects data in the form of mirrored traffic; it does not support Netflow as an input mechanism. Rather, it generates its own flows based on the input.
David
Thank you, David! We don’t currently own Enhanced Network Traffic Analysis, just using the basic product. Am I to understand then that if we purchase the ENTA license, then the sensor will begin adding the full packet analysis based on what it sees from the mirror port? That would make sense to me, as we couldn’t figure out where to send Netflow from our upstream device, since Netflow is expecting an IP address as a sensor destination.
Yes, having ENTA would add the Network Flow logs into the product at a per-flow level (packets in, flows out).
Netflow unfortunately isn’t supported regardless of the license, however.
David
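As an added illustration of what "packets in, flows out" means in practice (example code written for this thread, not Rapid7's sensor code): a minimal flow aggregator that takes per-packet metadata, as a sensor would parse it off a mirror port, and builds bidirectional flow records keyed on the 5-tuple, closing a flow after an assumed idle timeout. The sample packets and the 60-second timeout are constructed for the example; the real sensor's flow logic and timeouts are not documented here.

```python
from dataclasses import dataclass

# Assumed idle timeout: a conversation silent for longer than this is
# reported as a finished flow, and later packets start a new record.
IDLE_TIMEOUT = 60.0

# Constructed packet metadata (timestamp, src_ip, dst_ip, src_port, dst_port,
# proto, size_bytes), the fields a sensor extracts from each mirrored frame.
SAMPLE_PACKETS = [
    (1.00, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 60),
    (1.01, "203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 60),
    (1.02, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 52),
    (1.50, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 517),
    (1.60, "203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 1400),
    (2.00, "10.0.0.7", "10.0.0.53", 40000, 53, "udp", 70),
    (2.01, "10.0.0.53", "10.0.0.7", 53, 40000, "udp", 150),
    (95.0, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 52),  # idle > 60s: new flow
]


@dataclass
class Flow:
    """One bidirectional flow record; 'fwd' is the direction of the first packet seen."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    first_seen: float
    last_seen: float
    packets_fwd: int = 0
    packets_rev: int = 0
    bytes_fwd: int = 0
    bytes_rev: int = 0


def flow_key(src_ip, dst_ip, src_port, dst_port, proto):
    """Order the two endpoints so both directions of a conversation share one key."""
    return (proto,) + tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))


def aggregate_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """Fold per-packet metadata into flow records (packets in, flows out)."""
    active = {}    # key -> Flow that has not yet timed out
    finished = []  # Flow records ready to be exported
    for ts, sip, dip, sport, dport, proto, size in sorted(packets, key=lambda p: p[0]):
        key = flow_key(sip, dip, sport, dport, proto)
        flow = active.get(key)
        # Expire a flow that has been silent longer than the idle timeout.
        if flow is not None and ts - flow.last_seen > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = Flow(sip, dip, sport, dport, proto, ts, ts)
            active[key] = flow
        # Attribute the packet to the forward or reverse direction of the flow.
        if (sip, sport) == (flow.src_ip, flow.src_port):
            flow.packets_fwd += 1
            flow.bytes_fwd += size
        else:
            flow.packets_rev += 1
            flow.bytes_rev += size
        flow.last_seen = ts
    # At end of input, flush whatever is still open.
    finished.extend(active.values())
    return finished


if __name__ == "__main__":
    for f in aggregate_flows(SAMPLE_PACKETS):
        print(f"{f.proto} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} "
              f"fwd={f.packets_fwd}pkt/{f.bytes_fwd}B rev={f.packets_rev}pkt/{f.bytes_rev}B "
              f"duration={f.last_seen - f.first_seen:.2f}s")
```

The point of the example for this thread: every field in the flow record is derived from the mirrored packets themselves, so nothing needs a destination IP address the way a Netflow export would. The same HTTPS conversation appears as two records because the final packet arrives after the assumed idle timeout; a real sensor's expiry rules will differ.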
Hi David. A quick follow-up: We have a quote to purchase ENTA, and I’m wondering what your thoughts are about the added visibility it gives the SOC and the value of the additional rules it allows Rapid7 to enable. Trying to see if the added value is worth the extra cost. Thanks!