cmu-sei/docker-super_mediator


Software Engineering Institute

Blog Youtube Podcasts GitHub Flow Tools

At the SEI, we research software engineering, cybersecurity, and AI engineering problems; create innovative technologies; and put solutions into practice.

Find us at:

  • Blog - blog posts from our experts in Software Engineering.
  • Youtube - videos from our experts in Software Engineering.
  • Podcasts - podcasts from our experts in Software Engineering.
  • GitHub - view the source for all of our repositories.
  • Flow Tools - documentation and source for all our flow collection and analysis tools.


super_mediator is an IPFIX mediator for use with the yaf and SiLK tools. What is an IPFIX mediator? An IPFIX mediator is an intermediate entity between IPFIX Exporters and Collectors that can potentially provide aggregation, filtering, and modification of IPFIX records. It may provide conversion to or from IPFIX or a conversion of IPFIX transport protocols. super_mediator collects and processes yaf output (IPFIX files or via TCP, UDP, or Spread) and exports that data in IPFIX, JSON, or CSV text format to one or more IPFIX collectors such as rwflowpack, flowcap, or to text files that may be bulk uploaded to a database. MySQL support is provided for automatic import.

super_mediator can provide simple filtering upon collection or at export time. Any traditional flow field can be used in a filter, including IP address or IPset (requires SiLK IPset library).

super_mediator can be configured to pull the Deep Packet Inspection (DPI) data from yaf and export that information to another IPFIX collector, or simply export the data to a CSV file or JSON file for bulk upload into a database of your choice. Given MySQL credentials, super_mediator will import the files into the given database.

super_mediator can also be configured to perform de-duplication of DNS resource records, DPI data, and SSL/TLS certificate data exported by YAF. It will export the de-duplicated records in IPFIX, CSV, or JSON format. See the man pages and tutorials for more information.

Documentation

More information here.

Usage

Create a user network:

docker network create --driver bridge isolated_nw

Run the super_mediator container and pass in the desired options:

docker run --network=isolated_nw --name=super_mediator --rm -i -t certcc/super_mediator -c /usr/local/etc/super_mediator.conf

The above command attaches the container to the user defined network and names the container super_mediator. By default, the included config file super_mediator.conf is based on the following file.

If you'd like to use your own configuration instead of the bundled one, run the following with your custom configuration file bind-mounted over the default path:

docker run --network=isolated_nw --name=super_mediator --rm -v $PWD/super_mediator.conf:/usr/local/etc/super_mediator.conf -it certcc/super_mediator

Attaching a container to a user defined network allows you to take advantage of automatic service discovery. In other words, if you want containers to be able to resolve IP addresses by container name, you should use user-defined networks.
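The two-step procedure above, wrapped in a small POSIX sh script. This is an added example, not part of the original README or the super_mediator project; the network, container and image names are the README's defaults, and the function names (sm_check_config, sm_run_cmd, sm_ensure_network, sm_main) are my own. It adds the check a practitioner usually wants before the -v mount: if the host path does not exist, docker silently creates an empty directory there, and super_mediator then starts with a directory where its config file should be.

```shell
#!/bin/sh
# Added example: wrapper around the README's docker procedure for
# certcc/super_mediator. Function names are hypothetical (not project code).

SM_IMAGE="certcc/super_mediator"
SM_CONF_IN_CONTAINER="/usr/local/etc/super_mediator.conf"

# Refuse to bind-mount anything that is not a regular file. A missing -v
# source path is turned into an empty directory by docker, so the mediator
# would fail to read its config rather than fail fast here.
sm_check_config() {
    [ -f "$1" ] || { echo "config file not found: $1" >&2; return 1; }
    return 0
}

# Resolve a (possibly relative) host path to an absolute one; -v needs it.
sm_abs_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "$PWD/$1" ;;
    esac
}

# Print the docker run command line (no docker invoked) so it can be
# reviewed or logged before execution. Args: <network> <name> <config>
sm_run_cmd() {
    abs_conf=$(sm_abs_path "$3")
    printf 'docker run --network=%s --name=%s --rm -v %s:%s -it %s\n' \
        "$1" "$2" "$abs_conf" "$SM_CONF_IN_CONTAINER" "$SM_IMAGE"
}

# Create the user-defined bridge network only if it is absent, so the
# script can be re-run without "network already exists" errors.
sm_ensure_network() {
    docker network inspect "$1" >/dev/null 2>&1 || \
        docker network create --driver bridge "$1"
}

# Entry point: sm_main <network> <container_name> <config_path>
# Mirrors the README's -it flags, so it expects to be run from a terminal.
sm_main() {
    sm_check_config "$3" || return 1
    sm_ensure_network "$1" || return 1
    docker run --network="$1" --name="$2" --rm \
        -v "$(sm_abs_path "$3"):$SM_CONF_IN_CONTAINER" -it "$SM_IMAGE"
}
```

Invoke as `sm_main isolated_nw super_mediator ./super_mediator.conf`; `sm_run_cmd` with the same arguments shows the exact command that would be executed.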