Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
YAF.INIT(1)		     Yet Another Flowmeter		   YAF.INIT(1)

NAME
       yaf.init	- YAF configuration file

DESCRIPTION
       The yaf configuration file is an	alternative to running yaf with
       command line options. The YAF configuration file	is written in the Lua
       language	(<http://www.lua.org/>), and this file can be specified	on the
       yaf command line. An example file is provided with the yaf distribution
       in etc/yaf.init.

CONFIGURATION FILE
       The syntax of the configuration file is explained by examples.

   Annotated configuration file
	-- This	is a comment.
	-- Anything not	marked as Required is optional.

	-- The only required variables are "input" and "output".
	-- All other variables are optional.

	-- A variable named "input" is required; its value must	be a table.
	-- It specifies	the input to yaf.

       This example has	yaf read PCAP data from	an interface.

	input =	{

	   -- The input	table must have	a key named "type". The	default
	   -- input "type" is "file".  Valid values are	"pcap",	"dag",
	   -- "napatech", "netronome", "pfring", "zc", "file", and "caplist".

	   type="pcap",

	   -- In "pcap", "dag",	"napatech", "netronome", "pfring", and "zc",
	   -- a	"inf" field is required.  Its value is the name	of the interface
	   -- that yaf will read. In the "zc" case, it is the cluster ID
	   -- that yaf should listen to.
	   inf="en0",

	   -- Optional parameters for all input	types
	   -- are "export_interface" and "force_read_all".
	   -- Both options expect boolean values "true"	and "false".

	   export_interface=true}

       This example has	yaf read PCAP data from	a file.

	 input = {

	   type	= "file",

	   -- If type is "file", a "file" is expected with the
	   -- full path	to the PCAP file.
	   file="/pcaps/mypcap.pcap"}

       This example has	yaf read PCAP data from	a list of files.

	 input = {
	   type	= "caplist",

	  -- If	type is	"caplist", a "file" is expected	which is
	  -- the full path to a	text file that contains	a list
	  -- of	PCAP files in the order	that they will be processed.
	   file	= "/data/pcapfile.txt",

	  -- An	optional parameter to "caplist"	types, is "noerror"
	  -- which expects a boolean value (true/false). If true,
	  -- yaf will continue to process the list if it encounters
	  -- an	error in a PCAP	file.
	  noerror = true}

	-- A variable named "output" is	required; its value must be a table.
	-- It specifies	the output of yaf.

       This example has	yaf write to a TCP socket.

	 output	= {
	   host	= "localhost",

	   -- The value	to "port" must be in quotation marks.

	   port	= "18000",

	   -- Acceptable protocol types	are "tcp", "udp", "sctp", and "spread".
	   -- If protocol is "udp", the	optional "udp_temp_timeout" key	is
	   -- also available.
	   protocol = "tcp"}

       This example has	yaf write to an	IPFIX file that	rotates	every 200
       seconds.	 The output file will be locked	until yaf has closed the file.

	 output	= {
	   file	= "/data/yaffile.yaf",

	   rotate = 200,

	   lock	= true}

       The following example has yaf write to three Spread groups.  Group 1
       will receive all	the DNS	flows (application label = 53).	Group 2	will
       receive all the HTTP flows (application label = 80). Group 3 will
       receive all of the flows.

	  -- To	make configuration easier, specify Lua variables that hold
	  -- the Spread	group names that yaf will export to.

	  GROUP1 = {name="SPREAD_DNS", value=53}
	  GROUP2 = {name="SPREAD_HTTP",	value=80}
	  GROUP3 = {name="SPREAD_CATCHALL"}
	  SPREAD_GROUPS	= {GROUP1, GROUP2, GROUP3}

	 output	= {

	    protocol = "spread",

	  -- The "daemon" key expects the name of the Spread daemon running.
	    daemon = "4804",

	  -- The "groups" key expects a	table of group names with optional
	  -- values if the "groupby" key is also present.
	    groups = SPREAD_GROUPS,

	  -- The "groupby" key accepts the following values: "applabel", "port",
	  -- "vlan", "protocol", and "version".
	    groupby = "applabel"}

	 -- The	"decode" variable is optional. Its value must be a table.
	 -- All	keywords within	the "decode" variable expect a boolean response	(true/false).
	 decode	= {
	   -- If the "gre" variable is set to "true", gre decoding will	be enabled.
	   gre = false,

	   -- If the "ip4_only"	variable is set	to "true", yaf will only
	   -- process IPv4 flows.
	  ip4_only = false,

	   -- If the "ip6_only"	variable is set	to "true", yaf will only
	   -- process Ipv6 flows.
	  ip6_only = false,

	   -- If the "nofrag" variable is set to "true", yaf will not
	   -- process fragmented packets.
	   nofrag = false}

	 -- The	"export" variable is optional. Its value must be a table.
	 -- All	keywords within	the "export" variable
	 -- expect a boolean response (true/false).

	 export	= {
	   -- See the related options in the yaf man page.
	   silk	= true,
	   uniflow = true,
	   force_ip6 = false,
	   flow_stats =	true,
	   delta = false,
	   mac = true }

	 -- The	"log" variable is optional. Its	value must be a	table.
	 log = {
	   -- The "spec" keyword may be	set to a syslog	facility name,
	   -- stderr, or the absolute path to a	file for file logging.
	   -- Default is stderr.
	   spec	= "/var/log/yaf/yaf.log",

	   -- The "level" keyword specifies how	much to	log. The accepted
	   -- values are "quiet", "error", "critical", "warning", "message",
	   -- and "debug". Default is "warning".
	   level = "debug"}

	 -- The	plugin variable	is optional. Its value must be a table of tables.
	 -- See	the yafdpi and yafdhcp man pages for the plugins that
	 -- are	provided with yaf.

	 -- To make configuration easier, specify Lua variables	that hold
	 -- the	information for	each plugin.
	 DPI_PLUGIN = {
	     --	The "name" keyword specifies the full path to the plugin
	     --	library	name to	load.
	     name = "/usr/local/lib/yaf/dpacketplugin.la",

	     --	The "options" keyword specifies	the arguments given to the
	     --	plugin.
	     options = "53",

	     --	The "conf" keyword specifies the path to a configuration
	     --	file to	be given to the	plugin.
	     conf = "/usr/local/etc/yafDPIRules.conf"}

	 DHCP_PLUGIN = {name = "/usr/local/lib/yaf/dhcp_fp_plugin.la"}

	 plugin	= {DPI_PLUGIN, DHCP_PLUGIN}

	 -- The	pcap variable is optional.  Its	value must be a	table.
	 -- See	the yaf	man page for more information on yaf's PCAP capabilities.

	 pcap =	{
	   -- The "path" keyword specifies where yaf will write	PCAP files.
	   path	= "/data/pcap/yafpcap",

	   -- The "maxpcap" keyword specifies the maximum file size of a yaf PCAP file.
	   maxpcap = 100,

	   -- The "pcap_timer" keyword specifies how often the PCAP file
	   -- should be	rotated.
	   pcap_timer =	300,

	   -- The "meta" keyword specifies where to write PCAP meta information.
	   meta	= "/data/meta/yafmeta"}

       The following keywords are optional variables.  See the yaf man page
       for more	information.

	-- idle_timeout	= IDLE_TIMEOUT (integer)
	-- Set flow idle timeout in seconds.  Default is 300 seconds (5	min)
	-- Setting IDLE_TIMEOUT	to 0 creates a flow for	each packet.

	  idle_timeout = 300

	-- active_timeout = ACTIVE_TIMEOUT (integer)
	-- Set flow active timeout in seconds.	Default	is 1800	seconds	(30 min)

	  active_timeout = 1800

	-- filter = BPF_FILTER
	-- Set Berkeley	Packet Filtering (BPF) in YAF with BPF_FILTER.

	  filter = "port 53"

	-- APPLICATION LABELING	OPTIONS
	-- Turn	on application labeling	by setting applabel = true
	-- Read	the application	labeler	rules file from	applabel_rules=

	  applabel = true

	  applabel_rules = "/usr/local/etc/yafApplabelRules.conf"

	-- maxpayload =	PAYLOAD_OCTETS (integer)
	-- Capture at most PAYLOAD_OCTETS octets from the start	of each	direction
	-- of each flow.  Default is 0.

	  maxpayload = 1024

	-- maxexport = MAX_PAY_OCTETS (integer)
	-- Export at most MAX_PAY_OCTETS octets	from the start of each direction
	-- of each flow	from the PAYLOAD_OCTETS	given to maxpayload.
	-- Default is PAYLOAD_OCTETS if	export_payload=true

	  maxexport = 1024

	-- export_payload = true/false
	-- If true, export at most PAYLOAD_OCTETS or MAX_PAY_OCTETS given to
	-- maxpayload or maxexport for each direction of the flow. Default is false.

	  export_payload = false

	-- udp_payload = true/false
	-- If true, capture at most PAYLOAD_OCTETS octets from the start of
	-- each	UDP flow, where	PAYLOAD_OCTETS is set using the	maxpayload option

	  udp_payload =	true

	-- stats = INTERVAL (integer)
	-- If present, yaf will	export process statistics every	INTERVAL seconds.
	-- If stats is set to 0, no stats records will be exported.
	-- default is 300

	  stats	= 300

	-- ingress = ingressInterface (integer)
	-- egress = egressInterface (integer)
	-- use the above options to manually set the ingressInterface or
	-- egressInterface in the exported flow	record.	Default	is 0.

	  ingress = 0

	  egress = 0

	-- obdomain = DOMAIN_ID	(integer)
	-- Set the othe	observationDomainID on each exported IPFIX message to
	-- DOMAIN_ID.  Default is 0.

	  obdomain = 0

	-- maxflows = FLOW_TABLE_MAX (integer)
	-- Limit the number of open flows to FLOW_TABLE_MAX. Default is	no limit.

	-- maxflows =

	-- maxfrags = FRAG_TABLE_MAX (integer)
	-- Limit the number of fragments to FRAG_TABLE_MAX. Default is no limit.

	-- maxfrags =

	-- udp_uniflow = PORT (integer)
	-- If set, export each UDP packet on the given PORT (or	1 for all ports)
	-- as a	single flow. Default is	0 (off).

	   udp-uniflow = 0

	-- Turn	on entropy output by setting entropy = true

	   entropy = true

	The following options configure	the passive OS fingerprinting capabilities
	in B<yaf>.

	 -- p0fprint = true/false
	 -- p0f-fingerprints = "/usr/local/etc/p0f.fp"
	 -- fpexport = true/false
	 -- See	the yaf	man page for more information. YAF must	be configured
	 -- appropriately to use the following options.

	 -- p0fprint = true
	 -- fpexport = true
	 -- p0f_fingerprints = "/usr/local/etc/p0f.fp"

AUTHORS
       Emily Sarneso and the CERT Engineering Team.

SEE ALSO
       yaf(1), yafdpi(1), yafdhcp(1), applabel(1)

2.11.0				  29-Aug-2020			   YAF.INIT(1)

NAME | DESCRIPTION | CONFIGURATION FILE | AUTHORS | SEE ALSO

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=yaf.init&sektion=1&manpath=FreeBSD+12.2-RELEASE+and+Ports>

home | help