October 2017 • Software
CERT super_mediator is an IPFIX mediator for use with the yaf and SiLK tools.
Software Engineering Institute
CERT super_mediator is an intermediate entity between IPFIX Exporters and Collectors that can provide aggregation, filtering, and modification of IPFIX records. It may also provide conversion to or from IPFIX, or conversion between IPFIX transport protocols.
CERT super_mediator collects and processes yaf output (read from IPFIX files or received via TCP, UDP, or Spread) and exports that data in IPFIX, JSON, or CSV text format, either to one or more IPFIX collectors, such as rwflowpack or flowcap, or to text files that may be bulk uploaded to a database. MySQL support is provided for automatic import. It can also provide simple filtering upon collection or at export time. Any traditional flow field can be used in a filter, including IP address or IPset (IPset filtering requires the SiLK IPset library).
CERT super_mediator can be configured to pull the Deep Packet Inspection (DPI) data from yaf and export that information to another IPFIX collector, or simply export the data to a CSV or JSON file for bulk upload into a database of your choice. Given MySQL credentials, super_mediator will import the files into the given database. It can also be configured to perform de-duplication of DNS resource records, DPI data, and SSL/TLS certificate data exported by yaf, and it will export the de-duplicated records in IPFIX, CSV, or JSON format.