Added: dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/opentaxii/index.html ============================================================================== --- dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/opentaxii/index.html (added) +++ dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/opentaxii/index.html Fri Apr 28 03:53:51 2017 
@@ -0,0 +1,430 @@ +<!DOCTYPE html> +<!-- + | Generated by Apache Maven Doxia at 2017-04-27 + | Rendered using Apache Maven Fluido Skin 1.3.0 +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> + <head> + <meta charset="UTF-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta name="Date-Revision-yyyymmdd" content="20170427" /> + <meta http-equiv="Content-Language" content="en" /> + <title>Metron – OpenTAXII</title> + <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.3.0.min.css" /> + <link rel="stylesheet" href="../../../css/site.css" /> + <link rel="stylesheet" href="../../../css/print.css" media="print" /> + + + <script type="text/javascript" src="../../../js/apache-maven-fluido-1.3.0.min.js"></script> + + + +<script type="text/javascript">$( document ).ready( function() { $( '.carousel' ).carousel( { interval: 3500 } ) } );</script> + + </head> + <body class="topBarDisabled"> + + + + + <div class="container-fluid"> + <div id="banner"> + <div class="pull-left"> + <a href="http://metron.apache.org/" id="bannerLeft"> + <img src="../../../images/metron-logo.png" alt="Apache Metron" width="148px" height="48px"/> + </a> + </div> + <div class="pull-right"> </div> + <div class="clear"><hr/></div> + </div> + + <div id="breadcrumbs"> + <ul class="breadcrumb"> + + + <li class=""> + <a href="http://www.apache.org" class="externalLink" title="Apache"> + Apache</a> + </li> + <li class="divider ">/</li> + <li class=""> + <a href="http://metron.apache.org/" class="externalLink" title="Metron"> + Metron</a> + </li> + <li class="divider ">/</li> + <li class=""> + <a href="../../../index.html" title="Documentation"> + Documentation</a> + </li> + <li class="divider ">/</li> + <li class="">OpenTAXII</li> + + + + <li id="publishDate" class="pull-right">Last Published: 2017-04-27</li> <li class="divider pull-right">|</li> + <li id="projectVersion" class="pull-right">Version: 0.4.0</li> + + </ul> + </div> + + + <div 
class="row-fluid"> + <div id="leftColumn" class="span3"> + <div class="well sidebar-nav"> + + + <ul class="nav nav-list"> + <li class="nav-header">User Documentation</li> + + <li> + + <a href="../../../index.html" title="Metron"> + <i class="icon-chevron-down"></i> + Metron</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../Upgrading.html" title="Upgrading"> + <i class="none"></i> + Upgrading</a> + </li> + + <li> + + <a href="../../../metron-analytics/index.html" title="Analytics"> + <i class="icon-chevron-right"></i> + Analytics</a> + </li> + + <li> + + <a href="../../../metron-deployment/index.html" title="Deployment"> + <i class="icon-chevron-down"></i> + Deployment</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../metron-deployment/Kerberos-manual-setup.html" title="Kerberos-manual-setup"> + <i class="none"></i> + Kerberos-manual-setup</a> + </li> + + <li> + + <a href="../../../metron-deployment/amazon-ec2/index.html" title="Amazon-ec2"> + <i class="none"></i> + Amazon-ec2</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/docker/ansible-docker/index.html" title="Ansible-docker"> + <i class="none"></i> + Ansible-docker</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/docker/rpm-docker/index.html" title="Rpm-docker"> + <i class="none"></i> + Rpm-docker</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/packer-build/index.html" title="Packer-build"> + <i class="none"></i> + Packer-build</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/index.html" title="Roles"> + <i class="icon-chevron-down"></i> + Roles</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../metron-deployment/roles/monit/index.html" title="Monit"> + <i class="none"></i> + Monit</a> + </li> + + <li class="active"> + + <a href="#"><i class="none"></i>Opentaxii</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/pcap_replay/index.html" title="Pcap_replay"> + <i 
class="none"></i> + Pcap_replay</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/sensor-stubs/index.html" title="Sensor-stubs"> + <i class="none"></i> + Sensor-stubs</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/sensor-test-mode/index.html" title="Sensor-test-mode"> + <i class="none"></i> + Sensor-test-mode</a> + </li> + </ul> + </li> + + <li> + + <a href="../../../metron-deployment/vagrant/index.html" title="Vagrant"> + <i class="icon-chevron-right"></i> + Vagrant</a> + </li> + </ul> + </li> + + <li> + + <a href="../../../metron-docker/index.html" title="Docker"> + <i class="none"></i> + Docker</a> + </li> + + <li> + + <a href="../../../metron-interface/metron-config/index.html" title="Config"> + <i class="none"></i> + Config</a> + </li> + + <li> + + <a href="../../../metron-interface/metron-rest/index.html" title="Rest"> + <i class="none"></i> + Rest</a> + </li> + + <li> + + <a href="../../../metron-platform/index.html" title="Platform"> + <i class="icon-chevron-right"></i> + Platform</a> + </li> + + <li> + + <a href="../../../metron-sensors/index.html" title="Sensors"> + <i class="icon-chevron-right"></i> + Sensors</a> + </li> + </ul> + </li> + </ul> + + + + <hr class="divider" /> + + <div id="poweredBy"> + <div class="clear"></div> + <div class="clear"></div> + <div class="clear"></div> + <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"> + <img class="builtBy" alt="Built by Maven" src="../../../images/logos/maven-feather.png" /> + </a> + </div> + </div> + </div> + + + <div id="bodyColumn" class="span9" > + + <h1>OpenTAXII</h1> +<p><a name="OpenTAXII"></a></p> +<p>Installs <a class="externalLink" href="https://github.com/EclecticIQ/OpenTAXII">OpenTAXII</a> as a deamon that can be launched via a SysV service script. 
The complementary client implementation, <a class="externalLink" href="https://github.com/EclecticIQ/cabby">Cabby</a> is also installed.</p> +<p>OpenTAXII is a robust Python implementation of TAXII Services that delivers a rich feature set and friendly pythonic API. <a class="externalLink" href="https://stixproject.github.io/">TAXII</a> (Trusted Automated eXchange of Indicator Information) is a collection of specifications defining a set of services and message exchanges used for sharing cyber threat intelligence information between parties.</p> +<div class="section"> +<h2><a name="Getting_Started"></a>Getting Started</h2> +<p>After deployment completes the OpenTAXII service is installed and running. A set of <a class="externalLink" href="http://hailataxii.com/">Hail a TAXII</a> threat intel collections have been defined and configured. Use the <tt>status</tt> option to view the collections that have been defined.</p> + +<div class="source"> +<div class="source"> +<pre>$ service opentaxii status +Checking opentaxii... Running +guest.phishtank_com 0 +guest.Abuse_ch 0 +guest.CyberCrime_Tracker 0 +guest.EmergingThreats_rules 0 +guest.Lehigh_edu 0 +guest.MalwareDomainList_Hostlist 0 +guest.blutmagie_de_torExits 0 +guest.dataForLast_7daysOnly 0 +guest.dshield_BlockList 0 +</pre></div></div> +<p>Notice that each collections contain zero records. None of the data is automatically synced during deployment. To sync the data manually use the <tt>sync</tt> option as defined below. The following example does not provide a begin and end time so the data will be fetched for the current day only.</p> + +<div class="source"> +<div class="source"> +<pre># service opentaxii sync guest.blutmagie_de_torExits +2016-04-21 20:34:42,511 INFO: Starting new HTTP connection (1): localhost +2016-04-21 20:34:42,540 INFO: Response received for Inbox_Message from http://localhost:9000/services/inbox +2016-04-21 20:34:42,542 INFO: Sending Inbox_Message to http://localhost:9000/services/inbox +... 
+2016-04-21 20:34:42,719 INFO: Response received for Poll_Request from http://localhost:9000/services/poll +2016-04-21 20:34:42,719 INFO: Content blocks count: 1618, is partial: False +</pre></div></div> +<p>The OpenTAXII service now contains 1,618 threat intel records indicating Tor Exit nodes.</p> + +<div class="source"> +<div class="source"> +<pre>[root@source ~]# service opentaxii status +Checking opentaxii... Running +guest.phishtank_com 0 +guest.Abuse_ch 0 +guest.CyberCrime_Tracker 0 +guest.EmergingThreats_rules 0 +guest.Lehigh_edu 0 +guest.MalwareDomainList_Hostlist 0 +guest.blutmagie_de_torExits 1618 +guest.dataForLast_7daysOnly 0 +guest.dshield_BlockList 0 +</pre></div></div></div> +<div class="section"> +<h2><a name="Usage"></a>Usage</h2> +<p>A standard SysV script has been installed to manage OpenTAXII. The following functions are available.</p> +<p><tt>start</tt> <tt>stop</tt> <tt>restart</tt> the OpenTAXII service</p> +<p><tt>status</tt> of the OpenTAXII service. The command displays the collections that have been defined and the number of records in each.</p> + +<div class="source"> +<div class="source"> +<pre>$ service opentaxii status +Checking opentaxii... Running +guest.phishtank_com 984 +guest.Abuse_ch 45 +guest.CyberCrime_Tracker 482 +guest.EmergingThreats_rules 0 +guest.Lehigh_edu 1030 +guest.MalwareDomainList_Hostlist 84 +guest.blutmagie_de_torExits 3236 +guest.dataForLast_7daysOnly 3377 +guest.dshield_BlockList 0 +</pre></div></div> +<p><tt>setup</tt> Initializes the services and collections required to operate the OpenTAXII service. This will destroy all existing data. The user is prompted to continue before any data is destroyed.</p> + +<div class="source"> +<div class="source"> +<pre># service opentaxii setup +WARNING: force reset and destroy all opentaxii data? 
[Ny]: y +Stopping opentaxii ..Ok +2016-04-21T19:56:01.886157Z [opentaxii.server] info: api.persistence.loaded {timestamp=2016-04-21T19:56:01.886157Z, logger=opentaxii.server, api_class=SQLDatabaseAPI, event=api.persistence.loaded, level=info} +2016-04-21T19:56:01.896503Z [opentaxii.server] info: api.auth.loaded {timestamp=2016-04-21T19:56:01.896503Z, logger=opentaxii.server, api_class=SQLDatabaseAPI, event=api.auth.loaded, level=info} +2016-04-21T19:56:01.896655Z [opentaxii.server] info: taxiiserver.configured {timestamp=2016-04-21T19:56:01.896655Z, logger=opentaxii.server, event=taxiiserver.configured, level=info} +... +Ok +</pre></div></div> +<p><tt>sync [collection] [begin-at] [end-at]</tt> Syncs the threat intel data available at <a class="externalLink" href="http://hailataxii.com/">Hail a TAXII</a>. If no begin and end date is provided then data is synced over the current day only.</p> + +<ul> + +<li><tt>collection</tt> Name of the collection to sync.</li> + +<li><tt>begin-at</tt> Exclusive begin of time window; ISO8601</li> + +<li><tt>end-at</tt> Inclusive end of time window; ISO8601</li> +</ul> + +<div class="source"> +<div class="source"> +<pre>$ service opentaxii sync guest.phishtank_com ++ /usr/local/opentaxii/opentaxii-venv/bin/taxii-proxy --poll-path http://hailataxii.com/taxii-data --poll-collection guest.phishtank_com --inbox-path http://localhost:9000/services/guest.phishtank_com-inbox --inbox-collection guest.phishtank_com --binding urn:stix.mitre.org:xml:1.1.1 --begin 2016-04-21 --end 2016-04-22 +2016-04-21 17:36:23,778 INFO: Sending Poll_Request to http://hailataxii.com/taxii-data +2016-04-21 17:36:23,784 INFO: Starting new HTTP connection (1): hailataxii.com +2016-04-21 17:36:24,175 INFO: Response received for Poll_Request from http://hailataxii.com/taxii-data +2016-04-21 17:36:24,274 INFO: Sending Inbox_Message to http://localhost:9000/services/guest.phishtank_com-inbox +... 
+2016-04-21 17:36:34,867 INFO: Response received for Poll_Request from http://localhost:9000/services/guest.phishtank_com-poll +2016-04-21 17:36:34,868 INFO: Content blocks count: 6993, is partial: False +</pre></div></div> +<div class="section"> +<h3><a name="Troubleshooting"></a>Troubleshooting</h3> +<p>Should you need to explore the installation, here are instructions on doing so.</p> +<p>OpenTAXII is installed in a virtual environment. Before exploring the environment run the following commands to perform the necessary setup. The specific paths may change depending on your Ansible settings.</p> + +<div class="source"> +<div class="source"> +<pre>export LD_LIBRARY_PATH=/opt/rh/python27/root/usr/lib64 +export OPENTAXII_CONFIG=/usr/local/opentaxii/etc/opentaxii-conf.yml +cd /usr/local/opentaxii +. opentaxii-venv/bin/activate +</pre></div></div> +<p>Discover available services.</p> + +<div class="source"> +<div class="source"> +<pre>taxii-discovery --discovery http://localhost:9000/services/discovery +taxii-discovery --discovery http://hailataxii.com/taxii-data +</pre></div></div> +<p>Explore available collections.</p> + +<div class="source"> +<div class="source"> +<pre>taxii-collections --discovery http://localhost:9000/services/discovery +taxii-collections --discovery http://hailataxii.com/taxii-data +</pre></div></div> +<p>Read data from a collection.</p> + +<div class="source"> +<div class="source"> +<pre>taxii-poll --discovery http://localhost:9000/services/discovery -c guest.phishtank_com +taxii-poll --discovery http://hailataxii.com/taxii-data -c guest.phishtank_com --begin 2016-04-20 +</pre></div></div> +<p>Manually load data into a collection.</p> + +<div class="source"> +<div class="source"> +<pre>taxii-push \ + --discovery http://localhost:9000/services/discovery \ + --dest phishtank \ + --content-file data.xml \ + --username guest \ + --password guest +</pre></div></div> +<p>Fetch data from a remote service and mirror it locally.</p> + +<div 
class="source"> +<div class="source"> +<pre>taxii-proxy --poll-path http://hailataxii.com/taxii-data \ + --poll-collection guest.phishtank_com \ + --inbox-path http://localhost:9000/services/guest.phishtank_com-inbox \ + --inbox-collection guest.phishtank_com \ + --binding urn:stix.mitre.org:xml:1.1.1 \ + --inbox-username guest \ + --inbox-password guest \ + --begin 2016-04-20 +</pre></div></div></div></div> + </div> + </div> + </div> + + <hr/> + + <footer> + <div class="container-fluid"> + <div class="row span12">Copyright © 2017. + All Rights Reserved. + + </div> + + + + </div> + </footer> + </body> +</html>
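Review bot: the Troubleshooting examples (`taxii-push` and `taxii-proxy`) pass `--username guest --password guest` and `--inbox-username guest --inbox-password guest` to a plain-HTTP inbox at `http://localhost:9000`, yet nothing on the page says where those credentials are defined (the role's defaults, or the `opentaxii-conf.yml` referenced by `OPENTAXII_CONFIG`) or that they should be changed outside a dev environment; a sentence in the Usage section pointing at the config file and the credential settings would close that gap. Two wording fixes in the same hunk: "as a deamon" should read "as a daemon", and "Notice that each collections contain zero records" should read "Notice that each collection contains zero records". Finally, the `sync` description says data is fetched for "the current day only" when no window is given, and the echoed command shows `--begin 2016-04-21 --end 2016-04-22`, while the bullet list defines `begin-at` as exclusive and `end-at` as inclusive; stating which calendar day that window actually covers would help readers who script the sync.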
Added: dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/pcap_replay/index.html ============================================================================== --- dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/pcap_replay/index.html (added) +++ dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/pcap_replay/index.html Fri Apr 28 03:53:51 2017 
@@ -0,0 +1,305 @@ +<!DOCTYPE html> +<!-- + | Generated by Apache Maven Doxia at 2017-04-27 + | Rendered using Apache Maven Fluido Skin 1.3.0 +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> + <head> + <meta charset="UTF-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta name="Date-Revision-yyyymmdd" content="20170427" /> + <meta http-equiv="Content-Language" content="en" /> + <title>Metron – Pcap Replay</title> + <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.3.0.min.css" /> + <link rel="stylesheet" href="../../../css/site.css" /> + <link rel="stylesheet" href="../../../css/print.css" media="print" /> + + + <script type="text/javascript" src="../../../js/apache-maven-fluido-1.3.0.min.js"></script> + + + +<script type="text/javascript">$( document ).ready( function() { $( '.carousel' ).carousel( { interval: 3500 } ) } );</script> + + </head> + <body class="topBarDisabled"> + + + + + <div class="container-fluid"> + <div id="banner"> + <div class="pull-left"> + <a href="http://metron.apache.org/" id="bannerLeft"> + <img src="../../../images/metron-logo.png" alt="Apache Metron" width="148px" height="48px"/> + </a> + </div> + <div class="pull-right"> </div> + <div class="clear"><hr/></div> + </div> + + <div id="breadcrumbs"> + <ul class="breadcrumb"> + + + <li class=""> + <a href="http://www.apache.org" class="externalLink" title="Apache"> + Apache</a> + </li> + <li class="divider ">/</li> + <li class=""> + <a href="http://metron.apache.org/" class="externalLink" title="Metron"> + Metron</a> + </li> + <li class="divider ">/</li> + <li class=""> + <a href="../../../index.html" title="Documentation"> + Documentation</a> + </li> + <li class="divider ">/</li> + <li class="">Pcap Replay</li> + + + + <li id="publishDate" class="pull-right">Last Published: 2017-04-27</li> <li class="divider pull-right">|</li> + <li id="projectVersion" class="pull-right">Version: 0.4.0</li> + + </ul> + </div> + + + 
<div class="row-fluid"> + <div id="leftColumn" class="span3"> + <div class="well sidebar-nav"> + + + <ul class="nav nav-list"> + <li class="nav-header">User Documentation</li> + + <li> + + <a href="../../../index.html" title="Metron"> + <i class="icon-chevron-down"></i> + Metron</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../Upgrading.html" title="Upgrading"> + <i class="none"></i> + Upgrading</a> + </li> + + <li> + + <a href="../../../metron-analytics/index.html" title="Analytics"> + <i class="icon-chevron-right"></i> + Analytics</a> + </li> + + <li> + + <a href="../../../metron-deployment/index.html" title="Deployment"> + <i class="icon-chevron-down"></i> + Deployment</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../metron-deployment/Kerberos-manual-setup.html" title="Kerberos-manual-setup"> + <i class="none"></i> + Kerberos-manual-setup</a> + </li> + + <li> + + <a href="../../../metron-deployment/amazon-ec2/index.html" title="Amazon-ec2"> + <i class="none"></i> + Amazon-ec2</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/docker/ansible-docker/index.html" title="Ansible-docker"> + <i class="none"></i> + Ansible-docker</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/docker/rpm-docker/index.html" title="Rpm-docker"> + <i class="none"></i> + Rpm-docker</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/packer-build/index.html" title="Packer-build"> + <i class="none"></i> + Packer-build</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/index.html" title="Roles"> + <i class="icon-chevron-down"></i> + Roles</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../metron-deployment/roles/monit/index.html" title="Monit"> + <i class="none"></i> + Monit</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/opentaxii/index.html" title="Opentaxii"> + <i class="none"></i> + Opentaxii</a> + </li> + + <li class="active"> + + <a href="#"><i 
class="none"></i>Pcap_replay</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/sensor-stubs/index.html" title="Sensor-stubs"> + <i class="none"></i> + Sensor-stubs</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/sensor-test-mode/index.html" title="Sensor-test-mode"> + <i class="none"></i> + Sensor-test-mode</a> + </li> + </ul> + </li> + + <li> + + <a href="../../../metron-deployment/vagrant/index.html" title="Vagrant"> + <i class="icon-chevron-right"></i> + Vagrant</a> + </li> + </ul> + </li> + + <li> + + <a href="../../../metron-docker/index.html" title="Docker"> + <i class="none"></i> + Docker</a> + </li> + + <li> + + <a href="../../../metron-interface/metron-config/index.html" title="Config"> + <i class="none"></i> + Config</a> + </li> + + <li> + + <a href="../../../metron-interface/metron-rest/index.html" title="Rest"> + <i class="none"></i> + Rest</a> + </li> + + <li> + + <a href="../../../metron-platform/index.html" title="Platform"> + <i class="icon-chevron-right"></i> + Platform</a> + </li> + + <li> + + <a href="../../../metron-sensors/index.html" title="Sensors"> + <i class="icon-chevron-right"></i> + Sensors</a> + </li> + </ul> + </li> + </ul> + + + + <hr class="divider" /> + + <div id="poweredBy"> + <div class="clear"></div> + <div class="clear"></div> + <div class="clear"></div> + <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"> + <img class="builtBy" alt="Built by Maven" src="../../../images/logos/maven-feather.png" /> + </a> + </div> + </div> + </div> + + + <div id="bodyColumn" class="span9" > + + <h1>Pcap Replay</h1> +<p>This project enables packet capture data to be replayed through a network interface to simulate live network traffic. 
This can be used to support functional, performance, and load testing of Apache Metron.</p> +<div class="section"> +<h2><a name="Getting_Started"></a>Getting Started</h2> +<p>To replay packet capture data, simply start the <tt>pcap-replay</tt> SysV service. To do this run the following command.</p> + +<div class="source"> +<div class="source"> +<pre>service pcap-replay start +</pre></div></div> +<p>All additional options accepted by <tt>tcpreplay</tt> can be passed to the service script to modify how the network data is replayed. For example, this makes it simple to control the amount and rate of data replayed during functional, performance and load testing.</p> +<p>Example: Replay data at a rate of 10 mbps.</p> + +<div class="source"> +<div class="source"> +<pre>service pcap-replay start --mbps 10 +</pre></div></div> +<p>Example: Replay data at a rate of 10 packets per second.</p> + +<div class="source"> +<div class="source"> +<pre>service pcap-replay start --pps 10 +</pre></div></div> +<p>All nodes on the same subnet with their network interface set to promiscuous mode will then be able to capture the network traffic being replayed. To validate, simply run something like the following.</p> + +<div class="source"> +<div class="source"> +<pre>tcpdump -i eth1 +</pre></div></div></div> +<div class="section"> +<h2><a name="Data"></a>Data</h2> +<p>An example packet capture file has been installed at <tt>/opt/pcap-replay/example.pcap</tt>. By default, the network traffic contained within this file is continually replayed. </p> +<p>To replay your own packet capture data, simply add any number of files containing <tt>libpcap</tt> formatted packet capture data to <tt>/opt/pcap-replay</tt>. The files must end with the <tt>.pcap</tt> extension. 
To pick up newly installed files, simply restart the service.</p> + +<div class="source"> +<div class="source"> +<pre>service pcap-replay restart +</pre></div></div></div> + </div> + </div> + </div> + + <hr/> + + <footer> + <div class="container-fluid"> + <div class="row span12">Copyright © 2017. + All Rights Reserved. + + </div> + + + + </div> + </footer> + </body> +</html> Added: dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/sensor-stubs/index.html ============================================================================== --- dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/sensor-stubs/index.html (added) +++ dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/sensor-stubs/index.html Fri Apr 28 03:53:51 2017 
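Review bot: the Getting Started section never says which network interface the `pcap-replay` service replays onto or where that is configured; the reader only infers it from the validation command `tcpdump -i eth1`. Name the interface (and the Ansible variable that sets it, if one exists) next to the first `service pcap-replay start` example. Since the same paragraph states that every node on the subnet in promiscuous mode will receive the replayed traffic, the Data section should also make clear that `example.pcap` and any user-supplied `.pcap` files are injected onto that shared segment, so the role belongs on an isolated test network rather than a production subnet. Minor: "10 mbps" should be written "10 Mbps" to match the unit that `--mbps` stands for.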
@@ -0,0 +1,351 @@ +<!DOCTYPE html> +<!-- + | Generated by Apache Maven Doxia at 2017-04-27 + | Rendered using Apache Maven Fluido Skin 1.3.0 +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> + <head> + <meta charset="UTF-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta name="Date-Revision-yyyymmdd" content="20170427" /> + <meta http-equiv="Content-Language" content="en" /> + <title>Metron – Sensor Stubs</title> + <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.3.0.min.css" /> + <link rel="stylesheet" href="../../../css/site.css" /> + <link rel="stylesheet" href="../../../css/print.css" media="print" /> + + + <script type="text/javascript" src="../../../js/apache-maven-fluido-1.3.0.min.js"></script> + + + +<script type="text/javascript">$( document ).ready( function() { $( '.carousel' ).carousel( { interval: 3500 } ) } );</script> + + </head> + <body class="topBarDisabled"> + + + + + <div class="container-fluid"> + <div id="banner"> + <div class="pull-left"> + <a href="http://metron.apache.org/" id="bannerLeft"> + <img src="../../../images/metron-logo.png" alt="Apache Metron" width="148px" height="48px"/> + </a> + </div> + <div class="pull-right"> </div> + <div class="clear"><hr/></div> + </div> + + <div id="breadcrumbs"> + <ul class="breadcrumb"> + + + <li class=""> + <a href="http://www.apache.org" class="externalLink" title="Apache"> + Apache</a> + </li> + <li class="divider ">/</li> + <li class=""> + <a href="http://metron.apache.org/" class="externalLink" title="Metron"> + Metron</a> + </li> + <li class="divider ">/</li> + <li class=""> + <a href="../../../index.html" title="Documentation"> + Documentation</a> + </li> + <li class="divider ">/</li> + <li class="">Sensor Stubs</li> + + + + <li id="publishDate" class="pull-right">Last Published: 2017-04-27</li> <li class="divider pull-right">|</li> + <li id="projectVersion" class="pull-right">Version: 0.4.0</li> + + </ul> + </div> + + 
+ <div class="row-fluid"> + <div id="leftColumn" class="span3"> + <div class="well sidebar-nav"> + + + <ul class="nav nav-list"> + <li class="nav-header">User Documentation</li> + + <li> + + <a href="../../../index.html" title="Metron"> + <i class="icon-chevron-down"></i> + Metron</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../Upgrading.html" title="Upgrading"> + <i class="none"></i> + Upgrading</a> + </li> + + <li> + + <a href="../../../metron-analytics/index.html" title="Analytics"> + <i class="icon-chevron-right"></i> + Analytics</a> + </li> + + <li> + + <a href="../../../metron-deployment/index.html" title="Deployment"> + <i class="icon-chevron-down"></i> + Deployment</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../metron-deployment/Kerberos-manual-setup.html" title="Kerberos-manual-setup"> + <i class="none"></i> + Kerberos-manual-setup</a> + </li> + + <li> + + <a href="../../../metron-deployment/amazon-ec2/index.html" title="Amazon-ec2"> + <i class="none"></i> + Amazon-ec2</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/docker/ansible-docker/index.html" title="Ansible-docker"> + <i class="none"></i> + Ansible-docker</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/docker/rpm-docker/index.html" title="Rpm-docker"> + <i class="none"></i> + Rpm-docker</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/packer-build/index.html" title="Packer-build"> + <i class="none"></i> + Packer-build</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/index.html" title="Roles"> + <i class="icon-chevron-down"></i> + Roles</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../metron-deployment/roles/monit/index.html" title="Monit"> + <i class="none"></i> + Monit</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/opentaxii/index.html" title="Opentaxii"> + <i class="none"></i> + Opentaxii</a> + </li> + + <li> + + <a 
href="../../../metron-deployment/roles/pcap_replay/index.html" title="Pcap_replay"> + <i class="none"></i> + Pcap_replay</a> + </li> + + <li class="active"> + + <a href="#"><i class="none"></i>Sensor-stubs</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/sensor-test-mode/index.html" title="Sensor-test-mode"> + <i class="none"></i> + Sensor-test-mode</a> + </li> + </ul> + </li> + + <li> + + <a href="../../../metron-deployment/vagrant/index.html" title="Vagrant"> + <i class="icon-chevron-right"></i> + Vagrant</a> + </li> + </ul> + </li> + + <li> + + <a href="../../../metron-docker/index.html" title="Docker"> + <i class="none"></i> + Docker</a> + </li> + + <li> + + <a href="../../../metron-interface/metron-config/index.html" title="Config"> + <i class="none"></i> + Config</a> + </li> + + <li> + + <a href="../../../metron-interface/metron-rest/index.html" title="Rest"> + <i class="none"></i> + Rest</a> + </li> + + <li> + + <a href="../../../metron-platform/index.html" title="Platform"> + <i class="icon-chevron-right"></i> + Platform</a> + </li> + + <li> + + <a href="../../../metron-sensors/index.html" title="Sensors"> + <i class="icon-chevron-right"></i> + Sensors</a> + </li> + </ul> + </li> + </ul> + + + + <hr class="divider" /> + + <div id="poweredBy"> + <div class="clear"></div> + <div class="clear"></div> + <div class="clear"></div> + <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"> + <img class="builtBy" alt="Built by Maven" src="../../../images/logos/maven-feather.png" /> + </a> + </div> + </div> + </div> + + + <div id="bodyColumn" class="span9" > + + <h1>Sensor Stubs</h1> +<p><a name="Sensor_Stubs"></a></p> +<p>A service has been created to simulate the behavior of a sensor by sending canned telemetry data to a Kafka topic. 
These “Sensor Stubs” consume fewer resources than the actual sensor that they replace.</p> +<div class="section"> +<div class="section"> +<h3><a name="aQ_How_do_the_sensor_stubs_work"></a>(Q) How do the sensor stubs work?</h3> +<p>The stubs are installed with a set of canned data for each sensor type; Bro, Snort and YAF. A subset of this canned data is randomly selected and sent to the Kafka topic in batches. The timestamp of each message is updated to match current system time. </p></div> +<div class="section"> +<h3><a name="aQ_How_do_I_configure_the_message_rate"></a>(Q) How do I configure the message rate?</h3> +<p>The number of telemetry messages sent in each batch, along with the time delay between batches is configurable. Before installation, these values can be configured by redefining <tt>sensor_stubs_delay</tt> and <tt>sensor_stubs_count</tt>. The values can also be configured by altering the deployed system service script at <tt>/etc/init.d/sensor-stubs</tt>.</p></div> +<div class="section"> +<h3><a name="aQ_How_do_I_install_the_sensor_stubs"></a>(Q) How do I install the sensor stubs?</h3> +<p>Using the default playbooks, this role can be installed by using the Ansible tag <tt>sensor-stubs</tt>. This service is installed on the same hosts where the sensors would be; defined by the <tt>sensors</tt> host group.</p> +<p>The defaults for the “Quick Dev” and “Full Dev” environments have been changed so that the Sensor Stubs are installed by default, rather than the sensors themselves. The Amazon EC2 environment continues to install the original sensors by default.</p></div> +<div class="section"> +<h3><a name="aQ_How_do_I_use_the_sensor_stubs"></a>(Q) How do I use the sensor stubs?</h3> +<p>Start all sensor stubs. The output includes the PID for each running sensor stub.</p> + +<div class="source"> +<div class="source"> +<pre>$ service sensor-stubs start +Starting sensor-stubs... 
+ bro: Ok [26505] + yaf: Ok [26507] + snort: Ok [26509] +</pre></div></div> +<p>Check the status of each sensor stub.</p> + +<div class="source"> +<div class="source"> +<pre>$ service sensor-stubs status +Checking sensor-stubs... + bro: Running [26505] + yaf: Running [26507] + snort: Running [26509] +</pre></div></div> +<p>Stop all sensor stubs.</p> + +<div class="source"> +<div class="source"> +<pre>$ service sensor-stubs stop +Stopping sensor-stubs... +.. bro: Ok [26505] +.. yaf: Ok [26507] +.. snort: Ok [26509] +</pre></div></div> +<p>Check the status. All sensor stubs should be stopped.</p> + +<div class="source"> +<div class="source"> +<pre>$ service sensor-stubs status +Checking sensor-stubs... + bro: Not running + yaf: Not running + snort: Not running +</pre></div></div> +<p>Start only the Bro sensor stub.</p> + +<div class="source"> +<div class="source"> +<pre>$ service sensor-stubs start bro +Starting sensor-stubs... + bro: OK [11616] +</pre></div></div> +<p>Stop the Bro sensor stub.</p> + +<div class="source"> +<div class="source"> +<pre>$ service sensor-stubs stop bro +Stopping sensor-stubs... +.. bro: Ok [11616] +</pre></div></div></div> +<div class="section"> +<h3><a name="aQ_How_do_I_install_the_original_sensors"></a>(Q) How do I install the original sensors?</h3> +<p>The default behavior can be changed by skipping the <tt>sensor-stubs</tt> flag and including the <tt>sensors</tt> flag. For example, to deploy “Quick Dev” with the original sensors run the following command.</p> + +<div class="source"> +<div class="source"> +<pre>cd metron-deployment/vagrant/quick-dev-platform +vagrant --ansible-skip-tags="sensor-stubs,solr" up +</pre></div></div></div> +<div class="section"> +<h3><a name="aQ_Where_does_the_mock_data_come_from"></a>(Q) Where does the mock data come from?</h3> +<p>The data produced by the sensor stubs was generated by running the sensors against the example pcap file that is distributed with Metron. 
This ensures that the data produced by the sensor stubs is similar to the data produced when using the actual sensors.</p></div></div> + </div> + </div> + </div> + + <hr/> + + <footer> + <div class="container-fluid"> + <div class="row span12">Copyright © 2017. + All Rights Reserved. + + </div> + + + + </div> + </footer> + </body> +</html> Added: dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/sensor-test-mode/index.html ============================================================================== --- dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/sensor-test-mode/index.html (added) +++ dev/incubator/metron/0.4.0-RC2/book-site/metron-deployment/roles/sensor-test-mode/index.html Fri Apr 28 03:53:51 2017 
@@ -0,0 +1,295 @@ +<!DOCTYPE html> +<!-- + | Generated by Apache Maven Doxia at 2017-04-27 + | Rendered using Apache Maven Fluido Skin 1.3.0 +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> + <head> + <meta charset="UTF-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta name="Date-Revision-yyyymmdd" content="20170427" /> + <meta http-equiv="Content-Language" content="en" /> + <title>Metron – Sensor Test Mode</title> + <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.3.0.min.css" /> + <link rel="stylesheet" href="../../../css/site.css" /> + <link rel="stylesheet" href="../../../css/print.css" media="print" /> + + + <script type="text/javascript" src="../../../js/apache-maven-fluido-1.3.0.min.js"></script> + + + +<script type="text/javascript">$( document ).ready( function() { $( '.carousel' ).carousel( { interval: 3500 } ) } );</script> + + </head> + <body class="topBarDisabled"> + + + + + <div class="container-fluid"> + <div id="banner"> + <div class="pull-left"> + <a href="http://metron.apache.org/" id="bannerLeft"> + <img src="../../../images/metron-logo.png" alt="Apache Metron" width="148px" height="48px"/> + </a> + </div> + <div class="pull-right"> </div> + <div class="clear"><hr/></div> + </div> + + <div id="breadcrumbs"> + <ul class="breadcrumb"> + + + <li class=""> + <a href="http://www.apache.org" class="externalLink" title="Apache"> + Apache</a> + </li> + <li class="divider ">/</li> + <li class=""> + <a href="http://metron.apache.org/" class="externalLink" title="Metron"> + Metron</a> + </li> + <li class="divider ">/</li> + <li class=""> + <a href="../../../index.html" title="Documentation"> + Documentation</a> + </li> + <li class="divider ">/</li> + <li class="">Sensor Test Mode</li> + + + + <li id="publishDate" class="pull-right">Last Published: 2017-04-27</li> <li class="divider pull-right">|</li> + <li id="projectVersion" class="pull-right">Version: 0.4.0</li> + + </ul> + 
</div> + + + <div class="row-fluid"> + <div id="leftColumn" class="span3"> + <div class="well sidebar-nav"> + + + <ul class="nav nav-list"> + <li class="nav-header">User Documentation</li> + + <li> + + <a href="../../../index.html" title="Metron"> + <i class="icon-chevron-down"></i> + Metron</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../Upgrading.html" title="Upgrading"> + <i class="none"></i> + Upgrading</a> + </li> + + <li> + + <a href="../../../metron-analytics/index.html" title="Analytics"> + <i class="icon-chevron-right"></i> + Analytics</a> + </li> + + <li> + + <a href="../../../metron-deployment/index.html" title="Deployment"> + <i class="icon-chevron-down"></i> + Deployment</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../metron-deployment/Kerberos-manual-setup.html" title="Kerberos-manual-setup"> + <i class="none"></i> + Kerberos-manual-setup</a> + </li> + + <li> + + <a href="../../../metron-deployment/amazon-ec2/index.html" title="Amazon-ec2"> + <i class="none"></i> + Amazon-ec2</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/docker/ansible-docker/index.html" title="Ansible-docker"> + <i class="none"></i> + Ansible-docker</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/docker/rpm-docker/index.html" title="Rpm-docker"> + <i class="none"></i> + Rpm-docker</a> + </li> + + <li> + + <a href="../../../metron-deployment/packaging/packer-build/index.html" title="Packer-build"> + <i class="none"></i> + Packer-build</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/index.html" title="Roles"> + <i class="icon-chevron-down"></i> + Roles</a> + <ul class="nav nav-list"> + + <li> + + <a href="../../../metron-deployment/roles/monit/index.html" title="Monit"> + <i class="none"></i> + Monit</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/opentaxii/index.html" title="Opentaxii"> + <i class="none"></i> + Opentaxii</a> + </li> + + <li> + + <a 
href="../../../metron-deployment/roles/pcap_replay/index.html" title="Pcap_replay"> + <i class="none"></i> + Pcap_replay</a> + </li> + + <li> + + <a href="../../../metron-deployment/roles/sensor-stubs/index.html" title="Sensor-stubs"> + <i class="none"></i> + Sensor-stubs</a> + </li> + + <li class="active"> + + <a href="#"><i class="none"></i>Sensor-test-mode</a> + </li> + </ul> + </li> + + <li> + + <a href="../../../metron-deployment/vagrant/index.html" title="Vagrant"> + <i class="icon-chevron-right"></i> + Vagrant</a> + </li> + </ul> + </li> + + <li> + + <a href="../../../metron-docker/index.html" title="Docker"> + <i class="none"></i> + Docker</a> + </li> + + <li> + + <a href="../../../metron-interface/metron-config/index.html" title="Config"> + <i class="none"></i> + Config</a> + </li> + + <li> + + <a href="../../../metron-interface/metron-rest/index.html" title="Rest"> + <i class="none"></i> + Rest</a> + </li> + + <li> + + <a href="../../../metron-platform/index.html" title="Platform"> + <i class="icon-chevron-right"></i> + Platform</a> + </li> + + <li> + + <a href="../../../metron-sensors/index.html" title="Sensors"> + <i class="icon-chevron-right"></i> + Sensors</a> + </li> + </ul> + </li> + </ul> + + + + <hr class="divider" /> + + <div id="poweredBy"> + <div class="clear"></div> + <div class="clear"></div> + <div class="clear"></div> + <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"> + <img class="builtBy" alt="Built by Maven" src="../../../images/logos/maven-feather.png" /> + </a> + </div> + </div> + </div> + + + <div id="bodyColumn" class="span9" > + + <h1>Sensor Test Mode</h1> +<p>A role that configures each of the sensors to produce the maximum amount of telemetry data. This role is useful only for testing. 
It can be useful to support functional, performance, and load testing of Apache Metron.</p> +<p>The role does the following to maximize the amount of telemetry data produced by each Metron sensor.</p> + +<ul> + +<li>Plays a packet capture file through a network interface to simulate live network traffic.</li> + +<li>Configures <a class="externalLink" href="https://tools.netsa.cert.org/yaf/yaf.html">YAF</a> with <tt>idle-timeout=0</tt>. This causes a flow record to be produced for every network packet received.</li> + +<li>Configures <a class="externalLink" href="https://www.snort.org/">Snort</a> to produce an alert for every network packet received.</li> +</ul> +<div class="section"> +<h2><a name="Getting_Started"></a>Getting Started</h2> +<p>To enable the <tt>sensor-test-mode</tt> role apply the role to the <tt>sensors</tt> host group in your Ansible playbook.</p> + +<div class="source"> +<div class="source"> +<pre>- hosts: sensors + roles: + - role: sensor-test-mode +</pre></div></div> +<p>The role has also been added to the default <tt>metron_install.yml</tt> playbook so that it can be turned on/off with a property in both the local Virtualbox and the remote EC2 deployments.</p> + +<div class="source"> +<div class="source"> +<pre>sensor_test_mode: True +</pre></div></div></div> + </div> + </div> + </div> + + <hr/> + + <footer> + <div class="container-fluid"> + <div class="row span12">Copyright © 2017. + All Rights Reserved. + + </div> + + + + </div> + </footer> + </body> +</html>
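Review bot: In the first hunk (the sensor-stubs role page), the "(Q) How do I install the original sensors?" section says to skip the `sensor-stubs` tag and include the `sensors` tag, but the example command only passes `--ansible-skip-tags="sensor-stubs,solr"` and never shows how `sensors` is selected, nor why `solr` is skipped alongside it; either show the include (or state that `sensors` runs by default once the stub tag is skipped) and explain the `solr` entry, otherwise readers copy a command that does not match the sentence above it. Two smaller points in the same hunk: the sample outputs mix `Ok` and `OK` (`bro: Ok [26505]` versus `bro: OK [11616]`), which looks like either two code paths in the init script or a typo and should be made consistent; and the message-rate section tells operators to tune `sensor_stubs_delay`/`sensor_stubs_count` by editing the deployed `/etc/init.d/sensor-stubs` script, which ties configuration to a hand-edited, root-owned init script, so documenting the role variables as the supported path (and noting that the init script is generated by the role) would be the clearer instruction.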
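Review bot: In the second hunk (the sensor-test-mode role page), the Getting Started section says `sensor_test_mode` can be turned on/off with a property but never states its default or the file where the variable is set (`metron_install.yml` is named as the playbook, not as the place the value lives), and the bullet list says a packet capture file is played "through a network interface" without naming the pcap, the interface, or the variables that control them; since replaying a capture onto a shared interface puts that traffic on the segment, and `idle-timeout=0` plus a Snort alert per packet drives the sensors (and the Kafka/Storm pipeline behind them) to maximum output, the page should state the default value, name the pcap/interface settings, and place the "useful only for testing" sentence next to the `sensor_test_mode: True` snippet where a reader copying it will see it. The Snort bullet also gives no mechanism (which rule or configuration change produces an alert per packet), so a reader cannot verify what the role changes on the host.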