1. Home
1.1 Downloads
1.2 Installation
1.2.1 Configure DINO
1.2.2 Configure GeoIP
1.2.3 Configure SiLK
1.2.4 Configure SNORT
1.3 Overview
1.4 Release Notes
1.5 Screenshots
Home
Update: DINO version 1.5 was released on 2011/10/05 to add Google Maps functionality.
Project:DINO is a lightweight front end for network visualization. Project:DINO, short for Drop In Network Observer, utilizes the open source network monitoring tools SiLK and SNORT to create an easy to use dashboard for situational awareness.
It is built on PHP and Open Flash Chart, is designed to run on Linux systems, and has been tested on Fedora, Red Hat and Ubuntu.
DINO queries flow records stored by SiLK and creates graphs of things like top talkers, incoming/outgoing traffic, hourly traffic, top ports, and SNORT alerts with the related flow records.
Downloads
DINO is a single RPM install, but some of the prerequisites can be tricky to install.
Current
DINO 1.5 - Release 2011/10/05
RPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.5-0.noarch.rpm
SRPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.5-0.src.rpm
Source: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.5.tar.gz
Past Releases
DINO 1.3.3 - Release 2011/09/01
RPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-3.noarch.rpm
SRPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-3.src.rpm
Source: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3.tar.gz
DINO 1.3.1 - Released 2011/08/31
RPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-1.noarch.rpm
SRPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-1.src.rpm
Source: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3.tar.gz
DINO 1.3.0 - Updated 2011/08/25
RPM: dino-1.3-0.noarch.rpm https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-0.src.rpm
SRPM: dino-1-3-0.src.rpm https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-0.src.rpm
Source: dino-1.3.tar.gz https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3.tar.gz
DINO LiveCD
Fedora 14 and Dino 1.3 https://forensics.cert.org/confluence/download/attachments/1671180/SiLK+Drop+In+Network+Observer+LiveCD.iso
Dependencies
libfixbuf https://forensics.cert.org/confluence/download/attachments/1671180/libfixbuf-0.8.0-1.i386.rpm
silk-common https://forensics.cert.org/confluence/download/attachments/1671180/silk-common-2.4.0-1.i386.rpm
silk-analysis https://forensics.cert.org/confluence/download/attachments/1671180/silk-analysis-2.4.0-1.i386.rpm
silk-rwflowpack https://forensics.cert.org/confluence/download/attachments/1671180/silk-rwflowpack-2.4.0-1.i386.rpm
yaf https://forensics.cert.org/confluence/download/attachments/1671180/yaf-1.3.1-1.i386.rpm
Installation
DINO uses the SiLK tool suite, created and maintained by the NetSA team at CERT, for flow collection and analysis functionality, and the SNORT package for IDS functionality. You will have to sign up for and download Snort rules from their website. Consider using OinkMaster to keep your rules current.
You will need to install the following packages:
libfixbuf
silk-common
silk-analysis
silk-rwflowpack
yaf
These packages can be found at the CERT repo (http://www.cert.org/forensics/tools/) as well as this site.
dino
Found on the download page https://forensics.cert.org/confluence/display/dino/Downloads
After the installation is complete you will need to configure SiLK, SNORT and DINO.
Sample configuration files:
yaf startup /etc/init.d/yaf https://forensics.cert.org/confluence/download/attachments/1671176/yaf
rwflowpack.conf /etc/sysconfig/rwflowpack.conf https://forensics.cert.org/confluence/download/attachments/1671176/rwflowpack.conf
sensors.conf /data/sensors.conf https://forensics.cert.org/confluence/download/attachments/1671176/sensors.conf
silk.conf /data/silk.conf https://forensics.cert.org/confluence/download/attachments/1671176/silk.conf
Configure DINO
You will need to edit a few variables in /var/www/html/dinolib.php.
Set the following variables related to Snort for your installation: logdir and csvfile.
For example:
$logdir="/var/log/snort/";
$csvfile=$logdir . "alert.csv";
For packet capture to work, edit the pcapdir variable to point to the location of your pcap files.
For example:
$pcapdir="/data/pcap";
To be able to download the pcap files from the web site, you will need to either add a virtual directory to Apache, or create a symbolic link to the pcap dir from /var/www/html.
For example:
cd /var/www/html
ln -s /data/pcap pcap
Then create directories for tcpxtract to put its files in, and give the web server ownership of them:
mkdir -p /data/pcap/tcpxtract/thumbs
chown -R apache:apache /data/pcap
Configure GeoIP
To enable GeoIP functionality you will need to download and install the GeoIPLite package from Maxmind, then follow the SiLK GeoIP configuration here: http://tools.netsa.cert.org/silk/rwgeoip2ccmap.html
And finally configure the following values in /var/www/html/dinolib.php:
$enableGeoIP='y';
Configure SiLK
SiLK requires some configuration: you will need to edit /etc/sysconfig/rwflowpack.conf, /data/silk.conf and /data/sensors.conf, and provide a start script for yaf. These can be downloaded as a tar here: https://forensics.cert.org/confluence/download/attachments/1933314/sample-silk.tar
Be sure to edit /data/sensors.conf so that the "internal-ipblock" variable reflects your internal network subnet.
probe localhost ipfix
    listen-on-port 18001
    protocol tcp
    accept-from-host 127.0.0.1
end probe

sensor localhost
    ipfix-probes localhost
    internal-ipblock 192.168.1.0/24
    external-ipblock remainder
end sensor
Next edit the file /data/silk.conf
[joe@smallpc data]$ more silk.conf
sensor 0 localhost

class all
    sensors localhost
end class

# Be sure you understand the workings of the packing system before
# editing the class and type definitions below.  Editing above this
# line is sufficient for sensor definition.

version 1

class all
    type  0 in      in
    type  1 out     out
    type  2 inweb   iw
    type  3 outweb  ow
    type  4 innull  innull
    type  5 outnull outnull
    type  6 int2int int2int
    type  7 ext2ext ext2ext
    type  8 inicmp  inicmp
    type  9 outicmp outicmp
    type 10 other   other

    default-types in inweb inicmp
end class

default-class all

# The default path format from SILK_DATA_ROOTDIR
path-format "%N/%T/%Y/%m/%d/%x"

# The plug-in to load to get the packing logic to use in rwflowpack.
# The --packing-logic switch to rwflowpack will override this value.
# If SiLK was configured with hard-coded packing logic, this value is
# ignored.
packing-logic "packlogic-twoway.so"
You will need to have YAF start on boot. A sample script is here, place it in /etc/init.d:
#!/bin/bash
#
# yaf        This shell script takes care of starting and stopping
#            yaf.
#
# chkconfig: - 58 74
# description: yaf is a flow collection process.

### BEGIN INIT INFO
# Provides: yaf
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Short-Description: start and stop yaf
# Description: yaf is a flow collection process.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

prog=yaf
YAF=/usr/bin/yaf
DAEMONIZE=/usr/sbin/daemonize
PID=/var/log/yaf.pid

# Capture interface and the IPFIX export target (rwflowpack listening on 18001).
INTERFACE=bond0
OPTIONS=" --silk --ipfix=tcp --live=pcap --in=$INTERFACE --out=127.0.0.1 --ipfix-port=18001"

start() {
    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 1

    [ -x /usr/bin/yaf ] || exit 5

    # Start daemons.
    echo -n $"Starting $prog: "
    $DAEMONIZE -p $PID $YAF $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ]
    return $RETVAL
}

stop() {
    echo -n $"Shutting down $prog: "
    kill `cat $PID`
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ]
    return $RETVAL
}

status() {
    YAFCOUNT=`ps -ef | grep $prog | grep -v grep | wc -l`
    if [ $YAFCOUNT -lt 1 ]
    then
        echo "ERROR: YAF not running"
    else
        echo "YAF Running with PID `cat $PID`"
    fi
}

restart() {
    stop
    start
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $prog
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 2
esac
Configure SNORT
To get SNORT working with DINO you'll need to download the VRT rules from SNORT here: http://www.snort.org/start/rules
Add the following two options to your snort.conf file in order for SNORT to log in CSV format.
# syslog
output alert_csv: alert.csv default
# pcap
output log_tcpdump: tcpdump.log
And lastly, check dinolib.php and set the variable enableSNORT to "y".
$enableSNORT='y'; //Set this to y to enable SNORT functionality
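As an added example (not code from the DINO page or project), this Python reads the alert.csv that the alert_csv "default" output above produces and labels each alert against the internal-ipblock from the sample sensors.conf, using the same in/out/int2int/ext2ext names as the silk.conf types. The column order is the documented Snort "default" layout; the sample lines, addresses and signature ids are constructed.

```python
import csv
import ipaddress
from collections import Counter

# Column order of Snort's "output alert_csv: alert.csv default" (Snort manual).
ALERT_CSV_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto", "src",
    "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen", "tcpflags",
    "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos", "id", "dgmlen",
    "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Same subnet as the internal-ipblock line in the sample sensors.conf above.
INTERNAL = [ipaddress.ip_network("192.168.1.0/24")]

def direction(src, dst, internal=INTERNAL):
    """Label an alert like silk.conf's packing types: in/out/int2int/ext2ext."""
    s = any(ipaddress.ip_address(src) in n for n in internal)
    d = any(ipaddress.ip_address(dst) in n for n in internal)
    return {(True, True): "int2int", (True, False): "out",
            (False, True): "in", (False, False): "ext2ext"}[(s, d)]

def parse_alerts(text):
    """Parse alert.csv text into dicts keyed by ALERT_CSV_FIELDS plus 'direction'."""
    alerts = []
    for row in csv.reader(text.splitlines()):
        # Skip rows with the wrong column count (torn write while Snort is logging).
        if len(row) != len(ALERT_CSV_FIELDS):
            continue
        alert = dict(zip(ALERT_CSV_FIELDS, row))
        alert["direction"] = direction(alert["src"], alert["dst"])
        alerts.append(alert)
    return alerts

def top_signatures(alerts, n=5):
    """Count (sig_id, msg) pairs: the top-alerts view DINO charts."""
    return Counter((a["sig_id"], a["msg"]) for a in alerts).most_common(n)

# Constructed sample lines (not real Snort output): 27 columns each, plus one truncated line.
SAMPLE = (
    "10/05-14:02:11.123456,1,1000001,3,LOCAL sample inbound alert,TCP,10.9.8.7,80,192.168.1.20,51234,"
    "00:11:22:33:44:55,66:77:88:99:aa:bb,0x5EA,***AP***,0x1A2B3C4D,0x9F8E7D6C,0x14,0x1000,52,0,54321,1450,0x14,,,,\n"
    "10/05-14:02:15.000001,1,1000001,3,LOCAL sample inbound alert,TCP,10.9.8.7,80,192.168.1.21,51235,"
    "00:11:22:33:44:55,66:77:88:99:aa:bb,0x5EA,***AP***,0x1A2B3C4E,0x9F8E7D6D,0x14,0x1000,52,0,54322,1450,0x14,,,,\n"
    "10/05-14:03:40.500000,1,1000002,1,LOCAL sample icmp ping,ICMP,192.168.1.20,,192.168.1.1,,"
    "00:11:22:33:44:55,66:77:88:99:aa:bb,0x62,,,,,,64,0,7,84,0x14,8,0,1,1\n"
    "truncated,line,from,a,torn,write\n"
)
```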
Overview
Project:DINO is a lightweight front end for network visualization. Project:DINO, short for Drop In Network Observer, utilizes the open source network monitoring tools SiLK and SNORT to create an easy to use dashboard for situational awareness of your network.
It is built on PHP and Open Flash Chart, is designed to run on Linux systems, and has been tested on Fedora, Red Hat and Ubuntu.
DINO queries flow records stored by SiLK and creates graphs of things like top talkers, incoming/outgoing traffic, hourly traffic, top ports, and SNORT alerts with the related flow records.
Additionally, Project:DINO has the ability to analyze an uploaded PCAP file created with tcpdump: it will create a summary report and extract the files within the packet capture using tcpxtract.
Release Notes
Current Release
1.2 | 2010/12/01
Added file carving from PCAP upload
Added SNORT alerting from PCAP upload
1.1 | 2010/11/29
Added a simple pcap analyzer (will add more features in next release)
Added ability to disable SNORT functionality
Removed SNORT prereq from RPM
Added geoIP functionality (will add more features in next release)
Prior Versions
1.0 | 2010/11/19
Rewrote all of the graphing code to make it reusable
Added network inventory code
Screenshots
Top Talkers for the Current Day. By mousing over the bars you will see a summary of the traffic for that point on the chart.
Google Maps Geo Location: Project DINO performs Geo Location of Net Flow Data.
Top Talkers by IP Address: This chart is reached by clicking on the bar in the above graph.
Top Talker by Minute in the hour, which is clicked on the above bar.
Traffic Overlays Two charts are available for overlaying traffic from previous weeks and months.
By clicking on a point in the graph you can view data for that day.
As seen above, by hovering over a point a summary is given, and by clicking on that point a report for the days traffic is generated.
By clicking on a point in the above graph you can see traffic for the hour.
IP Summary: Example IP Summary Report
Network Inventory: A network inventory is available which will attempt to identify known servers as well as all internal hosts. Each host is clickable to generate the report seen above.
SNORT Alerts Additionally SNORT is used to generate IDS alerts.
Packet Capture
Network captures can be generated in either full pcap or just the first 68 bytes.
System Status
Packet Capture Analysis
The following is a screenshot of a report generated from a PCAP upload.
DINO extracts files from uploaded PCAPs and presents thumbnails of any images.
DINO also displays any alerts from SNORT that are within the PCAP.