netmonastery

AWS-Digi


Project Description

Our main objective is to identify a dynamic dataset suitable for analysis through the platform, understand the key parameters of the dataset, parse the dataset, create a dashboard, and generate alerts upon any anomalies recorded in the dataset. This project is all about how to analyse data in real time inside DNIF with the help of its inbuilt functions.


Introduction to DNIF

DNIF is a data platform that can collect, parse, enrich, index, balance, and analyse data in a continuously changing environment, helping enterprises take precautionary measures for cyber defence. It allows users to partition one data infrastructure and enable multiple teams to solve many challenges.

Apart from cybersecurity analytics, DNIF can also be used for any Big Data analytics use case, transaction analytics, fraud detection, analytics on IoT data, and financial risk analysis.

The platform offers consumers three types of deployment — on-premises (installed and runs on computers in the premises), on cloud, and virtual.

It offers four plans, free, community, standard and enterprise, to suit the needs and budget of consumers. Consumers can subscribe as per usage and install DNIF on commodity servers. The software will then stream log data from servers, network devices, and security devices. Once installed, DNIF will ingest this data and identify threats using techniques like thresholding, lookups, profilers/baseliners, and machine learning.

DNIF Installation


Tools

- Virtual Box
- JetBrains: PyCharm Community Edition
- Ubuntu 16.04 or above
- Docker

Pre-requisites

  • VirtualBox
  • Ubuntu ISO
  • DNIF Account

System Requirement

  • Minimum configuration required is 4 Cores
  • 16GB RAM
  • 200GB Disk Space

DNIF can be installed on any physical or virtual machine. Check all the pre-requisites.

Note - The hardware ready reckoner only provides an indicative stack required to run DNIF. You are free to start slow and upgrade your hardware as your usage builds up. DNIF is built on a big data framework and therefore it can scale in phases.

Virtual Box setting

Download VirtualBox (download from here).
Set at least 4 GB of RAM in the System settings.
Go to the Network settings and, under Attached to, select Bridged Adapter.

Ubuntu

Download the latest version of Ubuntu from here.
Configure Ubuntu and install it in VirtualBox.

Docker Installation

Open a terminal and copy-paste the following commands into it (the line continuations of the original have been joined so each command is a single line):

  1. Update the apt package index
    sudo apt-get update

  2. Install packages to allow apt to use a repository over HTTPS
    sudo apt-get install apt-transport-https ca-certificates curl software-properties-common

  3. Add Docker's official GPG key
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

  4. Verify the key fingerprint
    sudo apt-key fingerprint 0EBFCD88

  5. Set up the stable repository
    sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

  6. Update the apt package index again
    sudo apt-get update

  7. Check the available releases
    apt-cache madison docker-ce
    (or: apt-cache policy docker-ce)

  8. Install Docker (you can replace the version string after = with a different release)
    sudo apt-get install docker-ce=17.06.2~ce-0~ubuntu

  9. Verify that Docker is installed correctly
    sudo docker run hello-world

  10. Install python-pip
    sudo apt-get install python-pip

  11. Install Docker Compose
    sudo pip install docker-compose

Note: If you face any difficulties with the above commands, please visit the Docker website, where these steps are documented. Copy the command that isn't working from this list from that page and paste it as is.

Docker installation official link: Click here

Configuring DNIF

  1. Register yourself: Sign Up
  2. Download the All-in-One file, named A10. Click here to download the A10 file
  3. Create a folder on the desktop (a10 folder) and paste the A10 file inside this folder.
  4. Open the docker-compose.yml file and change the following parameters/fields:
    1. /path/to/volume: replace this text with the path where you would like to install the files (for example, /home/test/).
    2. DKEY: put your own deployment key. Check the e-mail titled "DNIF: Getting Started".
    3. CRIP: replace this value with the IP address of the machine on which the installation is being done. If you don't know the IP address, open a terminal and run ifconfig.

Try to keep the machine's IP address static. If it is dynamic, check this.

  5. Run sudo docker-compose up inside the a10 directory. This command performs a "pull" operation, which gets the latest code from the online repository, and then runs it.

Do not close the Terminal window after the above command has been executed, otherwise the application will cease to operate and terminate itself. You can, however, minimize it.

  6. Once the folder is created in the path specified in the Volumes field, download the license and signature.bin files attached to the e-mail titled "DNIF - Getting Started".
  7. Move both files into your_deployment_key_folder/LICENSE (the folder which got created in the Volumes path specified).

If you are not able to move the files, open a new terminal and run this command: sudo chown -R $USER: $HOME

Web Console

  1. Visit https://go.dnif.it/
  2. Log in.

You need Google Authenticator to generate the OTP. Your secret auth key is specified in the e-mail titled "Sign In to Web Console"; visit here. Account Name: DNIF. Key: provided in the mail, named GAuth Key. Drop-down: Time Based.

  3. Once logged in, go to the Management tab -> Connection -> change the Source Address field (the same value as provided in CRIP; this is the Ubuntu IP address), then click on the link and add the SSL certificate.
  4. Save and update the field.
  5. Enjoy; your DNIF installation and configuration is done.

If you have any doubts, please check the wiki (click here). To get an overview of the installation, check out our infographics (click here).


Webiron

Webiron provides a comprehensive managed security service that will keep your web servers safe from harm. Webiron's intelligent technology is designed to immediately detect, block and prevent automated bot and malware attacks.

Key Metrics

The abuse e-mail feed contains a log of our abuse reports and the status of each reported issue. The feed is filterable by e-mail address, IP address, or ASN number. It is the master feed for the Twitter "bad abuse" feed and is pulled from live data.

| Field | Description |
|---|---|
| Log Entry Type | Contains the action: report sent, report opened, report, or resolved (the host has replied with a resolved statement). |
| Log Time | Time the action was done. |
| Attacker IP | The IP reported for issues (the lookup link forwards to the IP lookup page). The "IP" link filters the feed by that IP, while "lookup" provides more detailed information on the IP. |
| Logged E-Mails | Either the list of e-mail addresses the attacker IP was reported to, or the address that responded to a resolved or opened event. Clicking on an e-mail filters the feed by that e-mail address. |
| Log Message | The list of issues reported, or an action message. |
| Deliverable | Was the e-mail accepted by the host? |
| Days Unresolved | The number of days since the issue was reported to the host. |
| Incidents Reported | The number of incidents reported. Some bots use thousands of nodes rather than heavier concentrations from fewer hosts; the damage is the same, however. |

Interacting with DNIF

You can interact with DNIF in the following ways:

  1. Through the Event Store. To read more about the Event Store, click here
  2. Through a live dataset using connectors.
  3. Using the built-in DNIF data models. To learn about these data models, click here

DNIF interaction through Postman

Please refer to the wiki (click here).

DNIF interaction through HTTP API

Please refer to the wiki (click here).

Analysis and Dashboard

  • List of event messages
    Query:
    _fetch * from event limit 100 >>_agg count_unique $event_msg

    (Screenshots: event message query and its output)

  • List of entry types
    Query:
    _fetch * from event limit 100 >>_agg count_unique $entry_type

    (Screenshots: entry type query and its output)

  • Days unresolved
    Query:
    _fetch * from event limit 100 >>_agg count_unique $days_unresolved

    (Screenshots: days unresolved query and its output)

  • IPs that have been reported more than 4 times
    Query:
    _fetch * from event where $entry_type= report group count_unique $attacker_ip >>_checkif int_compare count_unique >4 include

    (Screenshots: repeat attacker query and its output)

  • List of event e-mails
    Query:
    _fetch * from event limit 100 >>_agg count_unique $event_emails

    (Screenshots: event e-mail query and its output)
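The following is an added example, not code from the AWS-Digi repository: it re-creates the aggregations behind the five queries above offline, so you can see what `count_unique` and the "reported more than 4 times" check compute before building the widgets. The field names follow the `$` fields in the queries, and the abuse-feed records are constructed sample data; the `stale_reports` check (reports left unresolved for too long) is an extra alert idea built on the feed's Days Unresolved field, not one of the page's queries.

```python
from collections import Counter

# Constructed sample of parsed Webiron abuse-feed events (hypothetical values);
# field names mirror the DQL queries above ($entry_type, $attacker_ip, ...).
def _ev(entry_type, ip, msg, email, days):
    return {"entry_type": entry_type, "attacker_ip": ip, "event_msg": msg,
            "event_emails": email, "days_unresolved": days}

SAMPLE_EVENTS = (
    [_ev("report", "203.0.113.10", "Brute force (wp-login)", "abuse@example.net", 3)] * 5
    + [_ev("report", "198.51.100.7", "Bad bot / scraper", "abuse@example.org", 1)] * 2
    + [_ev("report opened", "198.51.100.7", "Host opened the report", "abuse@example.org", 1)]
    + [_ev("resolved", "203.0.113.10", "Host replied: resolved", "abuse@example.net", 0)]
)

def count_unique(events, field):
    """Equivalent of `_agg count_unique $field`: how often each distinct value occurs."""
    return dict(Counter(e[field] for e in events))

def repeat_attackers(events, threshold=4):
    """Equivalent of the 'reported more than 4 times' query: count the 'report'
    entries per attacker IP, then keep only IPs whose count exceeds the threshold."""
    reports = [e for e in events if e["entry_type"] == "report"]
    return {ip: n for ip, n in count_unique(reports, "attacker_ip").items() if n > threshold}

def stale_reports(events, max_days=2):
    """Extra alert candidate (not on the page): IPs whose report has stayed
    unresolved for more than max_days, based on the feed's Days Unresolved field."""
    return sorted({e["attacker_ip"] for e in events
                   if e["entry_type"] == "report" and e["days_unresolved"] > max_days})

if __name__ == "__main__":
    for field in ("event_msg", "entry_type", "days_unresolved", "event_emails"):
        print(field, count_unique(SAMPLE_EVENTS, field))
    print("repeat attackers:", repeat_attackers(SAMPLE_EVENTS))
    print("stale reports:", stale_reports(SAMPLE_EVENTS))
```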

Dashboard

The Dashboard is the DNIF function where you can do threat analysis visually. To do that you need to create different widgets and then add those widgets to the dashboard.

(Screenshots: dashboard examples)
