forked from gamelinux/echidna
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
198 lines (134 loc) · 5.95 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
--------------------------------------------------------------------------
0. INTRODUCTION
--------------------------------------------------------------------------
Echidna - A Cyber-Security Monitoring Framework (TM)
Echidna is a framework for connecting the variety of different Network
Security Monitoring disciplines together in an open, module based
framework.
We aim to be community friendly, easily extendible, module based, open
for all kinds of different plug-ins, fast and stable :)
--------------------------------------------------------------------------
1. PROPOSED FEATURES
--------------------------------------------------------------------------
NODES
- Flowdata (netflow, cxtracker)
- NIPS/NIDS (Snort, Suricata, Bro)
- Full packet capture (daemonlogger)
- Passive OS and Service detection (PRADS)
- HIDS - Host Based Intrusion Detection (OSSEC, samhain)
- Network File tracker (nftracker)
- Passive DNS (pdnstracker)
WORKERS
- File carving from pcaps (tcpxtract, xtract.py, xplico? etc)
- Anti Virus scanning (with md5sum checking) of files. For example:
- ClamAV,
- AVG,
- Google
- File anomaly checking (pdfid.py)
- Data Loss Detection (spamassassin + sa-learn)
- JavaScript parser (Didier Stevens modified SpiderMonkey?)
SERVER
- MySQL/Percona/PGSQL and NoSQL/Fastbit
- Server software
- Collects data from NODES and stores in DBs
- Updates clients in "real-time"
- Automatic kicks off tasks based on events
- Can manage NODES and WORKERS
- ACL aware!
MASTER SERVER
- MySQL/Percona/PGSQL and NoSQL/Fastbit
- Master Server software
- Collects data from SERVERs and stores in DBs
- Updates clients in "real-time"
- Automatic kicks off tasks based on events
- Can manage SERVERs, NODES and WORKERS
- ACL aware!
CLIENT
- GUI based.
- Mainly for handling events and searching
- Handling of IDS/IPS events
- Handling of flowdata
- Handling of nftracker data
- Handling of pcap extraction
- Making of Policies (PRADS data vs what is legal on your network)
- Configure MASTER SERVERS, SERVERS, WORKERS and NODES
- Manage users, groups, ACL, etc.
- Manages NODES (start,stop,restart,configure)
- Manage SERVERS (purge-db/archiving, add/del NODES)
- Manage MASTER SERVERS (purge-db/archiving, add/del SERVERS, add/del NODES)
--------------------------------------------------------------------------
2. ROADMAP
--------------------------------------------------------------------------
The project needs to aim high, but start with implementing the fundamentals.
STAGE 1
So the most important part would be to implement some of the NODES functions.
I would say that Flowdata, IPS/IDS data and PCAP handling is the most
important.
But with out having a system to collect data, how would one know if the NODES
are working? So SERVER and NODE goes hand in hand.
STAGE 2
Stage two is to implement a CLIENT to browse the events and to handle them.
STAGE 3
Extend the NODES, SERVERS and the CLIENT for a 1.0 release. This needs to be a
release that really works and that you can do real work with. It also needs to
be ready for developers to jump on the train, so the main architecture to the
framework needs to be consistent in the near future. This will enable easy
development of modules/plug-ins on NODES, SERVERS and CLIENT. It is important
that it is easy to add plug-ins in the NODES and CLIENT!
VERSION 1.0
STAGE 4
Documentation!!! This would (and should) normally be done along side the other
stages. However, this stage is dedicated to getting completed to the current
architecture and feature list.
STAGE 5
Implement extra features that makes the CLIENT crispy, exiting and innovative.
Th CLIENT now also needs to be able to configure the NODES and MASTER. The
WORKERS should also be functional.
VERSION 2.0
STAGE 6
This is the stage that the MASTER SERVER will be implemented. It is important
that during the other Stages, that the project is aware that it might be
governed from the MASTER SERVER. The MASTER SERVER is much like the SERVER,
but it does not need to store all the meta data that the SERVERS does. It will
reach out and talk to the SERVERS when it needs data.
VERSION 3.0
STAGE 7
Its important polish the code, comment it and have it easy for others
to read. This is important in the whole project, but now its time to
rewrite the functions/subroutines that are quick hacks!?
We should make sure that all that a developer needs/wants to make modules
are in place. This is the Stage for making the framework perfect.
VERSION 4.0
STAGE 8
Innovation! This is the stage where things have evolved, computer power has
grown according to expected, and we need to work hard on our data, doing
correlation, data-mining and other resource intensive stuff...
Maybe this will be implemented on own WORKERS?
VERSION 4.1 ?
STAGE 9
All hands on the GUI.
Lots of more stuff needs to be implemented...
VERSION 5.0
Along all the stages, the will be improvements, bug-fixing, feature requests,
additions, deletions and loads more.
--------------------------------------------------------------------------
3. GETTING STARTED
--------------------------------------------------------------------------
This quick getting started will set up the simple test environment that is
being used by the developers. As we progress through the stages, the hard
values will become fewer and the configuration flexibility will evolve.
1. Grab the source code.
2. Ensure all dependencies are met, refer to the INSTALL.
3. Server Configuration.
You will need to set up a clean (no tables) database with a designated user
who has been granted all privileges to the table.
Ensure the database settings in your server.yaml file match your database
configuration and has the credentials you've just created.
The current implementation only supports MySQL databases (this will be
extended to more backends in future stages).
4. Run the server.
# ./server/server
5. Run the nodes.
# ./nodes/barnyard2
# ./nodes/cxtracker
6. Run the feeders.