Skip to content

DynamiteNSM

Introduction
About
About
- Project Goals
- Architechture
- Event Data Model
  Event Data Model
  - Data Model Overview
  - Sample Logs
    Sample Logs
    
    Suricata Alert
    
    Zeek Connection
    
    Zeek DHCP
    
    Zeek DNS
    
    Zeek Files
    
    Zeek HTTP
    
    Zeek Portable Executables
    
    Zeek SSH
    
    Zeek SSL
    
    Zeek Weird
    
    Zeek X509
Requirements
Requirements
Installation
Installation
- Installation Overview
- Agent
  Agent
  - Overview
  - Preparing Inspection Interfaces Preparing Inspection Interfaces
    Table of contents
    
    Inspection Interface(s)
    
    /etc/network/interfaces
  - Install on the Same Instance
  - Install across Separate Instances
- Monitor
  Monitor
Configuration
Configuration
- Configuration Overview
- Agent
  Agent
- Monitor
  Monitor
  - Elasticsearch
  - Kibana
Services
Services
- Setup
- Authentication
- Updates
- Monitor
- Agent
- Elasticsearch
- Logstash
- Kibana
- Kibana Package Manager
- Zeek
- Suricata
- Filebeat
Guides
Guides
- Quick Start
- Remote Management
- Navigating Kibana
  Navigating Kibana
  - Overview
  - Alert
  - Conversations
  - Hosts
  - Protocols
  - Pivot Fields
- Working with Kibana Package Manager
- Software Developer Guides
  Software Developer Guides
  - Overview
  - Create a Commandline Utility
  - Create a Kibana Package
  - Software Development Kit
    Software Development Kit
    
    Overview
    
    cmd
    cmd
    
    base_interface
    
    inspection_helpers
    
    config_object_interfaces
    
    service_interfaces
    
    services
    services
    
    base
    base
    
    install
    
    config
    
    config_objects
    config_objects
    
    generic.py
    
    filebeat
    filebeat
    
    misc.py
    
    targets.py
    
    suricata
    suricata
    
    misc.py
    
    rules.py
    
    zeek
    zeek
    
    node.py
    
    local_site.py
    
    local_network.py
    
    bpf_filter.py
    
    logs
    
    process
    
    profile
    
    monitor
    monitor
    
    install
    
    process
    
    agent
    agent
    
    install
    
    process
    
    filebeat
    filebeat
    
    install
    
    config
    
    logs
    
    process
    
    profile
    
    suricata
    suricata
    
    install
    
    config
    
    logs
    
    process
    
    profile
    
    zeek
    zeek
    
    install
    
    config
    
    logs
    
    process
    
    profile
    
    elasticsearch
    elasticsearch
    
    install
    
    config
    
    process
    
    profile
    
    logstash
    logstash
    
    install
    
    config
    
    process
    
    profile
    
    kibana
    kibana
    
    install
    
    config
    
    process
    
    profile
Resources
Resources
- Contributing Guide
- Coding Guidelines

Preparing Inspection Interfaces

Inspection Interface(s)

Inspection interfaces receive traffic from a SPAN port or TAP device. Typically, they do not need IP addresses.

ⓘ A notable exception is on AWS's port-mirroring implementation for VPCs which relies on VXLAN encapsulation requiring the monitored interface to have a routable ip address.

Disabling any NIC offloading functions such as tso, gso, and gro can also improve performance.

`/etc/network/interfaces`

auto mon0
iface mon0 inet manual
  up ifconfig $IFACE -arp up
  up ip link set $IFACE promisc on
  down ip link set $IFACE promisc off
  down ifconfig $IFACE down
  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6