README: Setup Guide
Table of Contents
Overview
The Remote Administration Client
License and Acknowledgments
Contact
DNA is an open, flexible and extensible deep network analyzer (software server) and architecture for gathering and analyzing network packets, network sessions and application protocols passively off enterprise class networks. DNA is designed to be used for Internet security, intrusion detection, network management, protocol and network analysis, information gathering and network monitoring applications.
DNA runs as a distributed application under a Java Virtual Machine (JVM) environment and is portable across many OS environments, including network appliances, switches and routers.
Deep packet and session processing (layers 2-7)
Configurable processing and output:
Layer 4 Packet flows
Layer 4-7 Stateful Sessions flows (client/server flow pairs)
Layer 7 Packet and Session Application protocol Parsing (HTTP, DNS, P2P, VoIP, etc)
Application protocol parsing toolkit enables easy development of new protocol parsers.
Support for both symmetric and asymmetric routing links.
Targeting based full session capture facility, like a real time targeted TCPDump.
Flexible targeting from IP address, port tuple to application sensitive targeting.
Configurable and extensible output adaptor utilizing OpenAdaptor able to send output to a variety of resources including: Flat file, Oracle, MySQL, MSSQL, Sybase, Sockets, JMS, RMI, WebService.
Extensible real time collection engine portable across many OS/packet processing environments:
Specialized linux drivers mechanisms
Network Appliances
Network Switches / Routers
Highly parallelized for increased performance in multiprocessor environments
System meta data dictionary externalizes processing type definition
Linux/Unix Operating Systems
Win32 (2k, XP, 2003, etc)
Other JVM based environments that support libpcap
Live capture via Netfilter.
Supports wired and wireless LANs (WiFi)
Standard Netfilter support (for NAT devices, routers, etc)
Promiscuous mode patch support (for passive monitoring appliances)
Live capture directly from device(via pcap/winpcap)
Supports wired and wireless LANs (WiFi)
Layer 2 Ethernet / Layer 2 encapsulation (PPPoE)
Batch file based processing through Java PCAP.
Http
Static Port Packet Capture
Java 1.4 or greater
winpcap (win32), included in this release
IPTables 1.2 or greater
LDAP Server
J2EE Application Server (JBoss, WebSphere, etc)
SQL Databases: MySql, Oracle, Sybase, MSSQL
MQSeries
Download and follow the instructions appropriate to your environment:
Download the "DNASetup.exe" file
Execute the file (this can be done automatically by IE or by double-clicking on it). An MS-DOS window appears and shows the available Java Virtual Machines found on your system, if any.
Choose the first one if proposed, or enter the path to your Java VM if asked.
The installer starts and guides you through the rest of the installation process
Download the "DNASetup.sh" file
Open a shell console
cd to where you put the downloaded file
Execute the file:
$ sh DNASetup.sh
The installer starts and guides you through the rest of the installation process
Download the "DNASetup.jar" file
Execute the jar: double-click on it, or if it fails, open a console and type
java -jar DNASetup.jar
The installer starts and guides you through the rest of the installation process
Launch the uninstall script in the dnasystem's install directory, or on Windows go to the "Software Install/Uninstall" panel and choose "DNASetup":
$ sh uninstall_DNASetup.sh
./jars     jar files used in this release
./javadoc  dnasystem and openadaptor javadoc
./doc      Documentation
./lib      JNI libraries (e.g. libvservipq.so, libjavacap.so, javacap.dll)
./OS       OS specific patches and third party software
./scripts  Scripts for launching programs
./config   Configuration property files
./src      Java sources
The system is installed to run a basic configuration of the analyzer. The scripts ./scripts/sensor.bat (win32) and ./scripts/sensor.sh (Linux/Unix) start the analyzer using the default properties file ./config/DNASensor.props. The default properties run the analyzer with the following configuration:
Local-only administration (non-rmi mode). In this mode use ^C or kill to stop the analyzer.
The output will be sent to a single flat file called SensorData.out in the current directory
The sensor’s log file, sensor.log, will be placed in the current directory
Layer 4 configuration:
TCP/UDP flow (suppressed)
TCP/UDP Sessions (enabled)
TCP/UDP Summary Flows (enabled)
Parsers:
HTTP on TCP ports 80,8008,8080
Summary output (enabled)
Detailed output (disabled)
StaticPortPacketCapture on UDP ports 6340-6350,7000-7010
Note: The terms sensor and analyzer are used interchangeably.
This section will show how to run the sensor with the basic setup.
Start from a shell window or console
Set DNAHOME environment variable to the dnasystem install location
Run the shell script $DNAHOME/scripts/sensor.sh with options. The script sets the -c config file option to ./props/DNASensor.props.
> sh $DNAHOME/scripts/sensor.sh -h
Help - use option:
  [-f file] to process from a tcpdump file
  [-d dev]  to process a pcap device
  [-D]      lists all interface devices capable of pcap cature
  [-q]      to process from IPTables QUEUE
  [-h]      print this help message
  [-c file] specify config file location, [default=$PWD/config.cfg]
Run the sensor on “eth1”
> sh $DNAHOME/scripts/sensor.sh -d eth1
Type Control-C to stop the sensor. The server completes its processing in a few seconds and displays the status:
Server recieved shutdown command with time 0 seconds. Capture finished. Recieved Packets: 4 Packets Dropped: 0
The output will be placed in the user's current directory in the file SensorData.out
Any error will be placed in the log file sensor.log in the current directory.
Note: if you are running SELinux and receive the following error:
  Exception in thread "main" java.lang.UnsatisfiedLinkError: /tmp/dnasystem/lib/libjavacap.so: /tmp/dnasystem/lib/libjavacap.so: cannot restore segment prot after reloc: Permission denied
issue the following command as root:
  chcon -t texrel_shlib_t lib/*
This section will show how to run the sensor with the basic setup on Windows.
Install WinPcap located in the install directory OS\win32\winpcap_3_1.exe
Start from a dos command window (Start->run-> cmd)
Set the DNAHOME environment variable to the dnasystem install location:
  set DNAHOME=<dir>
Run the batch file %DNAHOME%\scripts\sensor.bat with options. The script sets the -c config file option to .\props\DNASensor.props.
> $DNAHOME/scripts/sensor.sh -h
Help - use option:
  [-f file] to process from a tcpdump file
  [-d dev]  to process a pcap device
  [-D]      lists all interface devices capable of pcap cature
  [-q]      to process from IPTables QUEUE
  [-h]      print this help message
  [-c file] specify config file location, [default=$PWD/config.cfg]
List the interfaces of your Windows machine, since Windows network interface names are generally hidden from the user.
C:\ $DNAHOME/scripts/sensor.bat -D
1) \Device\NPF_GenericDialupAdapter Generic dialup adapter
2) \Device\NPF_{0584B40D-F833-43FA-9D60-DAF22F2C7AD2} (Microsoft's Packet Scheduler)
3) \Device\NPF_{625526D2-72A5-4CBD-8CDA-461239EF0F57} Dell Wireless WLAN 1450 Dual Band WLAN Mini-PCI Card (Microsoft's Packet Scheduler)
Run the sensor on the “WiFi” interface
> $DNAHOME/scripts/sensor.sh -d \Device\NPF_{625526D2-72A5-4CBD-8CDA-461239EF0F57}
Type Control-C to stop the sensor. The server completes its processing in a few seconds and displays the status:
Server recieved shutdown command with time 0 seconds. Capture finished. Recieved Packets: 4 Packets Dropped: 0
The output will be placed in the user's current directory in the file SensorData.out
Any error will be placed in the log file sensor.log in the current directory.
IPTABLES Setup:
Ensure you have iptables configured into your kernel (see make menuconfig under /usr/src/<kernel version>).
Apply the promiscuous mode patch if needed and build a new kernel. Only passive monitoring needs this patch; inline NAT/firewalls do not.
The diff files are found in: ./os/linux/iptables-promisc-diffs-1.3.0-kern-2.6.tar
Change your Linux start scripts to ensure that the following modules load:
ip_queue, iptable_filter, ip_tables
For passive monitoring: Ensure that you have set one of your interfaces to promiscuous mode (I use eth1 on my machine)
ifconfig eth1 promisc up
For NAT/Firewall users: See the netfilter/iptables documentation to forward all packets to ip_queue.
For passive monitoring: run the script ./script/iptables_rules.sh (change the script if your interface is not eth1). The output should look like this:
# ./iptables_script.sh
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 1277K packets, 1027M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1295K packets, 393M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PROMISC (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
3159K 1319M QUEUE      all  --  eth1   any     anywhere             anywhere
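The listing above is the evidence that the kernel side of a passive setup is wired up: the modules are loaded and the PROMISC chain hands the monitored interface's traffic to QUEUE. The following check is an added example, not part of the dnasystem release: POSIX shell functions that read an iptables listing and a /proc/modules dump as text, so they can be tried offline on the constructed samples embedded below, and report whether the three required modules are loaded, whether a QUEUE rule exists for the interface in the PROMISC chain, and whether that rule has actually counted packets. The chain name comes from the listing in this guide; the /proc/modules layout (module name in the first column) is assumed. It is worth running after the sensor is started, because packets queued to ip_queue with no userspace consumer attached are dropped: harmless on a passive promiscuous interface, but in the inline NAT/firewall case it means forwarding stops.

```shell
#!/bin/sh
# Added example, not part of the dnasystem release: sanity checks for the
# netfilter side of a passive-monitoring setup. Every function takes its input
# as text so it can be exercised offline; feed it live output as shown below.

# Constructed sample of `iptables -L -v` output, mirroring the listing shown
# in the iptables setup section of this guide.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 1277K packets, 1027M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1295K packets, 393M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PROMISC (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
3159K 1319M QUEUE      all  --  eth1   any     anywhere             anywhere'

# Constructed sample in /proc/modules layout (module name is the first field).
# iptable_filter appears only as a dependency here, so it is reported missing.
SAMPLE_MODULES='ip_queue 12345 1 - Live 0xf8a00000
ip_tables 23456 1 iptable_filter, Live 0xf8b00000'

# Kernel modules the setup section says must be loaded.
REQUIRED_MODULES="ip_queue iptable_filter ip_tables"

# queue_rules LISTING CHAIN
# Prints "<in-interface> <pkts>" for every QUEUE rule in CHAIN. The field
# positions are the same for `iptables -L -v` with or without -n.
queue_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain /                     { cur = $2; next }
        cur == chain && $3 == "QUEUE" { print $6, $1 }'
}

# queue_rule_present LISTING CHAIN IFACE  -> 0 if IFACE has a QUEUE rule in CHAIN
queue_rule_present() {
    queue_rules "$1" "$2" | awk -v want="$3" '
        $1 == want { f = 1 } END { exit (f ? 0 : 1) }'
}

# queue_rule_active LISTING CHAIN IFACE  -> 0 if that rule has counted packets.
# A counter stuck at 0 after traffic has flowed usually means the interface
# named in iptables_rules.sh is not the one put into promiscuous mode.
queue_rule_active() {
    queue_rules "$1" "$2" | awk -v want="$3" '
        $1 == want && $2 != "0" { f = 1 } END { exit (f ? 0 : 1) }'
}

# missing_modules MODULES_TEXT  -> prints each required module that is not loaded
missing_modules() {
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$1" | awk -v m="$m" '$1 == m { f = 1 } END { exit (f ? 0 : 1) }' \
            || echo "$m"
    done
}

# Stand-alone demonstration on the constructed samples.
if queue_rule_present "$SAMPLE_LISTING" PROMISC eth1; then
    echo "QUEUE rule for eth1 present in chain PROMISC"
fi
for m in $(missing_modules "$SAMPLE_MODULES"); do
    echo "module not loaded: $m"
done
```

Against a live system, run as root: queue_rule_present "$(iptables -L PROMISC -v)" PROMISC eth1 and missing_modules "$(cat /proc/modules)". The awk matches on field positions, so listings produced with or without -n both work.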
JNDI NAMING SERVER: Java provides a number of options to support JNDI naming. The DNASensor.props provide templates for the following jndi services:
RMI registry
LDAP server, like openLDAP
J2EE Application Server, like JBOSS
The simplest JNDI service is to use the rmiregistry command, shown below. Refer to your LDAP or J2EE server documentation for setup.
Ensure the application jars ./jars can be found in the CLASSPATH. The ./scripts/dna_classpath.sh or ./scripts/dna_classpath.bat scripts will set the correct classpath.
Run rmiregistry. Found in your JAVA_HOME/bin directory
Set the following properties in ./config/DNASensor.props
Admin.LOCAL_ONLY = true
Admin.JNDIClass=isc.util.ServerAdmin
Admin.NAMING_ADMIN_NAME=sensor
Admin.NAMING_CONTEXT_CLASS=Context
Admin.NAMING_PROVIDER_URL=rmi://localhost:1099
Admin.NAMING_INITIAL_CONTEXT_FACTORY=com.sun.jndi.rmi.registry.RegistryContextFactory
Admin.NAMING_URL_PKG_PREFIXES=com.sun.jndi.ldap
The sensor’s behavior is controlled by an external property file. The property file specifies the property/value pair the sensors java classes recognize as options. The default property file shipped with the release is ./config/DNASensor.props. For a complete list, refer to the sensor’s javadoc. The main options to be concerned with are:
Type of Layer 4 processing and output
Location of sensor output via openadaptor
The installed layer 7 parsers
The configuration options for each layer 7 parser
The packet processor and session processor components of the DNA architecture are responsible for parsing the raw packets and producing the various type of Layer 4 output.
The following files contain the Layer 4 object data definitions and sample output:
The Summary Flow output is included as part of the Session processing. Decide which type of output is desired and turn on/off (true/false) the following properties.
OutputType.TCPFlow = false
OutputType.UDPFlow = false
OutputType.TCPSession = true
OutputType.UDPSession = true
The output adapter component of the DNA architecture, encompassing a powerful data dictionary and pluggable resource adaptors, is responsible for transforming processed data objects to a portable format and transmitting them to external resource managers. The output adapter is implemented using the OpenAdaptor open source product.
The location, type and format of the sensor's output are determined by the configuration of OpenAdaptor. The following preconfigured adapter output property files are supplied.
OAFileSink.props Output Sensor data to a file (Default)
OAJMSSink.props Output Sensor data to a JMS Queue
OAMultiFileSink.props Output Sensor data to multiple file (for each record type)
OASQLSink.props Output Sensor data to an SQL database
To change the output, edit the sensor's property file, setting the #include line to the appropriate adaptor property file (the file is looked up in the current directory by default).
#include OAFileSink.props
In addition, two other property files are supplied to retrieve sensor data from data sources. These property files are meant to be used directly with OpenAdaptor. See the OpenAdaptor manual for a description of their use.
SqlSourceToPcap.props Retrieve sensor "raw packets" from an SQL database and write a tcpdump style pcap file.
JMSSourceToSink.props Retrieve Sensor data from a JMS Queue
The application protocol session parser and application protocol parser toolkit components of the DNA architecture are responsible for selecting packets and passing them to the configured protocol parser components.
The protocol parsers are pluggable modules developed to process a specific protocol or handle a specific task.
The following parsers are currently supplied with this release:
HTTP Parser - A simple HTTP Protocol application parser.
Javaclass: isc.sensor.parser.HttpParser
StaticPortPacketCapture - A Parser which captures selected whole packets for evaluating with tools compatible with tcpdump format.
Javaclass: isc.sensor.parser.StaticPortPacketCapture
To install a parser into the sensor’s configuration property file:
Add the parser java class to the AppLayerXXX.Parsers list, where XXX is the protocol. The following will load the HttpParser for TCP only.
AppLayerTCP.Parsers=isc.sensor.parser.HttpParser
AppLayerUDP.Parsers=
Configure the parser properties (see the parser’s javadoc for detail on the options). The following will configure HTTP on ports 80,8008 and 8080, output HTTP Summary records and suppress HTTP detail records.
! HTTP Parser specifics
HttpParser.Ports=80,8008,8080
HttpParser.Flags=24,16
HttpParser.OutputSummary=true
HttpParser.OutputDetail=false
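The Layer 4 OutputType switches, the #include line that selects the output adaptor, and the parser installation steps above all live in one hand-edited property file, so it helps to have something that reads the file back and states what the sensor will actually do. The following is an added example, not part of the dnasystem release or its Java code: POSIX shell functions that parse a file in the format this guide shows (lines starting with "#" or "!" are comments, "#include" names the adaptor file, "key = value" pairs with the last definition winning) and report the selected adaptor, the OutputType entries set to true, the parsers installed per layer, any installed parser that has no <SimpleClassName>.Ports property, and whether remote administration is enabled (Admin.LOCAL_ONLY not true). The sample property text is constructed from the fragments in this guide; the <SimpleClassName>.Ports naming is generalized from HttpParser.Ports and is an assumption of this check.

```shell
#!/bin/sh
# Added example, not part of the dnasystem release: read a DNASensor.props
# style file and report what the sensor will do with it. Handles the
# conventions the guide shows: "#" and "!" comment lines, the #include line
# that selects the output adaptor, and "key = value" pairs (last one wins).

# Constructed sample assembled from the property fragments in this guide.
# The UDP parser is listed deliberately without a Ports property.
SAMPLE_PROPS='#include OAFileSink.props
! Layer 4 output selection
OutputType.TCPFlow = false
OutputType.UDPFlow = false
OutputType.TCPSession = true
OutputType.UDPSession = true
# Installed application-layer parsers
AppLayerTCP.Parsers=isc.sensor.parser.HttpParser
AppLayerUDP.Parsers=isc.sensor.parser.StaticPortPacketCapture
! HTTP Parser specifics
HttpParser.Ports=80,8008,8080
HttpParser.Flags=24,16
HttpParser.OutputSummary=true
HttpParser.OutputDetail=false
Admin.LOCAL_ONLY = true'

# prop_get PROPS KEY  -> prints the trimmed value of KEY (nothing if unset)
prop_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                       # comments and #include
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                     # later definitions win
        }
        END { if (val != "") print val }'
}

# included_adaptor PROPS  -> prints the adaptor property file named by #include
included_adaptor() {
    printf '%s\n' "$1" | awk '/^#include[ \t]+/ { print $2 }'
}

# enabled_outputs PROPS  -> prints each OutputType.* set to true, prefix removed
enabled_outputs() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*[#!]/ { next }
        $1 ~ /^[ \t]*OutputType\./ {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (v == "true") { sub(/^OutputType\./, "", k); print k }
        }'
}

# parsers PROPS LAYER  -> one parser class per line from AppLayer<LAYER>.Parsers
parsers() {
    prop_get "$1" "AppLayer$2.Parsers" | tr ',' '\n' | sed '/^[[:space:]]*$/d'
}

# parser_issues PROPS  -> one line per installed parser that has no
# <SimpleClassName>.Ports property. The guide shows this naming for
# HttpParser.Ports; applying it to every parser is an assumption of this check.
parser_issues() {
    for layer in TCP UDP; do
        for cls in $(parsers "$1" "$layer"); do
            name=${cls##*.}
            [ -n "$(prop_get "$1" "$name.Ports")" ] \
                || echo "$layer parser $cls has no $name.Ports property"
        done
    done
}

# remote_admin_enabled PROPS  -> 0 unless Admin.LOCAL_ONLY is true, i.e. the
# shutdown and logging commands of the admin client are reachable over JNDI
remote_admin_enabled() {
    [ "$(prop_get "$1" Admin.LOCAL_ONLY)" != "true" ]
}

# Stand-alone demonstration on the constructed sample.
echo "output adaptor : $(included_adaptor "$SAMPLE_PROPS")"
echo "layer 4 outputs: $(enabled_outputs "$SAMPLE_PROPS" | tr '\n' ' ')"
echo "TCP parsers    : $(parsers "$SAMPLE_PROPS" TCP | tr '\n' ' ')"
parser_issues "$SAMPLE_PROPS"
if remote_admin_enabled "$SAMPLE_PROPS"; then
    echo "remote administration is enabled"
fi
```

To check the shipped configuration, pass the file contents: parser_issues "$(cat ./config/DNASensor.props)". Only the "=" separator is handled, which is the one this guide uses; the remote_admin_enabled result is worth confirming whenever the JNDI properties from the naming server section are switched on, since the admin client can stop the sensor.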
The DNA_adminClient java client allows the sensor to be administered remotely. Current administration commands supported are:
Issue a shutdown sequence to the DNA_sensor
Change the log4j logging
Start from a shell window (or dos shell)
Run the command ./scripts/admin.sh -h (.\scripts\admin.bat for dos)
Help - use option:
  [-s time] stop server, time = seconds, time=-1 will force stop
  [-h] print this help message
  [-c file] specify config file location, [default=$CWD/config.cfg]
  [-l logging property] specify the logging property in java.lang.properties form (property=value)
Choose the -s options to stop the sensor daemon
./scripts/admin.sh -s 0
Choose the -l option to change a logging property (turn logging on/off, etc). See log4j for details on logging.
./scripts/admin.sh -l log4j.category.isc.main=debug
The system is currently in compiled form under ./jars directory. The source code requires Apache Ant (http://ant.apache.org/) to compile.
ant -projecthelp
will list all build targets in build.xml.
The dnasystem is Copyright 2005 by John A. Casey and licensed under the GPL as described in the following files in the install directory:
./LICENSE
./NOTICE
The dnasystem acknowledges the following open source software contributions:
Virtual Services - http://www.savarese.org/
winpcap - http://www.winpcap.org/
OpenAdaptor - http://www.openadaptor.org/
netfilter - http://www.netfilter.org/
Email to: jcasey5366_at_sourceforge_dot_net