build your own sie
play

Build Your Own SIE Oct 22, 2012 Baltimore, MD Eric Ziegast - PowerPoint PPT Presentation

Jul 10, 2023 •131 likes •372 views

Build Your Own SIE Oct 22, 2012 Baltimore, MD Eric Ziegast <info@sie.isc.org> Monday, October 22, 2012 Agenda Limited Scope (internal only - no policy stuff) Hardware Infrastructure concepts nmsgtool Q&A

  1. Build Your Own SIE Oct 22, 2012 Baltimore, MD Eric Ziegast <info@sie.isc.org> Monday, October 22, 2012

  2. Agenda • Limited Scope  (internal only - no policy stuff) • Hardware • Infrastructure concepts • nmsgtool • Q&A Monday, October 22, 2012

  3. Hardware • SIE Switch  Many will fail over to broadcast traffic  Some that work • D-Link DGS-3026 (early, had issues) • Extreme Networks x450a-24t (production • Cisco 3750X (in beta) • Servers  2 or more 2.0GHz amd64 cores  lots of ram  Intel server-grade GigE NICs 3 Monday, October 22, 2012

  4. ISC SIE Infrastructure - Sensors - Sensor upload relays - Inter-node relays - Participants Monday, October 22, 2012

  5. Functionality / roles • SIE switch  partition VLANs  broadcast data  trunk to other switches • Sensor  collect data (ethernet tap, stream input)  upload: • dump to file regularly, rsync, ssh • broadcast directly to channel • relay over network to another nmsgtool 5 Monday, October 22, 2012

  6. Functionality / roles • Inter-node relay  Listen to VLAN and rebroadcast to another nmsgtool on remote side (lossy)  Dump to file, rsync to other side, replay (no loss, but might delay or clog) • Participants  Listen to data off the wire or broadcast  Dump to file for batch processing, or multi- threaded programmng to process in real time  Relay into server or off server to remote processing 6 Monday, October 22, 2012

  7. Functionality / roles • Participants (properties)  Loosely coupled multi-processor 7 Monday, October 22, 2012

  8. VLANs (Cisco) interface GigabitEthernet1/0/48 description SPLIT2 switchport trunk encapsulation dot1q switchport trunk allowed vlan 7,14,25,26,80,81,201-204,206-209 switchport mode trunk interface GigabitEthernet1/0/7 desciption mc7.sie switchport trunk encapsulation dot1q switchport trunk allowed vlan 7,14,25,80 switchport mode trunk interface GigabitEthernet1/0/8 description mc8.sie switchport trunk encapsulation dot1q switchport trunk allowed vlan 7,14,25,80,202-204,206-208 switchport mode trunk Monday, October 22, 2012

  9. VLANs (Extreme) create vlan "sie-ch7" configure vlan sie-ch7 tag 7 ...etc... create vlan "sie-ch209" configure vlan sie-ch209 tag 209 configure ports 7 display-string mc7.sie configure ports 8 display-string mc8.sie configure ports 48 display-string SPLIT2 configure vlan sie-ch7 add ports 7-8, 48 tagged configure vlan sie-ch14 add ports 7-8, 48 tagged configure vlan sie-ch25 add ports 7-8, 48 tagged configure vlan sie-ch26 add ports 48 tagged configure vlan sie-ch80 add ports 7-8, 48 tagged configure vlan sie-ch81 add ports 48 tagged configure vlan sie-ch201 add ports 48 tagged configure vlan sie-ch202 add ports 7, 48 tagged ...etc... configure vlan sie-ch208 add ports 7, 48 tagged configure vlan sie-ch209 add ports 48 tagged Monday, October 22, 2012

  10. VLANs (servers) Linux: ip link add link eth1 name eth1.209 type vlan id 209 ip link set up eth1 mtu 9000 vconfig add eth1 209 ip addr add 10.0.209.18/24 dev eth1.209 eth1.7 inet addr:10.255.1.18 Bcast:0.0.0.0 Mask:255.255.255.0 eth1.14 inet addr:10.0.14.18 Bcast:0.0.0.0 Mask:255.255.255.0 ...etc... eth1.209 inet addr:10.0.209.18 Bcast:0.0.0.0 Mask:255.255.255.0 BSD: ifconfig create vlan 209 vlandev em1 vlan7: inet 10.255.1.18 netmask 0xffffff00 broadcast 10.255.1.255 � vlan: 7 parent interface: em1 vlan14: inet 10.0.14.18 netmask 0xffffff00 broadcast 10.0.14.255 � vlan: 14 parent interface: em1 vlan209: inet 10.0.209.18 netmask 0xffffff00 broadcast 10.0.209.255 � vlan: 209 parent interface: em1 Study our auto-config script: http://rsfcode.isc.org/git/sie-update/tree/sie-update Monday, October 22, 2012

  11. nmsgtool • NMSG  read/write from UDP • unicast (remote copy) • broadcast (SIE switch)  read/write from 0mq ( Unix or TCP sockets )  read/write from files in NMSG binary  print presentation output  read presentation output 11 Monday, October 22, 2012

  12. nmsgtool Receiving messages off the switch: [-C channel] or --readchan read nmsg data from socket(s) [-l so] or --readsock read nmsg data from socket (addr/port) See: (/usr/local)/etc/nmsgtool.chalias -C ch25 == -l 10.0.25.255/8430 -l 10.0.25.255/9430 [-c count] or --count stop or reopen after count payloads output Example: nmsgtool -C ch202 -o - -c 5 12 Monday, October 22, 2012

  13. nmsgtool Capturing data: [-i if[+][,snap]] or --readif read pcap data from interface ('+' = promisc) [-p file] or --readpcap read pcap data from file [-b filter] or --bpf filter pcap inputs with this bpf [-V vendor] or --vendor vendor [-T msgtype] or --msgtype message type Darknet relay example: nmsgtool -V ISC -T pkt -i sie.14+ -m 1280 \ -s ${REMOTE_SERVER_IP}/50140 -z 13 Monday, October 22, 2012

  14. nmsgtool SIE DNS sensor: NMSG_KICKER=/usr/local/lib/sie/sie-kicker ch202 DNSQR_CAPTURE_RD=0 DNSQR_RES_ADDRS=149.20.XX.YY, 2001:4f8:ZZ:XX::YY ARGV_NMSGTOOL= -i rl0 -V ISC -T dnsqr -z -t 60 -w /var/spool/sie/new/ch202/XX.isc.org /usr/local/bin/nmsgtool -D -P /var/run/sie_dns_sensor.pid Take a look at scripts included with sie-dns-sensor on rsfcode.isc.org or these: ftp://ftp.isc.org/isc/nmsg/misc/sie-scripts/ 14 Monday, October 22, 2012

  15. nmsgtool Cheating to create messages from text input: [-f file] or --readpres read pres format data from file [-V vendor] or --vendor vendor [-T msgtype] or --msgtype message type Event injection example (old ch21): #!/bin/sh REASON=$1 NMSGTOOL="nmsgtool -V sie -T reputation -f - \ --setsource $NMSG_ID -s 10.0.21.255/8430" while read ip do $NMSGTOOL <<EOF type: ADDRESS address: $ip tag: aa419_ddos_add value: $REASON EOF done 15 Monday, October 22, 2012

  16. nmsgtool Writing them to files: [-w file] or --writenmsg write nmsg data to file [-z] or --zlibout compress nmsg output [-c count] or --count stop or reopen after count payloads output [-t secs] or --interval stop or reopen after secs have elapsed [-k cmd] or --kicker make -c, -t continuous; run cmd on new files Writes files every 15 minutes and processes: nmsgtool -C ch113 -w /data/ch204 -z -t 900 -k convert2csv.sh The convert2csv.sh script gets $1 set as file argument 16 Monday, October 22, 2012

  17. nmsgtool Rebroadcasting them: [-s so[,r[,f]]] or --writesock write nmsg data to socket (addr/port) [-m mtu] or --mtu MTU for datagram socket outputs [--mirror] mirror payloads across data outputs [--unbuffered] don't buffer writes to outputs Take a file and spit it out to a channel: nmsgtool -r FILE -s 10.0.113.255/8430,10000,1000 --unbuffered Stripe it across multiple USP ports: nmsgtool -r FILE --unbuffered \ -s 10.0.113.255/8430,10000,1000 \ -s 10.0.113.255/8431,10000,1000 Mirror it to another port: nmsgtool -r FILE --unbuffered --mirror \ -s 10.0.113.255/8430,10000,1000 \ -s 127.0.0.1/8430 17 Monday, October 22, 2012

  18. nmsgtool Misc: [--getsource sonum] only process payloads with this source value [--getoperator opname] only process payloads with this operator value [--getgroup grname] only process payloads with this group value [--setsource sonum] set payload source to this value [--setoperator opname] set payload operator to this value [--setgroup grname] set payload group to this value 18 Monday, October 22, 2012

  19. Relay uploader Used to run chroot sshd+rsync or sftp server on FreeBSD. Maintained custom script to take an upload and queue uploaded FILEs for “nmsgtool -r FILE -s IP/PORT” playback. Now: http://rsfcode.isc.org/git/isc-sleigh/ isc-sleigh: Debian-based minimal privilege rsync/ssh file service ----------------------------------------------------------------- sleigh is a utility for automatically setting up a multi-user minimal privilege rsync-over-ssh file submission service on Debian-based systems. The sleigh Debian package ships a dedicated sshd_config file and runit service directory. Authentication is public key based, with public keys stored outside of chroot user home directories in the directory /etc/sleigh/authorized_keys.d. Individual users and "queues" (per-user writeable upload directories) are configured with the "sleigh" command line utility. sleigh makes use of the Debian libnss-extrausers package in order to avoid modifying the main /etc/passwd and /etc/group databases, and also depends on the isc-rsync-static and isc-rsync-server-wrapper packages, which are available from http://rsfcode.isc.org/. 19 Monday, October 22, 2012

  20. ISC SIE Properties (cont.) - Loosely Coupled Multi Processor - Open sourced data - making intermediate products available 20 Monday, October 22, 2012

  21. Build Your Own Internally - Get a switch - We use Extreme Networks x450a-24t - Testing Cisco 3750X - Configure VLANs - Find data - nmsgtool sensors JSON, XML, sie-dns-sensor - darknet arp vrf onto switch - sinkhole httpk null web server - netflow nfdump + nfreplay to roadcast address 21 Monday, October 22, 2012

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

self build housing Ted Stevens NaSBA Chair What is Self/Custom Build? Who does it/what is

self build housing Ted Stevens NaSBA Chair What is Self/Custom Build? Who does it/what is

New ways of delivering self build housing Ted Stevens NaSBA Chair What is Self/Custom Build? Who does it/what is changing? The New Self Build Policy Why Support Self Build? The Self Build Revolution so Far Some Case Studies What is Self

960 views • 56 slides
Build-Finance or Design-Build-Finance Transportation Projects Types of P3s Design-Build (DB)

Build-Finance or Design-Build-Finance Transportation Projects Types of P3s Design-Build (DB)

Build-Finance or Design-Build-Finance Transportation Projects Types of P3s Design-Build (DB) D B Asset Management Contract R M Design-Build-Finance (DBF) F Design-Build-Operate-Maintain (DBOM) Increasing Private Sector Role

218 views • 19 slides
Build Build Build Build System building The process of compiling and linking software

Build Build Build Build System building The process of compiling and linking software

Build Build Build Build System building The process of compiling and linking software components into an executable system Different systems are built from different combinations of components Invariably supported by automated

557 views • 20 slides
Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden Build It, Break It, Fix It SS

Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden Build It, Break It, Fix It SS

Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden Build It, Break It, Fix It SS 17 Today Introduction n Theoretical Part: How to Build Secure Software n Brief Problem Overview n Setup HowTo for Phase I n 2 Prof. Eric

610 views • 50 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Best Practices and lessons learned about the Design Build process 2 3 Includes the

Best Practices and lessons learned about the Design Build process 2 3 Includes the

Design Build versus the traditional Design Bid Build process The benefits of using the Design Build process Maximizing DBE Program participation under the Design Build process Required special provisions and DBE goal setting

460 views • 35 slides
BUILD BUILD BUILD Nigerias Infrastructure Space Opportunities &amp; Challenges PRESENTATION

BUILD BUILD BUILD Nigerias Infrastructure Space Opportunities &amp; Challenges PRESENTATION

BUILD BUILD BUILD Nigerias Infrastructure Space Opportunities &amp; Challenges PRESENTATION BY THE INFRASTRUCTURE CONCESSION REGULATORY COMMISSION AT THE 1ST ISTANBUL PPP WEEK, 2015. ISTANBUL, TURKEY Engr. Chidi Izuwah Ag. DIRECTOR

774 views • 46 slides
Can we build a complete set of tools ? RT Can we build a complete set of tools ? RT Spectra,

Can we build a complete set of tools ? RT Can we build a complete set of tools ? RT Spectra,

Can we build a complete set of tools ? RT Can we build a complete set of tools ? RT Spectra, Images Channel maps Interfero: nIR + mm (CASA) SEDs Herschel, ALMA, PIONIER/Gravity, JWST, SPICA ALMA, SPHERE/GPI Can we build a

756 views • 28 slides
Media actions to increase the visibility of BUILD UP and its Partners Gilles VAILLE BUILD UP

Media actions to increase the visibility of BUILD UP and its Partners Gilles VAILLE BUILD UP

Media actions to increase the visibility of BUILD UP and its Partners Gilles VAILLE BUILD UP Users and Stakeholders Committee Brussels, 25 June 2010 BUILD UP Public Relations Desk Table of contents Webvertising actions Promotional

403 views • 16 slides
Build Engineering Build Engineering Evolution in Managing OS Pete Garcin , Senior Product

Build Engineering Build Engineering Evolution in Managing OS Pete Garcin , Senior Product

Build Engineering Build Engineering Evolution in Managing OS Pete Garcin , Senior Product Manager, ActiveState Shaun Lowry , Build Engineering Lead, ActiveState Build Engineering and its Role in Managing Open Source Build Engineering

688 views • 36 slides
You build it, you run it Matthias Rampke, SoundCloud You build it, you run it Operating

You build it, you run it Matthias Rampke, SoundCloud You build it, you run it Operating

You build it, you run it Matthias Rampke, SoundCloud You build it, you run it Operating SoundCloud's microservice architecture GOTO Berlin 2016 Intro: me Who I am and where I work Engineer in Production Engineering (platform, monitoring,

583 views • 32 slides
We cant always build the fvture for our youth, but we can build our youth for the fvture.

We cant always build the fvture for our youth, but we can build our youth for the fvture.

We cant always build the fvture for our youth, but we can build our youth for the fvture. - Franklin D. Roosevelt Student Interest in AT/PT TOP 10 CAREER CHOICET FOR GENERATION Z As a society, we must take the question of, What

483 views • 35 slides
Design-Build Presentation Objectives- Why Design-Build? What is the rush? What is the

Design-Build Presentation Objectives- Why Design-Build? What is the rush? What is the

22420 US 550-US160 Connection South Design-Build Presentation Objectives- Why Design-Build? What is the rush? What is the Difference How does that affect How I contribute My insurance Methods of Project Delivery CDOTs

321 views • 20 slides
WE BUILD &amp; WEB APP We build elegant and functional solutions We deliver apps essentials at

WE BUILD &amp; WEB APP We build elegant and functional solutions We deliver apps essentials at

WE BUILD &amp; WEB APP We build elegant and functional solutions We deliver apps essentials at your fjnger using Ruby on Rails, node.js, Angular JS and tips. Functional, fmawless and easy to use. more. SEO APP We build elegant and

410 views • 10 slides
Build a Geant4 application Geant4 tutorial Application build process 1) Properly organize your

Build a Geant4 application Geant4 tutorial Application build process 1) Properly organize your

JUNO GEANT4 SCHOOL Beijing ( ) 15-19 May 2017 Build a Geant4 application Geant4 tutorial Application build process 1) Properly organize your code into directories 2) Prepare a CMakeLists.txt file 3) Create a build directory and run

384 views • 10 slides
ABF as a Development Framework with ARM-powered Build Nodes by the example of OpenMandriva

ABF as a Development Framework with ARM-powered Build Nodes by the example of OpenMandriva

ABF as a Development Framework with ARM-powered Build Nodes by the example of OpenMandriva 2014.0 / Cooker armv7hl Alexander Khryukin (OpenMandriva) ABF - Automated Build Farm Main purposes: Build packages and ISO images for various

172 views • 13 slides
Research in an Open Cloud Exchange CLOUD COMPUTING IS HAVING A DRAMATIC IMPACT On-demand

Research in an Open Cloud Exchange CLOUD COMPUTING IS HAVING A DRAMATIC IMPACT On-demand

Research in an Open Cloud Exchange CLOUD COMPUTING IS HAVING A DRAMATIC IMPACT On-demand access Economies of scale All compute/storage will move to the cloud? Todays IaaS clouds One company responsible for implementing and

1.11k views • 65 slides
Talk Outline Core Computation for Data Exchange 1. Preliminaries Vadim Savenkov 2. Computing

Talk Outline Core Computation for Data Exchange 1. Preliminaries Vadim Savenkov 2. Computing

Talk Outline Core Computation for Data Exchange 1. Preliminaries Vadim Savenkov 2. Computing the core Vienna University of Technology DEIS 2010 November 9, 2010 Preliminaries: Labeled nulls and homomorphisms Embedded implicational

302 views • 5 slides
LHC Open Network Environment LHC Open Network Environment LHC ONE Artur Barczyk California

LHC Open Network Environment LHC Open Network Environment LHC ONE Artur Barczyk California

LHC Open Network Environment LHC Open Network Environment LHC ONE Artur Barczyk California Institute of Technology California Institute of Technology GLIF Technical Working Group Meeting Hong Kong, February 25 th , 2011 g g, y , 1 2

779 views • 28 slides
Topic 9 Using Objects, Interactive Programs and Loop Techniques &quot; There are only two kinds

Topic 9 Using Objects, Interactive Programs and Loop Techniques &quot; There are only two kinds

Topic 9 Using Objects, Interactive Programs and Loop Techniques &quot; There are only two kinds of programming languages: those people always [complain] Objects and Classes about and those nobody uses.&quot; Bjarne Stroustroup, creator of

398 views • 12 slides
LHC Open Network Environment LHC ONE Artur Barczyk David Foster Caltech

LHC Open Network Environment LHC ONE Artur Barczyk David Foster Caltech

LHC Open Network Environment LHC ONE Artur Barczyk David Foster Caltech CERN April, 2011 INTRODUCTION Overview Started with Workshop on Transatlantic Connectivity for LHC experiments June 2010 @ CERN

388 views • 21 slides
Overview Course overview and administrative issues 15-441/641: Computer Networks

Overview Course overview and administrative issues 15-441/641: Computer Networks

8/26/2019 Overview Course overview and administrative issues 15-441/641: Computer Networks Packet-switched networking fundamentals Introduction The Web as a motivating application (P1 preview) How to build an Internet: the

993 views • 19 slides
Scott A. Klasky klasky@ornl.gov Collaborators from SDM Center, CPES, GPSC, GSEP, Sandia, ORNL

Scott A. Klasky klasky@ornl.gov Collaborators from SDM Center, CPES, GPSC, GSEP, Sandia, ORNL

Fourth Workshop on Ultrascale Visualization 10/28/2009 Scott A. Klasky klasky@ornl.gov Collaborators from SDM Center, CPES, GPSC, GSEP, Sandia, ORNL H. Abbasi, J. Cummings, C. Docan,, S. Ethier, A Kahn, Q. Liu, J. Lofstead, P. Mouallem, M.

728 views • 27 slides
VAULT MODERN SECRETS MANAGEMENT CLICK ENGAGE TO RATE SESSION RATE 12

VAULT MODERN SECRETS MANAGEMENT CLICK ENGAGE TO RATE SESSION RATE 12

VAULT MODERN SECRETS MANAGEMENT CLICK ENGAGE TO RATE SESSION RATE 12 SESSIONS AND GET THE SUPERCOOL GOTO PRIZE SETH VARGO @sethvargo SECRET MANAGEMENT WHAT IS &quot;SECRET&quot;? SECRET VS. SENSITIVE SECRET

2.86k views • 65 slides

More recommend