Solution that adequately services 14 campus locations across the province of Nova Scotia.

The Implementation
• Budget of under $15,000 (Software and Hardware)
• Producing useful results within 4 weeks
• Modular and scalable
• Low maintenance
Flow-tools
- Analysis with Sguil (TCL/TK)
- Web based Analysis and Reports (PHP/Bash/TCL)

Third Party Product Integration (Examples)
- McAfee ePolicy Orchestrator
- Userlock

Sensor and Server Design
- OS and Software
- Hardware
- Deployment
Rule Options
alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; flags:R; classtype:misc-activity; sid:1000001; rev:1;)
• Alert Message
• When to Fire
• Action
• Protocol
• Source/Destination Address and Ports
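To make the anatomy of that rule concrete, here is an added example (not part of the slide deck, and not Snort's own parser) that splits a Snort rule into its header fields (action, protocol, source and destination address/port, direction) and its option map, then lints it for the mistakes that commonly creep into hand-written local rules: option keywords that are not lowercase, missing msg/sid/rev, non-numeric sid or rev, and a sid below 1,000,000 (the range conventionally reserved for distributed rule sets rather than local rules). The function names, the port grammar it accepts, and the sample rule string are the example's own assumptions, with the sample rule taken from the slide and written with straight quotes and a lowercase classtype keyword.

```python
import re

# Constructed sample: the VPN rule from the slide, written with straight quotes
# and the lowercase "classtype" keyword that Snort expects.
SAMPLE_RULE = ('alert tcp any 1723 -> any any '
               '(msg:"VPN - Connection Failed"; flags:R; '
               'classtype:misc-activity; sid:1000001; rev:1;)')

HEADER_FIELDS = ("action", "protocol", "src_addr", "src_port",
                 "direction", "dst_addr", "dst_port")
VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
VALID_DIRECTIONS = {"->", "<>"}
LOCAL_SID_MIN = 1_000_000   # convention: SIDs below this belong to distributed rule sets


def split_options(body: str) -> list:
    """Split 'key:value; key; ...' on ';' while leaving quoted values intact."""
    items, buf, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    if in_quote:
        raise ValueError("unterminated quoted string in rule options")
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    return [i for i in items if i]


def parse_rule(rule: str) -> dict:
    """Return {'header': {...}, 'options': {...}, 'order': [...]} for one rule."""
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    head, body = rule[:-1].split("(", 1)
    parts = head.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"header has {len(parts)} fields, expected {len(HEADER_FIELDS)}")
    header = dict(zip(HEADER_FIELDS, parts))
    options, order = {}, []
    for item in split_options(body):
        key, _, value = item.partition(":")      # bare keywords (e.g. nocase) get value ""
        key, value = key.strip(), value.strip()
        if value.startswith('"') and value.endswith('"') and len(value) >= 2:
            value = value[1:-1]
        options[key] = value
        order.append(key)
    return {"header": header, "options": options, "order": order}


def port_ok(port: str) -> bool:
    """Accept 'any', a single port, a low:high range (optionally negated), or a [list]."""
    if port == "any" or port.startswith("["):
        return True
    return bool(re.fullmatch(r"!?(\d{1,5})?(:\d{1,5})?", port)) and port not in ("", "!")


def lint_rule(rule: str) -> list:
    """Return a list of problems a rule author should fix (empty when the rule is clean)."""
    try:
        parsed = parse_rule(rule)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    h, o = parsed["header"], parsed["options"]
    if h["action"] not in VALID_ACTIONS:
        problems.append(f"unknown action '{h['action']}'")
    if h["protocol"] not in VALID_PROTOCOLS:
        problems.append(f"unknown protocol '{h['protocol']}'")
    if h["direction"] not in VALID_DIRECTIONS:
        problems.append(f"bad direction '{h['direction']}'")
    for field in ("src_port", "dst_port"):
        if not port_ok(h[field]):
            problems.append(f"bad {field} '{h[field]}'")
    for key in parsed["order"]:
        if key != key.lower():
            problems.append(f"option keyword '{key}' must be lowercase")
    for required in ("msg", "sid", "rev"):
        if required not in o:
            problems.append(f"missing required option '{required}'")
    for num in ("sid", "rev"):
        if num in o and not o[num].isdigit():
            problems.append(f"'{num}' must be an integer")
    if o.get("sid", "").isdigit() and int(o["sid"]) < LOCAL_SID_MIN:
        problems.append(f"sid {o['sid']} is in the range reserved for distributed rules")
    return problems


if __name__ == "__main__":
    print(parse_rule(SAMPLE_RULE))
    print("problems:", lint_rule(SAMPLE_RULE) or "none")
```

Running the linter over a local.rules file before reloading the sensor catches the casing slip (Classtype instead of classtype) that would otherwise make Snort reject the rule at startup, and the sid check keeps locally written rules from colliding with IDs used by downloaded rule sets.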
common property)

flow-tools: A toolset for working with NetFlow Data
Components
• fprobe - Export flows
• flow-capture - Collect and store
• flow-cat, flow-print - Merge and print
• flow-filter, flow-nfilter, flow-stat, flow-report - Process based on filters or report definitions

Data Collection
awareness
- Best practice is not awareness
• Robust Solutions
- Lower TCO*
- Not second rate
• Unique development possibilities
- perpetuates research
- hones existing skills
- Inbound from Admins to SSH default port 22 (limit this)
- Outbound to Server

Server
- Inbound from Sensors to Sguil default port 7736
- Inbound from Clients (techs) to Sguil default port 7734 (limit this)
- Inbound from Sensors to MySQL default port 3306
- Inbound from Admins to SSH default port 22 (limit this)
- Outbound to Sensors