NetSA Portal For Linux

NetSA (Network Situational Awareness) Portal is a web-based tool for presenting network data and analysis results obtained from NAF, YAF, SiLK and other analysis tools (such as relational databases). The Portal uses RAVE to manage analysis results.

The portal provides its capabilities in modules; adding new capabilities to the portal is a matter of adding a new module (and a corresponding set of analyses in RAVE).

The NetSA Portal software and analyses are released under the GPL.

Requirements:

� SiLK 0.11.7 � Python 2.4.4 � RAVE 1.9.5 � Python Imaging Library (PIL) 1.1.6 � numpy 1.0.2 � scipy 0.5.2 � matplotlib 0.90.0 � PostgreSQL 8.2.4 � psycopg2 2.0.6 � mod_python 3.3.1

$ python install.py install --prefix=${prefix}

This will create several subdirectories under ${prefix}. ${prefix}/htdocs will be served by your web server. ${prefix}/analyses will be served by RAVE.

In ${prefix}/etc, you will find a number of template files which have had as much information as possible placed into them. Some of these files should be installed in other portions of the system.

portal.conf.sample should be placed in /etc/portal.conf NOTE: There are a number of items in this file that absolutely should be changed for your site. Specifically, site_name must be changed. The sensor_groups and sensor_display_groups and so on should be changed to match your locally installed sensor names.

portal-httpd.conf should be loaded into your Apache HTTP server. On some systems, this may be done by placing the file into an /etc/httpd/conf.d directory. On other systems, you might choose to add an Include directive to include this file from the portal install directory.

raved.init is an init script that should be run at startup time in whatever way is appropriate for your system. start-raved can also be used to run it by hand instead of as a service.

All of the other configuration files in this directory are read directly by the portal system and do not need to be installed elsewhere.

You should also read the installation instructions in doc/port_database/README-sql in order to correctly configuring the PostgreSQL database for this sub-system.

Make sure to restart your Apache HTTP server and start RAVE, and the system should be oprational.

The install.py script in this directory handles installation of the system. The following flags and optional arguments are allowed by install.py:

You can give this script a --prefix argument to specify where the portal should be installed. You may optionally give it an --htdocs-prefix argument to specify a different location from the default for the HTML document directory to be installed. You may also use --root to specify an overall replacement root directory, for certain specialized installations.

The --debug switch will display more verbose information while processing.

By using --force-install, you may tell the system to ignore the results of checking for required software and install anyway.

In addition to the configuration parameters listed above, you must also give one or more commands to install.py. The following commands are implemented:

"check" runs automated tests to determine whether software that the portal requires is installed and behaving correctly. Check will run automatically if you ask for an install.

"check-analysis" and "check-web" run checks for the portions of the software that will be used on analysis or web host machines. See details below regarding "split installation".

"install" installs the software underneath the chosen directory prefix. If --htdocs-prefix is given, HTML documents will be installed at a different location (perhaps under the document root of your web server.)

"install-analysis" and "install-web" separately install the components required for an analysis or web host machine, respectively. See details below regarding "split installation".

"link" sets up symlink trees all of the installation areas in the source area, which is an appropriate style of installation for development purposes. See doc/developing.txt for more details.

"clean" removes the symlink trees produced by "link".

If you make changes to the installation, you should do it *only* under the ${prefix}/modules/ subdirectory, specifically in modules you create yourself. If you make changes in ${prefix}/analyses/ or other install locations, then the next time the "install" command is run (for an upgrade, for example), those changes will be destroyed.

If you make changes to the configuration files under ${prefix}/etc/, however, these changes are guaranteed not to be overwritten by a later installation of the portal. As a result, you should be sure to read through the upgrade notes in any future version of the portal software in order to be sure you add appropriate configuration information for new features.

In order to maintain a greater separation between potentially sensitive flow data and web users, some people prefer to run the analysis software (which requires direct access to flow data) and the web server software (which does not) on separate machines.

In order to install in this sort of environment, you should use the install-analysis command on the analysis host, and the install-web command on the web server host. Make sure that you keep /etc/portal.conf the same across both machines, and that RAVE is installed on both machines.

There are two separate portal-httpd.conf files for the split installation. portal-httpd-split-web.conf contains the configuration needed for the web server host, while portal-httpd-split-analysis.conf contains the configuration for the analysis host.

Also make sure that the portal-httpd.conf file on the web host is configured to look for the RAVE service in the correct location. (The portal.proxy.rave-service URL should point at the analysis host, and the appropriate port on that host should allow access from the web host.)

You may also wish to change the URL_BASE in raved.init and start-raved to use https instead of http in a split configuration, so that this information does not transit wires in the clear.

Core system: mod_python 3.3.1 Python 2.4.4 RAVE 1.9.5

network_map module: Python Imaging Library (PIL) 1.1.6 SiLK 0.11.7

port_database module: matplotlib 0.90.0 PostgreSQL 8.2.4 psycopg2 2.0.6 SiLK 0.11.7

sensor_health module: SiLK 0.11.7

watchlists module: numpy 1.0.2 Python Imaging Library (PIL) 1.1.6 scipy 0.5.2 SiLK 0.11.7