Network managers at Middlebury College in Vermont have created an open source application that watches entries in log files, analyzes them and triggers actions such as alerting administrators, quarantining a user, or shutting down a switch port.
The application, dubbed Privateye, automates a large chunk of network security management activities by exploiting capabilities that are already found in common applications, including firewalls and intrusion-prevention systems (IPS), and in a network of managed switches.
A big part of Privateye's appeal is its relative simplicity. Two IT staffers at the college wrote the program in PHP, a widely used scripting language.
The program collects information about security events from log entries routinely kept by such systems as the campus network registration application, the firewall and the IPS. A set of rules, also written in PHP, deciphers each event, checks it against threshold settings, and carries out the alerts or remedial actions automatically.
Privateye addresses a need that became apparent when the college installed Bradford Networks' Campus Manager registration application and an enterprise IPS, says Michael Halsall, network security administrator and Privateye co-author. He declined to name the IPS vendor.
"After the first day of getting IPS alerts, and coordinating the IP addresses with people and their machines in the [Bradford] registration system, that got old real fast," he says.
Halsall and a Middlebury graduate intern, Graeme Connell, wrote Version 1.0 of Privateye, essentially a log parser that works in three basic steps.
First, Privateye ingests input from sources such as the IPS, picking up each new entry written to a log file or forwarded by a central logging server. It can also accept data directly over a raw TCP connection from other boxes, Halsall says. At Middlebury, other feeds come from a network sniffer program and from Campus Manager. Privateye parses each entry into fields, such as severity, source IP address, destination port and user name, then groups and counts the entries within a time window. This means Privateye can be programmed to act when a threshold has been crossed: five occurrences of an event in five minutes, for instance.
At this point, Privateye takes the second step of applying a list of rules to the entry groups. These are written in PHP and follow an if-then pattern: if X is present, then do Y.
In the third step, Privateye's scripts take action: they call an application, telnet to a firewall and drive it with a Perl script to block an IP address, or contact a managed switch to move the PC to a quarantine virtual LAN (VLAN) called the Penalty Box. (Telnet carries the firewall's login credentials in cleartext, so that hop belongs on an isolated management network or should be replaced with SSH.)
A good example of Privateye in action at Middlebury is how it manages the chronic problem of botnets: computers infected by malicious code and remotely controlled by an attacker.
A student gets a spoofed AOL instant message containing a Trojan that enlists his PC in a botnet. Middlebury's IPS sees the infection and creates an alert. Privateye collects the alert, processes it through the rule base, and does a lookup on Campus Manager to associate the user ID with the IP address and media access control (MAC) address.
Privateye then sends an SNMP trap to Campus Manager, which flips the PC into a quarantine VLAN, creates an explanatory Web page for the PC user and notifies the campus help desk. All this activity and data are recorded in Privateye's MySQL database, which is open to network administrators and the help desk, allowing staff to work with the user to disinfect the computer, update security patches and software, and release the PC from quarantine.
In the past this was an entirely manual process, including detecting the botnet infection. Just disinfecting the client usually took about 15 minutes. In the first four months of 2006, there were 178 machines infected by botnet activity. "Fifteen minutes times 178 machines adds up," Halsall says. Now botnet detection is almost instantaneous, and Privateye largely automates the entire process, with the disinfecting handled in a few minutes by help desk staff.
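The three steps described above and the botnet workflow, walked through as one added example. This is not Privateye's code: it is Python rather than the project's PHP, and the IPS line format, the registration table, the rule names and the action names are all constructed here. The "quarantine" action only writes a record where the real tool sends an SNMP trap to Campus Manager; no switch or SNMP agent is touched.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, hypothetical IPS line format (not any real vendor's):
#   "<date> <time> IPS <severity> sig=<signature> src=<ip> dst=<ip>:<port>"
IPS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) IPS (?P<severity>\w+) "
    r"sig=(?P<sig>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed registration table standing in for the Campus Manager lookup
# (IP -> MAC -> user). Every value is invented.
REGISTRATION = {
    "10.5.12.77": {"mac": "00:11:22:33:44:55", "user": "jdoe"},
    "10.5.12.90": {"mac": "00:11:22:33:44:66", "user": "asmith"},
}

# Constructed sample feed: one botnet alert from .77, a port-scan burst from .90,
# a late scan outside the window, and one line that is not an IPS event at all.
SAMPLE_LOG = """\
2006-04-03 09:00:01 IPS low sig=PORTSCAN src=10.5.12.90 dst=10.5.1.1:22
2006-04-03 09:01:10 IPS low sig=PORTSCAN src=10.5.12.90 dst=10.5.1.2:22
2006-04-03 09:02:05 IPS low sig=PORTSCAN src=10.5.12.90 dst=10.5.1.3:22
2006-04-03 09:03:30 IPS low sig=PORTSCAN src=10.5.12.90 dst=10.5.1.4:22
2006-04-03 09:04:00 IPS high sig=BOTNET-IRC-JOIN src=10.5.12.77 dst=198.51.100.9:6667
2006-04-03 09:04:45 IPS low sig=PORTSCAN src=10.5.12.90 dst=10.5.1.5:22
2006-04-03 09:20:00 IPS low sig=PORTSCAN src=10.5.12.90 dst=10.5.1.6:22
syslog noise that is not an IPS event and is ignored
"""


def parse_ips(line):
    """Step 1a: pick one raw line apart into named fields; None if it is not an IPS event."""
    m = IPS_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


class WindowCounter:
    """Step 1b: count events per key inside a sliding window ("5 in 5 minutes").

    Assumes entries arrive in time order, as they do when tailing a log."""

    def __init__(self, window):
        self.window = window
        self.hits = defaultdict(deque)

    def add(self, key, ts):
        q = self.hits[key]
        q.append(ts)
        while ts - q[0] > self.window:   # age out hits older than the window
            q.popleft()
        return len(q)


# Step 2: if-then rules. Each predicate gets the parsed event and the current
# in-window count for (src, sig); Boolean combinations are plain `and` / `or`.
# Rule and action names are invented for this example.
RULES = [
    ("botnet-c2",  lambda ev, n: ev["sig"].startswith("BOTNET") and ev["severity"] == "high", "quarantine"),
    ("scan-burst", lambda ev, n: ev["sig"] == "PORTSCAN" and n >= 5,                          "alert"),
]


class Correlator:
    """Glue for the three steps; self.audit stands in for Privateye's MySQL record."""

    def __init__(self, rules=RULES, window=timedelta(minutes=5)):
        self.rules = rules
        self.counter = WindowCounter(window)
        self.audit = []
        self.fired = set()   # (rule, src) pairs already acted on: do not re-quarantine

    def feed(self, line):
        ev = parse_ips(line)
        if ev is None:
            return []
        n = self.counter.add((ev["src"], ev["sig"]), ev["ts"])
        who = REGISTRATION.get(ev["src"], {"mac": None, "user": None})
        fired_now = []
        for name, predicate, action in self.rules:
            if (name, ev["src"]) in self.fired or not predicate(ev, n):
                continue
            self.fired.add((name, ev["src"]))
            # Step 3: in the real tool "quarantine" is an SNMP trap / switch command
            # that moves the port to the Penalty Box VLAN; here it is only recorded.
            record = {"rule": name, "action": action, "ip": ev["src"],
                      "mac": who["mac"], "user": who["user"],
                      "count": n, "ts": ev["ts"].isoformat(sep=" ")}
            self.audit.append(record)
            fired_now.append(record)
        return fired_now


def run(text, rules=RULES):
    """Feed every line of a log dump through a fresh correlator; return its audit record."""
    c = Correlator(rules)
    for line in text.splitlines():
        c.feed(line)
    return c.audit


if __name__ == "__main__":
    for rec in run(SAMPLE_LOG):
        print(rec)
```

Running it on the constructed feed yields two records: a quarantine for jdoe on the first high-severity botnet signature, and an alert for asmith when the fifth port-scan hit lands inside the five-minute window. The scan at 09:20 counts as one because the earlier hits have aged out, and the (rule, source) set keeps a host from being quarantined again on every subsequent alert, which matters when the IPS keeps firing until the machine is cleaned.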
The college has completed Version 2.0 of Privateye, which among other things made it more extensible so it can take inputs from other applications, and added features such as Boolean logic so administrators can create more complex rules and triggers.
Privateye's source code and information are available at http://privateye.sourceforge.net. Users need a thorough understanding of their network infrastructure and of the goals they want to accomplish with Privateye, Halsall says. A managed switch fabric is essential, he adds. Privateye works with open source intrusion-detection system (IDS) and IPS tools such as Snort, as well as the major commercial IDS/IPS products.