Open source automates college net security
Middlebury College in Vermont keeps a private eye on its network.
By John Cox, Network World, 05/22/2006
Network managers at Middlebury College in Vermont have created an open source application that watches entries in log files,
analyzes them and triggers actions such as alerting administrators, quarantining a user, or shutting down a switch port.
The application, dubbed Privateye, automates a large chunk of network security management activities by exploiting capabilities that are already found in common applications, including firewalls and intrusion-prevention
systems (IPS), and in a network of managed switches.
A big part of Privateye's appeal is its relative simplicity. Two IT staffers at the college wrote the program in PHP, a widely
used scripting language.
The program collects information about security events from log entries routinely kept by such systems as the campus network
registration application, the firewall and the IPS. A set of rules, also written in PHP, deciphers each event, checks it against
threshold settings, and carries out the alerts or remedial actions automatically.
Privateye addresses a need that became apparent when the college installed Bradford Networks' Campus Manager registration
application and an enterprise IPS, says Michael Halsall, network security administrator and Privateye co-author. He declined
to name the IPS vendor.
"After the first day of getting IPS alerts, and coordinating the IP addresses with people and their machines in the [Bradford]
registration system, that got old real fast," he says.
Halsall and a Middlebury graduate intern, Graeme Connell, wrote Version 1.0 of Privateye, essentially a log parser that has
three basic steps.
First, Privateye receives inputs from such applications as the IPS, picking up each new entry to a logfile or from a central
logging server. Or Privateye can take data directly over a raw TCP connection from other boxes, Halsall says. At Middlebury,
other data feeds come from a network sniffer program and the Campus Manager. Second, Privateye picks these log entries apart,
separating the various data inputs into appropriate fields, such as severity, input IP address, output port and user name.
Third, it groups and counts the entries, factoring in a time variable. This means Privateye can be programmed to act when a
threshold has been crossed - five occurrences of an event in five minutes, for instance.
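The three steps above, as an added illustration that is not Privateye's code (Privateye itself is written in PHP): lines in a constructed IPS-style format are parsed into fields, grouped by source IP, and counted inside a sliding five-minute window; the fifth hit inside the window returns a quarantine action for that IP. The line format, field names and sample entries are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (an assumption, not Privateye's real input): "<ts> <severity> <src_ip> -> <dst_ip>:<dst_port> <signature>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<severity>\w+) (?P<src_ip>[\d.]+) -> "
                     r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<signature>\S+)$")

def parse_line(line):
    """Step 2: split one raw log entry into named fields (None if it does not parse)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

class ThresholdRule:
    """Step 3: count events per source IP in a sliding window; fire once per IP."""
    def __init__(self, threshold=5, window=timedelta(minutes=5), action="quarantine"):
        self.threshold, self.window, self.action = threshold, window, action
        self.recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
        self.fired = set()

    def feed(self, ev):
        q = self.recent[ev["src_ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > self.window:   # evict entries older than the window
            q.popleft()
        if len(q) >= self.threshold and ev["src_ip"] not in self.fired:
            self.fired.add(ev["src_ip"])
            return {"action": self.action, "src_ip": ev["src_ip"], "count": len(q)}
        return None

def run(lines, rule=None):
    """Step 1: consume a stream of log lines; return the actions the rule triggered."""
    rule = rule or ThresholdRule()
    events = (parse_line(ln) for ln in lines)
    return [a for a in (rule.feed(e) for e in events if e) if a]

# Constructed sample: 10.1.2.3 logs 5 events in 4 minutes; 10.1.2.4 logs 5 spread over 40 minutes.
SAMPLE_LOG = [
    "2006-05-22T10:00:00 HIGH 10.1.2.3 -> 192.0.2.10:445 worm-probe",
    "2006-05-22T10:01:00 HIGH 10.1.2.3 -> 192.0.2.11:445 worm-probe",
    "2006-05-22T10:01:30 LOW 10.1.2.4 -> 192.0.2.12:80 odd-agent",
    "2006-05-22T10:02:00 HIGH 10.1.2.3 -> 192.0.2.12:445 worm-probe",
    "2006-05-22T10:03:00 HIGH 10.1.2.3 -> 192.0.2.13:445 worm-probe",
    "2006-05-22T10:04:00 HIGH 10.1.2.3 -> 192.0.2.14:445 worm-probe",
] + [f"2006-05-22T10:{m}:00 LOW 10.1.2.4 -> 192.0.2.12:80 odd-agent" for m in (10, 20, 30, 40)]
```

Running `run(SAMPLE_LOG)` yields a single quarantine action for 10.1.2.3; the slow-and-steady 10.1.2.4 never has five entries inside any five-minute window, so it is left alone.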