...

  • A local Warden Server receiving events via connectors from probes and sensors in your local constituency.
  • A warden_filer_receiver receiving events from your local Warden Server.
  • A Mentat storing the events received from your local Warden Server and from the peers.
  • Warden_filer_receivers for receiving events from the peer nodes, i.e. from a PROTECTIVE node in other NRENs.
  • The connectors are included in the Annex of this document, which also documents how to set up connectors for real data mode.
    The connectors are:
      • Real Data: For the live environment during the pilots, steps are provided for connecting the following connectors:
        • Kippo
        • Dionaea
        • LaBrea
        • IntelMQConnector
        • Fortigate
        • Juniper SRX
        • SIEM McAfee
        • Warden Parser

...

2.2 Access Requirements

You will need access to the protective-h2020-eu project in GitLab: https://gitlab.com/protective-h2020-eu/. This project is Open Source, so you shouldn't have any problem accessing it.

If you don't have access, or have any problems accessing it, please contact: pilot@protective-h2020.eu

...

In order to connect with other peer nodes, certificates are needed for the communication between the Warden server and each peer node's Warden filer receiver. The procedure for obtaining the certificates assumes that the system administrator (admin) will get the certificates. The admin is the person installing the PROTECTIVE node at each NRENPeer node. To prepare for configuration of event collection from a peer node [warden] server, the process is as follows:

Assuming that the NREN Peer Sender (NRENPeer-S) and NREN Peer Receiver (NRENPeer-R) have agreed to share data, the NRENPeer-R admin provides the following data to the NRENPeer-S admin:

    1. chosen client name
    2. machine DNS name
    3. name and email address of the administrator (where the NRENPeer-S admin and automated inspection scripts will be able to reach him)
    4. a brief description of planned utilisation of the received events
    5. any additional information or questions

For now, gather this information. 

...

2.4.2 You will need the email address of the admin for each peer node that you want to collect events from.

RoEduNet: lucian.paiusescu@roedu.net

CESNET: cernym@cesnet.cz

PSNC: dzordz@man.poznan.pl

2.4.3 Peer Node DNS names

RoEduNet: node1.protective.roedu.net

CESNET: protective.cesnet.cz

PSNC: veratrum.man.poznan.pl

...

If you don't have it, please request it at: pilot@protective-h2020.eu

2.5 Probes and Sensors to be Connected

...

In order to send data to peer nodes, the peer node warden filer receivers must be registered in the warden server of the PROTECTIVE node by the NRENPeer-S admin.

3.4.1 Receive email from

...

Peer-R at each peer node

As NRENPeer-S admin, you will have received a PGP-encrypted email from an NRENPeer-R requesting a token [and server.crt] with the following information:

    1. chosen client name
    2. machine DNS name
    3. name and email address of the administrator (where the NRENPeer-S admin and automated inspection scripts will be able to reach him)
    4. a brief description of planned utilisation of the received events
    5. any additional information or questions

3.4.2 Registering in Warden Server

...

Once you have the token, and the server.crt located in protective-node/node_name/data/keys/warden_server, the next step is to send an email to the NRENPeer-R admin by secure mail. The email should include the token, the server.crt and the URL of the warden server. Also, if in step 3.4.2, when registering the client, you generated a secret for it, include this secret in the email.

...

To receive events from a peer node, the warden filer receiver must be configured in the PROTECTIVE node by the admin acting as the NRENPeer-R admin. The NRENPeer-R admin will be doing the reverse of the steps outlined in chapter 3.3.

3.5.1 Send email to

...

Peer-S admin

For each peer node you would like to receive events from, send an email to the peer node admin requesting registration in and connection to the peer node warden server.

As NRENPeer-R admin, you will send a PGP-encrypted email to an NRENPeer-S requesting a token, a server.crt and the URL of the warden server. You will provide the following information:

    1. chosen client name
    2. machine DNS name
    3. name and email address of the administrator (where the NRENPeer-S admin and automated inspection scripts will be able to reach him)
    4. a brief description of planned utilisation of the received events
    5. any additional information or questions

3.5.2 Receive email from each

...

Peer-S admin in the peer nodes

You will receive an email with a token, server.crt and warden server URL by secure mail from each peer node.

...