Quick Start

From The MetaFlows Security System Documentation

This section gives the Quick Start instructions for getting a sensor up and running on a physical or virtual appliance. For instructions on how to monitor cloud-based assets in Microsoft Azure or Amazon AWS, see Deep Packet Inspection of Cloud-based assets.

1. Install CentOS 7 on a physical or virtual machine with two Ethernet interfaces (two physical NICs, or two virtual NICs for a VM). Instructions on how to install CentOS 7 can be found at [1]
  • One interface (the management interface) needs outbound Internet access as a normal client. The other is the passive (promiscuous) interface and should be connected to a SPAN/mirror port or, less commonly, a network TAP.
  • When configuring a mirror or SPAN port on a switch, it is best practice to mirror both TX and RX traffic of the port that connects the switch to the firewall; mirroring only one direction leaves the sensor with half of every conversation. Multiple passive interfaces can be bonded together at the OS level.
  • To configure the promiscuous interface on VMware ESXi please see these instructions
2. Verify that mirrored traffic is received on the second (passive) interface (eno2 in most cases) with the command
tcpdump -i eno2 -n -c 100 not broadcast
(-c 100 stops the capture after 100 packets; press Ctrl-C to stop it earlier)

Verify that both external-to-internal and internal-to-external IP packets from hosts on your network are visible. If only one direction (RX or TX) is visible, check the mirror configuration. If no traffic is visible at all, contact MetaFlows to troubleshoot.

3. Verify that the machine can communicate with nsm.metaflows.com with the command (ICMP is filtered on some networks, so if ping fails, rely on the wget test before concluding that connectivity is broken)
ping nsm.metaflows.com

or

wget http://nsm.metaflows.com
4. Install the MetaFlows sensor software. The archive is fetched over plain HTTP, so run these commands as root from a network path you trust:
curl -O http://nsm.metaflows.com/linux.zip
yum install unzip
unzip linux.zip
cd nsm
./setup.sh
Answer Y to all of the questions setup.sh asks.
5. Configure a sensor on nsm.metaflows.com
  • Register at nsm.metaflows.com (if this has not been done already). For trials, send an email to support@metaflows.com for activation.
  • Login and click on sensor->add
  • Choose a sensor name, a sensor location, and the promiscuous interface (typically eno2)
  • It is recommended that you leave all configuration parameters at their default values. However, make sure the following two parameters are set to the correct values for your site:
    • Set HOME_NET to the address range(s) of the LAN the sensor should treat as internal (as in 192.168.1.0/24 or [10.0.0.0/8,192.168.2.0/24]); traffic direction and many rules depend on it
    • Set the correct name of the promiscuous interface (eno2 in most cases)
  • Save the configuration.
6. Start the software with the command
/nsm/etc/mss.sh start 

or select option 1 from the menu if it is a VM or a MetaFlows appliance.

  • Select sensor type 1 (SaaS)
  • Log in on the command line using the same credentials established to login at nsm.metaflows.com
  • Select sensor '0' (the only one you will have available)
7. Verify installation
  • After the sensor starts, the sensor status indicator (the LED icon in the top right corner of the web interface) should turn yellow, then blue, and finally green.
  • Click on Real Time. After a few minutes, events should start to appear. If security issues are detected, email alerts are sent to the address used at registration, and reloading the main dashboard shows a summary of the corresponding incident reports. After 24 hours, the dashboard is also populated with statistics of event activity from the previous day.

Note: Trials use the ET GPL rules because of contractual limitations. Paying customers are switched to the ET Pro rules automatically.
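The step 2 check ("both external-to-internal and internal-to-external packets are visible") is normally done by eye. The following script is an added example, not part of the MetaFlows software or this documentation: it reads tcpdump -n output, classifies each IPv4 packet as inbound, outbound, internal or external relative to a HOME_NET value written in the same form the sensor configuration uses (a single CIDR or [a/b,c/d]), and reports whether the mirror delivers both directions. The capture embedded at the bottom is constructed sample data, and 192.168.1.0/24 and the file name span_check.sh are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not MetaFlows' code): classify "tcpdump -n" output by
# direction relative to HOME_NET so the step-2 "both directions visible"
# check can be scripted. The sample capture and the 192.168.1.0/24
# HOME_NET below are constructed assumptions, not real data.

# Dotted-quad IPv4 -> 32-bit integer (octets assumed decimal, as tcpdump prints them).
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_home_net IP NETS: succeed if IP lies inside any CIDR listed in NETS.
# NETS may be a bare CIDR or the sensor-config form "[10.0.0.0/8,192.168.2.0/24]".
in_home_net() {
    local ip=$1 nets cidr base bits mask ipn
    nets=$(printf '%s' "$2" | sed 's/[][ ]//g')
    ipn=$(ip4_to_int "$ip")
    local IFS=,
    for cidr in $nets; do
        base=${cidr%/*}
        bits=${cidr#*/}
        [ "$bits" = "$cidr" ] && bits=32          # bare address means /32
        mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        [ $(( ipn & mask )) -eq $(( $(ip4_to_int "$base") & mask )) ] && return 0
    done
    return 1
}

# Drop the trailing ".port" that tcpdump -n appends for TCP/UDP (ICMP lines have none).
strip_port() {
    case $1 in
        *.*.*.*.*) printf '%s' "${1%.*}" ;;
        *)         printf '%s' "$1" ;;
    esac
}

# classify_capture NETS < capture: prints "inbound outbound internal external".
# Only IPv4 lines of the form "... IP src > dst: ..." are counted; IP6 and ARP are skipped.
classify_capture() {
    local nets=$1 line src dst
    local inbound=0 outbound=0 internal=0 external=0
    while IFS= read -r line; do
        case $line in *" IP "*" > "*) ;; *) continue ;; esac
        src=${line#* IP }; src=$(strip_port "${src%% > *}")
        dst=${line#* > };  dst=$(strip_port "${dst%%:*}")
        if in_home_net "$src" "$nets" && in_home_net "$dst" "$nets"; then
            internal=$((internal + 1))
        elif in_home_net "$src" "$nets"; then
            outbound=$((outbound + 1))
        elif in_home_net "$dst" "$nets"; then
            inbound=$((inbound + 1))
        else
            external=$((external + 1))   # neither end in HOME_NET: wrong HOME_NET or extra segments on the SPAN
        fi
    done
    echo "$inbound $outbound $internal $external"
}

# span_verdict NETS < capture: exit 0 when both directions are seen, 2 when only
# one direction is seen (check the mirror's TX/RX setting), 1 when nothing matched HOME_NET.
span_verdict() {
    local counts
    counts=$(classify_capture "$1")
    set -- $counts
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then
        echo "OK: inbound=$1 outbound=$2 internal=$3 external=$4"; return 0
    elif [ "$1" -gt 0 ] || [ "$2" -gt 0 ]; then
        echo "ONE-WAY: inbound=$1 outbound=$2; the mirror probably carries only TX or only RX"; return 2
    else
        echo "NO HOME_NET TRAFFIC: internal=$3 external=$4; check the mirror and HOME_NET"; return 1
    fi
}

# Constructed sample in tcpdump -n format (not a real capture).
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.10.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 93.184.216.34.443 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP 192.168.1.10.51234 > 192.168.1.20.445: Flags [S], seq 3, win 64240, length 0
12:00:01.000004 IP 192.168.1.20 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:01.000005 IP 8.8.8.8 > 192.168.1.20: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000006 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56
12:00:01.000007 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:01.000008 IP 203.0.113.5.53 > 198.51.100.7.40000: 1234 1/0/0 A 93.184.216.34 (48)'

# Live use:  tcpdump -i eno2 -n -c 100 not broadcast 2>/dev/null | bash span_check.sh 192.168.1.0/24
# With no argument the constructed sample is classified instead.
if [ $# -eq 1 ]; then
    span_verdict "$1"
else
    printf '%s\n' "$SAMPLE_CAPTURE" | span_verdict 192.168.1.0/24
fi
```

A capture that yields only outbound (or only inbound) packets from HOME_NET is the "only RX or TX" symptom described in step 2, and the exit status 2 makes that easy to catch from a provisioning script. A large external count with no inbound or outbound packets usually means HOME_NET does not describe the LAN behind the mirrored port, which is the same value that must be set correctly in step 5.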