1. Home
  1.1 Downloads
  1.2 Installation
    1.2.1 Configure DINO
    1.2.2 Configure GeoIP
    1.2.3 Configure SiLK
    1.2.4 Configure SNORT
  1.3 Overview
  1.4 Release Notes
  1.5 Screenshots

1. Home [forensics.cert.org]


Home

Update: DINO version 1.5 was released on 2011/10/05 to add Google Maps functionality.

Project:DINO is a lightweight front end for network visualization. Project:DINO, short for Drop In Network Observer, utilizes the open source network monitoring tools SiLK and SNORT to create an easy to use dashboard for situational awareness.

It is built on PHP and Open Flash Chart. It is designed to be run on Linux systems and has been tested on Fedora, Red Hat and Ubuntu.

DINO queries flow records stored by SiLK and creates graphs of things like top talkers, incoming/outgoing traffic, hourly traffic, top ports, and SNORT alerts together with the related flow records.

 


Downloads

DINO is a single rpm install, but some of the prereqs can be tricky to install.

Current

DINO 1.5 - Release 2011/10/05

RPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.5-0.noarch.rpm

SRPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.5-0.src.rpm

Source: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.5.tar.gz

Past Releases

DINO 1.3.3 - Release 2011/09/01

RPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-3.noarch.rpm

SRPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-3.src.rpm

Source: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3.tar.gz

DINO 1.3.1 - Released 2011/08/31

RPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-1.noarch.rpm

SRPM: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-1.src.rpm

Source: https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3.tar.gz

DINO 1.3.0 - Updated 2011/08/25

RPM: dino-1.3-0.noarch.rpm https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-0.src.rpm

SRPM: dino-1-3-0.src.rpm https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3-0.src.rpm

Source: dino-1.3.tar.gz https://forensics.cert.org/confluence/download/attachments/1671180/dino-1.3.tar.gz

DINO LiveCD

Fedora 14 and Dino 1.3 https://forensics.cert.org/confluence/download/attachments/1671180/SiLK+Drop+In+Network+Observer+LiveCD.iso

Dependencies

libfixbuf https://forensics.cert.org/confluence/download/attachments/1671180/libfixbuf-0.8.0-1.i386.rpm

silk-common https://forensics.cert.org/confluence/download/attachments/1671180/silk-common-2.4.0-1.i386.rpm

silk-analysis https://forensics.cert.org/confluence/download/attachments/1671180/silk-analysis-2.4.0-1.i386.rpm

silk-rwflowpack https://forensics.cert.org/confluence/download/attachments/1671180/silk-rwflowpack-2.4.0-1.i386.rpm

yaf https://forensics.cert.org/confluence/download/attachments/1671180/yaf-1.3.1-1.i386.rpm

Installation

DINO uses the SiLK tool suite, created and maintained by the NetSA team at CERT, for flow collection and analysis functionality, and the SNORT package for IDS functionality. You will have to sign up for and download snort rules from their website. Consider using OinkMaster to keep your rules current.

You will need to install the following packages:

  libfixbuf
  silk-common
  silk-analysis
  silk-rwflowpack
  yaf

These packages can be found at the CERT repo, http://www.cert.org/forensics/tools/, as well as this site.

  dino

Found on the download page: https://forensics.cert.org/confluence/display/dino/Downloads

After the installation is complete you will need to configure SiLK, SNORT and DINO.

Sample configuration files:

yaf startup /etc/init.d/yaf https://forensics.cert.org/confluence/download/attachments/1671176/yaf

rwflowpack.conf /etc/sysconfig/rwflowpack.conf https://forensics.cert.org/confluence/download/attachments/1671176/rwflowpack.conf

sensors.conf /data/sensors.conf https://forensics.cert.org/confluence/download/attachments/1671176/sensors.conf

silk.conf /data/silk.conf https://forensics.cert.org/confluence/download/attachments/1671176/silk.conf

Configure DINO

You will need to edit a few variables in /var/www/html/dinolib.php

Set the following variables related to Snort, logdir and csvfile, for your installation.

For example:

$logdir="/var/log/snort/";
$csvfile=$logdir . "alert.csv";

For packet capture to work, edit the pcapdir variable to point to the location of your pcap files.

For example:

$pcapdir="/data/pcap";

To be able to download the pcap files from the web site, you will need to either add a virtual directory to apache, or create a symbolic link to thepcap dir from /var/www/html.

For example:

cd /var/www/html
ln -s /data/pcap pcap

Then create the directories for tcpxtract to put its files in, and make them writable by the web server user.

mkdir -p /data/pcap/tcpxtract/thumbs
chown -R apache:apache /data/pcap

Configure GeoIP

To enable GeoIP functionality you will need to download and install the GeoIP Lite package from MaxMind, then follow the SiLK GeoIP configuration here: http://tools.netsa.cert.org/silk/rwgeoip2ccmap.html

And finally configure the following values in /var/www/html/dinolib.php:

$enableGeoIP='y';

Configure SiLK

SiLK requires some configuration: you will need to edit /etc/sysconfig/rwflowpack.conf, /data/silk.conf and /data/sensors.conf, and provide a start script for yaf. These can be downloaded as a tar here: https://forensics.cert.org/confluence/download/attachments/1933314/sample-silk.tar


Be sure to edit /data/sensors.conf so that the "internal-ipblock" variable reflects your internal network subnet.

probe localhost ipfix
    listen-on-port 18001
    protocol tcp
    accept-from-host 127.0.0.1
end probe

sensor localhost
    ipfix-probes localhost
    internal-ipblock 192.168.1.0/24
    external-ipblock remainder
end sensor

Next edit the file /data/silk.conf


[joe@smallpc data]$ more silk.conf
sensor 0 localhost

class all
    sensors localhost
end class

# Be sure you understand the workings of the packing system before
# editing the class and type definitions below.  Editing above this
# line is sufficient for sensor definition.

version 1

class all
    type  0 in      in
    type  1 out     out
    type  2 inweb   iw
    type  3 outweb  ow
    type  4 innull  innull
    type  5 outnull outnull
    type  6 int2int int2int
    type  7 ext2ext ext2ext
    type  8 inicmp  inicmp
    type  9 outicmp outicmp
    type 10 other   other

    default-types in inweb inicmp
end class

default-class all

# The default path format from SILK_DATA_ROOTDIR
path-format "%N/%T/%Y/%m/%d/%x"

# The plug-in to load to get the packing logic to use in rwflowpack.
# The --packing-logic switch to rwflowpack will override this value.
# If SiLK was configured with hard-coded packing logic, this value is
# ignored.
packing-logic "packlogic-twoway.so"
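The internal-ipblock in sensors.conf and the type table in silk.conf work together: rwflowpack sorts every flow into one of those types, and the default-types line decides which of them a plain rwfilter query (and therefore DINO's dashboard) reads. The model below is an added example, not SiLK's or DINO's own code; the real logic lives in packlogic-twoway.so. It assumes that "web" means TCP on ports 80, 443 or 8080, that innull/outnull never occur because the sensors.conf above defines no null-ipblock, and that %x in the path-format expands to %T-%N_%Y%m%d.%H as rwflowpack documents. The sample flows are constructed. Its point is what a wrong internal-ipblock does: with the subnet left unedited, real traffic lands in ext2ext, a type outside default-types, and silently never shows up.

```python
"""Simplified model of SiLK two-way packing: flow -> silk.conf type -> file path.
Added example (not SiLK/DINO code); see the lead-in for the assumptions."""
import ipaddress
from collections import Counter
from datetime import datetime

# internal-ipblock from /data/sensors.conf
INTERNAL_IPBLOCKS = [ipaddress.ip_network("192.168.1.0/24")]
SENSOR = "localhost"
# default-types from /data/silk.conf: what rwfilter reads when --type is omitted
DEFAULT_TYPES = {"in", "inweb", "inicmp"}
WEB_PORTS = {80, 443, 8080}          # assumption: ports the two-way logic treats as web
PATH_FORMAT = "%N/%T/%Y/%m/%d/%x"    # path-format from silk.conf

SAMPLE_TS = datetime(2011, 10, 5, 14, 21)

# Constructed sample flows: (sip, dip, proto, sport, dport)
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.168.1.23", 6, 443, 51234),   # web reply into the LAN
    ("192.168.1.23", "203.0.113.7", 6, 51234, 443),   # the request going out
    ("192.168.1.23", "198.51.100.9", 6, 40001, 22),   # ssh out
    ("192.168.1.2", "192.168.1.53", 17, 5353, 53),    # dns inside the LAN
    ("198.51.100.9", "192.168.1.9", 1, 0, 0),         # ping in
    ("198.51.100.9", "203.0.113.7", 6, 1234, 25),     # neither side internal
]


def is_internal(ip):
    """True when ip falls inside any internal-ipblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in INTERNAL_IPBLOCKS)


def classify_flow(sip, dip, proto, sport, dport):
    """Return the silk.conf type name for one flow."""
    try:
        src_int, dst_int = is_internal(sip), is_internal(dip)
    except ValueError:
        return "other"                      # unparseable address
    if src_int and dst_int:
        return "int2int"
    if not src_int and not dst_int:
        return "ext2ext"
    direction = "in" if dst_int else "out"
    if proto == 1:                          # ICMP
        return direction + "icmp"
    if proto == 6 and (sport in WEB_PORTS or dport in WEB_PORTS):
        return direction + "web"
    return direction


def summarize(flows):
    """Count flows per type, as rwflowpack would distribute them."""
    return dict(Counter(classify_flow(*f) for f in flows))


def outside_default_types(flows):
    """Types present in the data that a default rwfilter (no --type) never reads."""
    return sorted(t for t in summarize(flows) if t not in DEFAULT_TYPES)


def file_path(flow_type, sensor, ts):
    """Hourly file location under SILK_DATA_ROOTDIR for the given type and sensor."""
    path = PATH_FORMAT.replace("%x", "%T-%N_%Y%m%d.%H")   # assumed %x expansion
    path = path.replace("%N", sensor).replace("%T", flow_type)
    return ts.strftime(path)                               # remaining %Y %m %d %H


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print("not covered by default-types:", outside_default_types(SAMPLE_FLOWS))
    print(file_path("inweb", SENSOR, SAMPLE_TS))
```

Running it on the sample shows out, outweb, int2int and ext2ext all falling outside default-types; DINO's outgoing-traffic graphs depend on rwfilter being asked for those types explicitly, and on internal-ipblock matching the real subnet so that the in/out split is right in the first place.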


You will need to have YAF start on boot. A sample script is here, place it in /etc/init.d:

#!/bin/bash
#
# yaf           This shell script takes care of starting and stopping
#               yaf.
#
# chkconfig: - 58 74
# description: yaf is a flow collection process.

### BEGIN INIT INFO
# Provides: yaf
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Short-Description: start and stop yaf
# Description: yaf is a flow collection process.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

prog=yaf
YAF=/usr/bin/yaf

DAEMONIZE=/usr/sbin/daemonize
PID=/var/log/yaf.pid

# Capture interface and yaf options: read live from $INTERFACE, emit SiLK-style
# IPFIX over TCP to the local rwflowpack listening on port 18001.
INTERFACE=bond0
OPTIONS=" --silk --ipfix=tcp --live=pcap --in=$INTERFACE --out=127.0.0.1 --ipfix-port=18001"

start() {
        # Check that networking is up.
        [ "$NETWORKING" = "no" ] && exit 1

        [ -x $YAF ] || exit 5

        # Start daemons.
        echo -n $"Starting $prog: "
        $DAEMONIZE -p $PID $YAF $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ]
        return $RETVAL
}

stop() {
        echo -n $"Shutting down $prog: "
        if [ -f $PID ]
        then
                kill `cat $PID`
                RETVAL=$?
                rm -f $PID
        else
                echo -n "no PID file at $PID"
                RETVAL=1
        fi
        echo
        [ $RETVAL -eq 0 ]
        return $RETVAL
}

status() {
    # Check the PID recorded by daemonize rather than grepping the process
    # list, which would also match unrelated commands containing "yaf".
    if [ -f $PID ] && kill -0 `cat $PID` 2>/dev/null
    then
        echo "YAF Running with PID `cat $PID`"
    else
        echo "ERROR: YAF not running"
    fi
}

restart() {
    stop
    start
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status $prog
        ;;
  restart)
        restart
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 2
esac

Configure SNORT

To get SNORT working with DINO you'll need to download the VRT rules from SNORT here: http://www.snort.org/start/rules

Add the following two options to your snort.conf file in order for SNORT to log in CSV format.

# syslog
output alert_csv: alert.csv default

# pcap
output log_tcpdump: tcpdump.log

Lastly, check dinolib.php and set the variable enableSNORT to "y".

$enableSNORT='y'; //Set this to y to enable SNORT functionality
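With alert_csv in place, DINO reads the CSV file named by $csvfile and pairs each alert with the flow records SiLK holds for the same addresses and time. The script below is an added example of that pairing, not DINO's code. It assumes the Snort 2.x "default" alert_csv field order (timestamp, sig_generator, sig_id, sig_rev, msg, proto, src, srcport, dst, dstport, followed by the link, TCP, IP and ICMP fields), that Snort timestamps carry no year (its default MM/DD-HH:MM:SS.uuuuuu format) so the year is passed in, and that rwfilter's --data-rootdir, --type, --start-date, --end-date, --saddress, --daddress, --sport, --dport, --protocol and --pass options are available with a data root at /data. The alert lines are constructed, not real traffic.

```python
"""Turn Snort alert_csv lines into rwfilter queries for the related SiLK flows.
Added example (not DINO code); see the lead-in for the assumptions."""
import csv
import io
import shlex
from datetime import datetime, timedelta

# Field names of "output alert_csv: alert.csv default" (assumed Snort 2.x order).
DEFAULT_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1}

# Constructed sample alert.csv content (RFC 5737 addresses, not real traffic).
SAMPLE_ALERT_CSV = """\
10/05-14:21:07.123456,1,2100498,7,"GPL ATTACK_RESPONSE id check returned root",TCP,203.0.113.7,80,192.168.1.23,51234,00:11:22:33:44:55,66:77:88:99:AA:BB,0x1D2,***AP***,0x1A2B3C4D,0x5E6F7A8B,0x20,0xFFFF,56,0,12345,452,20,,,,
10/05-14:22:41.000001,1,2100366,7,"GPL ICMP_INFO PING *NIX",ICMP,192.168.1.50,,198.51.100.9,,00:11:22:33:44:55,66:77:88:99:AA:BB,0x62,,,,,,64,0,777,84,20,8,0,4321,1
"""


def parse_alert_csv(text, year):
    """Parse alert_csv 'default' lines into dicts. The year must be supplied
    because the default Snort timestamp format does not include one."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 10:
            continue                        # blank or truncated line
        rec = dict(zip(DEFAULT_FIELDS, row))
        ts = datetime.strptime(f"{year}/{rec['timestamp'].strip()}",
                               "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({
            "time": ts,
            "sid": int(rec["sig_id"]),
            "msg": rec["msg"],
            "proto": PROTO_NUMBERS.get(rec["proto"].strip().upper()),
            "src": rec["src"], "srcport": rec["srcport"] or None,
            "dst": rec["dst"], "dstport": rec["dstport"] or None,
        })
    return alerts


def rwfilter_command(alert, data_root="/data", window=timedelta(minutes=5)):
    """argv for an rwfilter run selecting flows that match the alert's
    addresses, ports and protocol within +/- window of the alert time.
    rwfilter takes dates at hour precision (YYYY/MM/DD:HH). --type=all is
    needed because silk.conf's default-types (in inweb inicmp) would hide
    the outbound half of the conversation."""
    start = (alert["time"] - window).strftime("%Y/%m/%d:%H")
    end = (alert["time"] + window).strftime("%Y/%m/%d:%H")
    cmd = ["rwfilter", f"--data-rootdir={data_root}", "--type=all",
           f"--start-date={start}", f"--end-date={end}",
           f"--saddress={alert['src']}", f"--daddress={alert['dst']}"]
    if alert["proto"] is not None:
        cmd.append(f"--protocol={alert['proto']}")
    if alert["srcport"]:                    # ICMP alerts carry no ports
        cmd.append(f"--sport={alert['srcport']}")
    if alert["dstport"]:
        cmd.append(f"--dport={alert['dstport']}")
    cmd.append("--pass=stdout")
    return cmd


if __name__ == "__main__":
    for alert in parse_alert_csv(SAMPLE_ALERT_CSV, 2011):
        print(f"# sid {alert['sid']}: {alert['msg']}")
        print(" ".join(shlex.quote(a) for a in rwfilter_command(alert)))
```

The queries are built as argument lists rather than interpolated into a shell string; the src, dst and msg fields come from Snort's view of untrusted packets, and DINO-style code that hands them to rwfilter through a shell has to treat them as such.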

Overview

Project:DINO is a lightweight front end for network visualization. Project:DINO, short for Drop In Network Observer, utilizes the open source network monitoring tools SiLK and SNORT to create an easy to use dashboard for situational awareness of your network.

It is built on PHP and Open Flash Chart. It is designed to be run on Linux systems and has been tested on Fedora, Red Hat and Ubuntu.

DINO queries flow records stored by SiLK and creates graphs of things like top talkers, incoming/outgoing traffic, hourly traffic, top ports, and SNORT alerts together with the related flow records.

Additionally Project:DINO has the ability to analyze an uploaded PCAP file created with tcpdump: it will create a summary report and extract the files within the packet capture using tcpxtract.

Release Notes

Current Release

1.2 | 2010/12/01

  Added file carving from PCAP upload
  Added SNORT alerting from PCAP upload

1.1 | 2010/11/29

  Added a simple pcap analyzer (will add more features in next release)
  Added ability to disable SNORT functionality
  Removed SNORT prereq from RPM
  Added geoIP functionality (will add more features in next release)

Prior Versions

1.0 | 2010/11/19

  Rewrote all of the graphing code to make it reusable
  Added network inventory code

Screenshots

Top Talkers for the Current Day: By mousing over the bars you will see a summary of the traffic for that point on the chart.


Google Maps Geo Location: Project DINO performs Geo Location of Net Flow Data.


Top Talkers by IP Address: This chart is reached by clicking on the bar in the above graph.


Top Talker by Minute: traffic per minute within the hour that was clicked on in the above bar chart.


Traffic Overlays: Two charts are available for overlaying traffic from previous weeks and months.

 


By clicking on a point in the graph you can view data for that day. 


As seen above, hovering over a point gives a summary, and clicking on that point generates a report for the day's traffic.


By clicking on a point in the above graph you can see traffic for the hour.

IP Summary: Example IP Summary Report

 


Network Inventory: A network inventory is available which will attempt to identify known servers as well as all internal hosts. Each host is clickable to generate the report seen above.


SNORT Alerts: Additionally SNORT is used to generate IDS alerts.

 


Packet Capture


Network captures can be generated in either full pcap or just the first 68 bytes.

System Status

 


Packet Capture Analysis

 


The following is a screenshot of a report generated from a PCAP upload.

DINO extracts files from uploaded PCAPs and presents thumbnails of any images.


DINO also displays any alerts from SNORT that are within the PCAP.
