Dynamite-NSM is a free Network Security Monitor (NSM), built on top of several leading, enterprise-grade technologies. The tool provides network and cybersecurity operators with holistic insights into their networks while giving them the ability to deep-dive into lower-level activities.
The solution presents powerful dashboards, giving comprehensive view into performance and threat-based metrics. Dynamite-NSM can be easily deployed in different environments including high-speed data centers, small-to-large enterprises, IoT & industrial networks, and even at home.
Dynamite-NSM handles massive volumes of network traffic through scalable ingestion and optimized network sensors. The solution includes two key components: the agent and the monitor. The agent analyzes and forwards network events, while the monitor processes incoming events and displays analytic information.
The monitor component builds upon the ELK stack (ElasticSearch, LogStash, Kibana) and is coupled with the fine-tuned Zeek sensor (aka Bro), flow data inputs (NetFlow, sFlow, IPFIX), and Suricata IDS security alerts. Dynamite-NSM now includes the DynamiteLab component made of the python API for easy data access and integrated JupyterHub hosted notebooks as the data science environment.
Dynamite-NSM is designed to be deployed very quickly with minimal configuration. Unlike many other tools, it can be installed and managed with a standalone command-line utility. The system is inherently passive without disruption to the network. There is no need to install agents on every computer, perform network scans, or directly interact with network assets. To start receiving analytics, we just connect agents and optional flow sources to the monitor.
Dynamite NSM can be installed and managed through a commandline utility implemented in pure Python.
No need to download a huge ISO image or install a dedicated operating system!
It is compatible with both Python2 and 3, across these Linux distributions.
pip install dynamite-nsm...And checkout the Wiki.
Agents are scattered throughout your environment, and bind to a network interface (typically a mirrored port), after which traffic is forwarded to the monitor for enrichment and indexing.
| Component | Description |
|---|---|
| Zeek [2.6.1] | Previously Bro, Zeek is a powerful network analysis framework that is differs from your typical IDS. It is capable of enumerating detailed information surrounding network connections and their underlying protocols. |
| Suricata [4.1.4] | Suricata is an Intrusion Detection System (IDS), powered by the latest open EmergingThreat rule-sets. |
| Oinkmaster [2.0] | A script to automate management of Suricata rule-sets, and keep rules up-to-date. |
| PF_RING [7.4.0] | A new type of network socket that dramatically improves the packet capture speed. It is used in conjunction with the Zeek to improve packet analysis. |
| Filebeat [7.2.0] | A powerful log forwarder, with a built in queue mechanisms, and a pressure sensitive protocol that works in conjunction with Logstash. |
Your monitor is responsible for parsing, enriching, indexing, and visualizing analyzed traffic sent from multiple agents or NetFlow exporters.
| Component | Description |
|---|---|
| Logstash [7.2.0] | A server-side data processing pipeline that ingests data from a multitude of sources simultaneously, transforms it. |
| Elasticsearch [7.2.0] | A distributed, RESTful search and analytics engine. |
| Kibana [7.2.0] | A web-app that allows you to visualize your Elasticsearch data |
| ElastiFlow™ [3.5.0] | Provides network flow (and now Zeek!) data collection and visualization. |
| Synesis [1.1.0] | Provides Suricata data normalization and visualization. |
Dynamite monitor is built on top of the ElasticStack, and makes full use of Kibana for visualizing a variety of network metrics.
Get direct insight into your network traffic with the powerful events view, compatible with both the provided agent or NetFlow exporters!
Quickly find evil on your network with Suricata IDS paired with the Emerging Threats Rule Sets.
Understand the normal behavior of assets on your network; gain insight into what is anomalous.
Easily track agents and NetFlow devices forwarding traffic to DynamiteNSM.
Install JupyterHub alongside our custom SDK, and explore your data inside Jupyter Notebooks.
Easily add new agents and monitoring components into your environment through intuitive installation.
Configure components without ever having to interact with a configuration file.
While there are quite a few components that are a part of Dynamite-NSM. Standing up a standalone agent/monitor deployment is very simple.
Check to see if your operating system is supported.
Linux Kernel: 2.6.32+
14 GB of RAM at least 4 vCPU
Grab the the release, and install.
pip install dynamite-nsmInstall the monitoring components all on the same machine.
dynamite install monitorStart the monitor. The Kibana UI can be found at: http://localhost:5601
dynamite start monitorYou can login with the elastic user and the password you set during installation.
Linux Kernel: 2.6.32+
8+ GB of RAM at least 4 vCPU
Grab the the release, and install.
pip install dynamite-nsmPrepare the agent, this installs any required kernel-headers needed to install the PF_RING kernel module.
dynamite prepare agentReboot, and install the agent. This process can take between 10 and 40 minutes depending on your specs.
dynamite install agent --interface mon01 --agent-label honeypot1 --ls-host <logstash-host> --ls-port 5044Start the agent
dynamite start agentIf you need to point the agent to a new monitor, this can be accomplished using the below command.
dynamite point agent --ls-host <new-logstash-host> --ls-port 5044In addition to being able to stand up the monitor as a single instance (ElasticSearch, Logstash, and Kibana all installed) This tool can also be used to install these components separately.
Check out the advanced guide here.