Github user cestella commented on the issue:
https://github.com/apache/incubator-metron/pull/210
# Testing Instructions
## Free Up Space on SNV
First, let's free up some headroom on SNV. If you are running this on a
multinode cluster, you would not have to do this.
* Kill monit via `service monit stop`
* Kill tcpreplay via `for i in $(ps -ef | grep tcpreplay | awk '{print $2}');do kill -9 $i;done`
* Kill existing parser topologies via
  * `storm kill snort`
  * `storm kill bro`
* Kill flume via `for i in $(ps -ef | grep flume | awk '{print $2}');do kill -9 $i;done`
* Kill yaf via `for i in $(ps -ef | grep yaf | awk '{print $2}');do kill -9 $i;done`
* Kill bro via `for i in $(ps -ef | grep bro | awk '{print $2}');do kill -9 $i;done`
## Install Prerequisites and Mock DGA Service
Now let's install some prerequisites:
* Flask via `yum install python-flask`
* Jinja2 via `yum install python-jinja2`
Now that we have flask and jinja, we can create a mock DGA service to
deploy with MaaS:
* Download the files in [this](https://gist.github.com/cestella/cba10aff0f970078a4c2c8cade3a4d1a) gist into the `/root/mock_dga` directory
* Make `rest.sh` executable via `chmod +x /root/mock_dga/rest.sh`

This service will treat `yahoo.com` and `amazon.com` as legit and
everything else as malicious. The contract is that the REST service exposes an
endpoint `/apply` and returns JSON maps with a single key `is_malicious`
which can be `malicious` or `legit`.
## Deploy Mock DGA Service via MaaS
Now let's start MaaS and deploy the Mock DGA Service:
* Start MaaS via `/usr/metron/0.2.0BETA/bin/maas_service.sh -zq node1:2181`
* Start one instance of the mock DGA model with 512M of memory via `/usr/metron/0.2.0BETA/bin/maas_deploy.sh -zq node1:2181 -lmp /root/mock_dga -hmp /user/root/models -mo ADD -m 512 -n dga -v 1.0 -ni 1`
* As a sanity check:
  * Ensure that the model is running via `/usr/metron/0.2.0BETA/bin/maas_deploy.sh -zq node1:2181 -mo LIST`. You should see `Model dga @ 1.0` be displayed and under that a url such as (but not exactly) `http://node1:36161`
  * Try to hit the model via curl: `curl 'http://localhost:36161/apply?host=caseystella.com'` and ensure that it returns a JSON map indicating the domain is malicious.
## Adjust Field Transformations for Squid to Call Model
TBD
## Adjust Threat Intel Triage to Adjust Risk Based on Model
TBD
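As an added illustration of the `/apply` contract described in the comment above (this is not the gist's code nor part of the PR): a minimal stand-in for the mock DGA REST service, written against the Python standard library rather than Flask so it runs with no extra packages. It assumes only what the comment states: `GET /apply?host=<domain>` answers with a JSON map whose single key `is_malicious` is `legit` for `yahoo.com` and `amazon.com` and `malicious` for everything else. Host normalisation, the 400/404 handling for malformed calls and the loopback-only bind are choices made here, not behaviour the page attributes to the real service; the default port 36161 is only the placeholder value from the comment's example output.

```python
"""Stand-in for the mock DGA REST service (added example, stdlib only)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Allowlist from the comment; anything not listed is reported as malicious.
LEGIT_HOSTS = frozenset({"yahoo.com", "amazon.com"})


def classify(host):
    """Return the JSON-serialisable map the /apply endpoint sends back."""
    # Normalise case and a trailing dot so "Yahoo.com." is not scored as
    # malicious purely because of formatting (assumption, not from the page).
    normalised = host.strip().lower().rstrip(".")
    verdict = "legit" if normalised in LEGIT_HOSTS else "malicious"
    return {"is_malicious": verdict}


def apply_endpoint(path):
    """Dispatch one request path; returns (http_status, body_dict).

    Only /apply with exactly one non-empty host parameter is accepted, so a
    malformed call from the enrichment side surfaces as a 4xx instead of a
    silently wrong verdict.
    """
    parts = urlsplit(path)
    if parts.path != "/apply":
        return 404, {"error": "unknown endpoint"}
    hosts = parse_qs(parts.query).get("host", [])
    if len(hosts) != 1 or not hosts[0].strip():
        return 400, {"error": "exactly one non-empty host parameter required"}
    return 200, classify(hosts[0])


class ApplyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = apply_endpoint(self.path)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):
        # Keep the sanity-check run quiet; the verdict is in the response body.
        pass


def serve(port=36161):
    """Bind to loopback only (a choice made here); 36161 is a placeholder
    taken from the comment's example URL, not a fixed MaaS port."""
    HTTPServer(("127.0.0.1", port), ApplyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it with `python3 mock_dga.py` and repeat the comment's sanity check, `curl 'http://localhost:36161/apply?host=caseystella.com'`, which should print `{"is_malicious": "malicious"}`; `host=yahoo.com` prints `legit`. Keeping `classify` and `apply_endpoint` as pure functions lets the contract be unit-tested without a socket, which is also how you would pin the expected verdicts before wiring the model into a field transformation or threat triage rule.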