|
| 1 | +===================================================================================== |
| 2 | +NfQuery : NfQuery: A Privacy Friendly Framework for Multi-Domain Threat Analysis |
| 3 | +===================================================================================== |
| 4 | + |
| 5 | +.. contents:: |
| 6 | +.. |
| 7 | + 1 What is NfQuery Framework |
| 8 | + 1.1 Components |
| 9 | + 2 Dependencies |
| 10 | + 3 Documentation |
| 11 | + 4 Download |
| 12 | + 5 Copyright and License |
| 13 | + 6 Author |
| 14 | + |
| 15 | + |
| 16 | +What is it? |
| 17 | +=============== |
| 18 | +The main function of NfQuery is creating useful queries to be used in the NfSen Plug-ins of each organization or domain registered to the Query Server (QS). Queries are fetched from QS and executed by Plug-ins on the aggregated NetFlow data of organizations. As a result of these executions, NfSen Plug-in find the flow data which includes the related threat or attack information. After the detection, Plug-in alerts the QS automatically regarding the findings of the applied query. |
| 19 | +By collecting and interpreting attack statistics from each Plug-in, NfQuery creates a general overview of the threat trends seen in the multi-domain network. Finally, by utilizing the alerting system of NfSen, NfQuery becomes a threat detection and security alerting system for multi-domain networks. |
| 20 | + |
| 21 | +Components |
| 22 | +--------------- |
| 23 | +a. Query Server (QS) |
| 24 | +Query Server (QS) is placed in the center of the system and establishes the connection between all components. QS is composed of three sub-elements; Query Manager (QM), Query Generator (QG) and Query Repository (QR). |
| 25 | + |
| 26 | +b. NfQuery Plug-in |
| 27 | +The NfQuery Plug-in is installed at each domain side over the NfSen instance at the domain and communicates with QS to perform the administrator’s requests such as fetching new queries, updating query list, getting/sending statistical reports and executing the queries over the flow data. |
| 28 | + |
| 29 | +c. Sources |
| 30 | +NfQuery sources are the main components that provide threat information. This includes publicly available resources such as Botnet C&C server lists (Amada SpyEye), DNS blacklists (DShield), malicious domains and phishing sites lists or output of security analysis applications such as Honeypots, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or Firewalls which may provide data in means of log files for private use in NfQuery framework. |
| 31 | + |
| 32 | + |
| 33 | +Dependencies |
| 34 | +============ |
| 35 | +Please see the file called plugin/INSTALL for plugin dependecies. |
| 36 | +Please see the file called queryserver/INSTALL for queryserver dependecies. |
| 37 | + |
| 38 | +The Latest Version |
| 39 | +------------------ |
| 40 | +Details of the latest version can be found on the Official NfQuery Web Page. |
| 41 | +http://nfquery.ulakbim.gov.tr |
| 42 | + |
| 43 | +Documentation |
| 44 | +------------- |
| 45 | +Please see http://nfquery.ulakbim.gov.tr/ |
| 46 | + |
| 47 | +Installation |
| 48 | +------------ |
| 49 | +Please see the file called plugin/INSTALL to install plugin. |
| 50 | +Please see the file called queryserver/INSTALL to install queryserver. |
| 51 | + |
| 52 | +Licensing |
| 53 | +--------- |
| 54 | +Please see the file called LICENSE. |
| 55 | + |
| 56 | +Author |
| 57 | +====== |
| 58 | +Serdar Yigit <serdar.yigit@tubitak.gov.tr> |
| 59 | +Ahmet Can Kepenek <ahmetcan.kepenek@gmail.com> |
| 60 | +Serhat Rifat Demircan <demircan.serhat@gmail.com> |
0 commit comments