NetNotify System
System Overview
NetNotify (development name: Epidemic) is an abuse tracking system that interfaces with
a variety of our backend systems. Namely, it can retrieve data from:
- NetReg: Machine registration system
- NetMon: DHCP lease tracking, CAM/ARP table tracking
- VPN: VPN service connection logs
- RADIUS: Modem dialin connection logs
- LDAP: Binding user account information to canonical person identification
Incidents
Incidents are created in a particular category and are recorded as having occurred at a particular time.
The category defines, in broad terms, what kind of incident is being logged. For example,
overuse of quota is one category, while a Welchia infection is another.
Categories
Categories have one or more states, and incidents are always in one category and one state
within that category. The states define where the incident currently is in the lifecycle
of the incident handling. For example, one state might indicate the machine or VPN/dialin
access is suspended.
Category States
Incidents can have a 'next state' with a transition time. This is the time that the
incident will be automatically moved from the current state to the next state. This can
be useful for enforcing certain suspension periods, periods in which a response is
required, or other timed actions. States can have a 'default transition' that will
be used for incidents entering the state. Thus, a complex sequence of state transitions
can be done nearly automatically.
Incident Creation
One design goal was to allow multiple incidents to be created quickly. For example, if
a dozen machines are identified to be infected with the same worm, incidents for each
machine are created simultaneously. The system collects "actor information" and then
creates one incident per specified machine.
Incident Actors
The actor information of an incident identifies all of the components that form the
incident. Actors include NetReg registrations, DHCP leases, VPN/RADIUS logs, user entries, and
entitlements (ability for a given user to use a service). Support for a switch port actor
type is planned. One or more actors are "primary" actors; these will be suspended if
specified by the category and state. Non-primary actors are used to provide additional
context for the incident, and to "snapshot" the state of the world at the time the
incident was created.
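To make the category/state/actor scheme of the preceding sections concrete, here is an added example (not NetNotify's own code, whose backend and class names are unknown) that models it in Python: categories with states, a per-state suspension flag, default timed transitions applied on entry, bulk incident creation from an actor lookup, a scheduler pass that fires due transitions, and a per-incident log. The category, host directory and lookup function are constructed sample data; the names `NetNotify`, `welchia_category` and `SAMPLE_DIRECTORY` are hypothetical. One behaviour the page does not state and which is assumed here: primary actors are released again when an incident leaves a suspending state.

```python
"""Toy model of NetNotify's incident state machine (added example, not the project's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class State:
    name: str
    suspend: bool = False                    # primary actors are suspended while in this state
    default_next: Optional[str] = None       # default transition target for incidents entering the state
    default_delay: timedelta = timedelta(0)  # how long after entry the default transition fires


@dataclass
class Category:
    name: str
    states: Dict[str, State]


@dataclass
class Actor:
    kind: str            # 'netreg', 'dhcp', 'vpn', 'radius', 'user', 'entitlement'
    ident: str
    primary: bool = False
    suspended: bool = False


@dataclass
class Incident:
    id: int
    category: Category
    occurred: datetime
    actors: List[Actor]
    state: str = ""
    next_state: Optional[str] = None
    transition_at: Optional[datetime] = None
    log: List[str] = field(default_factory=list)


class NetNotify:
    """In-memory stand-in for the tracking system (hypothetical, for illustration only)."""

    def __init__(self) -> None:
        self._next_id = 1
        self.incidents: Dict[int, Incident] = {}

    def create_incidents(self, category, initial_state, occurred, hosts, lookup, now):
        """Create one incident per host; `lookup` plays the role of the actor lookup box."""
        created = []
        for host in hosts:
            inc = Incident(self._next_id, category, occurred, lookup(host))
            self._next_id += 1
            self.incidents[inc.id] = inc
            self._enter_state(inc, initial_state, now, who="creator")
            created.append(inc)
        return created

    def change_state(self, inc, to, now, who):
        """Explicit move by an administrator, or by a user via a User Message."""
        if to not in inc.category.states:
            raise ValueError(f"no state {to!r} in category {inc.category.name!r}")
        self._enter_state(inc, to, now, who)

    def run_scheduler(self, now):
        """Backend pass: apply every pending timed transition whose time has come."""
        moved = []
        for inc in self.incidents.values():
            if inc.next_state and inc.transition_at and inc.transition_at <= now:
                self._enter_state(inc, inc.next_state, now, who="scheduler")
                moved.append(inc.id)
        return moved

    def _enter_state(self, inc, name, now, who):
        state = inc.category.states[name]
        inc.log.append(f"{now.isoformat()} {who}: {inc.state or '(new)'} -> {name}")
        inc.state = name
        # Suspend primary actors if the state says so; releasing them on leaving is an assumption.
        for a in inc.actors:
            if a.primary and a.suspended != state.suspend:
                a.suspended = state.suspend
                inc.log.append(f"{now.isoformat()} {who}: {'suspend' if state.suspend else 'release'} {a.kind}:{a.ident}")
        # Apply the state's default transition, replacing any earlier pending one.
        inc.next_state = state.default_next
        inc.transition_at = now + state.default_delay if state.default_next else None


def welchia_category() -> Category:
    """Constructed category: notify, suspend after 2 days without response, release when cleaned."""
    return Category("welchia", {s.name: s for s in [
        State("notified", default_next="suspended", default_delay=timedelta(days=2)),
        State("suspended", suspend=True),
        State("cleaned", default_next="closed", default_delay=timedelta(days=1)),
        State("closed"),
    ]})


# Constructed stand-in for the NetReg/NetMon/LDAP backends, keyed by IP address.
SAMPLE_DIRECTORY = {
    "128.2.1.10": [Actor("netreg", "host-a", primary=True), Actor("dhcp", "lease-1"), Actor("user", "guid-a")],
    "128.2.1.11": [Actor("netreg", "host-b", primary=True), Actor("dhcp", "lease-2"), Actor("user", "guid-b")],
}


def lookup(host):
    """Snapshot the actors for a host; fresh copies so incidents never share Actor objects."""
    return [Actor(a.kind, a.ident, a.primary) for a in SAMPLE_DIRECTORY[host]]


def demo():
    t0 = datetime(2004, 3, 25, 9, 0)
    nn = NetNotify()
    incs = nn.create_incidents(welchia_category(), "notified", t0, list(SAMPLE_DIRECTORY), lookup, t0)
    early = nn.run_scheduler(t0 + timedelta(days=1))   # nothing is due yet
    late = nn.run_scheduler(t0 + timedelta(days=2))    # both incidents move to 'suspended'
    nn.change_state(incs[0], "cleaned", t0 + timedelta(days=3), who="user")
    return nn, incs, early, late, t0


if __name__ == "__main__":
    _, incidents, _, _, _ = demo()
    for inc in incidents:
        print(f"incident {inc.id}: state={inc.state} next={inc.next_state}")
        print("\n".join("  " + line for line in inc.log))
```

Running `demo()` walks two constructed incidents through the lifecycle: the scheduler pass one day in does nothing, the pass two days in suspends both primary NetReg actors (the DHCP and user actors are only context and are never touched), and the user-driven move to "cleaned" releases one host and schedules its automatic close a day later.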
Screenshots
- Add Incident: The form for adding new incidents. Multiple machines/IPs can be specified in the Actor
  Lookup box. The notes fields are used to specify additional data that can be included in outgoing
  mail; their use is category-dependent.
- Simple Search: The simple search page, enabling quick access by incident number or a simple query by
  the common actor data fields.
- Advanced Search: The more extensive search page, enabling complex queries, sorting, and grouping. This
  page is also the interface for saving queries for repeated execution.
- Category Information: The category information page provides an overview of the states within the
  category, and the transitions among states.
- Category State Editing: This page allows the specification of default transition information for a
  category state. If specified, this provides the default "next state" for incidents entering the state
  being edited.
- Category State Transition Message: For each state transition, a message can optionally be specified.
  Outgoing mail messages are sent as email, while User Messages are presented to users with incidents
  in the "from" state, enabling them to move the incident into the "to" state. This is done to enable
  feedback indicating a machine has been cleaned up, for example.
- Incident View (Top): The top part of an incident data screen. Basic incident information is provided,
  including the current and next state of the incident. The state change box enables administrators to
  move the incident to a new state. Actors relevant to the incident are presented; the red actor is a
  primary actor. User actors would also be displayed, but are not shown here.
- Incident View (Bottom): The bottom part of the incident data screen shows the responses executed by
  the system for this incident, a place to set incident variables (such as the note fields from the add
  incident page), and a full incident log. Each operation taken on the incident is recorded as a log
  entry. The responses are scheduled and executed by a backend process, which sets the Status to
  'complete' once executed. The 'Resource' and 'Res ID' fields indicate the exact type of response. For
  example, 'ip-filter' is an actual filter applied to the first-hop router.
- Incident Response - Mail: Clicking on the "Full Information" link in the Response section opens a
  window containing more information, including the scheduling and completion times. In the case of
  outgoing mail it contains a copy of the actual message sent.
- User Actor - LDAP Lookup: User actors are linked to particular LDAP guids, and there is a basic
  interface for viewing the real-time LDAP data for the guid.
Availability
Version 0.1 Released March 25, 2004: Epidemic is now available for download.
Users of NetReg will be the most likely people that could make immediate use of the system.
However, the actor modules are fairly independent; hence different actor types for local
systems could be easily added.