This page describes how a **Starlight** Network sensor can be installed within a VM using KVM.

Prerequisite

The target system will be an Ubuntu or CentOS system with at least the following resources available for a guest VM.

  • 4 CPU Cores.
  • 8 Gbytes of RAM.
  • 64 Gbytes of file system storage.
  • DPDK-capable Ethernet Port(s) are recommended.

Before installing any software, verify that the system has the required VM capabilities. This can be done from the command line. For Intel-based systems use the command:

cat /proc/cpuinfo | grep vmx

If no lines are listed then VM hardware support is not available. It may need to be enabled in the system BIOS.

For AMD CPU-based systems use:

cat /proc/cpuinfo | grep svm

One line will be listed for each secure-VM core available.  If no lines are listed then VM hardware support must be enabled in the system BIOS.

Warning: if VM capability is not reported by these commands, do not proceed until the condition is remedied.
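
The prerequisite checks above can be gathered into one preflight script. This is an added example, not part of the original page or the vendor's tooling; the function names, the use of MemAvailable as the RAM measure, and the default image directory /var/lib/libvirt/images are assumptions.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the prerequisites listed on this page.
# Thresholds are the page's minimums; the image directory is an assumption.
MIN_CORES=4
MIN_MEM_KB=$((8 * 1024 * 1024))     # 8 Gbytes of RAM
MIN_DISK_KB=$((64 * 1024 * 1024))   # 64 Gbytes of storage

# Logical CPU count from a cpuinfo-format file.
cpu_count() { awk '/^processor/ {n++} END {print n+0}' "$1"; }

# Hardware virtualization flag: "vmx" (Intel), "svm" (AMD) or "none".
virt_flag() {
    local f
    f=$(grep -m1 '^flags' "$1" 2>/dev/null | grep -owE 'vmx|svm' | head -n1)
    echo "${f:-none}"
}

# MemAvailable in kB from a meminfo-format file.
mem_avail_kb() { awk '/^MemAvailable:/ {print $2}' "$1"; }

# Free kB on the filesystem that holds directory $1.
disk_free_kb() { df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'; }

# evaluate CORES FLAG MEM_KB DISK_KB: print each failed check and
# return the number of failures (0 means the host qualifies).
evaluate() {
    local fails=0
    [ "$1" -ge "$MIN_CORES" ]   || { echo "FAIL: $1 CPU cores, need $MIN_CORES"; fails=$((fails + 1)); }
    [ "$2" != "none" ]          || { echo "FAIL: no vmx/svm flag; check the BIOS setting"; fails=$((fails + 1)); }
    [ "$3" -ge "$MIN_MEM_KB" ]  || { echo "FAIL: $3 kB RAM available, need $MIN_MEM_KB"; fails=$((fails + 1)); }
    [ "$4" -ge "$MIN_DISK_KB" ] || { echo "FAIL: $4 kB free disk, need $MIN_DISK_KB"; fails=$((fails + 1)); }
    return "$fails"
}

# preflight CPUINFO MEMINFO IMAGE_DIR: gather the values and evaluate them.
preflight() {
    local cores flag mem disk
    cores=$(cpu_count "$1"); flag=$(virt_flag "$1")
    mem=$(mem_avail_kb "$2"); disk=$(disk_free_kb "$3")
    evaluate "${cores:-0}" "$flag" "${mem:-0}" "${disk:-0}"
}

# Check the live host; IMAGE_DIR may be set to the intended --installdir.
preflight /proc/cpuinfo /proc/meminfo "${IMAGE_DIR:-/var/lib/libvirt/images}" \
    && echo "OK: host meets the prerequisites" \
    || echo "Do not proceed until the failures above are remedied."
```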

The system will require KVM, its supporting tools, and the Linux bridge tools to be installed. On Debian/Ubuntu these can be installed as follows:

apt-get install -y net-tools qemu-utils qemu-kvm virt-manager libvirt-bin virtinst virt-viewer bridge-utils

For CentOS the following command may be used:

yum install net-tools qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils

systemctl start libvirtd

systemctl enable libvirtd

Installation Steps: Bridge Mode

Create Bridge

This process will create a Linux bridge named `br-aio` to be used by the Network Sensor.  The installation script is designed to take an existing, configured port and transfer its settings (IP address) to the bridge interface.   The VM itself will require a new IP address in the same sub-net.

To obtain a helper script that will perform this step the following `curl` command may be used.

curl -k -u CREDENTIALS https://acps.stellarcyber.ai/release/3.2.0/dataprocessor/create_bridge.sh -o create_bridge.sh

The script is executed as follows.  In this example the host port eno1 is used.   Substitute the correct interface name when used.

bash create_bridge.sh eno1

Note: Because this script reconfigures the network, any connection that uses the network port may become non-responsive for some period of time. This includes the shell session that is executing this procedure if the user is using SSH via the named port. The script will ask for confirmation that this is acceptable.

Install Sensor VM

To obtain the installation script use the following curl command:

curl -k -u CREDENTIALS -o virt_deploy_device_ds.sh https://acps.stellarcyber.ai/release/3.2.0/datasensor/virt_deploy_device_ds.sh
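
Both helper scripts are fetched with `curl -k`, which skips TLS certificate verification, and the sensor installer is then run under sudo, so one way to make sure every host runs the copy that was reviewed is to pin its SHA-256 digest. This is an added example, not vendor code; the pin file name `pins.sha256` and the function names are assumptions, and the digest is one the operator records after reviewing the script, since this page publishes none.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): run a downloaded script only when it
# matches a SHA-256 digest recorded after review.
# PINFILE holds sha256sum's "<hex>  <name>" lines; its name is an assumption.
# Record pins once, after reading the scripts:
#   sha256sum create_bridge.sh virt_deploy_device_ds.sh > pins.sha256

# verify_pinned FILE PINFILE
#   returns 0 on match, 1 on mismatch, 2 when FILE has no recorded pin.
verify_pinned() {
    local name want have
    name=$(basename "$1")
    # Accept both text-mode ("name") and binary-mode ("*name") entries.
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$2" 2>/dev/null)
    if [ -z "$want" ]; then
        echo "no pin recorded for $name" >&2
        return 2
    fi
    have=$(sha256sum "$1" | awk '{print $1}')
    if [ "$have" != "$want" ]; then
        echo "digest mismatch for $name: refusing to run" >&2
        return 1
    fi
}

# run_pinned FILE PINFILE [ARGS...]: verify first, then execute as root.
run_pinned() {
    local file=$1 pins=$2
    shift 2
    verify_pinned "$file" "$pins" || return
    sudo bash "$file" "$@"
}

# When given arguments, behave as a wrapper, e.g.:
#   bash run_pinned.sh virt_deploy_device_ds.sh pins.sha256 -- --hostname=ds1 ...
if [ "$#" -ge 2 ]; then run_pinned "$@"; fi
```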

To complete the installation where the Sensor will obtain its management IP address from a DHCP server use the command as follows.   Substitute the desired value in place of ds1 for the hostname.

sudo bash virt_deploy_device_ds.sh -- --hostname=ds1 --release=3.2.0 --span=eno2 --feature=nds

Alternatively if a static IP address is to be used the following command format can be used.

sudo bash virt_deploy_device_ds.sh -- --hostname=ds1 --release=3.2.0 --bridge=br0-aio|<bridgename> [--ip=192.168.1.223] [--netmask=<netmask>] [--gw=192.168.1.1] [--dns=8.8.8.8] [--dns-search=example.com] [--installdir=<imagedir>] [--span=eno2]  --feature=nds

The command parameters can be supplied as follows.
Note the presence of the `--` string in the first parameter position. This is required by the script.

  • --feature is currently required to be set to the fixed string nds.
  • --hostname specifies the name of the host. The VM name and the name of the sensor within Starlight will both be set to this value.
  • --release is the version number of the software to download. Currently this is required to be set to the value 3.2.0.
  • --bridge names the bridge to use for the management interface. This will be the same bridge that was created in the step above.
  • --ip provides the static IPv4 address.
  • --netmask must be set to the net mask of the form 255.255.255.0.
  • --gateway specifies the IP address of the gateway.
  • --dns specifies the IP addresses of the DNS servers to use.
  • --dns-search provides the default domain name for DNS searches.
  • --installdir This optional parameter specifies what directory will be used for the VM image installation.
  • --span This parameter provides a list of host Ethernet ports to be included in the aio-span bridge.

When the script is executed it will download and install the VM, and create a Linux bridge named aio-span. The ports in the --span parameter will be added.

Sensor Configuration

Once the Sensor’s VM is up and running it needs to be configured.   This may be done by either SSH or via the VM’s console.

To access the VM console the following command may be used:

sudo virsh console ds1

where the string ds1 is replaced by the actual host name used in the --hostname parameter in the prior steps. This will initiate a console session on the current terminal. The session may be terminated with Ctrl-].

Alternatively, if the IP address of the sensor is known, an ssh session can be initiated with a command such as

ssh aella@192.168.1.223

where the IP address is replaced with the correct IP address.

The default login credentials are username aella with a password of changeme. On the first login the sensor will require a change of password.

Once logged in, the IP address of the data processor (CM) must be entered with the following command:

set cm Express.StellarCyber.ai

where the address is replaced with either the IP address of the DP or its DNS name.

The status of the sensor can be verified with the command:

show version

Congratulations!

Please email us at express@stellarcyber.ai to get the credentials for the portal.