Introduction
NETALERT Overview
NETALERT is an advanced NDR (Network Detection and Response) to monitor, analyze and respond to network threats in real-time. In the current context, where cyber attacks are becoming increasingly sophisticated and frequent, its deployment becomes critical. The solution passively captures network traffic via a TAP device, with support for span prot in VMware/physical environments.
NETALERT focuses on identifying a range of threats and sensitive points using static analysis and artificial intelligence/machine learning techniques. These include:
- DDoS attacks
- Connections to TOR endpoints
- Failed DNS requests
- Heartbleed exploits
- Connections with invalid SSL certificates
- Brute-force attack
- Port and address scans
- Dynamic DNS
- Crypto-mining activities
- Connections with indicators of compromise (IOC)
- Behaviour specific to APT attacks (Advanced Persistent Threats) attacks with detection at detection
- Detection of transferred file types, including.exe and other file types
- Lateral network movement of malware
- Abnormal network connections
- Abnormal device behaviour
- DNS anomalies
- SMTP traffic monitoring
- Machine learning specific anomalies and alerts
- IDS rule type alerting (Suricata/Snort compatible ruletypes)
How NETALERT works
- Passively captures network traffic so as not to impact the monitored environment.
- groups several packets into connections to be sent to the ML engine for analysis (for TCP)
- calculates connections statistics (Packet loss, connection size, etc.)
-
checks for match on the static analysis rules (including ids rules)
-
Collects flow exported from third-party devices from one or more sites which are in different VLANs.
- Scans the traffic obtained, using static flow analysis and artificial intelligence/machine learning.
- Alerting the system who generates real-time alerts when it detects abnormal behaviour/anomalies in network traffic, connections to network area with possible suspicious activity
- Network traffic recording up to 32 KB in PCAP format.
- Decode binary protocols such as DNS, SMTP and HTTP for specific analysis.
- Send alerts to third-party systems, such as SIEM (Security Information and Event Management) solutions, for centralised analysis and management of generated security alerts.
- Traffic processing is not limited by the number of analyzed devices or the number of events per second but rather by the hardware resources allocated to the solution.
- Traffic capture, analysis and alert generation are performed exclusively on-premises, without data transmission to external systems.
Machine Learning
NETALERT uses several ML models for anomaly detection. Each anomalous alert is generated by an ensamble of ML models and the final "confidence" level on the accuracy of detection is being calculated out of each detection model score. ML parameters can be tuned in the product in order to minimize false positives and increase accuracy.
Architecture
NETALERT composes is composed out of several components which can reside on a single physical/virtual machine or in a distributed architecture.
The composability is achieved by using the docker-compose.yml configuration file on one and/or multiple hosts.
A sample is provided:
networks:
sharedNet:
volumes:
mltraffic:
external: true
mldns:
external: true
mlsmtp:
external: true
opensearch-data:
external: true
confMySQL2:
external: true
dataRabbitMQ:
external: true
netalertData:
external: true
netalertCache:
external: true
aptFiles:
external: true
syslogFiles:
external: true
services:
#machine learning
mldns:
image: "${DOCKER_REGISTRY}/${MLDNS_IMAGE}:${MLDNS_TAG}"
restart: always
container_name: mldns
depends_on:
rabbitmq:
condition: service_healthy
opensearch-node:
condition: service_healthy
WebServer:
condition: service_healthy
networks:
- sharedNet
environment:
TZ: ${TimeZone}
OPENSEARCH_HOST: opensearch-node
OPENSEARCH_PORT: 9200
OPENSEARCH_USER: *****
OPENSEARCH_PASS: *****
RABBIT_MQ_USER: rmqcquser
RABBIT_MQ_PASS: *****
RABBIT_MQ_HOST: rabbitmq
TRAINING_INTERVAL_IN_MINUTES: 5
REST_API_URL: https://WebServer:443/apiv2
REST_API_MAC_PATH: /postMacAddressesGet
OPENBLAS_NUM_THREADS: 1
volumes:
- mldns:/usr/local/lib/python3.10/site-packages/netalert-app-static/results
- /var/log/netalert/ml/mldns:/usr/local/lib/python3.10/site-packages/netalert-app-static/logs
mlsmtp:
image: "${DOCKER_REGISTRY}/${MLSMTP_IMAGE}:${MLSMTP_TAG}"
restart: always
container_name: mlsmtp
networks:
- sharedNet
depends_on:
rabbitmq:
condition: service_healthy
opensearch-node:
condition: service_healthy
WebServer:
condition: service_healthy
environment:
TZ: ${TimeZone}
OPENSEARCH_HOST: opensearch-node
OPENSEARCH_PORT: 9200
OPENSEARCH_USER: *****
OPENSEARCH_PASS: *****
RABBIT_MQ_USER: rmqcquser
RABBIT_MQ_PASS: *****
RABBIT_MQ_HOST: rabbitmq
TRAINING_INTERVAL_IN_MINUTES: 5
REST_API_URL: https://WebServer:443/apiv2
REST_API_MAC_PATH: /postMacAddressesGet
OPENBLAS_NUM_THREADS: 1
volumes:
- mlsmtp:/usr/local/lib/python3.10/site-packages/netalert-app-static/results
- /var/log/netalert/ml/mlsmtp:/usr/local/lib/python3.10/site-packages/netalert-app-static/logs
mltraffic:
image: "${DOCKER_REGISTRY}/${MLTRAFFIC_IMAGE}:${MLTRAFFIC_TAG}"
restart: always
init: true
container_name: mltraffic
ipc: host
ulimits:
memlock:
soft: -1
hard: -1
stack:
soft: 67108864
hard: 67108864
shm_size: 1g
networks:
- sharedNet
depends_on:
rabbitmq:
condition: service_healthy
opensearch-node:
condition: service_healthy
WebServer:
condition: service_healthy
environment:
TZ: ${TimeZone}
OPENSEARCH_HOST: opensearch-node
OPENSEARCH_PORT: 9200
OPENSEARCH_USER: *****
OPENSEARCH_PASS: *****
RABBIT_MQ_USER: rmqcquser
RABBIT_MQ_PASS: *****
RABBIT_MQ_HOST: rabbitmq
TRAINING_INTERVAL_IN_MINUTES: 5
REST_API_URL: https://WebServer:443/apiv2
REST_API_MAC_PATH: /postMacAddressesGet
OPENBLAS_NUM_THREADS: 1
MAX_DOC_COUNT: 500000 # impacts heavily memory usage, 1M ~ 50G RAM
volumes:
- mltraffic:/usr/local/lib/python3.10/site-packages/netalert-app-ml/results
- /var/log/netalert/ml/mltraffic:/usr/local/lib/python3.10/site-packages/netalert-app-ml/logs
deploy:
resources:
limits:
memory: 30G
reservations:
memory: 20G
#capture
datasense:
# image: harbor.cyberquest.cloud/cyberquest/app_collect_ubuntu_22.04:latest
image: "${DOCKER_REGISTRY}/${DATASENSE_IMAGE}:${DATASENSE_TAG}"
network_mode: "host"
privileged: true
cap_add:
- IPC_LOCK
environment:
- TZ=${TimeZone}
- TZ="Europe/Bucharest"
- AgentGUID=AE3138CA-6A56-BF94-0199-59C690476360
- ElasticSearchHost=http://127.0.0.1
- ElasticSearchPassword=*****
- ElasticSearchPort=9200
- ElasticSearchUserName=*****
- toProcessThreads=25
- trafficCaptureThreads=50
# networkFlow setup
- netflowIP=0.0.0.0
- netflowPort=2055
- jflowIP=0.0.0.0
- jflowPort=2056
- sFlowIP=0.0.0.0
- sFlowPort=6343
#interface setup
- InterfaceName=eno3,eno4
- VLANS=eno3:VlanID1,eno4:VlanID2
- Location=DefaultLocation
- processingThread=25
- MasterServerAddress=https://127.0.0.1
- RabbitMQHost=127.0.0.1
- RabbitMQPassword=*****
- RabbitMQPort=5672
- RabbitMQUserName=rmqcquser
- cacheListPath=/data/netAlert/cacheListPath
- purgeDataInterval=10
- userName=superadmin
- geoDB_path=/release/datapack/bin/GeoIP.mmdb
restart: always
depends_on:
rabbitmq:
condition: service_healthy
opensearch-node:
condition: service_healthy
WebServer:
condition: service_healthy
volumes:
# - /lib/x86_64-linux-gnu/libdbus-1.so.3:/lib/x86_64-linux-gnu/libdbus-1.so.3:rw
- /dev/hugepages:/dev/hugepages:rw
- netalertData:/data/netAlertPath/:rw
- netalertCache:/data/netAlert/:rw
#- /etc/pf_ring/#######:/etc/pf_ring/##########:ro zc license
apt-scanner:
image: "${DOCKER_REGISTRY}/${APT_SCANNER_IMAGE}:${APT_SCANNER_TAG}"
restart: always
container_name: apt-scanner
networks:
- sharedNet
environment:
TZ: ${TimeZone}
OPENSEARCH_HOST: opensearch-node
MYSQL_HOST: mariadb
MYSQL_USER: mariadbcquser
MYSQL_PASSWORD: *****
OPENSEARCH_PORT: 9200
OPENSEARCH_USER: cq
OPENSEARCH_PASS: *****
depends_on:
rabbitmq:
condition: service_healthy
opensearch-node:
condition: service_healthy
WebServer:
condition: service_healthy
volumes:
- aptFiles:/usr/src/app/files
syslog-forward:
image: "${DOCKER_REGISTRY}/${SYSLOG_FORWARDER_IMAGE}:${SYSLOG_FORWARDER_TAG}"
restart: always
container_name: syslog-forward
networks:
- sharedNet
depends_on:
rabbitmq:
condition: service_healthy
opensearch-node:
condition: service_healthy
WebServer:
condition: service_healthy
environment:
TZ: ${TimeZone}
SETTINGS_URL: "https://WebServer/apiv2/getForwardingExternal"
OPENSEARCH_HOST: "opensearch-node"
OPENSEARCH_PORT: 9200
OPENSEARCH_USER: *****
OPENSEARCH_PASS: *****
MAIL_URL: "https://WebServer/apiv2/postSendAlertsToMail"
REQUEST_TTL: 60
volumes:
- syslogFiles:/usr/src/app/files
WebServer:
image: "${DOCKER_REGISTRY}/${WEB_APPLICATION_IMAGE}:${WEB_APPLICATION_TAG}"
ports:
- "443:443"
# volumes:
# - ./backend:/opt/netalert/web
# - ./docker/etc/nginx/sites-enabled/cq.conf:/etc/nginx/sites-enabled/site.conf
# - ./docker/etc/ssl/certs/myssl.crt:/etc/ssl/certs/myssl.crt
# - ./docker/etc/ssl/private/myssl.key:/etc/ssl/private/myssl.key
healthcheck:
test: [ "CMD-SHELL", "curl -k -f -s https://localhost/|| exit 1" ]
interval: 30s
timeout: 30s
retries: 130
networks:
- sharedNet
restart: always
depends_on:
mariadb:
condition: service_healthy
rabbitmq:
condition: service_healthy
opensearch-node:
condition: service_healthy
# WebServer:
# condition: service_healthy
environment:
TZ: ${TimeZone}
MYSQL_USER: mariadbcquser
MYSQL_PASSWORD: *****
MYSQL_HOST: mariadb
ELASTIC_HOST: opensearch-node
ELASTIC_PORT: 9200
ELASTIC_USER: *****
ELASTIC_PASS: *****
#default services
opensearch-node:
image: "${OPENSEARCH_IMAGE}:${OPENSEARCH_TAG}"
container_name: opensearch-node
restart: always
environment:
- TZ=${TimeZone}
- cluster.name=opensearch-cluster
# - discovery.type=single-node
- node.name=opensearch-node
- discovery.seed_hosts=opensearch-node
- cluster.initial_master_nodes=opensearch-node
- plugins.security.ssl.http.enabled=false
- "http.cors.enabled=true"
- "http.cors.allow-origin=\"*\""
- bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
- "OPENSEARCH_JAVA_OPTS=${_OPENSEARCH_JAVA_OPTS}" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
- "http.cors.allow-credentials=true"
- "http.cors.allow-headers=X-Requested-With, X-Auth-Token, Content-Type, Content-Length, Authorization, Access-Control-Allow-Headers, Accept"
# - "http.cors.allow-methods=OPTIONS, HEAD, GET, POST, PUT, DELETE"
healthcheck:
test: [ "CMD-SHELL", "curl -k -f -s http://localhost:9200/_cat/health|| exit 1" ]
interval: 30s
timeout: 30s
retries: 5
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
hard: 65536
volumes:
- opensearch-data:/usr/share/opensearch/data
- ./opensearch/internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml:rw
ports:
- 9200:9200
- 9602:9600 # required for Performance Analyzer
networks:
- sharedNet
cerebro:
# image: lmenezes/cerebro:0.9.4
image: "${CEREBRO_IMAGE}:${CEREBRO_TAG}"
#network_mode: "host"
networks:
- sharedNet
restart: always
container_name: cerebro
command:
- -Dplay.ws.ssl.loose.acceptAnyCertificate=true
environment:
- TZ=${TimeZone}
- CEREBRO_PORT=9000
ports:
- "9000:9000" # HTTP API
rabbitmq:
image: "${RABBITMQ_IMAGE}:${RABBITMQ_TAG}"
networks:
- sharedNet
restart: always
container_name: 'rabbitmq'
environment:
- TZ=${TimeZone}
- RABBITMQ_ERLANG_COOKIE=XCMMWKERXFOHHKRWOBMN
ports:
- "15672:15672" # HTTPS API
- "5672:5672" # SSL AMQP
healthcheck:
test: [ "CMD", "rabbitmq-diagnostics" ,"-q", "ping" ]
timeout: 30s
retries: 130
volumes:
- dataRabbitMQ:/var/lib/rabbitmq/:rw
- ./rabbitmq/definitions.json:/opt/definitions.json:ro
- ./rabbitmq/rabbitmq.config:/etc/rabbitmq/rabbitmq.config:ro
mariadb:
# image: mariadb:10.5.21
image: "${MARIADB_IMAGE}:${MARIADB_TAG}"
#network_mode: "host"
networks:
- sharedNet
restart: always
#command: mariadbd --sql_mode="IGNORE_SPACE,NO_ENGINE_SUBSTITUTION"
volumes:
- ./sql/:/sql/
- confMySQL2:/var/lib/mysql/:rw
- ./sql:/docker-entrypoint-initdb.d/
ports:
- 3306:3306
environment:
TZ: ${TimeZone}
MYSQL_ROOT_PASSWORD: *****
MYSQL_USER: mariadbcquser
MYSQL_PASSWORD: *****
MYSQL_DATABASE: netalert
healthcheck:
test: [ "CMD-SHELL", "mariadb --execute=\"select * from netalert.permissions limit 0;\"|| exit 1" ]
timeout: 30s
retries: 130
Distributed architecture is achieved by having multiple nodes splitting the services and or growing the opensearch cluster. All low-level settings are done in the compose file.
The sample provided contains the following services:
| mldns | In in charge of Machine Learning detections of anomalous DNS traffic (the sample contains the GPU implementation which is suitable JUST for applicances which contains Nvidia GPUs) |
| mlsmtp | In in charge of Machine Learning detections of anomalous SMTP traffic (the sample contains the GPU implementation which is suitable JUST for applicances which contains Nvidia GPUs) |
| mltraffic | In in charge of machine learning detections of general network traffic (the sample contains the GPU implementation which is suitable JUST for applicances which contains Nvidia GPUs) |
| datasense | Performs data-collection from the network card. It needs a supported virtual/physical NIC |
| apt-scanner | Performs alerting for apt alerts |
| WebServer | Contains the web interface of the solution |
| opensearch-node | Contains the opensearch master-node. Additional nodes can be added on the same VM/phisical mashine or other VMs |
| rabbitmq | Message Queuing |
| mariadb | Server for storing configurations |
| syslog-forward | Syslog forwarding components |
Their settings are self explanatory and can be configured in the docker-compose file.
For bringing the system up, the command is issued in the folder where the docker-compose file resides.
docker compose up -d
Minimum system requirements
Server minimum system requirements
NETALERT is a Virtual/Physical appliance but can be installed as a physical appliance as well.
In order to install NETALERT physical or virtual machines must be provided. NETALERT resides on a Linux Ubuntu 20.04 LTS. instance.
-
For all NETALERT residing virtual machines resources must be reserved (CPU cores and RAM).
-
For NETALERT best performance 6th gen Intel CPU’s or equivalent must be provided with NVIDIA GPUs (at least 1) or vGPUs
In case there are no GPUs available on the system, Machine Learning retraining will take longer and will be done on the CPUs provided to the appliance. By default, the ML will use ALL GPUs available on the system.
Minimum recommended are:
| NETALERT | Minimum RAM recommended | Minimum Storage Recommended - GB (for data only) | Average events (traffic) /seconds analyzed |
|---|---|---|---|
| 1Gbps | 128* | 2048** | 32.000 |
| 5Gbps | 128* | 4096** | 32.000 |
| 10Gbps | 128* | 8192** | 32.000 |
*This is the minimum recommended RAM to be granted to virtual machines hosting NETALERT instances. As the solutions may scale, higher RAM capacity must be allocated. For such situations, a certified NETALERT technician must be consulted.
**This is the minimum recommended storage capacity – for data only. The retention period (data availability for hot searches and PCAP data archive) is directly proportional with the storage capacity. For situations where online and offline data must cover longer periods, a certified NETALERT technician must be consulted in order to provide requirements for storage capacity. Additionaly OpenSearch nodes can scale the solution to the desired data retention requirements
Hardware configuration
The NETALERT solution can be configured to analyze large volumes of traffic. The distribution of resources depends on the available hardware configuration, as detailed in the table below:
| Processing CPU Cores | RAM Memory | Average events (traffic) /seconds analyzed |
|---|---|---|
| 64 | 128 | 16 000 |
| 128 | 128 | 32 000 |
| 256 | 128 | 64 000 |
User(client) web application minimum system requirements:
- Web Browsers: Firefox (86+), Chrome (83+)
- Resolution: Full HD Display (1980x1080)
Network card support
Internally, NETALERT uses the PF_RING technology (https://www.ntop.org/guides/pf_ring/vanilla.html) for packet capture. Installation is supported on all platforms (bare-metal / virtual), but we recommend using a Zero-Copy supported network card (https://www.ntop.org/guides/pf_ring/zc.html):
We recommend using a dedicated network card (physical, virtual or pass through device) with a chipset which has a ZC driver already included: These include Intel based NICs, Mellanox. Please consult the following : https://www.ntop.org/guides/pf_ring/vm/virsh_hostdev.html (for pass through devices) https://www.ntop.org/guides/pf_ring/modules/index.html (list of supported nics)
In a typical VMWare environment, the recommended NIC is e1000e which is supported and has gigabit support.
Supported virtual enviroments
VMware is supported for installation/deployment. Upon installation / deployment The capture network card should be e1000e.
KVM is supported for installation. NextGen does not provide a dedicated image for KVM but the manual installation is supported when using a supported NIC pass-through device.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/virtualization_administration_guide/chap-guest_virtual_machine_device_configuration
Hyper-V is supported for installation. NextGen does not provide a dedicated image for Hyper-V but the manual installation is supported when using a supported NIC pass-through device.
Installation for VMware
Prior installation system requirements
In order to configure the virtual machine, the following requirements must be met first:
- ESXi 6.0 or later (VM version 11);
- 128 CPU cores;
- minimum 128 RAM (256 GB recommended);
- DISK1: 100 GB;
- DISK2: minimum 2 TB (4 TB recommended, but not exceeding 6 TB).+;
- Optional but recommended vGPUs;
Installing NETALERT
A. OVA Deployment
The OVA file contains 2 NICs:
- One is used for management/web access
- the second NIC is used for passive traffic capture
Hence, the second NIC must be connected to a Virtual Switch which ALLOWS Promiscuous mode
At the virtual switch level, promiscuous mode must be enabled:
For deploying the NETALERT virtual machine (OVA file), follow these steps:
- Connect to vCenter (or ESXi Hypervisor). Open vSphere Client or the web interface. Fill in the username and password credentials.
- Right click on Virtual Machines and select Create/Register VM
- In this window, select Deploy a virtual machine from an OVF or OVA file and click on Next
- Choose a name for the virtual machine ("NETALERT" in this example), and click on Click to select files or drag/drop to select files for NETALERT server deployment.
- In the new window, locate the NETALERT virtual machine, select the files and click Open > Next.
- Choose the storage where to import the virtual machine on and click Next.
- Select the network and VLAN and check the box for Thin in Disk provisioning, then click Next.
- Review the previously selected parameters, click Finish and wait for the import of NETALERT virtual machine to be complete.
- To Power on the NETALERT virtual machine from the vSphere client (or from the web interface) by clicking on the Power on button in the top menu.
- To open the console, press right click on the virtual machine, press click on Console > Launch remote console. You can also use the Console menu button.
- To open the console, press right click on the virtual machine, press click on Console > Launch remote console. You can also use the Console menu button.
- Connect using the username “root” and password “toor1”.
- Open the vSphere Client, locate the NETALERT virtual machine on the left side tree, right click on NETALERT virtual machine, select Power and click on Power Off.
Configure Application
Navigate to **Administration ** in order to set-up various aspect of NetAlert operations. Low Level configs must be done at docker-compose level.
Proxmox Installation
Log in to the Proxmox Web Interface
Log in to the Proxmox Web Interface: Use the credentials set during installation.
Create a New VM
-
Click on "Create VM" in the top right corner.
-
Enter a VM ID and name.
- Choose the storage location for the ISO image, then select that image as the VM's installation media.
- Configure the "System" settings (BIOS, SCSI Controller, etc.).
- Configure three disk partitions as part of the virtual machine setup:
The recommended setup is:
- scsi0 - 10 GB (used for the Operating System installation)
- scsi1 - 2048 GB (used for data storage)
- scsi2 - 32 GB (used for storing Docker containers)
- Configure CPU and memory resources based on the deployment requirements.
A minimum of 64 CPU cores is recommended for optimal performance.
- A minimum of 131072 MiB (128GB) of memory is recommended for stable performance.
- Configure the network settings, including bridge, MAC address, model, and VLAN (if applicable).
- Review all configurations and confirm the settings before proceeding with the deployment.
CYBERQUEST OS Installation
Start the newly created virtual machine, choose Live System, and proceed with the CYBERQUEST OS installation process.
Step 1: Select the appropriate region and city to configure the system's locale and time zone.
- Step 2: Select the target disk where the CYBERQUEST OS will be installed.
-
Step 3: Select the disk that will be used for data storage. Make sure to choose the disk with a 2TB capacity.
-
Step 4: Select the disk that will be used to store Docker containers and related data.
- Step 5 (Optional): Configure the Network Time Protocol (NTP) server to maintain accurate and synchronized system time.
- Step 6: Specify the system administrator’s username and set a strong password to secure access to the system.
- Step 7: Configure the Management Network using one of the following two methods:
The first method uses DHCP to automatically assign network settings to the system.
The second method involves manually configuring the IP address, netmask, gateway, and DNS server settings.
- Click Finish to continue and follow the installation prompts.
- Scroll down to proceed with the installation. After completion, press any key to restart the machine.
After the restart, remove the installation CD from the VM. Then, in Proxmox, go to Options > Boot Order and verify that the partition where the OS was installed (e.g., scsi0) is set as the first boot device.
Once the operating system has booted, log in using the credentials set during the installation process.
Network Configuration for NETALERT Deployment
Add a network interface that will be used for traffic monitoring.
1: Go to Hardware > Network > Add > Network Device
2: Configure the following settings:
- Bridge: Select the appropriate bridge (e.g.,
vmbr1, depending on your setup)
Note:
- Multiqueue: Set this to match the number of vCPU cores assigned to the VM (e.g.,
4for 4 cores). - A value greater than 1 is recommended for improved performance.
3.Open a terminal and run the following commands to configure the previously created net1 interface:
cd /etc/netplan/
sudo nano def.yaml
4.Add the net1 interface to the def.yaml configuration file:
network:
version: 2
ethernets:
ens18:
addresses:
- 192.168.2xx.xxx/24 #Static IP for ens18
ens19:
addresses:
- 192.168.2xx.xxx/24 #Static IP for ens19
gateway4: 192.168.2xx.1 #Shared gateway for the network
nameservers:
addresses:
- 8.8.8.8
sudo netplan apply
4.Verify that the new network interface has the correct IP address:
ip a
NETALERT OneClick – Installation
The NETALERT OneClick Installation provides a fast and streamlined way to deploy NETALERT on both Proxmox and VMware environments. Designed to simplify the installation process, OneClick automates the setup of all essential components and configurations, eliminating the need for manual steps.
With a single command, users can initiate the full deployment process, significantly reducing setup time and minimizing the risk of configuration errors. An active internet connection is required during installation, as the script pulls the latest packages and dependencies.
One-Click Install has been tested and validated on the following operating systems:
- Debian 12
- RedHat 9.4
- Ubuntu 24.04 LTS
Whether setting up in a production environment, the OneClick installer ensures a consistent and reliable deployment experience.
mkdir netalert-deployment && cd netalert-deployment && curl -O https://download.cyberquest.cloud/install_netalert_for_CQOS_sfx.sh && sudo bash ./install_netalert_for_CQOS_sfx.sh
docker compose pull
Open the .env file to update the interface configuration:
sudo nano .env
Locate the following line:
DatasSense_InterfaceName=any
Replace any with the name of the monitored network interface (e.g., ens19).
Start the containers using Docker Compose:
docker compose up -d