A Privacy Friendly Framework for Multi-Domain Threat Analysis

What is NfQuery?

NfQuery is an NfSen-based framework for multi-domain environments. It uses NetFlow data to analyse threats and makes better use of data that is already available from various sources, such as on-line repositories and the local security tools of each domain (honeypots, IDS, etc.). The framework was developed to integrate various threat detection methods and to automate the exchange of threat information across a multi-domain environment. A central server coordinates the information sharing and the integration of the detection methods, while the plug-in running in each domain is the administrators' interface to the system for their analysis and information exchange. The main design criterion behind NfQuery is to ease the privacy concerns of each participating domain. This is achieved by keeping the NetFlow data of a domain local: only the queries to be applied to the flow data are distributed via the server, and only statistics on the results of these queries are sent back (the statistics are optional, but they are crucial for the system).


NfQuery has been developed under JRA2.T4 of the GN3 project. The NfQuery release to be delivered at the end of the GN3 project (March 2013) will consist of a Query Server (QS) application and the NfQuery plug-in.

Main Components

The Query Server (QS) sits at the centre of the NfQuery framework. It generates nfdump queries from the threat data published by various sources and distributes them to the registered domains. The distribution is handled by the NfQuery plug-ins, which run on the NfSen installation of each registered domain and let the domain apply the queries to its own flow data. The plug-in sends the statistics of the query results back to the QS, where they are used to rate the queries in the QS pool; this improves the overall efficiency of the system. At the same time, the plug-in preserves the privacy of the registered domain's data by keeping the actual flow data and the query results on the local NfSen server. The only exception to this behaviour occurs when the plug-in detects a multi-domain threat, i.e. an applied query matches an IP address belonging to another domain registered with the same QS. In that case the plug-in sends an alert to the QS containing information on the query and on the domain involved.

An NfQuery instance consists of one central QS and the NfQuery plug-ins installed at the participating domains.

The QS collects and parses data from its sources. A QS installation comes with four pre-defined sources: DFN Honeypot, Malcode, Spyeyetracker and SES. The QS generates new queries from the data collected from these sources, sends them to the plug-in instances and collects feedback for the queries sent. The main components of the NfQuery framework are shown in Figure 1.

Figure 1: Components of the NfQuery Framework
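To make the data flow above concrete, the following is an added example (not NfQuery's own code) that simulates the plug-in side of one query round: the QS turns a list of indicator addresses from a feed into an nfdump filter, the plug-in applies it to local flows, only aggregate statistics are produced for the QS, and an alert is raised only when a matched address belongs to another registered domain. The record layout, the registry of domain prefixes, the query id and all addresses are constructed for the example.

```python
"""Simulated NfQuery plug-in round: local query evaluation, statistics-only
feedback, multi-domain alerting.  Added example, not the project's code; the
flow record layout, the domain registry and all addresses are assumptions."""
import ipaddress

# Constructed indicator list, as the QS might parse it from one of its sources.
FEED_IPS = ["198.51.100.23", "203.0.113.77"]

# Assumed registry of domains registered with the same QS, keyed by name.
REGISTRY = {
    "domain-a": [ipaddress.ip_network("192.0.2.0/24")],
    "domain-b": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed local NetFlow records of domain-a (reduced to the fields needed).
LOCAL_FLOWS = [
    {"src": "192.0.2.10", "dst": "203.0.113.77", "bytes": 1200},
    {"src": "192.0.2.11", "dst": "203.0.113.77", "bytes": 800},
    {"src": "198.51.100.23", "dst": "192.0.2.10", "bytes": 64},
    {"src": "192.0.2.12", "dst": "8.8.8.8", "bytes": 300},
]


def build_nfdump_filter(ips):
    """QS side: the query text to distribute, a chain of 'ip X or ip Y' terms
    (valid nfdump filter syntax, matching either endpoint of a flow)."""
    return " or ".join(f"ip {ip}" for ip in ips)


def apply_query(flows, ips):
    """Plug-in side: evaluate the query against local flows.  The matching
    records stay on the local NfSen server; they are never sent to the QS."""
    wanted = set(ips)
    return [f for f in flows if f["src"] in wanted or f["dst"] in wanted]


def statistics(matches, ips):
    """The feedback sent to the QS for query rating: counts only, no addresses."""
    wanted = set(ips)
    hit = {a for f in matches for a in (f["src"], f["dst"]) if a in wanted}
    return {
        "flows": len(matches),
        "bytes": sum(f["bytes"] for f in matches),
        "distinct_indicators": len(hit),
    }


def domain_of(addr, registry):
    """Name of the registered domain owning addr, or None if it is unknown."""
    ip = ipaddress.ip_address(addr)
    for name, nets in registry.items():
        if any(ip in n for n in nets):
            return name
    return None


def multi_domain_alerts(matches, query_id, registry, local_domain):
    """The one case in which anything beyond statistics leaves the domain: a
    matched address belongs to another registered domain.  The alert carries
    the query id and the other domain's name, not the flow records."""
    others = set()
    for f in matches:
        for addr in (f["src"], f["dst"]):
            owner = domain_of(addr, registry)
            if owner is not None and owner != local_domain:
                others.add(owner)
    return [{"query_id": query_id, "domain": d} for d in sorted(others)]


def run_round(query_id, ips, flows, registry, local_domain):
    """One complete plug-in round: returns what is reported to the QS."""
    matches = apply_query(flows, ips)
    return {
        "statistics": statistics(matches, ips),
        "alerts": multi_domain_alerts(matches, query_id, registry, local_domain),
    }


if __name__ == "__main__":
    print("filter:", build_nfdump_filter(FEED_IPS))
    print(run_round("q-1", FEED_IPS, LOCAL_FLOWS, REGISTRY, "domain-a"))
```

Note that the local addresses 192.0.2.x match `REGISTRY["domain-a"]`, which is the plug-in's own domain, so they do not trigger an alert; only the indicator inside domain-b's prefix does. Whether 203.0.113.77 belongs to anyone is unknown to the plug-in, so it is counted in the statistics but not reported as a domain.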


Stable version

Query Server v0.1.1 [ tar.gz ] [ sha1 = e12e45e32dcb1782dfe47083373e8008b11dd47f ]

Plugin v0.1.2 [ tar.gz ] [ sha1 = aee86c42e7ad5bbba35652c96d99b18c8b8a5b12 ]



Authors and Contributors

