Catalyst / admin/Synapse-Sonar 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Synapse-Sonar

public

Attack Surface Simulation

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Synapse-Sonar / synapse-sonar / public / agents / README.md 4236 B · main
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
# Synapse Sonar collectors

Two ways to feed flow data into Synapse Sonar. Both push to the same endpoint
(`POST /api/ingest/flow-logs`) and authenticate with the **Sensor ingest key**
from the UI: **Integrations → NetscanXi → Sensor ingest key → Generate**.

| | Host agent (Linux) | Host agent (Windows) | Passive sensor |
|---|---|---|---|
| Where it runs | Each Debian/Ubuntu host | Each Windows host | Host on a SPAN/mirror port |
| Sees | That host's own connections | That host's own connections | All mirrored traffic to/from many devices |
| Built with | Python 3 (stdlib) | PowerShell 5.1 (built-in) | Python 3 (stdlib) |
| Privilege | Unprivileged | SYSTEM (scheduled task) | `CAP_NET_RAW` |
| Use when | You can install software | You can install software | The device **can't** take an agent (appliances, IoT, printers, OT) |
| Byte volumes | Not reported (0) | Not reported (0) | Measured from packets |

The Linux agent and sensor are pure Python 3 standard library; the Windows
agent uses only built-in PowerShell cmdlets. No third-party packages anywhere.

---

## Host agent (Debian / Ubuntu)

> Ubuntu is Debian-based, so the **same agent and installer work on both** —
> identical systemd + apt + Python 3. No separate build per distro.

```bash
cd public/agents/host-agent
sudo ./install.sh
sudo nano /etc/sonar-agent/sonar-agent.env   # set SONAR_URL + SONAR_INGEST_KEY
sudo systemctl enable --now sonar-agent
journalctl -u sonar-agent -f
```

It reads established connections via `ss` every `SONAR_INTERVAL` seconds and
reports them with this host's hostname, so the host appears as a named node.

---

## Host agent (Windows)

The Windows counterpart to the Linux agent. Reads established TCP connections via
`Get-NetTCPConnection` and pushes them; runs as a SYSTEM scheduled task that
starts at boot. Built-in PowerShell only — nothing to install from the gallery.

From an **elevated** PowerShell:

```powershell
cd public\agents\windows-agent
powershell -ExecutionPolicy Bypass -File .\install.ps1
notepad $env:ProgramData\SonarAgent\config.json   # set SonarUrl + IngestKey
Restart-ScheduledTask -TaskName SynapseSonarAgent
```

- Config: `%ProgramData%\SonarAgent\config.json`
- Logs: `%ProgramData%\SonarAgent\sonar-agent.log`
- Remove: `Unregister-ScheduledTask -TaskName SynapseSonarAgent -Confirm:$false`

> Windows has no built-in packet sniffer, so this is a host agent (own
> connections), not a passive sniffer. To passively monitor agentless Windows
> appliances, mirror their traffic to the Linux **passive sensor** below.

---

## Passive sensor (agentless)

For devices that cannot run an agent. Put a Linux box on a switch **SPAN/mirror
port** (or inline tap / gateway) so it can observe the traffic to and from those
devices, then:

```bash
cd public/agents/sensor
sudo ./install.sh
sudo nano /etc/sonar-sensor/sonar-sensor.env  # set SONAR_URL, SONAR_INGEST_KEY, SONAR_IFACE
sudo systemctl enable --now sonar-sensor
journalctl -u sonar-sensor -f
```

It sniffs IPv4 TCP/UDP, aggregates flows over `SONAR_FLUSH` seconds (with byte
counts), and excludes its own traffic to Sonar to avoid a feedback loop.

### Run the sensor in Docker (alternative)

```bash
docker run -d --name sonar-sensor \
  --network host --cap-add NET_RAW --cap-add NET_ADMIN \
  -e SONAR_URL=https://sonar.corp.internal:3000 \
  -e SONAR_INGEST_KEY=nsx_sensor_xxxx \
  -e SONAR_IFACE=eth1 \
  -v "$PWD/sonar-sensor.py:/app/sonar-sensor.py:ro" \
  python:3.12-alpine python /app/sonar-sensor.py
```
`--network host` is required so the container can see the mirrored interface.

---

## Notes & limits (honest)

- **Direction heuristic:** both collectors treat the lower port number of a
  connection as the "service" port. This is correct for the vast majority of
  flows but can misattribute unusual peer-to-peer ports.
- **IPv4 only** in the sensor today (IPv6 / VLAN-tagged frames are skipped).
- The sensor only sees what the mirror port forwards — size the SPAN session and
  the sensor NIC for the mirrored volume, or flows will be dropped upstream.
- The ingest key currently lives under the NetscanXi card (it doubles as the
  flow-collector key). Keep that integration enabled for ingestion to work.