Sentinel

Sentinel is a lightweight Security Information and Event Management (SIEM) application built with Flask, designed to collect and display network events from various sources using SNMP Traps and Syslog. It aims to provide basic visibility into network activity, security incidents, and operational events.

Features

  • SNMP Trap Listener: Receives and processes SNMP traps (v1/v2c) from network devices.
  • Syslog Listener: Collects syslog messages over UDP from firewalls, routers, and other logging sources.
  • Unified Event Storage: Stores both SNMP and Syslog events in a SQLite database for easy access and querying.
  • Event Normalization & Enrichment:
    • Maps common SNMP OIDs to human-readable names.
    • Assigns severity (Critical, High, Medium, Low, Informational) to events based on predefined rules for both SNMP and Syslog messages.
  • Web-based Dashboard: A simple Flask web interface to view recent collected events, including their type, source, and assigned severity.
  • Background Listeners: SNMP and Syslog listeners run in separate threads, allowing continuous collection while the Flask web server operates.

Getting Started

Follow these steps to get Sentinel up and running on your system.

Prerequisites

  • Python 3.8+
  • pip (Python package installer)

Installation

  1. Clone the repository:

    git clone https://gitlab.com/blakeridgway/sentinel.git
    cd sentinel
    
  2. Create and activate a Python virtual environment:

    python3 -m venv .venv
    source .venv/bin/activate
    
  3. Install the required Python packages:

    pip install -r requirements.txt
    
  4. Install the Net-SNMP utilities (needed for testing with snmptrap). On Debian/Ubuntu:

    sudo apt update
    sudo apt install snmp snmp-mibs-downloader
    sudo download-mibs
    

    On other Linux distributions, use your package manager (e.g., dnf install net-snmp-utils on Fedora/RHEL).

Running the Application

  1. Ensure the virtual environment is active:

    source .venv/bin/activate
    
  2. Run the Flask application:

    python app.py
    

    The application will start, and you will see messages indicating that both the SNMP Trap listener and Syslog listener have started.

  3. Access the Web Dashboard: Open your web browser and navigate to: http://127.0.0.1:5000/

Configuration

Listener Ports

  • SNMP Traps: Listens on UDP port 1162.

  • Syslog: Listens on UDP port 1514.

    Important: The standard SNMP trap (162) and Syslog (514) ports are privileged (below 1024) and require root permissions to bind. For development, Sentinel uses the higher ports 1162 and 1514. If you wish to use the standard ports in a production environment, configure your system accordingly (e.g., sudo setcap 'cap_net_bind_service=+ep' /path/to/python_executable, or use a reverse proxy/port forwarding). Note that setcap applies to every script run with that interpreter binary, so prefer a dedicated interpreter for Sentinel over the system-wide one.
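As an added illustration of the background-listener and privileged-port points above (example code, not Sentinel's snmp_listener.py or syslog_listener.py): a UDP listener thread that reports a privileged-port bind failure clearly and can be stopped cleanly. The UdpListener class, its handler callback and demo_roundtrip are assumptions, not names from the project.

```python
import socket
import threading
import queue
# Added example (not Sentinel's own code): a UDP listener in a background
# thread, as the README describes for the trap and syslog listeners.

class UdpListener(threading.Thread):
    def __init__(self, host, port, handler):
        super().__init__(daemon=True)
        self.host, self.port, self.handler = host, port, handler
        self._stop_event = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.settimeout(0.2)  # wake periodically so stop() is honoured

    def bind(self):
        # Returns the port actually bound (port 0 picks a free one).
        try:
            self.sock.bind((self.host, self.port))
        except PermissionError:
            # 162/514 need root or cap_net_bind_service; say so clearly.
            raise PermissionError(
                f"UDP port {self.port} is privileged; grant cap_net_bind_service "
                "or use a port >= 1024 such as 1162/1514") from None
        self.port = self.sock.getsockname()[1]
        return self.port

    def run(self):
        # UDP is unauthenticated: treat every datagram as untrusted input.
        while not self._stop_event.is_set():
            try:
                data, addr = self.sock.recvfrom(8192)
            except socket.timeout:
                continue
            self.handler(data, addr)
        self.sock.close()

    def stop(self):
        self._stop_event.set()
        self.join()
def demo_roundtrip(message=b"<13>Jul 10 15:30:00 myhost program: test"):
    """Listen on an ephemeral loopback port, send one datagram, return it."""
    received = queue.Queue()
    listener = UdpListener("127.0.0.1", 0, lambda d, a: received.put((d, a[0])))
    port = listener.bind()
    listener.start()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, ("127.0.0.1", port))
    data, src = received.get(timeout=2)
    listener.stop()
    return data, src
```

Binding to 127.0.0.1 as in the demo only accepts local datagrams; a real deployment binds the interface devices can reach, which is why the handler must treat payloads as untrusted.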

Configuring Devices to Send Logs

You need to configure your network devices (FortiGate, pfSense, routers, switches, servers) to send their log data to the IP address of the machine running Sentinel on the specified ports.

FortiGate / pfSense (Syslog)

Configure your firewall to send logs to the Sentinel server's IP address on UDP port 1514.

  • FortiGate: System > Log & Report > Log Settings -> Enable "Send Logs to Syslog", configure Server IP and Port.
  • pfSense: Status > System Logs > Settings -> Enable "Remote Logging", add Server IP and Port.

Any Device (SNMP Traps)

Configure devices to send SNMP traps to the Sentinel server's IP address on UDP port 1162. Ensure the devices' SNMP community string matches the one configured in snmp_listener.py (public by default). Because public is the well-known default and v1/v2c send it in cleartext, change it in both places for anything beyond local testing.

Testing Log Ingestion

Test SNMP Trap

From your terminal (after installing the snmp package):

snmptrap -v 2c -c public 127.0.0.1:1162 '' .1.3.6.1.6.3.1.1.5.1

You should see "SNMP Cold Start" with "High" severity in the web UI.

Test Syslog Message

From your terminal (on Linux):

echo "<13>Jul 10 15:30:00 myhost program: This is a test syslog message about a failed login attempt." | nc -u -w0 127.0.0.1 1514

You should see a syslog event with "Critical" severity in the web UI due to the "failed login" keyword.
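The two tests above exercise the normalization rules listed under Features. Added example, not Sentinel's event_processor.py: a normalizer that decodes the syslog PRI header, applies keyword rules, and maps trap OIDs to names. Only the coldStart/"High" and "failed login"/"Critical" outcomes come from the README; the remaining rules, severity ladder and RFC 3418 OID names are assumptions.

```python
import re
# Added example (not Sentinel's own code): normalization rules of the kind the
# README describes, checked against the two test messages in this section.
# Only the coldStart -> "SNMP Cold Start"/High and "failed login" -> Critical
# mappings come from the README; every other mapping here is an assumption.

# SNMPv2 generic trap OIDs (RFC 3418) -> (name, Sentinel severity)
OID_NAMES = {
    ".1.3.6.1.6.3.1.1.5.1": ("SNMP Cold Start", "High"),
    ".1.3.6.1.6.3.1.1.5.2": ("SNMP Warm Start", "Medium"),
    ".1.3.6.1.6.3.1.1.5.3": ("SNMP Link Down", "High"),
    ".1.3.6.1.6.3.1.1.5.4": ("SNMP Link Up", "Informational"),
    ".1.3.6.1.6.3.1.1.5.5": ("SNMP Authentication Failure", "Critical"),
}

# Keyword rules, first match wins. Message text is attacker-influenced, so
# these only raise severity; they never lower the PRI-derived floor.
KEYWORD_RULES = [
    ("failed login", "Critical"),
    ("authentication failure", "Critical"),
    ("link down", "High"),
    ("denied", "Medium"),
]
# RFC 3164 PRI = facility * 8 + severity; syslog severity 0..7 -> Sentinel level
PRI_LEVELS = ["Critical", "Critical", "Critical", "High",
              "Medium", "Low", "Informational", "Informational"]
RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def normalize_syslog(raw: bytes) -> dict:
    """Parse the PRI header and assign a Sentinel severity to one datagram."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:  # no/invalid PRI: keep body, lowest level
        return {"type": "syslog", "facility": None, "syslog_severity": None,
                "severity": "Informational", "message": text}
    facility, sev = divmod(int(m.group(1)), 8)
    body = m.group(2)
    level = PRI_LEVELS[sev]
    for keyword, rule_level in KEYWORD_RULES:
        if keyword in body.lower():
            level = max(level, rule_level, key=RANK.get)
            break
    return {"type": "syslog", "facility": facility, "syslog_severity": sev,
            "severity": level, "message": body}

def normalize_trap(oid: str) -> dict:
    """Map a trap OID to a readable name; unknown OIDs keep the raw OID."""
    name, level = OID_NAMES.get(oid, (oid, "Low"))
    return {"type": "snmp_trap", "oid": oid, "name": name, "severity": level}
```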

Future Enhancements (Roadmap)

  • Advanced Syslog Parsing: Implement robust parsing for various syslog formats (RFC 3164, RFC 5424, FortiGate native logs, pfSense native logs) to extract more structured fields (e.g., username, source/dest IPs, port, action).
  • SNMP Polling: Add functionality to actively poll devices for specific OIDs (e.g., CPU, memory, interface status) at regular intervals.
  • Alerting Notifications: Integrate with email, Slack, or other platforms to send notifications when critical events occur.
  • User Interface Improvements:
    • Filtering and searching of events.
    • Pagination for large datasets.
    • Real-time event updates using WebSockets (Flask-SocketIO).
    • Dashboard analytics (graphs for event trends, top sources/events).
  • Rule Management: Allow web-based configuration of normalization and alerting rules.
  • Database: Migrate from SQLite to PostgreSQL for better performance and concurrency in production.
  • Containerization: Provide Dockerfiles for easy deployment.
  • Authentication & Authorization: Secure the web dashboard with user logins.

Contributing

Contributions are welcome! Please feel free to open issues or submit pull requests.

License

This project is open-source and available under the MIT License.