Manager Installation
Manager Installation Prerequisites
• The DeepFinder Manager installation order is as follows: DFServer -> DFDB (elastic, postgres) -> DFAPI -> DFAPPS.
• The Manager installation must be performed in a directory where a general user account has read and write permissions, e.g. /usr/local/src.
• The Server can be started after the license is registered and the DB is running. Other programs will run automatically after installation.
• The DB is installed with default values and may require tuning in the future.
Server Installation
1) Download the installation file
Download the DeepFinder Manager Server installation file from the repository.
[root@localhost~]# wget http://download.deepfinder.co.kr/DeepFinder/dfServer/DFServer.tar.gz
2) Decompress the file
Decompress the downloaded installation file.
[root@localhost~]# tar xvfz DFServer.tar.gz
3) Run the script
Navigate into the decompressed directory and run the installation script.
[root@localhost~]# cd DFServer
[root@localhost~]# ./setup.sh
License Registration
Request and receive a license key from your vendor.
Save the received key to /usr/local/dfserver/license/license.txt.
[root@localhost~]# cd /usr/local/dfserver/license
[root@localhost~]# echo "License Key" >> license.txt
Check the Configuration File
If configuration changes are needed, modify the config.xml file located in the “/usr/local/dfserver/conf” path.
(It can also be changed in the GUI.)
※ Skip if no configuration changes are needed
[root@localhost~]# vi /usr/local/dfserver/conf/config.xml
<Server>
server_id="101"
license_file="license.txt" // license directory
myip="192.168.1.51" // IP for redirect handling - if absent, it will reconnect using the agent's svrip
myport="10012" // default port
tcp_workers="4" // number of workers for tcp - set according to the number of CPUs
ssl_workers="4" // number of workers for ssl
logformat="" // log transmission format (see syslog define)
detail_log_address="https://192.168.1.51/common/logdetailext?seqno=" // detail log view address
ssl_pemfile="deepfinder.pem" // certs directory
ssl_password="****"
systemlogheader="deepfinder: SystemLog"
auditlogheader="deepfinder: AuditLog"
agentlistheader="deepfinder250: AgentList"
sysinfo_checktime="15" // sysinfo check interval (15 seconds)
default_charset="EUC-KR" // character set
db_type="pgsql" // db type pgsql/mysql (default pgsql)
write_db_ip="127.0.0.1" // db ip (hostname is possible)
write_db_port="5432" // db port
write_db_user="***"
write_db_passwd="***"
write_db_name="****"
read_db_ip="127.0.0.1"
read_db_port="5432"
read_db_user="****"
read_db_passwd="****"
read_db_name="****"
elastic_address="127.0.0.1" // elastic search address (loopback address)
elastic_port="9200" // elastic search port
debug="0"
update_time="30" // db update check interval (30 seconds)
logfilesize="20" // max log file size (20MB - default)
log_merge="0" // Condense duplicate header/cookie logs into a single log
>
<logserver // SYSLOG server information
No="0" // No 0 ~ 4, max of 5
address="52.78.61.134"
port="10514" // UDP transmission port
/>
<logserver
No="1"
address="52.78.61.135"
port="10515"
/>
</Server>
<MailAlert // Mail alert settings
read_db_ip="127.0.0.1"
read_db_port="5432"
read_db_user="****"
read_db_passwd="****"
read_db_name="****"
mailto="" // email address
mailcc=""
update_time="1800"
check_interval="3"
/>
<ProcessWatch> // Send Syslog when CPU, Memory thresholds are reached
<process cmd="nginx" match="master" />
<process cmd="java" match="elastic" cpulimit="0" memlimit="50" />
</ProcessWatch>
Configuration Example) config.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<Server
server_id="101"
myip=""
myport="10012"
tcp_workers="4"
ssl_workers="4"
ssl_pemfile="deepfinder.pem"
ssl_password="****"
logformat="deepfinder: AlertLog|logDate:%T|Agent IP:%X|CompanyName:%C|Attack IP:%I|Domain:%D|Log Type:%L|Pattern Grp:%G|Pattern Nm:%P|Action:%A|Risk Level:%R|URL:%U|Parameters:%E|Detect Msg:%M|Httpbody:%B|Httpheader:%H"
detail_log_address="https://serverip/common/logdetailext?seqno="
systemlogheader="deepfinder: SystemLog"
auditlogheader="deepfinder: AuditLog"
agentlistheader="deepfinder250: AgentList"
sysinfo_checktime="15"
license_file="license.txt"
default_charset="EUC-KR"
db_type="pgsql"
write_db_ip="127.0.0.1"
write_db_port="5432"
write_db_user="****"
write_db_passwd="****"
write_db_name="****"
read_db_ip="127.0.0.1"
read_db_port="5432"
read_db_user="****"
read_db_passwd="****"
read_db_name="****"
elastic_address="127.0.0.1"
elastic_port="9200"
debug="0"
update_time="5"
log_merge="0"
>
<logserver
No="0"
address="10.10.10.10"
port="10514"
/>
<ProcessWatch>
<process cmd="nginx" match="master" />
<process cmd="java" match="elastic" cpulimit="0" memlimit="50" />
</ProcessWatch>
</Server>
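The constraints stated in the annotated listing above (worker counts, the 0 to 4 range and five-entry limit for logserver, an empty myip making agents fall back to their own svrip, secrets left at the "****" placeholder) as an added Python pre-restart check; this is not part of DeepFinder, the sample document is constructed, and the attribute names follow the example above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the config.xml example above; the second
# <logserver> reuses No="0" and the secrets are left at the "****" placeholder.
SAMPLE_CONFIG = """<Server server_id="101" myip="" myport="10012"
    tcp_workers="4" ssl_workers="4" ssl_pemfile="deepfinder.pem" ssl_password="****"
    license_file="license.txt" db_type="pgsql" elastic_address="127.0.0.1"
    write_db_ip="127.0.0.1" write_db_port="5432" write_db_user="dfuser"
    write_db_passwd="****" write_db_name="dfdb" read_db_ip="127.0.0.1"
    read_db_port="5432" read_db_user="dfuser" read_db_passwd="****"
    read_db_name="dfdb" elastic_port="9200" update_time="5" log_merge="0">
  <logserver No="0" address="10.10.10.10" port="10514" />
  <logserver No="0" address="10.10.10.11" port="10515" />
  <ProcessWatch>
    <process cmd="nginx" match="master" />
  </ProcessWatch>
</Server>
"""

PLACEHOLDER = "****"  # value the vendor examples use in place of real secrets
SECRETS = ("ssl_password", "write_db_passwd", "read_db_passwd")

def check_config(xml_text):
    """Return a list of findings for a dfserver config.xml; empty means it passes."""
    root = ET.fromstring(xml_text)
    if root.tag != "Server":
        return ["root element must be <Server>, found <%s>" % root.tag]
    a, findings = root.attrib, []
    # tcp_workers / ssl_workers are sized to the CPU count, so they must be >= 1
    for key in ("tcp_workers", "ssl_workers"):
        if not a.get(key, "").isdigit() or int(a[key]) < 1:
            findings.append("%s must be a positive integer" % key)
    # an empty myip makes redirected agents fall back to their own svrip
    if not a.get("myip"):
        findings.append("myip is empty; redirects will reuse the agent's svrip")
    for key in SECRETS:
        if a.get(key, PLACEHOLDER) == PLACEHOLDER:
            findings.append("%s is missing or still the placeholder value" % key)
    # logserver: No is 0..4, at most 5 entries, and each No should be unique
    servers = root.findall("logserver")
    if len(servers) > 5:
        findings.append("more than 5 <logserver> entries")
    seen = set()
    for s in servers:
        no = s.get("No", "")
        if not no.isdigit() or int(no) > 4:
            findings.append("logserver No=%r is outside 0..4" % no)
        elif no in seen:
            findings.append("duplicate logserver No=%s" % no)
        seen.add(no)
        if not s.get("port", "").isdigit():
            findings.append("logserver No=%s has no numeric UDP port" % no)
    return findings
```

Run it against the real file with `check_config(open("/usr/local/dfserver/conf/config.xml").read())` before issuing `service dfserver start`.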
SYSLOG Definition
After configuring SYSLOG, dfserver must be restarted for the changes to take effect.
case 'A': case 'a': // Action
case 'B': // HttpBody
case 'b': // HttpBody (Encoded)
case 'C': // Company Name
case 'c': // Company Name (Encoded)
case 'D': // Domain
case 'd': // Domain (Encoded)
case 'E': // parameter
case 'e': // parameter (Encoded)
case 'G': // Pattern Group
case 'g': // Pattern Group (Encoded)
case 'H': // HttpHeader
case 'h': // HttpHeader (Encoded)
case 'I': case 'i': // Attack IP
case 'J': case 'j': // Agent ID
case 'k': // ISO country code (not K)
case 'L': // LogType
case 'l': // LogType (Encoded)
case 'M': // Detect Msg
case 'm': // Detect Msg (Encoded)
case 'N': case 'n': // Instance ID
case 'O': // DomainGroup ID
case 'o': // Company ID
case 'P': // Pattern Name
case 'p': // Pattern Name (Encoded)
case 'R': case 'r': // RiskLevel
case 'S': case 's': // Manager IP (Agent only)
case 'T': case 't': // logDate
case 'U': // URL
case 'u': // URL (Encoded)
case 'X': case 'x': // Agent IP (Server only)
case 'Z': case 'z': // Detail Log URL (Server only)
Configuration Example) deepfinder: AlertLog|logDate:%T|Manager IP:%S|CompanyName:%C|AID:%J|InstanceID:%N|Attack IP:%I|Domain:%D|Log Type:%L|Pattern Grp:%G|Pattern Nm:%P|Action:%A|Risk Level:%R|URL:%U|Parameters:%E|Detect Msg:%M|Httpbody:%B|Httpheader:%H
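The specifier list above, as an added Python example that is not taken from DeepFinder's source: it expands a logformat template against a constructed alert record and reports any %-letter the list does not define (for instance %K, since only the lowercase k is a country code), so the template can be checked before dfserver is restarted. The field names and sample record are assumptions, and percent-encoding stands in for the "(Encoded)" variants because the page does not state which encoding dfserver applies.

```python
from urllib.parse import quote

# Specifier -> record field, following the case list above. Letters whose
# lowercase form has no separate meaning map to the same field as the uppercase.
FIELDS = {
    "A": "action", "a": "action", "B": "httpbody", "b": "httpbody",
    "C": "company", "c": "company", "D": "domain", "d": "domain",
    "E": "parameter", "e": "parameter", "G": "pattern_group", "g": "pattern_group",
    "H": "httpheader", "h": "httpheader", "I": "attack_ip", "i": "attack_ip",
    "J": "agent_id", "j": "agent_id", "k": "country", "L": "logtype", "l": "logtype",
    "M": "detect_msg", "m": "detect_msg", "N": "instance_id", "n": "instance_id",
    "O": "domaingroup_id", "o": "company_id", "P": "pattern_name", "p": "pattern_name",
    "R": "risk", "r": "risk", "S": "manager_ip", "s": "manager_ip",
    "T": "logdate", "t": "logdate", "U": "url", "u": "url",
    "X": "agent_ip", "x": "agent_ip", "Z": "detail_url", "z": "detail_url",
}
# Lowercase variants documented as "(Encoded)"; percent-encoding is an assumption.
ENCODED = set("bcdeghlmpu")

def unknown_specifiers(template):
    """Return the %-letters in template that the case list does not define."""
    return sorted({template[i + 1] for i in range(len(template) - 1)
                   if template[i] == "%" and template[i + 1] not in FIELDS})

def render(template, record):
    """Expand the template; encoded fields cannot break the '|' delimited line."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in FIELDS:
            spec = template[i + 1]
            val = str(record.get(FIELDS[spec], ""))
            out.append(quote(val, safe="") if spec in ENCODED else val)
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

TEMPLATE = ("deepfinder: AlertLog|logDate:%T|Agent IP:%X|Attack IP:%I"
            "|Pattern Nm:%P|URL:%U|Parameters:%e")
SAMPLE = {  # constructed alert record; the parameter value contains the '|' delimiter
    "logdate": "2024-01-01 12:00:00", "agent_ip": "192.168.1.51",
    "attack_ip": "203.0.113.7", "pattern_name": "Path Traversal",
    "url": "/login.php", "parameter": "q=a|b&c=d",
}
```

With %E instead of %e the raw value "q=a|b&c=d" is emitted unchanged, and a pipe-splitting SIEM parser would see an extra field.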
DB Installation
1) Download the installation file
Download the DeepFinder DB installation file from the repository.
[root@localhost~]# wget http://download.deepfinder.co.kr/DeepFinder/dfServer/DFDB.tar.gz
2) Decompress the file
Decompress the downloaded installation file.
[root@localhost~]# tar xvfz DFDB.tar.gz
3) Run the script
Navigate into the decompressed directory and run the installation script.
[root@localhost~]# cd DFDB
[root@localhost DFDB]# ./setup_elastic.sh
[root@localhost DFDB]# ./setup_postgres.sh
If the installation is completed successfully, the Elasticsearch and postgres processes will be running.
APPS Installation
1) Download the installation file
Download the DeepFinder APPS installation file from the repository.
[root@localhost~]# wget http://download.deepfinder.co.kr/DeepFinder/dfServer/DFAPPS.tar.gz
2) Decompress the file
Decompress the downloaded installation file.
[root@localhost~]# tar xvfz DFAPPS.tar.gz
3) Run the script
Navigate into the decompressed directory and run the installation script.
[root@localhost~]# cd DFAPPS
[root@localhost DFAPPS]# ./setup.sh
If the installation is completed successfully, the Tomcat process will be running.
API Installation
1) Download the installation file
Download the DeepFinder API installation file from the repository.
[root@localhost~]# wget http://download.deepfinder.co.kr/DeepFinder/dfServer/DFAPI.tar.gz
2) Decompress the file
Decompress the downloaded installation file.
[root@localhost~]# tar xvfz DFAPI.tar.gz
3) Run the script
Navigate into the decompressed directory and run the installation script.
[root@localhost~]# cd DFAPI
[root@localhost DFAPI]# ./setup.sh
If the installation is completed successfully, the uwsgi and nginx processes will be running.
Starting the Server
Once the license registration and DB installation are complete, start the Server.
- Server start command
service dfserver start
DeepFinder Manager HA Configuration
DeepFinder supports HA in three ways:
1) Agent Redundancy
2) Server Redundancy
3) DB Redundancy
The DeepFinder HA configuration can be set up in an Active-Standby model.
Before configuring it, network communication between the Active and Standby servers must already be working.
After configuration is complete, all DB data from the Active server is replicated to the Standby server in real time.
In case of an Active server failure, all Agents will automatically switch over (Failover) to the Standby server.
Active - Server Installation
1) Download the installation file
Download the DeepFinder Manager Server installation file from the repository.
[root@localhost~]# wget http://download.deepfinder.co.kr/DeepFinder/dfServer/DFServer.tar.gz
2) Decompress the file
Decompress the downloaded installation file.
[root@localhost~]# tar xvfz DFServer.tar.gz
3) Run the script
Navigate into the decompressed directory and run the installation script.
When running the script, enter the IP of the HA server you wish to configure.
[root@localhost~]# cd DFServer
[root@localhost~]# ./setup.sh ha $SlaveIP
Active - DB Installation
1) Download the installation file
Download the DeepFinder DB installation file from the repository.
[root@localhost~]# wget http://download.deepfinder.co.kr/DeepFinder/dfServer/DFDB.tar.gz
2) Decompress the file
Decompress the downloaded installation file.
[root@localhost~]# tar xvfz DFDB.tar.gz
3) Run the script
Navigate into the decompressed directory and run the installation script.
[root@localhost~]# cd DFDB
// When installing the Master server
[root@localhost DFDB]# ./setup_postgres.sh master
// When installing the Slave server
[root@localhost DFDB]# ./setup_postgres.sh slave $slaveIP
If the installation is completed successfully, the postgres process will be running.
Standby - Server Installation
1) Download the installation file
Download the DeepFinder Manager Server installation file from the repository.
[root@localhost~]# wget http://download.deepfinder.co.kr/DeepFinder/dfServer/DFServer.tar.gz
2) Decompress the file
Decompress the downloaded installation file.
[root@localhost~]# tar xvfz DFServer.tar.gz
3) Run the script
Navigate into the decompressed directory and run the installation script.
When running the script, enter the IP of the HA server you wish to configure.
[root@localhost~]# cd DFServer
[root@localhost~]# ./setup.sh ha $MasterIP
Standby - DB Installation
1) Download the installation file
Download the DeepFinder DB installation file from the repository.
[root@localhost~]# wget http://download.deepfinder.co.kr/DeepFinder/dfServer/DFDB.tar.gz
2) Decompress the file
Decompress the downloaded installation file.
[root@localhost~]# tar xvfz DFDB.tar.gz
3) Run the script
Navigate into the decompressed directory and run the installation script.
[root@localhost~]# cd DFDB
[root@localhost DFDB]# ./setup_postgres.sh slave $slaveIP
If the installation is completed successfully, the postgres process will be running.
Afterward, refer to the standard Manager installation method to install Elasticsearch, UWSGI, Nginx, etc.
Agent HA Installation
1) Download the installation file
Download the DeepFinder Agent installation file from the repository.
[root@localhost ~]# wget download.deepfinder.co.kr/DeepFinder/1.0/DeepFinder.tar.gz
2) Decompress the file
Decompress the downloaded installation file.
[root@localhost ~]# tar xvfz DeepFinder.tar.gz
3) Proceed with Agent Installation
Navigate into the decompressed directory and run the installation script.
[root@localhost ~]# cd DeepFinder
// Apache Install -> setup.sh $Active_IP,$Standby_IP auth_info
// Nginx Install -> nginx.sh $Active_IP,$Standby_IP auth_info
[root@localhost DeepFinder]# ./nginx.sh 1.1.1.1,2.2.2.2 c8b34ff005611dd4300b9141xxxxx
************************************
SERVER IP : 1.1.1.1
SERVER IP2 : 2.2.2.2
AUTH KEY : c8b34ff005611dd4300b91412e89xxxxxxxxxxxxxxxxxxxxxxxxxxxx
SYSTEM KERNEL : 2.6
CHECK OS : Linux
CHECK LINUX : CentOS Linux
CHECK SELinux : Disabled
CHECK OS BIT : x86_64 (64 bit)
4) Check Agent config
Once the installation is complete, check if the Manager IPs have been correctly entered into the Agent config file as shown below.
[root@localhost ~]# cat /usr/local/deepfinder/conf/config.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<Agent
aid="1"
authdata="1a2b**"
ssl_pemfile="deepfinder.pem"
ssl_password2="aXNkd2ViY29ueA=="
svrip="1.1.1.1" // HA Active IP
svrip2="2.2.2.2" // HA Standby IP
svrproto="tcp"
svrport="10012"
filter_check_url="http://localhost/"
debug="0"
/>