
Quick Start

Description

This guide will help you quickly set up an instance of Galileo for generating, collecting and storing network streams. It assumes you have basic knowledge of Docker and Linux administration.

Requirements

To get started with Galileo, you need to have the following:

  • Root access to your Linux machine.
  • A network interface that can capture traffic (e.g., a SPAN port or TAP).
  • Docker and Docker Compose installed on your machine. Installation instructions for your operating system are in the Docker documentation and the Docker Compose documentation.
  • The DuckDB command-line client installed on your machine. Installation instructions for your operating system are in the DuckDB documentation.

Instructions

  1. Pull the latest version of the Galileo Docker image:

     docker pull fidelismachine/galileo_toolkit:latest

  2. Copy the following docker-compose.yml file to your working directory:

     services:
       gnat_sensor:
         image: fidelismachine/galileo_toolkit:latest
         container_name: gnat_sensor
         restart: unless-stopped
         network_mode: host
         cap_add:
           - net_admin
           - net_raw
           - sys_nice
         environment:
           GNAT_INTERFACE: ${GNAT_INTERFACE}
           GNAT_OBSERVATION_TAG: ${GNAT_OBSERVATION_TAG}
           GNAT_OUTPUT: /var/spool/${GNAT_OBSERVATION_TAG}
           GNAT_EXPORT_INTERVAL: 20
         volumes:
           - /var/spool/gnat:/var/spool
         command: /opt/gnat/scripts/entrypoint-gnat_sensor.sh

       gnat_import:
         image: fidelismachine/galileo_toolkit:latest
         container_name: gnat_import
         restart: unless-stopped
         environment:
           GNAT_INPUT: /var/spool/${GNAT_OBSERVATION_TAG}
           GNAT_OUTPUT: /var/spool/import
         volumes:
           - /var/spool/gnat:/var/spool
         command: /opt/gnat/scripts/entrypoint-gnat_import.sh

       gnat_store:
         image: fidelismachine/galileo_toolkit:latest
         container_name: gnat_store
         restart: unless-stopped
         environment:
           GNAT_INPUT: /var/spool/import
           GNAT_OUTPUT: /var/flow
           TZ: UTC
         volumes:
           - /var/flow:/var/flow
           - /var/spool/gnat:/var/spool
         command: /opt/gnat/scripts/entrypoint-gnat_store.sh

  3. Create a .env file in the same directory with the following content:

     GNAT_INTERFACE=eth0
     GNAT_OBSERVATION_TAG=gnat

     Replace eth0 with the name of the network interface you want to monitor. You can find the name of your network interface by running the command ip link show. Additionally, you can change GNAT_OBSERVATION_TAG to a custom string value that will be used to tag the observations.

  4. Create a directory for the output data:

     mkdir -p /var/spool/gnat

  5. Start the Docker containers:

     docker-compose up -d

  6. Verify that the containers are running:

     docker-compose ps
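A small helper script for the steps above, added here as an example; it is not part of the Galileo project or its image. It writes the .env file with basic validation of the interface and tag values (the tag becomes part of the /var/spool path the sensor writes to, so it should stay a plain identifier), checks on the host that the interface actually exists before the sensor starts, and then waits for gnat_store to produce its first parquet file under /var/flow. The function names, the GALILEO_DRY_RUN variable and the /sys/class/net check are this example's own assumptions; the paths and container names match the compose file above.

```shell
#!/bin/sh
# Added example for the Galileo quick start; not code from the Galileo project.
# Assumes the compose file and .env layout shown above. Function names and
# GALILEO_DRY_RUN are this example's own; /sys/class/net is Linux-specific.

FLOW_ROOT="${FLOW_ROOT:-/var/flow}"

# Print the two lines the .env file needs. Rejects values that are not plain
# identifiers, so a stray character cannot leak into the container environment
# or into the /var/spool/<tag> path that gnat_sensor writes to.
write_env() {
  iface="$1"
  tag="${2:-gnat}"
  case "$iface" in
    ''|*[!A-Za-z0-9_.-]*) echo "invalid interface name: $iface" >&2; return 1 ;;
  esac
  case "$tag" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid observation tag: $tag" >&2; return 1 ;;
  esac
  printf 'GNAT_INTERFACE=%s\nGNAT_OBSERVATION_TAG=%s\n' "$iface" "$tag"
}

# True if the interface exists on this host. Worth checking before
# 'docker-compose up', because a wrong name leaves gnat_sensor restarting
# under restart: unless-stopped with nothing captured.
interface_exists() {
  [ -n "$1" ] && [ -e "/sys/class/net/$1" ]
}

# Poll until at least one parquet file exists under the flow root, or give up
# after $2 seconds. Returns 0 when data is present, 1 on timeout.
wait_for_flows() {
  root="${1:-$FLOW_ROOT}"
  timeout="${2:-300}"
  waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if find "$root" -type f -name '*.parquet' 2>/dev/null | grep -q .; then
      return 0
    fi
    sleep 5
    waited=$((waited + 5))
  done
  echo "no parquet files under $root after ${timeout}s; check 'docker-compose logs gnat_sensor gnat_import gnat_store'" >&2
  return 1
}

# Typical use: ./galileo-up.sh up eth0 gnat
# Validates the interface, writes .env, creates the spool directory, starts the
# stack and waits for the first data. Skipped when GALILEO_DRY_RUN is set or no
# "up" argument is given, so the functions can be sourced without side effects.
if [ -z "$GALILEO_DRY_RUN" ] && [ "${1:-}" = "up" ]; then
  iface="${2:-eth0}"
  interface_exists "$iface" || { echo "no such interface: $iface" >&2; exit 1; }
  write_env "$iface" "${3:-gnat}" > .env || exit 1
  mkdir -p /var/spool/gnat
  docker-compose up -d
  wait_for_flows
fi
```

Save it next to docker-compose.yml and run it as root with the interface name from ip link show; if wait_for_flows times out, the container logs it names are the first place to look.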

Verifying flow data

After a few minutes, you should be able to query the flow data collected by Galileo using the DuckDB command-line client. Run the query on the host, where /var/flow is the directory bind-mounted into the gnat_store container. Here is an example of how to query the data; adjust the time window (the example uses the last minute) to match your data.

$ duckdb -c "SELECT * FROM read_parquet('/var/flow/*/*/*/*/*.parquet') WHERE stime >= current_timestamp - INTERVAL 1 MINUTE;"

The four asterisks in the directory part of the path represent the year, month, day, and hour directories, respectively; the final *.parquet matches the files written within that hour.
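Two helpers for the query above, added as an example and not part of Galileo's own tooling: hour_glob narrows the read_parquet glob to a single hour using the year/month/day/hour layout described above, and recent_flows_sql builds the same "last N minutes" query with the window as a parameter, refusing anything that is not an integer so the value can be spliced into the statement safely. That the partition directories use zero-padded two-digit month, day and hour names is an assumption of this example; check ls /var/flow on your sensor and adjust hour_glob if the layout differs.

```shell
#!/bin/sh
# Added example; not part of the Galileo project. Assumes the layout
# /var/flow/<year>/<month>/<day>/<hour>/*.parquet with zero-padded two-digit
# month, day and hour (an assumption; verify with 'ls /var/flow').

FLOW_ROOT="${FLOW_ROOT:-/var/flow}"

# Glob for one hour of flow data, from a UTC timestamp of the form YYYY-MM-DDTHH.
# gnat_store runs with TZ=UTC, so pass the hour in UTC, e.g. "$(date -u +%Y-%m-%dT%H)".
hour_glob() {
  ts="$1"
  case "$ts" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]) ;;
    *) echo "expected YYYY-MM-DDTHH, got '$ts'" >&2; return 1 ;;
  esac
  y=${ts%%-*}
  rest=${ts#*-}
  m=${rest%%-*}
  rest=${rest#*-}
  d=${rest%%T*}
  h=${rest#*T}
  printf '%s/%s/%s/%s/%s/*.parquet\n' "$FLOW_ROOT" "$y" "$m" "$d" "$h"
}

# SQL for flows that started within the last N minutes. The glob defaults to
# all partitions, as in the command above; pass hour_glob output to limit the
# scan. N must be a non-negative integer and the glob must not carry a quote,
# so neither can alter the statement.
recent_flows_sql() {
  minutes="$1"
  glob="${2:-$FLOW_ROOT/*/*/*/*/*.parquet}"
  case "$minutes" in
    ''|*[!0-9]*) echo "minutes must be a non-negative integer" >&2; return 1 ;;
  esac
  case "$glob" in
    *\'*) echo "glob must not contain a single quote" >&2; return 1 ;;
  esac
  printf "SELECT * FROM read_parquet('%s') WHERE stime >= current_timestamp - INTERVAL %s MINUTE;\n" "$glob" "$minutes"
}

# Run the query with the DuckDB CLI on the host, where /var/flow is the
# directory mounted into gnat_store. Example: query_recent_flows 15 "$(hour_glob "$(date -u +%Y-%m-%dT%H)")"
query_recent_flows() {
  sql=$(recent_flows_sql "$@") || return 1
  duckdb -c "$sql"
}
```

Limiting the glob to the current hour matters once the store has accumulated days of partitions: the full glob makes DuckDB open every file before the stime predicate can drop rows.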