jancajthaml-devops/ona
Observable Networks Appliance (ONA)

This repository is where the development of the Observable Networks Appliance (ONA) takes place. The ONA software is used to collect input data for Observable Networks' network security service. It can run on a variety of platforms, including embedded computers, physical servers, virtual machines, cloud servers, and Docker containers.

See observable.net for more information about Observable Networks' network security service.

Supported platforms

Pre-built packages are available for several platforms.

  • Ubuntu 12.04 and 14.04
  • Ubuntu 15.04 and later
  • RHEL 6 and compatible (including CentOS 6* and Amazon Linux for EC2)
  • RHEL 7 and compatible (including CentOS 7)
  • Raspberry Pi 2 Model B with Raspbian (requires the upstart package)
  • Docker (tested with CoreOS)

To install the latest version on Ubuntu 12.04 or 14.04 (recommended for physical and virtual machine installations):

# wget https://onstatic.s3.amazonaws.com/ona/master/ona-service_UbuntuPrecise_amd64.deb
# dpkg -i ona-service_UbuntuPrecise_amd64.deb

(Replace master with a version tag if you need an older version.)

* RHEL 6 and others will need /usr/bin/python2.7 to point to a working Python 2.7 installation.

Services

The ONA is composed of a number of configurable services, supervised by a single system service, obsrvbl-ona. Control which services are running by editing /opt/obsrvbl-ona/config.

  • (Runs by default) obsrvbl-ona: Monitors for configuration changes and handles automatic updates. Starting this service starts the other services that are configured.
  • (Runs by default) log-watcher: Tracks the sensor's authentication logs.
  • (Runs by default) pdns-capturer: Collects passive DNS queries.
  • (Runs by default) pna-monitor: Collects IP traffic metadata.
  • (Runs by default) pna-pusher: Sends IP traffic metadata to the Observable cloud.
  • (Runs by default) hostname-resolver: Resolves active IPs to local hostnames.
  • netflow-monitor: Listens for NetFlow data sent by routers and switches.
  • netflow-pusher: Sends NetFlow data to the Observable cloud.
  • notification-publisher: Relays Observable observations and alerts over syslog or SNMP.
  • arp-capturer: Collects ARP traffic from the LAN.
  • ossec-alert-watcher: If OSSEC is installed, monitors its alerts.
  • suricata-alert-watcher: If Suricata is installed, monitors its alerts.
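The README says which services run by default and that /opt/obsrvbl-ona/config decides which ones are active, but it does not show the file's format. The script below is an added example (not ONA's own code) that reads such a config, works out the resulting set of running services, and warns when a pusher is enabled without the collector that feeds it. It assumes a hypothetical format of shell-style KEY=value lines with one key per service, spelled OBSRVBL_<SERVICE_NAME> (for example OBSRVBL_NETFLOW_MONITOR=true); the key scheme, the accepted truthy values and the sample config are all constructed for the example, while the service names and defaults come from the list above.

```python
"""Work out which ONA services a config file enables.

Added example, not ONA's own code. Assumed (hypothetical) format:
shell-style KEY=value lines, one per service, key OBSRVBL_<SERVICE_NAME>,
'#' comment lines, optional 'export' prefix and optional quotes.
"""
import re

# Services the README lists as running by default.
DEFAULT_ON = {
    "obsrvbl-ona", "log-watcher", "pdns-capturer",
    "pna-monitor", "pna-pusher", "hostname-resolver",
}
# Optional services from the README.
OPTIONAL = {
    "netflow-monitor", "netflow-pusher", "notification-publisher",
    "arp-capturer", "ossec-alert-watcher", "suricata-alert-watcher",
}
ALL_SERVICES = DEFAULT_ON | OPTIONAL

# A pusher only has data to send if its matching collector runs.
REQUIRES = {
    "pna-pusher": "pna-monitor",
    "netflow-pusher": "netflow-monitor",
}

TRUE_VALUES = {"true", "yes", "1", "on"}   # assumed truthy spellings

LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def service_key(name):
    """Map 'netflow-monitor' -> 'OBSRVBL_NETFLOW_MONITOR' (assumed scheme)."""
    return "OBSRVBL_" + name.upper().replace("-", "_")


def parse_config(text):
    """Parse KEY=value lines; blank, comment and malformed lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        # Strip one layer of matching single or double quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def enabled_services(text):
    """Return the services that would run: README defaults plus overrides."""
    settings = parse_config(text)
    enabled = set()
    for name in ALL_SERVICES:
        value = settings.get(service_key(name))
        if value is None:
            on = name in DEFAULT_ON          # unset key keeps the default
        else:
            on = value.strip().lower() in TRUE_VALUES
        if on:
            enabled.add(name)
    return enabled


def config_warnings(text):
    """Flag pushers enabled without their collector and unknown OBSRVBL_ keys."""
    settings = parse_config(text)
    enabled = enabled_services(text)
    warnings = []
    for pusher, collector in sorted(REQUIRES.items()):
        if pusher in enabled and collector not in enabled:
            warnings.append(f"{pusher} is enabled but {collector} is not")
    known = {service_key(n) for n in ALL_SERVICES}
    for key in sorted(settings):
        if key.startswith("OBSRVBL_") and key not in known:
            warnings.append(f"unknown service key {key}")
    return warnings


# Constructed sample config: NetFlow pusher on without its monitor,
# pna-pusher switched off, ARP capture on via an exported variable.
SAMPLE_CONFIG = """\
# constructed sample config, not a real ONA file
OBSRVBL_NETFLOW_PUSHER="true"
OBSRVBL_PNA_PUSHER=false
export OBSRVBL_ARP_CAPTURER=yes
"""

if __name__ == "__main__":
    for name in sorted(enabled_services(SAMPLE_CONFIG)):
        print("enabled:", name)
    for w in config_warnings(SAMPLE_CONFIG):
        print("warning:", w)
```

Running the script on the constructed sample lists seven enabled services (the defaults minus pna-pusher, plus netflow-pusher and arp-capturer) and one warning, because netflow-pusher has nothing to send while netflow-monitor is off. A check like this is useful before restarting obsrvbl-ona, since a pusher left on by itself silently sends nothing and a collector left on with its pusher off keeps data on the sensor that never reaches the cloud.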

About

Observable Network Appliance for passive monitoring of a network