Phantom enables collaboration in the security community through the use of open source Apps and Playbooks. Phantom Apps are connectors capable of connecting to the management APIs of security applications, products and services to orchestrate the environment from within the Phantom platform. Phantom Apps are Python modules, allowing anyone to expand the platform and contribute Apps to the Phantom App store.
This App model is one of the reasons that we refer to Phantom as being “Community Powered”. You can read more about Phantom and Apps here.
We are pleased to spotlight (no pun intended) a new Phantom App that was built by the community. The Phantom Floodlight App is now available at:
As you might expect, this App connects Phantom to the Floodlight Software-Defined Networking (SDN) controller, and supports more than two dozen actions (See the README file for more information).
It’s great to see collaboration and sharing in the community. If you want to try the new Phantom App, here is an outline of the steps to get started:
Start with a CentOS 7 endpoint, server, or VM, and clone the following repositories:
Building Floodlight is very straightforward. Make sure you have a jdk, ant, maven, and ant-junit installed and then run these commands from the Floodlight root:
- ant clean
- ant eclipse
It should build and run unit tests immediately if all dependencies are met. If not, review the README file for help.
Building Open vSwitch requires a bit more work, but the documentation steps through the process very well. Follow the instructions in INSTALL.RHEL.md. The result will be a set of .rpm files in the ~/rpmbuild/RPMS/x86_64 directory. Disable SELinux, install the resulting rpm’s, and reboot.
Next, register for a Phantom Community Edition account (it’s free to use).
Once registered, sign in and select “PRODUCT->RELEASES” and download the Official Release: Phantom version 1.1.72 (as of May 11, 2016).
Next, you might want to review a tutorial to learn Open vSwitch: http://openvswitch.org/support/dist-docs/tutorial/Tutorial.md.txt. I also recommend using Mininet to set up virtual networks.
Running Floodlight is simple. Just use the following commands from the Floodlight top-level directory:
- java -jar target/floodlight.jar
- Configure Open vSwitch to look for an OpenFlow controller on port 6653 with the following command: ovs-vsctl set-controller s3 tcp:<floodlight_host_ip>:6653
Finally, be sure to check your Firewall rules if you have problems connecting.
Join the Phantom-Community Slack channel as a great resource for Q&A as well as collaboration with the community.
Director, Product Management
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.