TRAFFICTHIEF Readme
Jul. 1 2015 — 9:52 a.m.

SECRET//REL TO USA, FVEY
TRAFFICTHIEF
Configuration Read Me
Overview
(S//REL) TRAFFICTHIEF is the NSA corporate alerting and tipping system. Independent collection
systems such as XKEYSCORE provide real-time messages, called events (tips), to the TRAFFICTHIEF
server. TRAFFICTHIEF receives these tips in real-time when targets are actively communicating,
enhances messages with geo-location information and then immediately alerts to this activity.

Pre-Configuration Requirements
Before configuring xks.config for TRAFFICTHIEF tipping, you must:
1. Confirm Unified Targeting Tool (UTT) tasking is delivered from a Site Selection
   Distribution Manager (SSDM). Please refer to the UTT Configuration Read Me for configuring
   UTT tasking.
2. Confirm the UTT sends selector targeting information to the SSDM to manage
   selector tasking at a field site. The SSDM receives load and update requests from UTT and is
   responsible for any site-specific processing that must be performed before forwarding the
   appropriate subset of information to the site-local collection system.
3. Confirm that port 443 is open if tips will be sent via socket to the server (e.g., using the
   alert_trafficthief plugin).
   NOTE: If tips will be sent over MAILORDER (using the alert_mailorder plugin),
   then port 443 does not need to be opened.
4. Confirm MAILORDER is configured to pick up MAILORDER files from the
   directory on the Master server. To do this, create a
   MAILORDER ticket to set up the pickup directory for your Master XKS server:
   a. Type go mailorder in the URL field of a browser on a high-side computer.
   b. Click PATHMASTER Remedy Ticket near the top right of the screen. The Remedy
      Ticket Submission screen will appear.
   c. In the bottom half of the Remedy Ticket Submission screen are two yellow Submit
      Remedy Ticket buttons. Click the top button of the two. (This ticket pertains to New
      Data-Flow). The ITSC login screen will appear.
   d. Enter the SID of your alternate POC and then click Continue. A screen containing
      contact information for you and your POC will appear.
   e. Add/Edit the contact information as appropriate and then click Continue to go to the
      Data transport service screen.
   f. Click Dataflow request and then click Continue. The Request for New Data Flow
      on an Existing Transport System screen will appear.
   g. Enter as much information as you can. In the Data Flow Change Description field,
      specifically indicate that the pick-up directory should be:
      er
   h. Click Submit. You will receive a confirmation e-mail indicating the ticket has been
      received and more information may be requested before the ticket can be completed.
      Overall, the process might take anywhere from a few days to a week to complete.

Using Socket to Send 5l?s Tips to TRAFFICTHIEF
(U//FOUO) Follow these steps to configure the xks.config file to use Socket to send 5l?s Tips to
TRAFFICTHIEF:
1. (U//FOUO) Log on as the user oper.
2. At the command line from within any directory, type vi config and then press
   Enter. The xks.config file will open.
3. In the inputs section of xks.config, set the following configurations:
   a. alert_output true
      This turns tipping "on."
   b. alert_output_type socket
      This indicates that all output will be sent via secure socket.
   c. alert_instance sitename
      This helps the analyst determine where the tip came from. The sitename name is
      included in the XML of the actual tip sent to TRAFFICTHIEF.
   d. alert_host 7.216.26.130:443
      This is the IP address and port number where the alerts are sent.
   Note: Whatever value is set equal to alert_instance is the value that is put
   into the instance field of the actual alert.
4. (U//FOUO) Type :wq and then press Enter to exit xks.config.
5. (U//FOUO) Perform the following commands only after making changes in xks.config. At the
   command prompt, type:
   a. setup plugins
      This ensures any applicable changes to plugin configurations will take effect.
   b. xks rsync push_config
      This pushes the latest configuration files to the slaves in the cluster.
   c. xks proc saferestart
      After setup is complete, this restarts process_data_parent's for the new configuration
      to take effect. This process loads all the dictionaries and fingerprints and then
      performs dictionary scanning, metadata extraction, databasing of metadata, and
      archival of content. When the parent is finished reloading, it will do a staggered
      restart of its children based on which slave the parent is running on.

Using Socket to Send NOFORN Tips to TRAFFICTHIEF
Follow these steps to configure the xks.config file to use Socket to send NOFORN Tips to
TRAFFICTHIEF:
1. Log on as the user oper.
2. At the command line from within any directory, type vi config and then press
   Enter. The xks.config file will open.
3. In the inputs section of xks.config, set the following configurations:
   a. alert_output true
      This turns tipping
   b. alert_output_type socket
      This indicates that output will be sent via secure socket.
   c. alert_instance sitename
      This is the location where the tip came from. The sitename is retrieved from the
      actual XML of the tip that is generated.
   d. alert_host 7 .216 . 2 6. 2 443
      This is the IP address and port number where the alerts are sent.
   Note: (U//FOUO) The instance in the actual alert is filled in with the value assigned to
   alert_instance in
4. Type :wq and then press Enter to exit xks.config.
5. (U//FOUO) Perform the following commands after making changes in xks.config. At the
   command prompt, type:
   a. setup plugins
      This enables the alert_trafficthief plugin with the configurations established in
      Step 3 above.
   b. xks rsync
      This pushes the latest configurations to the slaves in the cluster.
   c. proc saferestart
      After setup is complete, this restarts process_data_parent's for the new configuration
      to take effect. This process loads all the dictionaries and fingerprints and then
      performs dictionary scanning, metadata extraction, databasing of metadata, and
      archival of content.

Using MAILORDER to Send 5l?s Tips to TRAFFICTHIEF
Follow these steps to configure the xks.config file to use MAILORDER to send 5l?s Tips to
TRAFFICTHIEF:
1. Log on as the user oper.
2. (U//FOUO) At the command line from within any directory, type vi config and then press
   Enter. The xks.config file will open.
3. (U//FOUO) In the inputs section of xks.config, set the following configurations:
   a. alert_output true
      This turns tipping "on."
   b. alert_output_type mailorder
      This indicates that output will be sent via MAILORDER.
   c. alert_instance sitename
      This is the location where the tip came from. The sitename is retrieved from the
      actual XML of the tip that is generated.
   d. alert_host
      This is the IP address where the alerts are sent. No IP address is required because,
      in this case, tips are being sent via MAILORDER.
   Note: The instance in the actual alert is filled in with the value assigned to
   alert_instance in
4. (U//FOUO) Type :wq and then press Enter to exit xks.config.
5. Perform the following commands only after making changes in xks.config. At the
   command prompt, type:
   a. xks setup plugins
      This ensures any applicable changes to plugin configurations will take effect.
   b. xks rsync push_config
      This pushes the latest configuration files to the slaves in the cluster.
   c. xks proc saferestart
      After setup is complete, this restarts process_data_parent's for the new configuration
      to take effect. This process loads all the dictionaries and fingerprints and then
      performs dictionary scanning, metadata extraction, databasing of metadata, and
      archival of content.

Using MAILORDER to Send NOFORN Tips to TRAFFICTHIEF
(U//FOUO) Follow these steps to configure the xks.config file to use MAILORDER to send NOFORN Tips
to TRAFFICTHIEF:
1. (U//FOUO) Log on as the user oper.
2. At the command line from within any directory, type vi config and then press
   Enter. The xks.config file will open.
3. In the inputs section of xks.config, set the following configurations:
   a. alert_output true
      This turns tipping "on."
   b. alert_output_type mailorder
      This indicates that output will be sent via MAILORDER.
   c. alert_instance sitename
      This is the location where the tip came from. The sitename is retrieved from the
      actual XML of the tip that is generated.
   d. alert_host
      This is the IP address where the alerts are sent. No IP address is required because,
      in this case, tips are being sent via MAILORDER.
   Note: The instance in the actual alert is filled in with the value assigned to
   alert_instance in
4. Type :wq and then press Enter to exit xks.config.
5. Perform the following commands only after making changes in xks.config. At the command
   prompt, type:
   a. xks setup plugins
      This ensures any applicable changes to plugin configurations will take effect.
   b. xks rsync push_config
      This pushes the latest configuration files to the slaves in the cluster.
   c. xks proc saferestart
      After setup is complete, this restarts process_data_parent's for the new configuration
      to take effect. This process loads all the dictionaries and fingerprints and then
      performs dictionary scanning, metadata extraction, databasing of metadata, and
      archival of content.