Network Tap: Autograph needs to be installed at the boundary of your network, where communication between internal and external hosts can be monitored. A DMZ is a typical place to deploy Autograph. Note, however, that Autograph currently relies on port-scanner information to identify suspicious flows, so it needs to be placed before any proxy that filters out scanning activity.
Hardware: Autograph runs on general-purpose PCs. For example, we are currently running Autograph on a general-purpose PC with an Intel Pentium 4 3GHz CPU, 1GB RAM, and a 100GB HDD to monitor a T3 network link.
OS: Autograph is tested on Linux, FreeBSD, and OpenBSD.
Hard disk: Autograph currently stores intermediate state and writes its final results to the hard disk. A fast, large hard disk drive is recommended.
User Privileges: superuser privileges are required to install Autograph and to tap network interfaces in promiscuous mode. However, if you only want to test Autograph offline with tcpdump packet traces, you do not have to be a superuser.
Network Interfaces: packet capture on a 10/100Mbps Ethernet card with libpcap support has been tested.
rabinpoly version 1.0 or higher (http://www.cs.cmu.edu/~hakim/software) for COPP. Autograph needs the full source code of rabinpoly to compile. You don't have to compile or install the rabinpoly library. For further details, refer to the Installation section of the Quick Start Guide.