Getting started

Stand up the platform end‑to‑end on a single host in ~10 minutes. Numbers below are the lab defaults; substitute your own where it matters.

Prerequisites

Tool                      Version             Why
Linux kernel              >= 5.10             AF_PACKET capture, eBPF-ready (sensor)
Docker + compose plugin   recent              NATS, PostgreSQL, Redis, Prometheus, Grafana
Rust                      1.95 (stable)       sensor (backend/sensor)
Go                        1.22+               correlator + API (backend/correlator, backend/api)
Node                      >= 18               frontend (frontend/)
Python                    3.11 (stdlib only)  control-plane scripts (backend/control)
Ansible (optional)        2.16+               4-node provisioning (infra/ansible)

A NIC attached to the monitored segment (ens33 in the lab) must be available to the sensor and able to enter promiscuous mode.

1. Data plane

make stack            # NATS + PG + Redis + Prometheus + Grafana (docker compose up -d)
psql -h 127.0.0.1 -U postgres -d arpg -f infra/sql/001_baseline.sql
psql -h 127.0.0.1 -U postgres -d arpg -f infra/sql/002_dhcp_leases.sql
psql -h 127.0.0.1 -U postgres -d arpg -f infra/sql/003_incidents.sql
psql -h 127.0.0.1 -U postgres -d arpg -f infra/sql/004_policies_settings.sql
psql -h 127.0.0.1 -U postgres -d arpg -f infra/sql/005_ml_scores.sql
psql -h 127.0.0.1 -U postgres -d arpg -f infra/sql/006_users.sql

Or one‑shot from the repo root:

make stack-up           # docker compose up
make db-migrate         # apply infra/sql/* in order

2. Sensor

cd backend
make sensor             # cargo build --release  (sensor lands in sensor/target/release/arpg-sensor)
make caps               # setcap cap_net_raw,cap_net_admin+eip on the binary; file capabilities live on that file, so every cargo build replaces it and drops them: re-run after each build
sudo ip link set ens33 promisc on
make sensor-baseline    # start sensor with PG-driven baseline, NDJSON → NATS

Quick sanity test without privileges or the network: make sensor-selftest. It exercises Tier 1/2/3 on synthetic frames and prints a verdict line per case.
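Before starting the sensor it is worth checking the three host conditions above (kernel >= 5.10, capabilities present on the binary, NIC in promiscuous mode) in one go. The script below is an added example for this guide, not part of the project: the thresholds, the binary path and the interface name are taken from the steps above, while the function names and the parsing of getcap and sysfs output are this example's own. The pure functions take raw text so they can be exercised without a live host; preflight_live() reads the host.

```python
"""Preflight for a sensor host: kernel, file capabilities, promiscuous mode.

Added example for this guide, not part of the project. Thresholds come from the
guide (kernel >= 5.10, cap_net_raw + cap_net_admin on the sensor binary, ens33
in promiscuous mode); the helpers and the parsing are this example's own.
"""
import re
import subprocess
from pathlib import Path

MIN_KERNEL = (5, 10)
REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}
IFF_PROMISC = 0x100          # flag bit in /sys/class/net/<if>/flags (linux/if.h)
SENSOR_BIN = "sensor/target/release/arpg-sensor"   # path from 'make sensor' above


def kernel_ok(release: str, minimum=MIN_KERNEL) -> bool:
    """Accept 'uname -r' output such as '5.10.0-26-amd64' or '6.8.0-45-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release.strip())
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= minimum


def caps_from_getcap(output: str) -> set:
    """Capability names that are both effective and permitted, from getcap output.

    Older libcap prints '<path> = cap_net_admin,cap_net_raw+eip'; newer versions
    print '<path> cap_net_admin,cap_net_raw=eip'. getcap prints nothing at all
    when the file carries no capabilities (e.g. right after a rebuild replaced
    the binary), which yields an empty set here.
    """
    lines = output.strip().splitlines()
    m = re.search(r"((?:cap_[a-z_]+,?)+)[+=]([eip]+)\s*$", lines[-1]) if lines else None
    if not m or not {"e", "p"} <= set(m.group(2)):
        return set()
    return set(m.group(1).split(","))


def caps_ok(output: str, required=REQUIRED_CAPS) -> bool:
    return required <= caps_from_getcap(output)


def promisc_from_flags(flags_hex: str) -> bool:
    """Decode /sys/class/net/<if>/flags (e.g. '0x1103') and test IFF_PROMISC."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def preflight(release: str, getcap_output: str, flags_hex: str) -> dict:
    return {
        "kernel": kernel_ok(release),
        "caps": caps_ok(getcap_output),
        "promisc": promisc_from_flags(flags_hex),
    }


def preflight_live(binary: str = SENSOR_BIN, nic: str = "ens33") -> dict:
    release = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True).stdout
    getcap = subprocess.run(["getcap", binary], capture_output=True, text=True).stdout
    flags = Path(f"/sys/class/net/{nic}/flags").read_text()
    return preflight(release, getcap, flags)


if __name__ == "__main__":
    import sys
    result = preflight_live()
    for name, ok in result.items():
        print(f"{name:8s} {'ok' if ok else 'FAIL'}")
    sys.exit(0 if all(result.values()) else 1)
```

Run it from backend/ after make caps and the ip link command; a FAIL on caps right after a rebuild is the expected symptom of the setcap caveat above.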

3. Correlator + mitigation controller

make correlator MODE=guarded     # monitor | guarded | enforce

The mode caps the mitigation level the controller may take on its own:

Mode      What auto-acts                 Used for
monitor   nothing (alert only)           development; low confidence in the baseline
guarded   L1 (corrective ARP)            default for production
enforce   L1 + L2 (NAC quarantine)       hardened sites with confirmed NAC actuators

4. Operator API + dashboard

export ARPG_JWT_SECRET="$(openssl rand -hex 32)"   # signs session tokens; generate once and keep it (env file, not the repo): a new value invalidates every issued token
export ARPG_ADMIN_PASSWORD="set-on-first-run"      # bootstrap admin password; replace the placeholder before starting
cd backend
make api                                            # serves :8080

Open http://localhost:8080/ and sign in.

Account     Default password             Role
admin       ARPG_ADMIN_PASSWORD (env)    admin
analyst     analyst123                   analyst
responder   responder123                 responder
viewer      viewer123                    viewer

The three demo accounts (analyst, responder, viewer) are created with these passwords on first API start. Change them before the API is reachable from anything other than localhost.
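The comment on ARPG_JWT_SECRET matters more than it looks: if the shell line above is re-run on every restart, a fresh random secret is exported each time and every session token issued under the old one stops verifying. The code below is an added example for this guide, not the API's code, and the guide does not show the API's token format; it assumes the common HS256 JWT layout (header.payload.signature, HMAC-SHA256 over "header.payload") to make the effect concrete and to show that a token forged under a guessed secret, or with the algorithm switched to "none", is rejected.

```python
"""Why ARPG_JWT_SECRET has to stay the same across API restarts.

Added example for this guide; not the API's code. Assumes a plain HS256 JWT
(the guide does not show the real token format). Claim names are illustrative.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(secret: str, sub: str, role: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue a compact HS256 JWT with sub/role/iat/exp claims."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(
        {"sub": sub, "role": role, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(secret: str, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is valid under `secret`, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(unb64url(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None          # pin the algorithm: no "none", no key-type confusion
        expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None          # constant-time comparison of the HMAC tag
        claims = json.loads(unb64url(payload))
    except ValueError:           # bad split, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def survives_restart(secret_before: str, secret_after: str) -> bool:
    """Does a session minted before a restart still verify after it?"""
    token = mint(secret_before, "analyst", "analyst", now=1_700_000_000)
    return verify(secret_after, token, now=1_700_000_100) is not None


if __name__ == "__main__":
    fixed = "0123456789abcdef" * 4            # what a persisted 32-byte hex secret looks like
    print("same secret kept   :", survives_restart(fixed, fixed))
    print("secret regenerated :", survives_restart(fixed, "f" * 64))
```

Generate the secret once, store it where the service reads its environment, and treat a deliberate change as a forced logout of every operator.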

5. Working on the dashboard

cd frontend
npm install
npm run dev             # http://localhost:5173 — proxies /api and /events to :8080

When you're ready to ship a change:

make sync-dashboard     # frontend npm run build → backend/api/static → go build
sudo systemctl restart arpg-api   # or kill / restart your `make api`

6. Smoke test

# Generate a benign poison from another host on the segment (authorized lab only).
sudo python3 backend/generator/arp_attack.py -i ens33 --mode poison --spa 192.168.10.1

You should see a CRITICAL incident on the dashboard within ~5s, an audit row in mitigation_audit, and (in guarded/enforce) a corrective ARP burst from the controller.
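To see what that smoke test exercises at the frame level, here is an added illustration for this guide; it is not the sensor's, generator's or controller's code. It constructs the poison reply the generator would send for --spa 192.168.10.1 (the baseline gateway mapping, the attacker MAC and the victim are constructed values), runs the kind of baseline-conflict check a Tier 1 detector makes, and builds the unicast corrective reply that an L1 "corrective ARP" action would send to restore the victim's cache. Frame layout follows RFC 826 over Ethernet II; the check itself is a generic one, not a description of the sensor's tiers.

```python
"""One poison frame, one baseline check, one corrective reply.

Added illustration for this guide, not the project's code. All addresses and
the baseline below are constructed; 192.168.10.1 is the --spa from the smoke
test. Ethernet II (14 bytes) + ARP for IPv4 over Ethernet (28 bytes).
"""
import struct
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_src: Optional[str] = None, eth_dst: Optional[str] = None) -> bytes:
    """Ethernet II + ARP. The Ethernet addresses default to the ARP ones."""
    eth = mac_bytes(eth_dst or tha) + mac_bytes(eth_src or sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def check(frame: bytes, baseline: dict) -> list:
    """Reasons this frame conflicts with the IP->MAC baseline (empty list = clean)."""
    a = parse_arp(frame)
    if a is None:
        return ["not an Ethernet/IPv4 ARP frame"]
    reasons = []
    if a["eth_src"] != a["sha"]:          # header/body disagreement: crafted frame
        reasons.append(f"eth src {a['eth_src']} != ARP sender {a['sha']}")
    known = baseline.get(a["spa"])
    if known and known != a["sha"]:       # sender claims a baselined IP with another MAC
        reasons.append(f"{a['spa']} baseline {known}, frame claims {a['sha']}")
    return reasons


def corrective_reply(ip: str, true_mac: str, victim_ip: str, victim_mac: str) -> bytes:
    """L1 action: unicast reply restating the baseline mapping to the victim."""
    return build_arp(ARP_REPLY, true_mac, ip, victim_mac, victim_ip)


BASELINE = {"192.168.10.1": "aa:bb:cc:dd:ee:01"}                # constructed gateway mapping
ATTACKER = "de:ad:be:ef:00:02"                                   # constructed
VICTIM_IP, VICTIM_MAC = "192.168.10.50", "aa:bb:cc:dd:ee:50"     # constructed

poison = build_arp(ARP_REPLY, ATTACKER, "192.168.10.1", VICTIM_MAC, VICTIM_IP)
fix = corrective_reply("192.168.10.1", BASELINE["192.168.10.1"], VICTIM_IP, VICTIM_MAC)

if __name__ == "__main__":
    print("poison :", check(poison, BASELINE))
    print("fix    :", check(fix, BASELINE))
```

The corrective reply only works while the victim accepts unsolicited replies and the attacker is not re-poisoning faster than the controller bursts, which is why the page pairs it with L2 quarantine in enforce mode.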

7. Teardown

make stack-down         # docker compose down
sudo ip link set ens33 promisc off

That removes the running containers; the Postgres volume, and the data in it, persists unless you run docker compose down -v directly.