Architecturally, Sandfly uses a core server for the database, user interface and REST API. Scanning of remote systems is done by separate scanning nodes.
The scanning nodes receive orders from the server specifying which systems to scan and which problems to look for on the remote hosts, using a random selection of sandflies. The nodes perform the required checks by pushing their sandflies down to the hosts to investigate and report results. Any suspicious activity a sandfly finds is reported back to the server for user alerting and further action.
Sandfly High-Level Architecture
During install we will set up the core server and the scanning nodes. The server comprises a web server, a REST API and an Elasticsearch database. The nodes use a Rabbit messaging system to talk to the server, and run multi-threaded, high-performance scanning engines that manage sandfly deployment and collect results.
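To make the server/node split described above concrete, here is an added toy model of the dispatch loop: the server picks a random subset of checks per host and queues an order, a node pulls orders, runs each check against the host and reports results, and only non-empty results become alerts. This is example code written for this page, not Sandfly's own code or API; the class names, the three checks and the host data are all hypothetical and constructed.

```python
import random
from dataclasses import dataclass
from queue import Queue
from typing import Callable

# Toy model of the server/node split. All names are hypothetical; this is
# not Sandfly's code. The server owns the order queue and the alert store
# (standing in for the database and REST API); a node owns the execution.


@dataclass(frozen=True)
class Sandfly:
    name: str
    check: Callable[[dict], list]  # host state -> list of finding strings


@dataclass(frozen=True)
class Order:
    host: str
    sandflies: tuple


@dataclass(frozen=True)
class Result:
    host: str
    sandfly: str
    findings: tuple


# Constructed checks over a dict describing a host (the kind of data an
# agentless scanner would gather from the remote system before deciding).
def process_deleted_binary(state):
    return [f"pid {p['pid']} runs from deleted binary {p['exe']}"
            for p in state.get("processes", []) if p.get("deleted")]


def process_hidden_tmp_path(state):
    return [f"pid {p['pid']} executes from hidden path {p['exe']}"
            for p in state.get("processes", []) if p["exe"].startswith("/tmp/.")]


def user_uid0_not_root(state):
    return [f"user {u['name']} has uid 0"
            for u in state.get("users", []) if u["uid"] == 0 and u["name"] != "root"]


CATALOGUE = (
    Sandfly("process_deleted_binary", process_deleted_binary),
    Sandfly("process_hidden_tmp_path", process_hidden_tmp_path),
    Sandfly("user_uid0_not_root", user_uid0_not_root),
)


class Server:
    """Queues orders with a random sandfly selection per host; stores alerts."""

    def __init__(self, catalogue, per_host, seed=None):
        self.catalogue, self.per_host = tuple(catalogue), per_host
        self.rng = random.Random(seed)  # seeded so a run is reproducible
        self.orders = Queue()
        self.alerts = []

    def dispatch(self, hosts):
        for host in hosts:
            k = min(self.per_host, len(self.catalogue))
            self.orders.put(Order(host, tuple(self.rng.sample(self.catalogue, k))))

    def receive(self, result):
        if result.findings:  # only suspicious results are raised as alerts
            self.alerts.append(result)


class Node:
    """Pulls orders and runs each sandfly against the host's gathered state."""

    def __init__(self, server, host_states):
        self.server, self.host_states = server, host_states

    def run(self):
        while not self.server.orders.empty():
            order = self.server.orders.get()
            state = self.host_states[order.host]
            for sf in order.sandflies:
                self.server.receive(Result(order.host, sf.name, tuple(sf.check(state))))


# Constructed host states standing in for data gathered from two hosts.
HOSTS = {
    "web-01": {
        "processes": [
            {"pid": 412, "exe": "/usr/sbin/sshd", "deleted": False},
            {"pid": 9001, "exe": "/tmp/.x/kworker", "deleted": True},
        ],
        "users": [{"name": "root", "uid": 0}],
    },
    "db-01": {
        "processes": [{"pid": 77, "exe": "/usr/bin/postgres", "deleted": False}],
        "users": [{"name": "root", "uid": 0}, {"name": "backup", "uid": 0}],
    },
}


def run_scan(host_states=HOSTS, per_host=3, seed=0):
    """One full cycle: server dispatches, node scans, server holds alerts."""
    server = Server(CATALOGUE, per_host, seed)
    server.dispatch(host_states)
    Node(server, host_states).run()
    return server.alerts


if __name__ == "__main__":
    for alert in run_scan():
        print(alert.host, alert.sandfly, alert.findings)
```

With `per_host` set to the full catalogue size every check runs on every host, so the alert set is deterministic; with a smaller `per_host` the seed decides which checks a host gets on a given run, which is the property the random selection trades for: fewer checks per pass, but an attacker cannot predict which ones.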