RaspberryPi NSM

Foxhound: Blackbox - A RaspberryPi 3 NSM (Network Security Monitor) based on Bro, Netsniff-NG, Loki and Critical Stack.
Suitable for a home 'blackbox' deployment - it will record everything that happens on your network. Use it to detect threats and/or to provide network forensics to a malware lab. Primarily I've used this over the last few months to learn more about Bro.
If you're looking for something more suitable for the enterprise, look at Security Onion.
Original concept: Sweet Security by Travis Smith over at Tripwire.
Shopping list
- Raspberry Pi 3 (case, power, pi board)
- SanDisk Class 10 microSD card, 64 GB (80 MB/s).
- Raspbian Lite (Debian-based Linux OS).
- NetGear Gigabit switch or similar that supports port mirroring. In my case I used a PoE D-Link 1100-08P as it powers my IoT Mirai botnet.
- Critical Stack API for Threat Intel / IOCs.
- Mailgun Account or similar mail service for alerts/notifications.
Total ~£75
Overview
Key Tech
- What is Port Mirroring?
Passively copying the traffic seen on one switch port to another port. Cheaper than a tap, but it puts load on the switch.
- What is Bro?
IDS and protocol analyser. Think of it as Wireshark's protocol analyser but without the GUI and much faster.
- What is Netsniff?
Packet capturing daemon that uses AF_PACKET processing to speed up capture. FPC (full packet capture) is the ultimate source for an analyst: "PCAP it, or it didn't happen".
- What is LOKI?
File scanning daemon based on YARA. Signature detection much like AV, but you can write the custom rules for detection. See Florian Roth's YARA repo or the Yara-Rules repo.
- What is Critical Stack?
Threat Intelligence on a shoe-string budget. Log in, set some feeds to follow and link it to the Pi using the API.
- What is Team Cymru MHR?
Malware Hash Registry. Checks a file hash against a database of known-bad hashes and reports back the last-seen time and AV detection rate. Enabled in Bro by default.
Building
- Flash base OS onto Pi.
- Give the Pi an IP.
- Run bash script.
- Done.
1. Flashing Raspbian onto the microSD card
Flash Raspbian onto the microSD card. I used my MacBook, so the method may differ for you. See Raspbian Lite Imaging for further details.
Insert microSD card
Find the disk number.
Flash the Raspbian image onto the microSD card 'disk'
Unmount once finished
2. Configuring the network
Login using the defaults. User: pi Password: raspberry
Set up Wi-Fi (an IP address on wlan0) for your trusted management access.
Once you have received a DHCP IP, you can SSH in from this point.
Leave eth0 as your monitoring interface. This does not need an IP address.
(whatever text editor you prefer)
Add/edit the following lines
Restart the interface eth0
3. Deployment
Download and run the bash script. Interrogate it and copy it as you wish. Tested on Raspbian. The script:
- Installs the core set of programs
- Configures network options (disables NIC offloading etc)
- Creates the services for each program.
- Creates the email alerts using Mailgun/SSMTP
- Configures cron jobs.
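The monitoring-interface settings from steps 2 and 3 (eth0 with no IP address, offloading disabled) as an added example; this is not the Foxhound script's own code, and it assumes the monitor NIC is eth0 and that ip(8) and ethtool(8) are installed, as on Raspbian:

```shell
# monitor_iface_plan IFACE: print the commands that turn IFACE into a passive
# monitor port. Generating the plan separately lets you review it before applying.
monitor_iface_plan() {
    iface="$1"
    # No address, no ARP: the sensor stays unreachable from the mirrored segment,
    # and it never injects traffic of its own.
    echo "ip addr flush dev $iface"
    echo "ip link set dev $iface arp off promisc on up"
    # With offloading on, the kernel hands Bro coalesced super-frames and
    # unverified checksums; turning it off keeps per-packet analysis honest.
    echo "ethtool -K $iface gro off lro off tso off gso off sg off rx off tx off"
}

# monitor_iface_apply IFACE: run the plan line by line (needs root). Some USB NICs
# reject individual ethtool features, so a failure is reported but not fatal.
monitor_iface_apply() {
    monitor_iface_plan "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || echo "warning: '$cmd' failed (feature may be unsupported on this NIC)" >&2
    done
}

# interfaces_stanza IFACE: matching /etc/network/interfaces entry so the settings
# survive a reboot. "inet manual" brings the interface up without an IP address.
interfaces_stanza() {
    cat <<EOF
auto $1
iface $1 inet manual
    up ip link set dev \$IFACE arp off promisc on
    up ethtool -K \$IFACE gro off lro off tso off gso off sg off rx off tx off
    down ip link set dev \$IFACE promisc off
EOF
}
```

Run `monitor_iface_plan eth0` to see what will change, then `sudo sh -c '. ./monitor.sh; monitor_iface_apply eth0'` to apply it, and append `interfaces_stanza eth0` to /etc/network/interfaces to make it persistent.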
Done! Cookie approved!
What's next? Hook it up as in the diagram if you haven't already and you should see data coming in. All services should be active once the script has finished.
Performance
Replay a PCAP with tcpreplay.
Send some PCAP data at the monitor port eth0. I used some pre-captured traffic.
Before and after broctl netstats
For home/lab use the IDS performs adequately: it dropped 10,000 packets after receiving nearly 1,000,000! My broadband speed is 40 Mbps, which the IDS copes with fine. If you need extra performance, avoid running it on a Raspberry Pi and look into faster capture paths such as ntop's PF_RING/ZC modules, which ship with Security Onion.
For more NIC perf tests, on a server run
then on the Pi run
I assume the bottleneck here is the microSD card, which runs at ~80 MB/s.
Bro Basics
- Default storage location for all Bro logs is /nsm/bro/logs/
- Default scripting location is /usr/local/bro/share/bro/site/bro-scripts/
Log directory should look something like...
Use head to show you the field names (the #fields header line).
Use bro-cut to parse the logs by field name.
Basic report
For more excellent examples, try the official Bro exercises over at Bro.org. If you're pretty handy with grep, awk and sed you'll kick ass here.
Tail DNS.log and then generate some DNS traffic from a client.
Also note that MaxMind GeoIP lookups are enabled only for conn.log.
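The bro-cut parsing and basic report described above, as an added example that is not from the Foxhound repo: a bro-cut work-alike in awk (handy where bro-cut is not installed) plus two small conn.log reports, run here over a constructed conn.log excerpt so it works offline.

```shell
# row FIELD...: emit one tab-separated Bro log line (subshell keeps the IFS change local).
row() ( IFS="$(printf '\t')"; printf '%s\n' "$*" )

# Constructed conn.log excerpt: private/documentation addresses and made-up uids,
# in Bro's TSV layout with the #fields header that names each column.
sample_conn_log() {
    row '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service orig_bytes resp_bytes
    row 1489000001.123456 CHx1a 192.168.1.20 51234 192.168.1.1 53 udp dns 60 120
    row 1489000002.500000 CHx2b 192.168.1.20 51235 192.168.1.1 53 udp dns 58 110
    row 1489000003.700000 CHx3c 192.168.1.21 40000 203.0.113.5 443 tcp ssl 1500 9000
    row 1489000004.200000 CHx4d 192.168.1.22 40001 198.51.100.9 23 tcp - 300 -
    row 1489000005.000000 CHx5e 192.168.1.20 51236 192.168.1.1 53 udp dns 61 115
    row '#close' 2017-03-09-00-00-00
}

# bro_cut FIELD...: like bro-cut, select columns by name using the #fields header,
# so a report keeps working when Bro adds or reorders columns. Reads a log on stdin.
bro_cut() {
    awk -F'\t' -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        /^#fields/ {
            for (i = 2; i <= NF; i++) col[$i] = i - 1   # header has "#fields" prepended
            for (i = 1; i <= n; i++)
                if (!(w[i] in col)) { print "unknown field: " w[i] > "/dev/stderr"; exit 1 }
            next
        }
        /^#/ { next }                                   # skip #separator, #close, ...
        {
            out = ""
            for (i = 1; i <= n; i++) out = out (i > 1 ? "\t" : "") $col[w[i]]
            print out
        }'
}

# Report 1: which services are being talked to, by connection count.
top_resp_ports() {
    bro_cut id.resp_p proto | sort | uniq -c | sort -rn | awk '{ print $2 "/" $3, $1 }'
}

# Report 2: bytes in both directions per internal host ("-" means unset in Bro logs).
bytes_by_orig() {
    bro_cut id.orig_h orig_bytes resp_bytes |
        awk -F'\t' '{ if ($2 != "-") b[$1] += $2; if ($3 != "-") b[$1] += $3 }
                    END { for (h in b) print h, b[h] }' | sort -k2,2nr
}
```

On the Pi, replace `sample_conn_log` with `cat /nsm/bro/logs/current/conn.log` (or `zcat` an archived day) and pipe it into `top_resp_ports` or `bytes_by_orig`; the telnet row in the sample is the kind of line an IoT device shows up with in the first report.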
I've not created any dashboarding but you could spin up a VPS ELK instance and ship the logs securely to the cloud if you didn't fancy building one from scratch. Otherwise I'd recommend you build one locally using ELK/Splunk/Graylog.
Basic Maintenance
stop/start netsniff-ng
stop/start/network statistics bro
Running Loki manually
Check Critical Stack IOCs; the cron script does this check-in periodically.
Further Research
Pretty open ended but easily built upon. Just a few ideas...
- Dashboarding with ELK/Splunk FREE version / Graylog
- Graphing/Mapping with D3js
- Local NMAP scanning
- Snort/Suricata IDS Support
- Virus Total integration
- Google Stenographer PCAP
- AOL Moloch PCAP
- PassiveDNS, though Bro's dns.log and filtering can offer the same capabilities.
- Laika BOSS: Object Scanning System