Wednesday, April 4, 2018

BRO on a Raspberry Pi + Splunk

So the onset of this project was spurred by a few goals-
- I have a wordpress site that might as well be a honeypot because wordpress on a DMZ offering services to the interwebs is, well, pretty much asking for it.
- I had a Raspberry Pi 3B just sitting there- it had a few roles before but I just couldn't find a new one after giving up on Home Assistant
- I want to increase my auditing and analysis fu

One could go about installing BRO from source, and a great guide (though meant for Ubuntu) is, of course, found on digital ocean:
https://www.digitalocean.com/community/tutorials/how-to-install-bro-on-ubuntu-16-04
And I might go down this path later to have more control and understanding of the setup.

But to save yourself a little headache, and to add additional features, sneakymonk3y on github made the foxhound-nsm build.  It did not install correctly, but I reached out and gebhard73 had a fork that did work (except for critical stack, who seem to have dropped ARM support).

Check out sneakymonk3y's blog post on the build (pay attention to the critical stack account, hopefully critical stack supports ARM again as it looks awesome):
https://www.sneakymonkey.net/2016/10/30/raspberrypi-nsm/

One day I hope to be able to make a build like that.

So step one:  foxhound build done.

Step two:  Mirror/Span port to Pi from router of DMZ interface

My home router is a pfSense box (thank you pfSense and netgate crew for everything!)- using a generic appliance box from Amazon, I highly recommend pfSense to learn routing, firewall ACLs, Snort and other network fundamentals.  After googling how to bridge the DMZ to an available interface as a mirror port, packets were streaming into the Foxhound BRO pi.

Step three:  Look at Bro logs.  Going to /var/log/bro/current shows that Bro was indeed getting information in!  But how good of a grep'er or regex'er are you?  I wanted pretty SIEM stuff, so now to-

Step four: installing a splunk ARM universal forwarder.  You will need an account with Splunk, and using wget with username and password then the URL of the "download" button will just download the html of the page.  I had to download the tar to my workstation, then scp the file to the pi (after making a tmp folder in the foxhound directory).

https://www.raspberrypi.org/documentation/remote-access/ssh/scp.md

The support for the Splunk UF for the raspberry pi is great at the dev level, the forwarder is the latest 7.0.3 build which was great to see, but the supporting documentation is next to nothing.  Following the Linux tar install instructions:

Install from a tar file

  1. Expand the tar file into an appropriate directory using the tar command. The default installation location is splunk in the current working directory.
    tar xvzf splunkforwarder-<…>-Linux-x86_64.tgz
    
  2. To install into /opt/splunkforwarder, run:
    tar xvzf splunkforwarder-<…>-Linux-x86_64.tgz -C /opt
Then I received "Couldn't determine $SPLUNK_HOME, perhaps it should be set in environment" when typing ./splunk start in the opt/splunk/bin path, so this thread was a help:

 https://answers.splunk.com/answers/553373/couldnt-determine-splunk-home-perhaps-it-should-be.html

Next, my Splunk server is using a free license, so I have to manually configure the forwarder's outputs.conf, and manually install any add-on to give the forwarder the functionality an app on the server requires (such as data input from the bro logs, ingesting and conducting source typing and field extractions for the app's dashboard).
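As an added example (not from this post, the foxhound build or Splunk's docs), here is what that manual step boils down to: an outputs.conf pointing the forwarder at the indexer, and an inputs.conf monitoring the Bro logs from step three. The indexer hostname, the index name and the sourcetype names are assumptions; use whatever the add-on installed on your server expects.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf
# (assumed SPLUNK_HOME=/opt/splunkforwarder, as in the tar install above)
[tcpout]
defaultGroup = bro_indexers

[tcpout:bro_indexers]
# assumed indexer address; 9997 is Splunk's default receiving port
server = splunk.example.lan:9997
# ask the indexer to acknowledge data so nothing is lost if the Pi reboots mid-send
useACK = true

# $SPLUNK_HOME/etc/system/local/inputs.conf
# Bro writes the live logs to /var/log/bro/current and rotates them out at midnight;
# the monitor input follows the rotation by file CRC, so only the live files are listed.
[monitor:///var/log/bro/current/conn.log]
sourcetype = bro_conn
index = bro
disabled = 0

[monitor:///var/log/bro/current/dns.log]
sourcetype = bro_dns
index = bro
disabled = 0

[monitor:///var/log/bro/current/http.log]
sourcetype = bro_http
index = bro
disabled = 0

[monitor:///var/log/bro/current/notice.log]
sourcetype = bro_notice
index = bro
disabled = 0
```

The server side still has to be listening (Settings > Forwarding and receiving > Configure receiving, on that port) and the index has to exist there, and the field extractions live with the app on the server, so the sourcetype names are what tie the raw Bro lines to its dashboards.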

Go backs: I would like to make an Ubuntu VM BRO build simply to get critical stack working as well, but my ESXi machine would need another NIC that it does not have, and it's such an old box the BIOS doesn't have enough memory to support a PCI NIC I have... maybe there is some neat networking trick to get the pfSense mirror port output through the LAN NIC of the hypervisor and into a BRO VM.
