Bro (SOC N' a Box) fly-away kit ideas

Was wondering if anyone has some recommendations on hardware and configuration for building BroNSM fly-away or incident response kits. Whether this be laptops with multiple NICs, external HDs, and high horsepower or mini-towers that can be pre-built and deployed quickly. In addition to hardware, I am interested in OS and cluster configuration ideas that might focus on IR vs. a “log the world” approach. Anyhow, thanks in advance for any advice or recommendations.

-will

Will, I did something similar, in a virtual sense. I needed to have
an ISO image that I could have our staff in the regions setup on a
generic system. I remastered a Security Onion CD (which includes Bro)
and customized as I needed. Here are my notes from that little
exercise. Might be useful...

• The purpose of this exercise is to create a customized Security
Onion Live DVD that will allow me to SSH to it upon boot up of the
DVD. This allows for emergency remote installs or even short-term
Live DVD network analysis (non-NSM) from a generic PC hardware
platform at a remote location.
• The username created in step 2 below will become the hostname of the
Live DVD. Don't know why this is, but it's important to keep in mind,
particularly with regard to the next note...
• Security Onion (Xubuntu) supports/participates in dynamic DNS. So if
your environment supports it too, when your machine boots, it will be
registered with the *username* (not hostname) you create in step 2
below. This threw me off at first, but now that you know, you can easily
connect to the remote machine by name (username) if you are using
dynamic DNS.

Steps to custom ISO creation:

1. Installed SO to a new VM
2. Created a temp user with command "sudo adduser <username>"
3. Edit /usr/bin/remastersys shell script and comment out these 4
lines which would delete the SSH keys (if these keys get deleted
during the remastersys process, you won't be able to SSH to the Live
DVD):

#rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key
#rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key.pub
#rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key
#rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key.pub

4. Further customize the install as you see fit. For me, I wanted to
update the firewall to allow access only from my network:

sudo ufw delete allow 80/tcp
sudo ufw delete allow 22/tcp
sudo ufw allow from 10.10.10.0/24 to any
sudo ufw status   # verify the configuration

5. Create the new DVD image with the command "sudo remastersys backup
so-customized.iso". I used the 'backup' option from remastersys so
that the temp user I created would be left as-is.
6. Test your ISO. You will find it in /home/remastersys/remastersys.

At this point, you can run as a Live OS or you could install it remotely.
If you install it remotely, I suggest updating the SSH keys.

Hope that helps!
Mike

Mike,

Sorry for the delay. I really appreciate you sharing your notes on
this. Having a live disc makes sense, from both a scalability and an
incident response time perspective. Looking forward to putting
something similar together!

Thanks!

-will

Hi Will,

If you have questions specific to Security Onion, please join our mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

One other thing to consider: If you're dealing with more of a
"scalpel" situation in which you already know a fair amount of IP
information you're looking for, you might consider simple pcap
collection with off-line Bro processing back at HQ via upload or NFS
over VPN. That's obviously not ideal, but it would be a lot easier to
reuse on-site hardware or very small hardware (even a Cisco NAM which
already has access to SPAN traffic).

Good point. I've considered using dumpcap or something similar to
archive and batch traffic back to a central monitoring location where
it could be analyzed any number of ways. Oversaturation of a WAN or
MPLS link was the primary concern with back-hauling traffic, but if
broken into small enough jobs combined with compression, I think it
would be manageable. Thanks for the feedback!
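Putting the batching idea above into a script, as an added example that is not part of the original thread or of Bro/Security Onion: it assumes dumpcap (from Wireshark) and rsync are installed on the kit, and the script name flyaway.sh, the SPOOL/OUTBOX paths, the SITE prefix and the HQ_DEST rsync target are placeholders. dumpcap writes a ring buffer of small files, completed files are gzipped into an outbox, and rsync ships them over the VPN with a bandwidth cap so the WAN/MPLS link is not saturated.

```shell
#!/bin/sh
# Added example, not from the thread: a spool-and-ship loop for a fly-away sensor.
# Assumptions (hypothetical): dumpcap and rsync are installed on the kit, and
# HQ_DEST is a placeholder rsync target reachable over the VPN.

SPOOL="${SPOOL:-/var/spool/flyaway}"        # dumpcap ring-buffer files land here
OUTBOX="${OUTBOX:-/var/spool/flyaway/out}"  # compressed files waiting for upload
HQ_DEST="${HQ_DEST:-analyst@hq.example.invalid:/data/pcap/}"  # placeholder target
SITE="${SITE:-site1}"                       # prefix so HQ can tell kits apart
BWLIMIT="${BWLIMIT:-2000}"                  # rsync cap in KiB/s to protect the WAN link

# Start dumpcap as a ring buffer of small files so every upload job stays small.
# $1 = interface, $2 = max file size in kB, $3 = number of files kept on disk.
# FILTER, if set, is a BPF expression for the "scalpel" case (known IPs).
start_capture() {
    if [ -n "${FILTER:-}" ]; then
        exec dumpcap -i "$1" -w "$SPOOL/$SITE.pcap" -b "filesize:$2" -b "files:$3" -f "$FILTER"
    else
        exec dumpcap -i "$1" -w "$SPOOL/$SITE.pcap" -b "filesize:$2" -b "files:$3"
    fi
}

# dumpcap names ring files <base>_<seq>_<timestamp>.pcap. The highest-numbered
# file is the one still being written, so compress every other file into $2 and
# delete the original. Prints the number of files compressed.
compress_completed() {
    dir="$1"; out="$2"
    mkdir -p "$out"
    open=$(ls "$dir"/*.pcap 2>/dev/null | sort | tail -n 1)
    n=0
    for f in "$dir"/*.pcap; do
        if [ ! -e "$f" ] || [ "$f" = "$open" ]; then
            continue
        fi
        if gzip -c "$f" > "$out/$(basename "$f").gz"; then
            rm -f "$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Push the outbox to HQ. --partial resumes interrupted transfers over a flaky VPN,
# --remove-source-files frees the kit's disk once a file has arrived, and
# --bwlimit keeps the back-haul from saturating the MPLS/WAN link.
ship_outbox() {
    rsync -a --partial --remove-source-files --bwlimit="$BWLIMIT" "$1"/ "$2"
}

# Usage: flyaway.sh capture eth1   |   flyaway.sh ship
case "${1:-}" in
    capture) start_capture "${2:-eth0}" 102400 200 ;;   # 100 MB files, 200 kept
    ship)    compress_completed "$SPOOL" "$OUTBOX" >/dev/null
             ship_outbox "$OUTBOX" "$HQ_DEST" ;;
esac
```

Run `flyaway.sh capture <iface>` once (for example from a service unit) and `flyaway.sh ship` from cron every few minutes; each run only touches files dumpcap has already closed, so a crash mid-upload never corrupts the capture in progress, and lowering BWLIMIT is the knob to turn if the link is still too busy.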

Another thing which may be useful on the hardware side for this kit:

http://www.dual-comm.com/gigabit_port-mirroring-LAN_switch.htm

These are small, cheap (<$200), USB-powered Gigabit switches with a built-in mirror: all traffic to/from Port 1 is mirrored to port 4.

I purchased one of these and put it inline in my house as an IDS monitor: I don't know at which point it starts dropping packets (I didn't test that), but I was able to get it up and running trivially.

This is specifically designed for "incident response" type tapping: You have a notebook and a network you want to monitor, so you just splice this in with a short Ethernet cable.