[Bro] Bro (SOC N' a Box) fly-away kit ideas

Will baxterw3232 at gmail.com
Mon Feb 27 09:51:58 PST 2012


Sorry for the delay. I really appreciate you sharing your notes on
this. Having a live disc makes sense, for both a scalability and an
incident response time perspective.  Looking forward to putting
something similar together!



On Thu, Feb 23, 2012 at 4:12 PM, Mike Pilkington <mpilking at gmail.com> wrote:
> Will, I did something similar, in a virtual sense.  I needed to have
> an ISO image that I could have our staff in the regions setup on a
> generic system.  I remastered a Security Onion CD (which includes Bro)
> and customized as I needed.  Here are my notes from that little
> exercise.  Might be useful...
> • The purpose of this exercise is to create a customized Security
> Onion Live DVD that will allow me to SSH to it upon boot up of the
> DVD.  This allows for emergency remote installs or even short-term
> Live DVD network analysis (non-NSM) from a generic PC hardware
> platform at a remote location.
> • The username created in step 2 below will become the hostname of the
> Live DVD.  Don't know why this is, but it's important to keep in mind,
> particularly with regard to the next note...
> • Security Onion (Xubuntu) supports/particpates in dynamic DNS.  So if
> your environment supports it too, when your machine boots, it will be
> registered with the *username* (not hostname) you create in step 2
> below.  This threw me off at first, but now that you know, you can easily
> connect to the remote machine by name (username) if you are using
> dynamic DNS.
> Steps to custom ISO creation:
> 1. Installed SO to a new VM
> 2. Created a temp user with command "sudo adduser <username>"
> 3. Edit /usr/bin/remastersys shell script and comment out these 4
> lines which would delete the SSH keys (if these keys get deleted
> during the remastersys process, you won't be able to SSH to the Live
> DVD):
> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key
> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key.pub
> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key
> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key.pub
> 4. Further customize the install as you see fit.  For me, I wanted to
> update the firewall to allow access only from my network:
> sudo ufw delete allow 80/tcp
> sudo ufw delete allow 22/tcp
> sudo ufw allow from to any
> sudo ufw status (to verify configuration)
> 5. Create the new DVD image with the command "sudo remastersys backup
> so-customized.iso".  I used the 'backup' option from remastersys so
> that the temp user I created would be left as-is.
> 6. Test your ISO.  You will find it in /home/remastersys/remastersys.
> At this point, you can run as a Live OS or you could install it remotely.
> If you install it remotely, I suggest updating the SSH keys.
> Hope that helps!
> Mike
> On 2/23/12, Will <baxterw3232 at gmail.com> wrote:
>> Was wondering if anyone has some recommendations on hardware and
>> configuration for building  BroNSM fly-away or incident response kits.
>> Whether this be laptops with multiple NIC's, external HD's, and high
>> horsepower or mini-tower's that can be pre-built and deployed quickly. In
>> addition to hardware, I am interested in OS and cluster configuration ideas
>> that might focus on IR vs. a "log the world" approach. Anyhow, thanks in
>> advance for any advice or recommendations.
>> -will

More information about the Bro mailing list