[Bro] Bro (SOC N' a Box) fly-away kit ideas

Doug Burks doug.burks at gmail.com
Mon Feb 27 10:03:54 PST 2012

Hi Will,

If you have questions specific to Security Onion, please join our mailing list:


On Mon, Feb 27, 2012 at 12:51 PM, Will <baxterw3232 at gmail.com> wrote:
> Mike,
> Sorry for the delay. I really appreciate you sharing your notes on
> this. Having a live disc makes sense, for both a scalability and an
> incident response time perspective.  Looking forward to putting
> something similar together!
> Thanks!
> -will
> On Thu, Feb 23, 2012 at 4:12 PM, Mike Pilkington <mpilking at gmail.com> wrote:
>> Will, I did something similar, in a virtual sense.  I needed to have
>> an ISO image that I could have our staff in the regions setup on a
>> generic system.  I remastered a Security Onion CD (which includes Bro)
>> and customized as I needed.  Here are my notes from that little
>> exercise.  Might be useful...
>> • The purpose of this exercise is to create a customized Security
>> Onion Live DVD that will allow me to SSH to it upon boot up of the
>> DVD.  This allows for emergency remote installs or even short-term
>> Live DVD network analysis (non-NSM) from a generic PC hardware
>> platform at a remote location.
>> • The username created in step 2 below will become the hostname of the
>> Live DVD.  Don't know why this is, but it's important to keep in mind,
>> particularly with regard to the next note...
>> • Security Onion (Xubuntu) supports/particpates in dynamic DNS.  So if
>> your environment supports it too, when your machine boots, it will be
>> registered with the *username* (not hostname) you create in step 2
>> below.  This threw me off at first, but now that you know, you can easily
>> connect to the remote machine by name (username) if you are using
>> dynamic DNS.
>> Steps to custom ISO creation:
>> 1. Installed SO to a new VM
>> 2. Created a temp user with command "sudo adduser <username>"
>> 3. Edit /usr/bin/remastersys shell script and comment out these 4
>> lines which would delete the SSH keys (if these keys get deleted
>> during the remastersys process, you won't be able to SSH to the Live
>> DVD):
>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key
>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key.pub
>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key
>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key.pub
>> 4. Further customize the install as you see fit.  For me, I wanted to
>> update the firewall to allow access only from my network:
>> sudo ufw delete allow 80/tcp
>> sudo ufw delete allow 22/tcp
>> sudo ufw allow from to any
>> sudo ufw status (to verify configuration)
>> 5. Create the new DVD image with the command "sudo remastersys backup
>> so-customized.iso".  I used the 'backup' option from remastersys so
>> that the temp user I created would be left as-is.
>> 6. Test your ISO.  You will find it in /home/remastersys/remastersys.
>> At this point, you can run as a Live OS or you could install it remotely.
>> If you install it remotely, I suggest updating the SSH keys.
>> Hope that helps!
>> Mike
>> On 2/23/12, Will <baxterw3232 at gmail.com> wrote:
>>> Was wondering if anyone has some recommendations on hardware and
>>> configuration for building  BroNSM fly-away or incident response kits.
>>> Whether this be laptops with multiple NIC's, external HD's, and high
>>> horsepower or mini-tower's that can be pre-built and deployed quickly. In
>>> addition to hardware, I am interested in OS and cluster configuration ideas
>>> that might focus on IR vs. a "log the world" approach. Anyhow, thanks in
>>> advance for any advice or recommendations.
>>> -will
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Doug Burks
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
SANS Augusta 6/11 - 6/16 | http://www.sans.org/augusta-2012-cs/

More information about the Bro mailing list