[Bro] Bro (SOC N' a Box) fly-away kit ideas

Martin Holste mcholste at gmail.com
Mon Feb 27 10:22:19 PST 2012

One other thing to consider:  If you're dealing with more of a
"scalpel" situation in which you already know a fair amount of IP
information you're looking for, you might consider simple pcap
collection with off-line Bro processing back at HQ via upload or NFS
over VPN.  That's obviously not ideal, but it would be a lot easier to
reuse on-site hardware or very small hardware (even a Cisco NAM which
already has access to SPAN traffic).

On Mon, Feb 27, 2012 at 12:03 PM, Doug Burks <doug.burks at gmail.com> wrote:
> Hi Will,
> If you have questions specific to Security Onion, please join our mailing list:
> http://groups.google.com/group/security-onion
> Thanks,
> Doug
> On Mon, Feb 27, 2012 at 12:51 PM, Will <baxterw3232 at gmail.com> wrote:
>> Mike,
>> Sorry for the delay. I really appreciate you sharing your notes on
>> this. Having a live disc makes sense, for both a scalability and an
>> incident response time perspective.  Looking forward to putting
>> something similar together!
>> Thanks!
>> -will
>> On Thu, Feb 23, 2012 at 4:12 PM, Mike Pilkington <mpilking at gmail.com> wrote:
>>> Will, I did something similar, in a virtual sense.  I needed to have
>>> an ISO image that I could have our staff in the regions set up on a
>>> generic system.  I remastered a Security Onion CD (which includes Bro)
>>> and customized as I needed.  Here are my notes from that little
>>> exercise.  Might be useful...
>>> • The purpose of this exercise is to create a customized Security
>>> Onion Live DVD that will allow me to SSH to it upon boot up of the
>>> DVD.  This allows for emergency remote installs or even short-term
>>> Live DVD network analysis (non-NSM) from a generic PC hardware
>>> platform at a remote location.
>>> • The username created in step 2 below will become the hostname of the
>>> Live DVD.  Don't know why this is, but it's important to keep in mind,
>>> particularly with regard to the next note...
>>> • Security Onion (Xubuntu) supports/participates in dynamic DNS.  So if
>>> your environment supports it too, when your machine boots, it will be
>>> registered with the *username* (not hostname) you create in step 2
>>> below.  This threw me off at first, but now that you know, you can easily
>>> connect to the remote machine by name (username) if you are using
>>> dynamic DNS.
>>> Steps to custom ISO creation:
>>> 1. Installed SO to a new VM
>>> 2. Created a temp user with command "sudo adduser <username>"
>>> 3. Edit /usr/bin/remastersys shell script and comment out these 4
>>> lines which would delete the SSH keys (if these keys get deleted
>>> during the remastersys process, you won't be able to SSH to the Live
>>> DVD):
>>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key
>>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key.pub
>>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key
>>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key.pub
>>> 4. Further customize the install as you see fit.  For me, I wanted to
>>> update the firewall to allow access only from my network:
>>> sudo ufw delete allow 80/tcp
>>> sudo ufw delete allow 22/tcp
>>> sudo ufw allow from to any
>>> sudo ufw status (to verify configuration)
>>> 5. Create the new DVD image with the command "sudo remastersys backup
>>> so-customized.iso".  I used the 'backup' option from remastersys so
>>> that the temp user I created would be left as-is.
>>> 6. Test your ISO.  You will find it in /home/remastersys/remastersys.
>>> At this point, you can run as a Live OS or you could install it remotely.
>>> If you install it remotely, I suggest updating the SSH keys.
>>> Hope that helps!
>>> Mike
>>> On 2/23/12, Will <baxterw3232 at gmail.com> wrote:
>>>> Was wondering if anyone has some recommendations on hardware and
>>>> configuration for building Bro NSM fly-away or incident response kits.
>>>> Whether this be laptops with multiple NICs, external HDs, and high
>>>> horsepower or mini-towers that can be pre-built and deployed quickly. In
>>>> addition to hardware, I am interested in OS and cluster configuration ideas
>>>> that might focus on IR vs. a "log the world" approach. Anyhow, thanks in
>>>> advance for any advice or recommendations.
>>>> -will
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> --
> Doug Burks
> Security Onion | http://securityonion.blogspot.com
> President, Greater Augusta ISSA | http://augusta.issa.org
> SANS Augusta 6/11 - 6/16 | http://www.sans.org/augusta-2012-cs/
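Steps 3 and 4 of Mike's procedure above, as an added example that is not part of the thread and is not Security Onion's or remastersys's own code: a POSIX shell script that comments out exactly the four host-key deletions in a copy of the remastersys script (so the Live DVD keeps a usable SSH host key) and then prints the ufw commands that limit SSH to one admin network. The remastersys excerpt embedded below is constructed for the demo, not the real script; the network 10.20.0.0/16 is an assumed value; and the printed ufw rule allows port 22 only, which is narrower than the thread's "allow from <network> to any".

```shell
#!/bin/sh
# Added example, not from the thread or from Security Onion/remastersys.
#   keep_ssh_host_keys  - comment out exactly the four host-key rm lines in a
#                         copy of /usr/bin/remastersys and nothing else
#   ufw_admin_rules     - print the ufw commands that restrict SSH to one
#                         admin network (printed for review, never executed)

# Regex for the four lines the thread says to comment out. [$] keeps the
# dollar literal in ERE without relying on backslash escaping.
HOSTKEY_RM='^rm -rf [$]WORKDIR/dummysys/etc/ssh/ssh_host_(rsa|dsa)_key(\.pub)?[[:space:]]*$'

# write_sample_remastersys FILE
#   Constructed excerpt mimicking the cleanup section; the last line stands
#   in for an unrelated cleanup that must stay active after patching.
write_sample_remastersys() {
    cat > "$1" <<'EOF'
# (constructed excerpt for the example, not the real remastersys script)
rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key
rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key.pub
rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key
rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key.pub
rm -rf $WORKDIR/dummysys/etc/udev/rules.d/70-persistent-net.rules
EOF
}

# hostkey_rm_lines FILE : number of still-active host-key rm lines (0 = patched)
hostkey_rm_lines() {
    { grep -cE "$HOSTKEY_RM" "$1" || :; }
}

# active_rm_lines FILE : number of uncommented "rm -rf" lines of any kind
active_rm_lines() {
    { grep -c '^rm -rf ' "$1" || :; }
}

# keep_ssh_host_keys FILE
#   Prefix the four host-key rm lines with '#'. Writes to a temp file and
#   renames, so a failed sed never leaves a half-written script; a .orig
#   copy is kept for diffing. Fails if any host-key deletion survived.
keep_ssh_host_keys() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp "$f" "$f.orig" &&
    sed -E "s@$HOSTKEY_RM@#&@" "$f" > "$f.tmp" &&
    mv "$f.tmp" "$f" || return 1
    [ "$(hostkey_rm_lines "$f")" = "0" ] || { echo "patch incomplete" >&2; return 1; }
}

# is_cidr NET : 0 if NET looks like a.b.c.d/n with octets <= 255 and n <= 32
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; bits=${1#*/}
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    for o in $ip; do
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# ufw_admin_rules NET
#   Print (do not run) the step-4 firewall change, restricted to SSH from NET.
#   Review the output, then run it under sudo on the VM before remastering.
ufw_admin_rules() {
    is_cidr "$1" || { echo "not a CIDR network: $1" >&2; return 1; }
    cat <<EOF
ufw delete allow 80/tcp
ufw delete allow 22/tcp
ufw allow from $1 to any port 22 proto tcp
ufw status
EOF
}

# Demo on the constructed excerpt in a temp dir, removed afterwards.
tmp=$(mktemp -d)
write_sample_remastersys "$tmp/remastersys"
keep_ssh_host_keys "$tmp/remastersys"
echo "active host-key rm lines after patch: $(hostkey_rm_lines "$tmp/remastersys")"
diff "$tmp/remastersys.orig" "$tmp/remastersys" || :
rm -rf "$tmp"
ufw_admin_rules 10.20.0.0/16   # assumed admin network for the example
```

The keys this preserves end up inside an ISO that anyone holding the disc can read, which is why Mike's note about regenerating the SSH keys after a remote install matters: the baked-in key is fine for a short-lived Live DVD session, not for a permanent sensor.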
