[Bro] Bro (SOC N' a Box) fly-away kit ideas

Will baxterw3232 at gmail.com
Mon Feb 27 11:54:03 PST 2012

Good point. I've considered using dumpcap or something similar to
archive and batch traffic back to a central monitoring location where
it could be analyzed any number of ways. Over saturation of a WAN or
MPLS link was the primary concern with back-hauling traffic, but if
broken into small enough jobs combined with compression, I think it
would be manageable. Thanks for the feedback!

On Mon, Feb 27, 2012 at 12:22 PM, Martin Holste <mcholste at gmail.com> wrote:
> One other thing to consider:  If you're dealing with more of a
> "scalpel" situation in which you already know a fair amount of IP
> information you're looking for, you might consider simple pcap
> collection with off-line Bro processing back at HQ via upload or NFS
> over VPN.  That's obviously not ideal, but it would be a lot easier to
> reuse on-site hardware or very small hardware (even a Cisco NAM which
> already has access to SPAN traffic).
> On Mon, Feb 27, 2012 at 12:03 PM, Doug Burks <doug.burks at gmail.com> wrote:
>> Hi Will,
>> If you have questions specific to Security Onion, please join our mailing list:
>> http://groups.google.com/group/security-onion
>> Thanks,
>> Doug
>> On Mon, Feb 27, 2012 at 12:51 PM, Will <baxterw3232 at gmail.com> wrote:
>>> Mike,
>>> Sorry for the delay. I really appreciate you sharing your notes on
>>> this. Having a live disc makes sense, for both a scalability and an
>>> incident response time perspective.  Looking forward to putting
>>> something similar together!
>>> Thanks!
>>> -will
>>> On Thu, Feb 23, 2012 at 4:12 PM, Mike Pilkington <mpilking at gmail.com> wrote:
>>>> Will, I did something similar, in a virtual sense.  I needed to have
>>>> an ISO image that I could have our staff in the regions setup on a
>>>> generic system.  I remastered a Security Onion CD (which includes Bro)
>>>> and customized as I needed.  Here are my notes from that little
>>>> exercise.  Might be useful...
>>>> • The purpose of this exercise is to create a customized Security
>>>> Onion Live DVD that will allow me to SSH to it upon boot up of the
>>>> DVD.  This allows for emergency remote installs or even short-term
>>>> Live DVD network analysis (non-NSM) from a generic PC hardware
>>>> platform at a remote location.
>>>> • The username created in step 2 below will become the hostname of the
>>>> Live DVD.  Don't know why this is, but it's important to keep in mind,
>>>> particularly with regard to the next note...
>>>> • Security Onion (Xubuntu) supports/particpates in dynamic DNS.  So if
>>>> your environment supports it too, when your machine boots, it will be
>>>> registered with the *username* (not hostname) you create in step 2
>>>> below.  This threw me off at first, but now that you know, you can easily
>>>> connect to the remote machine by name (username) if you are using
>>>> dynamic DNS.
>>>> Steps to custom ISO creation:
>>>> 1. Installed SO to a new VM
>>>> 2. Created a temp user with command "sudo adduser <username>"
>>>> 3. Edit /usr/bin/remastersys shell script and comment out these 4
>>>> lines which would delete the SSH keys (if these keys get deleted
>>>> during the remastersys process, you won't be able to SSH to the Live
>>>> DVD):
>>>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key
>>>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key.pub
>>>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key
>>>> #rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key.pub
>>>> 4. Further customize the install as you see fit.  For me, I wanted to
>>>> update the firewall to allow access only from my network:
>>>> sudo ufw delete allow 80/tcp
>>>> sudo ufw delete allow 22/tcp
>>>> sudo ufw allow from to any
>>>> sudo ufw status (to verify configuration)
>>>> 5. Create the new DVD image with the command "sudo remastersys backup
>>>> so-customized.iso".  I used the 'backup' option from remastersys so
>>>> that the temp user I created would be left as-is.
>>>> 6. Test your ISO.  You will find it in /home/remastersys/remastersys.
>>>> At this point, you can run as a Live OS or you could install it remotely.
>>>> If you install it remotely, I suggest updating the SSH keys.
>>>> Hope that helps!
>>>> Mike
>>>> On 2/23/12, Will <baxterw3232 at gmail.com> wrote:
>>>>> Was wondering if anyone has some recommendations on hardware and
>>>>> configuration for building  BroNSM fly-away or incident response kits.
>>>>> Whether this be laptops with multiple NIC's, external HD's, and high
>>>>> horsepower or mini-tower's that can be pre-built and deployed quickly. In
>>>>> addition to hardware, I am interested in OS and cluster configuration ideas
>>>>> that might focus on IR vs. a "log the world" approach. Anyhow, thanks in
>>>>> advance for any advice or recommendations.
>>>>> -will
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> --
>> Doug Burks
>> Security Onion | http://securityonion.blogspot.com
>> President, Greater Augusta ISSA | http://augusta.issa.org
>> SANS Augusta 6/11 - 6/16 | http://www.sans.org/augusta-2012-cs/
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list