[Bro] Bro (SOC N' a Box) fly-away kit ideas

Mike Pilkington mpilking at gmail.com
Thu Feb 23 14:12:46 PST 2012 

Will, I did something similar, in a virtual sense.  I needed to have
an ISO image that I could have our staff in the regions setup on a
generic system.  I remastered a Security Onion CD (which includes Bro)
and customized as I needed.  Here are my notes from that little
exercise.  Might be useful...


• The purpose of this exercise is to create a customized Security
Onion Live DVD that will allow me to SSH to it upon boot up of the
DVD.  This allows for emergency remote installs or even short-term
Live DVD network analysis (non-NSM) from a generic PC hardware
platform at a remote location.
• The username created in step 2 below will become the hostname of the
Live DVD.  Don't know why this is, but it's important to keep in mind,
particularly with regard to the next note...
• Security Onion (Xubuntu) supports/particpates in dynamic DNS.  So if
your environment supports it too, when your machine boots, it will be
registered with the *username* (not hostname) you create in step 2
below.  This threw me off at first, but now that you know, you can easily
connect to the remote machine by name (username) if you are using
dynamic DNS.

Steps to custom ISO creation:

1. Installed SO to a new VM
2. Created a temp user with command "sudo adduser <username>"
3. Edit /usr/bin/remastersys shell script and comment out these 4
lines which would delete the SSH keys (if these keys get deleted
during the remastersys process, you won't be able to SSH to the Live
DVD):

#rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key
#rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key.pub
#rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_dsa_key
#rm -rf $WORKDIR/dummysys/etc/ssh/ssh_host_rsa_key.pub

4. Further customize the install as you see fit.  For me, I wanted to
update the firewall to allow access only from my network:

sudo ufw delete allow 80/tcp
sudo ufw delete allow 22/tcp
sudo ufw allow from 10.10.10.0/24 to any
sudo ufw status (to verify configuration)

5. Create the new DVD image with the command "sudo remastersys backup
so-customized.iso".  I used the 'backup' option from remastersys so
that the temp user I created would be left as-is.
6. Test your ISO.  You will find it in /home/remastersys/remastersys.

At this point, you can run as a Live OS or you could install it remotely.
If you install it remotely, I suggest updating the SSH keys.

Hope that helps!
Mike


On 2/23/12, Will <baxterw3232 at gmail.com> wrote:
> Was wondering if anyone has some recommendations on hardware and
> configuration for building  BroNSM fly-away or incident response kits.
> Whether this be laptops with multiple NIC's, external HD's, and high
> horsepower or mini-tower's that can be pre-built and deployed quickly. In
> addition to hardware, I am interested in OS and cluster configuration ideas
> that might focus on IR vs. a "log the world" approach. Anyhow, thanks in
> advance for any advice or recommendations.
>
> -will
>

More information about the Bro mailing list