Defensive Raspberry Pi with Logstash

This document summarizes the steps to configure a Raspberry Pi with Bro IDS, Logstash, Elasticsearch, and Kibana (ELK stack) to perform network monitoring and security analytics. Key components include installing Bro to monitor network traffic, Logstash to normalize Bro logs and enrich with GeoIP, uploading logs to Elasticsearch, and using Kibana for visualization and searching. Threat intelligence integration is also described through Logstash translation filters.

Uploaded by RohitGoyal

SWEET SECURITY

Creating a Defensive Raspberry Pi


THE HARDWARE

Raspberry Pi 2 Model B
16GB+ Micro SD
Case
Micro USB Power Supply
THE OPERATING SYSTEM

Raspbian (Debian Wheezy)

Change SSH Host Keys!!!
$ sudo rm /etc/ssh/ssh_host_*
$ sudo dpkg-reconfigure openssh-server
$ sudo service ssh restart
Do the typical OS update/upgrade
$ sudo apt-get update
$ sudo apt-get upgrade
Diagram (image not included): Bro IDS, Full Packet Capture, and the Bro log files (e.g. known_services.log).
INPUTS: File, TCP/UDP, STDIN, 40+ more

FILTERS: Grok, GeoIP, Translate, Date, 30+ more

OUTPUTS: Elasticsearch, Syslog, Email, STDOUT, 50+ more


THE BRO

Install Required Dependencies


$ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
Download Bro Source Code
$ wget [Link]
Unpack the tarball, then build from the source directory
$ sudo ./configure --prefix=/opt/nsm/bro
$ sudo make    *This step takes a while
$ sudo make install

[Link]
THE INTELLIGENCE

$ wget [Link]
$ sudo dpkg -i [Link]
Add the API Key
$ sudo -u critical-stack critical-stack-intel api <key>
SETUP OS TO INSPECT NETWORK TRAFFIC
$ sudo vi /etc/[Link]

# Enable spoof protection (reverse-path filter)
[Link].rp_filter=1
[Link].rp_filter=1

# Enable TCP/IP SYN cookies
net.ipv4.tcp_syncookies=1

# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Do not accept ICMP redirects (prevent MITM attacks)
[Link].accept_redirects = 0
[Link].eth0.accept_redirects = 0

# Do not send ICMP redirects (really important for our single-NIC gateway)
[Link].send_redirects = 0
[Link].send_redirects = 0
[Link].eth0.send_redirects = 0

# Do not accept IP source-routed packets
[Link].accept_source_route = 0

# Log martian packets
[Link].log_martians = 1

# Router function (important!!)
net.ipv4.ip_forward = 1

# Avoid out-of-memory conditions
vm.min_free_kbytes=8192

After saving the settings, don't forget to apply the changes:
$ sudo sysctl -p
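A reboot, a missing interface or a forgotten sysctl -p all leave these settings silently unset, so it is worth checking the kernel's view of them rather than trusting the config file. The audit below is an added Python example and not part of the original deck: it reads each setting from /proc/sys and reports every mismatch. The deck's own listing lost the full sysctl key names, so the standard Linux names used here are my assumption of what those entries refer to, and the /proc/sys look-alike tree the demo builds is constructed so the check runs offline.

```python
import os
import tempfile

# Added example (not from the original deck): verify that the sysctl hardening
# the slides apply is actually in effect by reading the kernel's /proc/sys view.
# The key names are the standard Linux names matching the deck's comments; the
# deck's own listing mangled them, so this mapping is an assumption.
EXPECTED = {
    "net/ipv4/conf/default/rp_filter": "1",
    "net/ipv4/conf/all/rp_filter": "1",
    "net/ipv4/tcp_syncookies": "1",
    "net/ipv4/icmp_echo_ignore_broadcasts": "1",
    "net/ipv4/icmp_ignore_bogus_error_responses": "1",
    "net/ipv4/conf/all/accept_redirects": "0",
    "net/ipv4/conf/eth0/accept_redirects": "0",
    "net/ipv4/conf/default/send_redirects": "0",
    "net/ipv4/conf/all/send_redirects": "0",
    "net/ipv4/conf/eth0/send_redirects": "0",
    "net/ipv4/conf/all/accept_source_route": "0",
    "net/ipv4/conf/all/log_martians": "1",
    "net/ipv4/ip_forward": "1",
    "vm/min_free_kbytes": "8192",
}


def audit_sysctl(expected, root="/proc/sys"):
    """Return {key: (expected, actual)} for every setting that is missing or wrong."""
    findings = {}
    for key, want in expected.items():
        path = os.path.join(root, key)
        try:
            with open(path) as fh:
                got = fh.read().strip()
        except OSError:
            got = None  # interface absent (e.g. no eth0) or file unreadable
        if got != want:
            findings[key] = (want, got)
    return findings


def write_fake_proc(root, values):
    """Build a constructed /proc/sys look-alike tree under root (offline demo only)."""
    for key, val in values.items():
        path = os.path.join(root, key)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(val + "\n")


def demo(apply_all=False):
    """Constructed scenario: everything applied except ip_forward (admin skipped
    sysctl -p) and eth0's accept_redirects (interface not present)."""
    root = tempfile.mkdtemp()
    values = dict(EXPECTED)
    if not apply_all:
        values["net/ipv4/ip_forward"] = "0"
        del values["net/ipv4/conf/eth0/accept_redirects"]
    write_fake_proc(root, values)
    return audit_sysctl(EXPECTED, root)


if __name__ == "__main__":
    for key, (want, got) in sorted(demo().items()):
        print(f"{key}: expected {want}, found {got}")
```

Run it on the Pi without arguments to audit the live kernel (`audit_sysctl(EXPECTED)`); an empty result means every setting from the slide is in force.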

[Link]
THE ELK: ELASTICSEARCH

$ wget https://[Link]/elasticsearch/elasticsearch/[Link]
$ sudo dpkg -i [Link]
*Update the cluster name (cluster.name) in elasticsearch.yml

[Link]
THE ELK: LOGSTASH

$ wget https://[Link]/logstash/logstash/[Link]
$ sudo mv /opt/logstash-1.5.3/ /opt/logstash
$ cd /opt/logstash
$ bin/logstash -e 'input { stdin { } } output { stdout { } }'
FFI Not Available!!! Oh no!
THE ELK: LOGSTASH

First, install Apache Ant
$ sudo apt-get install ant
Next, clone the JFFI repo
$ git clone [Link]
Build JFFI with Ant
$ cd jffi
$ ant jar
Copy the resulting native library into Logstash
$ sudo cp build/jni/[Link] /opt/logstash/vendor/jruby/lib/jni/arm-Linux/
THE ELK: LOGSTASH

Install ZIP
$ sudo apt-get install zip
$ cd /opt/logstash/vendor/jruby/lib
$ zip -g [Link] jni/arm-Linux/[Link]
$ /opt/logstash/bin/logstash -e 'input { stdin { } } output { stdout { } }'
Magic!!!!!
THE ELK: KIBANA

$ wget https://[Link]/kibana/kibana/kibana-4.1.0-linux-x8[Link]
$ sudo mkdir /opt/kibana
$ cd /opt/kibana
$ bin/kibana
Another error?? Your ELK needs another ARM!
THE ELK: KIBANA

$ wget [Link]
$ sudo dpkg -i node_latest_armhf.deb
$ sudo mv /opt/kibana/node/bin/node /opt/kibana/node/bin/[Link]
$ sudo mv /opt/kibana/node/bin/npm /opt/kibana/node/bin/[Link]
$ sudo ln -s /usr/local/bin/node /opt/kibana/node/bin/node
$ sudo ln -s /usr/local/bin/npm /opt/kibana/node/bin/npm
$ /opt/kibana/bin/kibana

[Link]
THE ELK IS RUNNING
COLLECTING BRO LOGS

input {
  file {
    # "current" holds the live Bro logs (conn.log, dns.log, intel.log, ...);
    # Bro was built with --prefix=/opt/nsm/bro above, so adjust the path to match
    path => "/opt/bro/logs/current/*.log"
    start_position => "beginning"
  }
}
output {
  elasticsearch {
    host => "localhost"
    # must match cluster.name in elasticsearch.yml
    cluster => "elasticsearch-clustername"
  }
}
NORMALIZING BRO LOGS

Create a Rule File (one pattern per line: the pattern name, a space, then the regex; this one covers the columns of Bro's intel.log)

/opt/logstash/custom_patterns/[Link]

291009 (?<start_time>\d+\.\d{6})\s+(?<uid>\S+)\s+(?:(?<evt_srcip>[\d\.]+)|(?<evt_srcipv6>[\w:]+)|-)\s+(?:(?<evt_srcport>\d+)|-)\s+(?:(?<evt_dstip>[\d\.]+)|(?<evt_dstipv6>[\w:]+)|-)\s+(?:(?<evt_dstport>\d+)|-)\s+(?<fuid>\S+)\s+(?<file_mime_type>\S+)\s+(?<file_description>\S+)\s+(?<seen_indicator>\S+)\s+(?<seen_indicator_type>[^:]+::\S+)\s+(?<seen_where>[^:]+::\S+)\s+(?<source>\S+(?:\s\S+)*)$
NORMALIZING BRO LOGS

filter {
  # only run the grok on lines shaped like an intel.log record
  if [message] =~ /^(\d+\.\d{6}\s+\S+\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+\S+\s+\S+\s+\S+\s+\S+\s+[^:]+::\S+\s+[^:]+::\S+\s+\S+(?:\s\S+)*$)/ {
    grok {
      patterns_dir => "/opt/logstash/custom_patterns"
      match => { "message" => "%{291009}" }
      add_field => {
        "rule_id"     => "291009"
        "Device Type" => "IPSIDSDevice"
        "Object"      => "Process"
        "Action"      => "General"
        "Status"      => "Informational"
      }
    }
  }
}
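Grok patterns are easiest to debug outside Logstash. The script below is an added example, not code from the deck: it expresses rule 291009 as a Python regular expression (Python spells named groups `(?P<name>...)` where grok uses `(?<name>...)`), applies the same static add_field values, and runs over a few constructed intel.log records, including an IPv6 pair and a file-hash hit with "-" placeholders, so you can see exactly which fields each record yields before trusting the pipeline.

```python
import re

# Added example (not from the original deck): grok pattern 291009 as a Python regex,
# so normalization can be checked offline against sample records.
RULE_291009 = re.compile(
    r"^(?P<start_time>\d+\.\d{6})\s+(?P<uid>\S+)\s+"
    r"(?:(?P<evt_srcip>[\d\.]+)|(?P<evt_srcipv6>[\w:]+)|-)\s+(?:(?P<evt_srcport>\d+)|-)\s+"
    r"(?:(?P<evt_dstip>[\d\.]+)|(?P<evt_dstipv6>[\w:]+)|-)\s+(?:(?P<evt_dstport>\d+)|-)\s+"
    r"(?P<fuid>\S+)\s+(?P<file_mime_type>\S+)\s+(?P<file_description>\S+)\s+"
    r"(?P<seen_indicator>\S+)\s+(?P<seen_indicator_type>[^:]+::\S+)\s+"
    r"(?P<seen_where>[^:]+::\S+)\s+(?P<source>\S+(?:\s\S+)*)$"
)

# Static fields the Logstash filter attaches with add_field.
STATIC_FIELDS = {
    "rule_id": "291009",
    "Device Type": "IPSIDSDevice",
    "Object": "Process",
    "Action": "General",
    "Status": "Informational",
}


def normalize_intel_line(line):
    """Return the normalized event dict for one intel.log record, or None when the
    line does not match (Bro's '#'-prefixed header lines, for instance)."""
    if line.startswith("#"):
        return None
    m = RULE_291009.match(line.rstrip("\n"))
    if not m:
        return None
    # unmatched alternatives (e.g. evt_srcipv6 on an IPv4 record) are dropped
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    for port in ("evt_srcport", "evt_dstport"):
        if port in event:
            event[port] = int(event[port])
    event.update(STATIC_FIELDS)
    return event


def normalize_log(lines):
    """Normalize every matching record in an iterable of log lines."""
    return [e for e in (normalize_intel_line(l) for l in lines) if e]


# Constructed sample records in Bro's tab-separated intel.log layout (not real traffic).
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid\tfile_mime_type"
    "\tfile_desc\tseen.indicator\tseen.indicator_type\tseen.where\tsources",
    "1439150000.123456\tCbJx4s2abc\t192.168.1.10\t52344\t203.0.113.5\t80\t-\t-\t-"
    "\t203.0.113.5\tIntel::ADDR\tConn::IN_RESP\tconstructed-feed",
    "1439150001.000000\tCq7Hlm1def\t2001:db8::10\t40022\t2001:db8::2\t443\t-\t-\t-"
    "\tevil.example\tIntel::DOMAIN\tHTTP::IN_HOST_HEADER\tconstructed-feed",
    "1439150002.500000\tCz9Kpq3ghi\t192.168.1.10\t1234\t198.51.100.7\t80\tFa1b2c3"
    "\ttext/plain\t-\td41d8cd98f00b204e9800998ecf8427e\tIntel::FILE_HASH\tFiles::IN_HASH"
    "\tfeed-a,feed-b",
]

if __name__ == "__main__":
    for event in normalize_log(SAMPLE_LOG):
        print(event)
```

Feed it a real `intel.log` (`normalize_log(open(path))`) to find records the pattern rejects; every rejected line is one that the `if [message] =~` guard above would also skip, so it never reaches Elasticsearch.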
LOGSTASH GEOIP
filter {
  # ...all normalization code above here...
  geoip {
    source => "evt_dstip"
    target => "geoip_dst"
    database => "/opt/logstash/[Link]"
    # two add_field lines on the same key build a [longitude, latitude] array,
    # which is the order Elasticsearch expects for a geo_point
    add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][longitude]}" ]
    add_field => [ "[geoip_dst][coordinates]", "%{[geoip_dst][latitude]}" ]
    # city_name, continent_code, country_name and postal_code are already written
    # under geoip_dst by the filter; appending them to coordinates would break the
    # float conversion below
  }
  mutate {
    convert => [ "[geoip_dst][coordinates]", "float" ]
  }
}
UPDATING LOGSTASH TEMPLATE

Fetch the current template; it maps the default "geoip" field as a geo_point:

curl -XGET localhost:9200/_template/logstash

Edit the mapping so the geo_point applies to "geoip_dst" instead (abbreviated):

{"logstash":{
  "order":0,
  "template":"logstash-*",
  "settings":{
    "index.refresh_interval":"5s"
  },
  "mappings":{
    "properties":{
      "geoip_dst":{
        "dynamic":true,
        "properties":{
          "location":{
            "type":"geo_point"
          }
        },
        "type":"object"
      },
      ...

Push the edited template back (the PUT body is the inner template object, without the outer "logstash" wrapper the GET response adds):

curl -XPUT localhost:9200/_template/logstash -d @<edited-template.json>


DATE MATCH
filter {
  # ...all normalization code above here...
  # ...all GeoIP code here...
  date {
    # Bro's ts is epoch seconds with microseconds; this sets @timestamp from it
    match => [ "start_time", "UNIX" ]
  }
}
THREAT INTEL?

filter {
  # ...bro normalization stuff...
  translate {
    field => "evt_dstip"
    destination => "maliciousIP"
    dictionary_path => '/opt/logstash/[Link]'
  }
}
But what goes in [Link]?
IP YAML

Dictionary hash in standard YAML format (one key per line; translate looks the field value up as an exact key match)

[Link]: Very Bad IP
abc123: Very Bad MD5

Install the translate plugin
$ cd /opt/logstash
$ bin/plugin install logstash-filter-translate
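Before loading an indicator file into Logstash it helps to see what translate will and will not match. The script below is an added example, not code from the deck: it parses the flat "key: value" YAML the deck shows, applies the deck's lookup (evt_dstip into maliciousIP) and, going one step further than the slide, the same lookup on the Bro intel indicator into a field I have called maliciousIndicator (my name, not the deck's). The indicator list and the events are constructed; the third event shows that a near-miss IP gets no hit, because translate matches whole keys, not prefixes or CIDR ranges.

```python
# Added example (not from the original deck): an offline model of the translate
# filter's dictionary lookup, for testing an indicator file before Logstash loads it.

# Constructed indicator list in the "key: value" form the deck shows.
DICTIONARY_YAML = """\
# constructed indicators, not real threat intel
203.0.113.5: Very Bad IP
d41d8cd98f00b204e9800998ecf8427e: Very Bad MD5
evil.example: Very Bad Domain
"""


def load_dictionary(text):
    """Parse the flat 'key: value' YAML translate expects. Only this flat form is
    handled (no nesting, no quoting); keys are kept exactly as written because the
    filter matches the whole value, not a prefix or a CIDR range."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"not a 'key: value' entry: {raw!r}")
        table[key.strip()] = value.strip()
    return table


def translate(event, field, destination, table):
    """Mirror the translate filter: when event[field] is a key in table, copy the
    mapped value into event[destination]; otherwise leave the event untouched."""
    value = event.get(field)
    if value is not None and str(value) in table:
        event[destination] = table[str(value)]
    return event


def tag_events(events, table):
    """Apply the deck's lookup (evt_dstip -> maliciousIP) plus the same lookup on
    the Bro intel indicator (seen_indicator -> maliciousIndicator, a name assumed
    here) and return only the events that received a hit."""
    hits = []
    for ev in events:
        translate(ev, "evt_dstip", "maliciousIP", table)
        translate(ev, "seen_indicator", "maliciousIndicator", table)
        if "maliciousIP" in ev or "maliciousIndicator" in ev:
            hits.append(ev)
    return hits


# Constructed normalized events, shaped like the grok output of rule 291009.
SAMPLE_EVENTS = [
    {"uid": "C1", "evt_dstip": "203.0.113.5", "seen_indicator": "203.0.113.5"},
    {"uid": "C2", "evt_dstip": "198.51.100.7",
     "seen_indicator": "d41d8cd98f00b204e9800998ecf8427e"},
    {"uid": "C3", "evt_dstip": "203.0.113.50", "seen_indicator": "benign.example"},
]


def demo():
    """Run the constructed events through the constructed dictionary."""
    return tag_events(SAMPLE_EVENTS, load_dictionary(DICTIONARY_YAML))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Because the lookup is exact, a dictionary of individual IPs will never flag a neighbouring address in the same block; anything range-based has to be expanded into individual keys (or handled with a different filter) before it reaches translate.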
BRINGING IT TOGETHER

Architecture diagram (image not included): traffic from the Internet is inspected by the Raspberry Pi, and the resulting data drives Actions, Alerts & Reporting.
CONTACT ME FOR MORE INFO

tsmith@[Link]
@mrtrav
