rockNSM as an Incident Response Package


This is an update to a diary I wrote several months ago about using rockNSM as a system to respond to incidents. I have noticed, as have others, that some services would not start after running the configuration scripts. Before starting the installation, make sure you read the hardware requirements here. These are the steps that I follow to get all services running on ESXi:



--- Install rockNSM from the ISO ---


Optional: After the installation, shut down and add two more drives so that elasticsearch data and stenographer (packets) are kept on separate partitions


--- Configure now, before running the deployment scripts, if you are planning to separate data collection ---


         cfdisk /dev/sdb

         cfdisk /dev/sdc

         mkfs.xfs /dev/sdb1

         mkfs.xfs /dev/sdc1

         mkdir -p /data/elasticsearch

         mkdir -p /data/stenographer


--- Edit /etc/fstab and add ---


         /dev/sdb1 /data/elasticsearch xfs defaults 0 0

         /dev/sdc1 /data/stenographer xfs defaults 0 0

--- Now you are ready to finish the installation and configuration of rockNSM ---



         chown suricata:suricata /var/run/suricata

         chown -R stenographer:stenographer /data/stenographer

         chown -R elasticsearch:elasticsearch /data/elasticsearch

         vi /etc/suricata/suricata.yaml and change the HOME_NET

         vi /etc/suricata/rocknsm-overrides.yaml and verify capture "interface: ens34"

         vi /etc/rocknsm/config.yml -> enable stenographer and fsf to start on boot -> False to True

         cd /etc/stenographer and replace the default config file with the generated config file

         cd /etc/systemd/system and mv stenographer.service /tmp

-          Only stenographer@.service should remain in that directory for stenographer

         systemctl enable stenographer


After the system is rebooted, check the services to make sure they are all running:

         rock_status (check if everything is working)
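Added example, not part of rockNSM or of this diary: a small POSIX sh post-reboot check that ties together the two things set up above, the separate /data partitions from the fstab edit and the services that must be up after the configuration scripts. The unit names (suricata, elasticsearch, kibana, fsf and the stenographer@ens34 instance) are assumptions drawn from the steps in this diary; adjust them to your sensor. The pure checks take their input as arguments so they run offline against constructed samples; pass --live on the sensor to read the real /etc/fstab, /proc/mounts and systemctl.

```shell
#!/bin/sh
# Post-reboot sanity check for a rockNSM sensor with separate data partitions.
# Added example; unit and mount names below are assumptions from this diary.

# Mounts this build expects (device, mountpoint, fs type), from the fstab edit.
EXPECTED_MOUNTS='/dev/sdb1 /data/elasticsearch xfs
/dev/sdc1 /data/stenographer xfs'

# Units that must be "active" after reboot (assumed names; stenographer runs as
# an instance unit, so its name carries the capture interface from the overrides).
EXPECTED_UNITS='suricata.service elasticsearch.service kibana.service stenographer@ens34.service fsf.service'

# fstab_has_entry FSTAB_TEXT DEVICE MOUNTPOINT FSTYPE
# Returns 0 when a non-comment line declares exactly that device/mountpoint/type.
fstab_has_entry() {
  printf '%s\n' "$1" | awk -v dev="$2" -v mp="$3" -v fs="$4" '
    /^[[:space:]]*#/ { next }
    $1 == dev && $2 == mp && $3 == fs { found = 1 }
    END { exit found ? 0 : 1 }'
}

# missing_fstab_entries FSTAB_TEXT
# Prints "device mountpoint" for every expected mount that fstab does not declare.
missing_fstab_entries() {
  fstab="$1"
  printf '%s\n' "$EXPECTED_MOUNTS" | while read -r dev mp fs; do
    [ -n "$dev" ] || continue
    fstab_has_entry "$fstab" "$dev" "$mp" "$fs" || printf '%s %s\n' "$dev" "$mp"
  done
}

# mounted_on MOUNTS_TEXT MOUNTPOINT
# Returns 0 when /proc/mounts-style text shows something mounted at MOUNTPOINT.
mounted_on() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }'
}

# inactive_units STATES_TEXT
# STATES_TEXT is one "unit state" pair per line (state as printed by
# "systemctl is-active"); prints the units whose state is not "active".
inactive_units() {
  printf '%s\n' "$1" | awk '$2 != "active" { print $1 }'
}

# live_check: run the checks against the real sensor; returns 1 on any problem.
live_check() {
  fail=0
  m=$(missing_fstab_entries "$(cat /etc/fstab)")
  [ -z "$m" ] || { printf 'missing fstab entries:\n%s\n' "$m"; fail=1; }
  mounts=$(cat /proc/mounts)
  for mp in /data/elasticsearch /data/stenographer; do
    mounted_on "$mounts" "$mp" || { echo "not mounted: $mp"; fail=1; }
  done
  states=$(for u in $EXPECTED_UNITS; do
    printf '%s %s\n' "$u" "$(systemctl is-active "$u")"
  done)
  bad=$(inactive_units "$states")
  [ -z "$bad" ] || { printf 'units not active:\n%s\n' "$bad"; fail=1; }
  [ "$fail" -eq 0 ] && echo "all expected mounts and units look good"
  return $fail
}

case "${1:-}" in
  --live) live_check ;;
esac
```

Run it as root with --live right after rock_status; a failed stenographer@ instance or an unmounted /data/stenographer is exactly the kind of problem that leaves the sensor looking healthy until the first packet query returns nothing.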

Updating and patching CentOS

         rpm --import (install PGP key)

         vi /etc/yum.repos.d/CentOS-Base.repo (set gpgcheck and enabled from 0 to 1; do not enable extras)

         yum clean all && yum check-update

         yum install open-vm-tools ntp bind-utils (optional if you need nslookup or dig)

         yum update (Update all then reboot)

Adding Google Stenographer Web Queries/Download

These steps add to the stenoread-nodejs GUI instructions published here, so that it works with rockNSM

         yum install nodejs -y

         semanage port -a -t http_port_t -p tcp 5602

         curl -sL | -E bash -

         yum install nodejs

         npm install "stenoread-nodejs" -g

         npm install pm2@latest -g

         vi /usr/lib/node_modules/stenoread-nodejs/server.js

-          Change the 5602,"" listen values to the port and IP address you want to use

         pm2 start /usr/lib/node_modules/stenoread-nodejs/server.js

         mkdir /data/traces/

         chmod 777 /data/traces/

         pm2 startup

         pm2 stop all

         vi /usr/lib/firewalld/services/http.xml (add port 8080)

         firewall-cmd --zone=public --add-port=8080/tcp

         firewall-cmd --zone=public --list-ports

Accessing your sensor

         http://IPADDRESS - to access Kibana (I recommend a static address)