rockNSM as an Incident Response Package


This is an update to a diary I wrote several months ago about using rockNSM as a system to respond to incidents. I, as well as others, have noticed that some services would not start after running the configuration scripts. Before starting the installation, make sure you read the hardware requirements here. These are the steps that I follow to get all services running with ESXi:



Install rockNSM from the ISO

         Create an account during the installation process (User Creation). It is up to you whether you want to make this user an administrator.


         Log in with the account created during the CentOS installation

         sudo su -

         passwd root (assign a root password)

         From this point on, run all the commands as user root rather than prefixing each one with sudo

Set up a static interface with nmtui if it hasn't been done during the install

         # ifconfig will not work until rockNSM is installed


vi /etc/sysconfig/network-scripts/ifcfg-ens33 (I have seen these interfaces with other names, e.g. ifcfg-ens192). If you want to set up a static IP, use something like this:
Reboot or shut down to add two more drives

Optional: after the installation, shut down and add two more drives so that the elasticsearch data and the stenographer packets are saved on separate partitions

Configure the new partitions now, before running the deployment scripts, if you plan to keep the collected data on separate partitions


         cfdisk /dev/sdb

         cfdisk /dev/sdc

         mkfs.xfs /dev/sdb1

         mkfs.xfs /dev/sdc1

         mkdir -p /data/elasticsearch

         mkdir -p /data/stenographer

-- Edit /etc/fstab and add --


         /dev/sdb1               /data/elasticsearch     xfs     defaults        0 0

         /dev/sdc1               /data/stenographer      xfs     defaults        0 0

Now you are ready to finish the installation and configuration of rockNSM


         vi /etc/rocknsm/config.yml -> enable stenographer and fsf to start on boot (change False to True)


         chown suricata:suricata /var/run/suricata

         chown -R stenographer:stenographer /data/stenographer

         chown -R elasticsearch:elasticsearch /data/elasticsearch

         vi /etc/suricata/suricata.yaml and change the HOME_NET

         vi /etc/suricata/rocknsm-overrides.yaml and verify the capture interface is the correct one. Mine was "interface: ens34"

         cd /etc/stenographer and replace the default config file with the generated one (i.e. copy something like config.ens34 over config)

         cd /etc/systemd/system and mv stenographer.service /tmp

-          Only stenographer@.service should remain in that directory for stenographer

         systemctl enable stenographer

Configuring Bro Network Collection

Edit the Bro config file networks.cfg and make sure the correct networks are listed for collection (from RFC1918 to your Internet network ranges):

         vi /opt/bro/etc/networks.cfg

Note: If you are running multiple interfaces, follow the instructions in the bond0 section below to enable all of them before rebooting.


Note: After rebooting rockNSM, the default time zone is UTC, not your local time.

After the system has rebooted, check that all the services are running:

         rock_status (check if everything is working)

Updating and patching CentOS

         rpm --import (install PGP key)

         vi /etc/yum.repos.d/CentOS-Base.repo (Enable as per picture)


         yum clean all && yum check-update

         yum -y install open-vm-tools ntp bind-utils (bind-utils is optional, only needed for nslookup or dig)

         yum -y update (update everything, then reboot)


Adding Google Stenographer Web Queries/Download pcap via Browser

These working steps contain additional instructions to get the stenoread-nodejs GUI steps published here to work with rockNSM

         curl -sL | sudo -E bash -

         yum install nodejs

         npm install "stenoread-nodejs" -g

         npm install pm2@latest -g

         vi /usr/lib/node_modules/stenoread-nodejs/server.js

-          Go to line 112 (type :112 then Enter) to find http.createServer(onRequest).listen(5602,"");

-          Change 5602,"" to the port and IP you want to use, e.g. http.createServer(onRequest).listen(8080,"");

         pm2 start /usr/lib/node_modules/stenoread-nodejs/server.js


         mkdir /data/traces/

         chmod 777 /data/traces/

         pm2 startup

         pm2 stop all

         vi /usr/lib/firewalld/services/http.xml (add port 8080)



         firewall-cmd --zone=public --add-port=8080/tcp --permanent

         firewall-cmd --zone=public --list-ports

         firewall-cmd --reload

         pm2 start all

Verify Sensor is Running


You can use rock_status, but I find the output sometimes shows some components as not running when in fact they are. What works best for me is the following:



         ps -ef | egrep "broctl|suricata|zookeeper|kafka|logstash|elasticsearch|kibana|stenographer" | awk '{ print $1 }' | sort | uniq
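The same check as a script, with the fstab step from earlier folded in: it reports any component from the egrep pattern above that has no running process, and any of the two /data partitions that is not mounted. This is an added example, not part of the diary or of rockNSM; by default it runs against the constructed ps and /proc/mounts samples embedded below (stenographer is deliberately missing from the sample), and with --live it reads the real system.

```bash
#!/bin/sh
# Added example, not from the diary: post-reboot sensor check.
# Flags expected rockNSM components with no running process and
# data partitions (from the fstab step) that are not mounted.
# Usage: sh sensor_check.sh          (runs against the constructed samples)
#        sh sensor_check.sh --live   (checks the real system)

# Component names taken from the diary's egrep pattern.
COMPONENTS="broctl suricata zookeeper kafka logstash elasticsearch kibana stenographer"

# Mount points from the diary's fstab entries.
DATA_MOUNTS="/data/elasticsearch /data/stenographer"

# Constructed sample of `ps -ef` output; stenographer is deliberately absent.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:02 /usr/lib/systemd/systemd
bro        812     1  0 10:01 ?        00:00:10 /opt/bro/bin/bro -i bond0 -p broctl -p broctl-live local
suricata   905     1  1 10:01 ?        00:01:15 /sbin/suricata -c /etc/suricata/suricata.yaml --af-packet
zookeeper  990     1  0 10:01 ?        00:00:05 java -cp /opt/zookeeper/zookeeper.jar org.apache.zookeeper.server.quorum.QuorumPeerMain
kafka     1050     1  0 10:01 ?        00:00:20 java -Xmx1G kafka.Kafka /etc/kafka/server.properties
logstash  1100     1  2 10:01 ?        00:02:00 /usr/share/logstash/bin/logstash
elastic+  1200     1  3 10:01 ?        00:03:10 /usr/share/elasticsearch/bin/elasticsearch
kibana    1300     1  0 10:02 ?        00:00:30 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/src/cli'

# Constructed sample of /proc/mounts with both data partitions mounted.
SAMPLE_MOUNTS='/dev/sda1 / xfs rw,relatime 0 0
/dev/sdb1 /data/elasticsearch xfs rw,relatime 0 0
/dev/sdc1 /data/stenographer xfs rw,relatime 0 0'

# Print the distinct users owning component processes in the ps text $1,
# the same view as the diary's ps | egrep | awk | sort | uniq pipeline.
component_users() {
    pattern=$(printf '%s' "$COMPONENTS" | tr ' ' '|')
    printf '%s\n' "$1" | grep -E "$pattern" | awk '{ print $1 }' | LC_ALL=C sort | uniq
}

# Print each component with no matching command line in the ps text $1
# (one per line); prints nothing when everything is running.
missing_components() {
    for c in $COMPONENTS; do
        printf '%s\n' "$1" | grep -q "$c" || printf '%s\n' "$c"
    done
}

# Print each data mount point that is absent from the /proc/mounts text $1.
# Field 2 of /proc/mounts is the mount point, so an exact match is required.
missing_mounts() {
    for mp in $DATA_MOUNTS; do
        printf '%s\n' "$1" | awk -v mp="$mp" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' \
            || printf '%s\n' "$mp"
    done
}

if [ "${1:-}" = "--live" ]; then
    ps_text=$(ps -ef)
    mounts_text=$(cat /proc/mounts)
else
    ps_text=$SAMPLE_PS
    mounts_text=$SAMPLE_MOUNTS
fi

echo "Users owning sensor processes:"
component_users "$ps_text"
missing=$(missing_components "$ps_text")
if [ -z "$missing" ]; then
    echo "All components running"
else
    echo "NOT RUNNING: $missing"
fi
unmounted=$(missing_mounts "$mounts_text")
if [ -z "$unmounted" ]; then
    echo "Data partitions mounted"
else
    echo "NOT MOUNTED: $unmounted"
fi
```

The mount check matches the whole mount point field rather than grepping for the path, so a parent mount such as /data alone does not pass as /data/elasticsearch.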

Stenoread GUI

Accessing your sensor

         http://IPADDRESS - to access Kibana (I recommend a static address)

         http://IPADDRESS:8080 - to access the Stenoread GUI

Sensor Monitoring Two or More Interfaces with bond0


In order to monitor two or more interfaces, you need to manually set up a bond0 interface that aggregates the traffic of all sensor interfaces into a single one. The first step is to create the ifcfg-bond0 interface file:

         vi /etc/sysconfig/network-scripts/ifcfg-bond0

Add the following configuration to ifcfg-bond0







BONDING_OPTS="mode=0 miimon=100"


Next, edit each interface that will become a slave and add the following two lines at the end of its file to bond it to bond0:




When all interfaces have been modified, restart the network service:

         # systemctl restart network

         # ifconfig (bond0 should now appear as a new interface)

Check that the bonding interface is active:

         # cat /proc/net/bonding/bond0 (shows the network interfaces attached to bond0)
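The bond0 steps above as a script, added here as an example and not taken from the diary or from rockNSM. Because the diary's ifcfg listings did not survive on this page, the file contents are an assumption: the standard CentOS 7 network-scripts keys for a bond master (DEVICE, TYPE=Bond, BONDING_MASTER=yes, BOOTPROTO=none, ONBOOT=yes, plus the BONDING_OPTS line from the diary) and the usual two slave lines, MASTER=bond0 and SLAVE=yes. The /proc/net/bonding/bond0 sample is constructed, with one slave deliberately down so the status parser has something to flag.

```bash
#!/bin/sh
# Added example, not from the diary: build the bond0 master file and the
# slave stanzas for each capture interface, then parse the bonding status
# file to confirm which slaves are attached and whether their link is up.
# Key names are the standard CentOS 7 ifcfg keys (assumption, see lead-in).

# Write ifcfg-bond0 into directory $1 (normally /etc/sysconfig/network-scripts).
# BOOTPROTO=none: a capture bond carries no IP address of its own.
write_bond_master() {
    cat > "$1/ifcfg-bond0" <<'EOF'
DEVICE=bond0
NAME=bond0
TYPE=Bond
BONDING_MASTER=yes
BOOTPROTO=none
ONBOOT=yes
BONDING_OPTS="mode=0 miimon=100"
EOF
}

# Append the two slave lines to ifcfg-$2 in directory $1.
# A minimal file is created if it does not exist (demo convenience);
# the lines are only added once so re-running the script is harmless.
enslave_interface() {
    f="$1/ifcfg-$2"
    [ -f "$f" ] || printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\n' "$2" > "$f"
    grep -q '^MASTER=bond0$' "$f" || printf 'MASTER=bond0\nSLAVE=yes\n' >> "$f"
}

# Constructed sample of /proc/net/bonding/bond0: ens34 up, ens35 down.
SAMPLE_BOND='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: ens34
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:aa:bb:01
Slave queue ID: 0

Slave Interface: ens35
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 1
Permanent HW addr: 00:0c:29:aa:bb:02
Slave queue ID: 0'

# Print "<slave> <mii status>" per slave from the bonding status text $1.
# The first "MII Status" line belongs to the bond itself and is skipped
# because no "Slave Interface" line precedes it.
bond_slaves() {
    printf '%s\n' "$1" | awk '
        /^Slave Interface:/ { slave = $3 }
        /^MII Status:/ && slave != "" { print slave, $3; slave = "" }'
}

# Demonstration against a scratch directory; set DIR=/etc/sysconfig/network-scripts
# on the sensor itself and then run `systemctl restart network` as in the diary.
DIR=${DIR:-$(mktemp -d)}
write_bond_master "$DIR"
for ifname in ens34 ens35; do
    enslave_interface "$DIR" "$ifname"
done
echo "Generated files in $DIR:"
ls "$DIR"
echo "Slave status from the sample bonding file:"
bond_slaves "$SAMPLE_BOND"          # ens34 up / ens35 down
```

Running bond_slaves against the real file (`bond_slaves "$(cat /proc/net/bonding/bond0)"`) gives a quick per-interface link check after the network restart; a slave that never appears was not enslaved, one reported down has a link problem.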

Modify all Configuration Scripts and Change the Interface to Reflect the New bond0 Master Interface


Modify all the files in the following locations from ens.??? to bond0:





Now restart the rockNSM services to activate bond0 as the master interface:

         # rock_stop

         # rock_start

         # rock_status (it is better to execute ps -aef | grep service_name and check each service that might show issues)


Additional Configuration

There are some additional configuration files located at: /opt/rocknsm/rock/playbooks/files/