rockNSM as an Incident Response Package

This is an update to a diary I wrote several months ago about using rockNSM as a system to respond to incidents. I have noticed, as have others, that some services would not start after running the configuration scripts. Before starting the installation, make sure you read the hardware requirements here. These are the steps that I follow to get all services running with ESXi:


Install rockNSM from the ISO

         Create an account during the installation process (User Creation). It is up to you whether you want to make this user an administrator.

         reboot

         login with the account created during the CentOS installation

         sudo su -

         passwd root (assign a root password)

         From this point on, run all commands as the root user rather than prefixing them with sudo

Set up a static interface with nmtui if it hasn't been done during the install

         # ifconfig will not work until rockNSM is installed

         # nmtui

vi /etc/sysconfig/network-scripts/ifcfg-ens33 (I have seen this interface under other names, e.g. ifcfg-ens192; if you want to set up a static IP, use something like this)

         TYPE="Ethernet"

         BOOTPROTO=none

         DEFROUTE="yes"

         IPV4_FAILURE_FATAL="no"

         IPV6INIT="no"

         NAME="ens33"

         UUID="d07c4233-1a39-4a08-b541-aa8c084096ed"

         DEVICE="ens33"

         ONBOOT=yes

         IPADDR=192.168.1.20

         PREFIX=24

         GATEWAY=192.168.1.1

         DNS1=192.168.1.3

         DNS2=192.168.1.4

         DOMAIN=domain.ca

reboot or shut down to add two more drives

Optional: after the installation, shut down and add two more drives so that the elasticsearch data and the stenographer packet captures are stored on separate partitions

Configure the new partitions now, before running the deployment scripts, if you plan to separate the data collection

         cfdisk /dev/sdb

         cfdisk /dev/sdc

         mkfs.xfs /dev/sdb1

         mkfs.xfs /dev/sdc1

         mkdir -p /data/elasticsearch

         mkdir -p /data/stenographer

-- Edit /etc/fstab and add ---

         /dev/sdb1    /data/elasticsearch    xfs    defaults    0 0

         /dev/sdc1    /data/stenographer     xfs    defaults    0 0

Now you are ready to finish the installation and configuration of rockNSM

         /opt/rocknsm/rock/bin/generate_defaults.sh

         /opt/rocknsm/rock/bin/deploy_rock.sh

         chown suricata:suricata /var/run/suricata

         chown -R stenographer:stenographer /data/stenographer

         chown -R elasticsearch:elasticsearch /data/elasticsearch

         vi /etc/suricata/suricata.yaml and change the HOME_NET

         vi /etc/suricata/rocknsm-overrides.yaml and verify capture "interface: ens34"

         vi /etc/rocknsm/config.yml -> enable stenographer and fsf to start on boot -> False to True

         cd /etc/stenographer and replace the default config file with the generated one (i.e. copy something like config.ens34 over config)

         cd /etc/systemd/system and mv stenographer.service /tmp

-          Only stenographer@.service should remain in that directory for stenographer

         systemctl enable stenographer

         reboot

Note: after this reboot, rockNSM's default time zone is UTC, not local time.

Configuring Bro Network Collection

Edit the Bro config file networks.cfg and make sure the correct networks are listed for collection (change the RFC1918 defaults to your own network ranges):

vi /opt/bro/etc/networks.cfg

After the system is rebooted, check the services to make sure they are all running:

         rock_status (check if everything is working)

Updating and patching CentOS

         rpm --import https://www.centos.org/keys/RPM-GPG-KEY-CentOS-7 (import the CentOS package signing key)

         vi /etc/yum.repos.d/CentOS-Base.repo (enable the repositories as shown in the picture)

         yum clean all && yum check-update

         yum install open-vm-tools ntp bind-utils (optional, if you need nslookup or dig)

         yum update (update everything, then reboot)

Adding Google Stenographer Web Queries/Download

These working steps add the instructions needed to get the stenoread-nodejs GUI (steps published here) working with rockNSM:

         curl -sL https://rpm.nodesource.com/setup_8.x | sudo -E bash -

         yum install nodejs

         npm install "stenoread-nodejs" -g

         npm install pm2@latest -g

         vi /usr/lib/node_modules/stenoread-nodejs/server.js

-          Go to line 112 (type :112 then Enter) to find http.createServer(onRequest).listen(5602,"127.0.0.1");

-          Change 5602,"127.0.0.1" to the port and IP you want to use, e.g. http.createServer(onRequest).listen(8080,"192.168.25.120");

         pm2 start /usr/lib/node_modules/stenoread-nodejs/server.js

         mkdir /data/traces/

         chmod 777 /data/traces/

         pm2 startup

         pm2 stop all

         vi /usr/lib/firewalld/services/http.xml (add port 8080)

         firewall-cmd --zone=public --add-port=8080/tcp --permanent

         firewall-cmd --zone=public --list-ports

         firewall-cmd --reload

         pm2 startup

Verify Sensor is Running

You can use rock_status but I find the output sometimes shows some components are not running when in fact they are. What works best for me are the following options:

         rock_status

         htop

         ps -ef | egrep "broctl|suricata|zookeeper|kafka|logstash|elasticsearch|kibana|stenographer" | awk '{ print $1 }' | sort | uniq
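As an added example (not part of the diary), the following shell function turns the ps/egrep check above into a pass/fail test that names the components with no running process. It assumes, as the egrep pattern does, that each component name appears in its process command line; the ps listing it is tried on here is constructed.

```shell
#!/bin/sh
# Added example, not from the diary: turn the ps/egrep check into a
# pass/fail test that names the components with no running process.
# Usage on the sensor:  ps -ef | missing_components
# Assumption: each component name appears in its process command line,
# which is what the diary's egrep pattern already relies on.
ROCK_COMPONENTS="broctl suricata zookeeper kafka logstash elasticsearch kibana stenographer"

# Reads a `ps -ef` listing on stdin, prints each expected component that has
# no matching command line (column 8 onward), and returns 1 if any is missing.
missing_components() {
    listing=$(cat)
    rc=0
    for comp in $ROCK_COMPONENTS; do
        if ! printf '%s\n' "$listing" | awk -v c="$comp" '
                { cmd = ""; for (i = 8; i <= NF; i++) cmd = cmd " " $i
                  if (index(cmd, c)) found = 1 }
                END { if (found) exit 0; exit 1 }'; then
            echo "$comp"
            rc=1
        fi
    done
    return $rc
}

# Constructed ps -ef excerpt: everything is up except logstash.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan01 ?        00:00:05 /usr/lib/systemd/systemd
suricata   912     1  2 Jan01 ?        01:12:33 /usr/sbin/suricata -c /etc/suricata/suricata.yaml --af-packet
elastic+  1201     1  5 Jan01 ?        03:40:10 /usr/bin/java -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch
kibana    1344     1  0 Jan01 ?        00:20:01 /usr/share/kibana/node/bin/node /usr/share/kibana/src/cli
kafka     1400     1  1 Jan01 ?        00:50:44 java -cp /opt/kafka/libs/* kafka.Kafka /etc/kafka/server.properties
zookeep+  1450     1  0 Jan01 ?        00:05:19 java -cp /opt/zookeeper/* org.apache.zookeeper.server.quorum.QuorumPeerMain
stenogr+  1600     1  0 Jan01 ?        00:10:00 /usr/bin/stenographer --config /etc/stenographer/config
bro       1700     1  3 Jan01 ?        02:00:00 /opt/bro/bin/bro -i ens34 -p broctl local.bro broctl'
```

Run it against the sample with `printf '%s\n' "$SAMPLE_PS" | missing_components` to see only logstash reported.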

Stenoread GUI

Accessing your sensor

         http://IPADDRESS - to access Kibana (I recommend a static address)

         http://IPADDRESS:8080 - to access the Stenoread GUI

Sensor Monitoring Two or More Interfaces with bond0

In order to monitor two or more interfaces, you need to manually set up a bond0 interface that aggregates the traffic of all sensor interfaces into a single one. The first step is to create the ifcfg-bond0 interface file:

         vi /etc/sysconfig/network-scripts/ifcfg-bond0

Add the following configuration to ifcfg-bond0

DEVICE=bond0

NAME=bond0

BONDING_MASTER=yes

PREFIX=24

ONBOOT=yes

BOOTPROTO=none

BONDING_OPTS="mode=0 miimon=100"

Next, edit each interface that will become a slave and add the following two lines at the end of its file to bond it to bond0:

MASTER=bond0

SLAVE=yes

When all interfaces have been modified, restart the network service:

         # systemctl restart network

         # ifconfig (bond0 should now appear as a new interface)

Check that the bonding interface is active:

         # cat /proc/net/bonding/bond0 (shows the network interfaces attached to bond0)

Modify All Configuration Scripts and Change the Interface to Reflect the New bond0 Master Interface

Change the interface in all of the following files from ens.??? to bond0:

         /etc/suricata/rocknsm-overrides.yaml

         /etc/rocknsm/config.yml

         /etc/stenographer/config

         /opt/bro/etc/node.cfg

Now restart rockNSM services to activate bond0 as the master interface

         # rock_stop

         # rock_start

         # rock_status (it is better to run ps -aef | grep service_name and check each service that might be reporting issues)
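As an added example, not from the diary or the rockNSM project, the shell helpers below carry out the bond0 steps above against a directory you choose, so they can be rehearsed in a scratch directory before being pointed at /etc/sysconfig/network-scripts; the /proc/net/bonding/bond0 sample they parse is constructed.

```shell
#!/bin/sh
# Added example, not from the diary: helpers for the bond0 procedure above.
# Every path is a parameter so the functions can be tried against a scratch
# directory before touching /etc/sysconfig/network-scripts.

# write_bond0 DIR : create DIR/ifcfg-bond0 with the settings the diary uses.
write_bond0() {
    cat > "$1/ifcfg-bond0" <<'EOF'
DEVICE=bond0
NAME=bond0
BONDING_MASTER=yes
PREFIX=24
ONBOOT=yes
BOOTPROTO=none
BONDING_OPTS="mode=0 miimon=100"
EOF
}

# enslave_iface FILE : append the MASTER/SLAVE lines to an ifcfg-ensXX file,
# but only if they are not already there, so re-running is harmless.
enslave_iface() {
    grep -q '^MASTER=bond0$' "$1" || echo 'MASTER=bond0' >> "$1"
    grep -q '^SLAVE=yes$'    "$1" || echo 'SLAVE=yes'    >> "$1"
}

# bond_slaves [FILE] : print "<iface> <mii status>" for each slave listed in a
# /proc/net/bonding/bond0 style file (defaults to the live kernel file).
# The bond's own "MII Status" line comes before any "Slave Interface" line,
# so it is skipped because no slave name has been seen yet.
bond_slaves() {
    awk '/^Slave Interface:/ { iface = $3 }
         /^MII Status:/ && iface != "" { print iface, $3; iface = "" }' \
        "${1:-/proc/net/bonding/bond0}"
}

# Constructed sample of /proc/net/bonding/bond0 (two slaves, one link down).
SAMPLE_BOND='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up

Slave Interface: ens34
MII Status: up
Speed: 1000 Mbps
Link Failure Count: 0

Slave Interface: ens35
MII Status: down
Link Failure Count: 1'
```

A slave reported as down by bond_slaves will silently drop that span's traffic from the sensor, which rock_status does not show.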

 

Additional Configuration

There are some additional configuration files located at: /opt/rocknsm/rock/playbooks/files/
