rockNSM Version 2.1 as an Incident Response Package

Before starting the installation, make sure you read the hardware requirements here. These are the steps I followed to get rockNSM running on ESXi 6.5+:

Install rockNSM from the ISO

·         It is recommended to partition the primary drive manually and give most of the space to the /data partition

·         Select Custom Install of ROCK 2.1

·         Create a user account during the installation process (User Creation). It is up to you whether to make this user an administrator

·         System will reboot automatically

·         Select ‘c’ to continue and get the command prompt

·         Login with the account created during the CentOS installation

·         sudo su -

·         passwd root (assign a root password if desired)

·         If a root password has been set, you can run all of the following commands as root instead of prefixing them with sudo

Updating and patching CentOS

·         yum clean all && yum check-update && yum -y update

·         yum -y install open-vm-tools ntp bind-utils net-tools (optional: open-vm-tools if you are running on VMware, bind-utils if you need nslookup or dig)

·         reboot (apply all updates, then reboot)

Set up a static interface with nmtui if it hasn’t been done during the install

·         # nmtui

·         Edit a connection (e.g. ens33)

·         Save the changes

·         Change the sensor hostname and reboot

Optional: after the installation, shut down the VM and add two more drives so that the elasticsearch data and the stenographer data (packets) are stored on separate partitions.

Configure the new partitions now, before running the deployment scripts, if you plan to separate the data collection.

·         dmesg | grep sd (find the extra drives; they are likely sdb and sdc)

·         cfdisk /dev/sdb

·         cfdisk /dev/sdc

·         mkfs.xfs /dev/sdb1

·         mkfs.xfs /dev/sdc1

·         mkdir -p /data/elasticsearch

·         mkdir -p /data/stenographer

-- Edit /etc/fstab and add the following two lines --

·         /dev/sdb1               /data/elasticsearch     xfs     defaults        0 0

·         /dev/sdc1               /data/stenographer      xfs     defaults        0 0

·         mount -a     (mount everything listed in /etc/fstab)
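The fstab step above is the one that is easiest to get wrong when repeated (a duplicated entry for the same mount point, or a typo that only shows up at the next boot). The following helpers are an added example, not part of the original page or of rockNSM: they append an XFS entry only if the mount point is not already present and count the active /data entries so you can sanity-check the file before running mount -a. The fstab path is a parameter, so the functions can be exercised on a scratch file first and then pointed at /etc/fstab; the device names, mount points and "defaults 0 0" options are the ones the page uses.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent /etc/fstab helpers
# for the two data partitions. FSTAB is passed explicitly so the logic can be
# tried on a scratch file before touching the real /etc/fstab.

# fstab_has_mount FSTAB MOUNTPOINT -> exit 0 if a non-comment line already
# lists MOUNTPOINT in field 2.
fstab_has_mount() {
    awk -v mp="$2" '$0 !~ /^[ \t]*#/ && $2 == mp { found = 1 } END { exit !found }' "$1"
}

# fstab_add FSTAB DEVICE MOUNTPOINT -> append an xfs entry unless MOUNTPOINT is
# already present. Prints "added" or "exists" so the caller can log the result.
fstab_add() {
    fstab=$1 dev=$2 mp=$3
    if fstab_has_mount "$fstab" "$mp"; then
        echo "exists"
        return 0
    fi
    # Same field layout and options as the page: <dev> <mountpoint> xfs defaults 0 0
    printf '%-23s %-23s xfs     defaults        0 0\n' "$dev" "$mp" >> "$fstab"
    echo "added"
}

# fstab_data_entries FSTAB -> number of active entries mounted under /data,
# a quick check that both partitions are listed before "mount -a".
fstab_data_entries() {
    awk '$0 !~ /^[ \t]*#/ && $2 ~ /^\/data\// { n++ } END { print n + 0 }' "$1"
}

# Demonstration on a scratch copy; on the sensor you would pass /etc/fstab.
demo_fstab=$(mktemp)
fstab_add "$demo_fstab" /dev/sdb1 /data/elasticsearch   # added
fstab_add "$demo_fstab" /dev/sdc1 /data/stenographer    # added
fstab_add "$demo_fstab" /dev/sdb1 /data/elasticsearch   # exists (not duplicated)
fstab_data_entries "$demo_fstab"                         # 2
```

One caveat worth knowing before relying on the /dev/sdb1 and /dev/sdc1 names: the kernel assigns sdX names in probe order, so adding or removing a virtual disk later can shift them. If that is a concern on your hypervisor, the UUID= form reported by blkid is a more stable way to reference the partitions in fstab.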

Now you are ready to finish the installation and configuration of rockNSM.

Note: if you mess up the configuration, you can run this script to reset it to the defaults: /opt/rocknsm/rock/bin/generate_defaults.sh

·         vi /etc/rocknsm/config.yml -> under the section for services enabled on startup, set docket, stenographer and pulledpork to start on boot (change False to True)

·         /opt/rocknsm/rock/bin/deploy_rock.sh

·         vi /etc/suricata/suricata.yaml and change HOME_NET to your networks

·         vi /etc/suricata/rocknsm-overrides.yaml and verify that the capture interface is the correct one. Mine was "interface: ens34"

·         cd /etc/stenographer and replace the default config file with the generated one (i.e. copy something like config.ens34 over config)

Configuring Bro Network Collection

Edit the Bro config file networks.cfg and make sure the correct networks are listed for collection (change the default RFC1918 entries to your own network ranges):

·         vi /etc/bro/networks.cfg
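HOME_NET in suricata.yaml and the ranges in Bro's networks.cfg describe the same thing, and when only one of them gets edited the two engines silently disagree on what is "home". The script below is an added example, not code from the original page or from rockNSM: it pulls the CIDR list out of each file and prints the ranges present in only one of them. The file paths are parameters, so it runs against the constructed samples it creates and against the real /etc/suricata/suricata.yaml and /etc/bro/networks.cfg alike. It assumes HOME_NET is written as a plain bracketed list, as in the stock suricata.yaml, rather than a reference to another variable.

```shell
#!/bin/sh
# Added example (not from the original page): check that Suricata's HOME_NET
# and Bro's networks.cfg list the same networks.

# suricata_home_net FILE -> the CIDRs of the HOME_NET list, one per line, sorted.
# Assumes the stock form:  HOME_NET: "[10.0.0.0/8,192.168.0.0/16]"
suricata_home_net() {
    sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*"\[\(.*\)]".*/\1/p' "$1" \
        | tr ',' '\n' | sed 's/[[:space:]]//g' | grep . | LC_ALL=C sort -u
}

# bro_networks FILE -> first field of every non-comment, non-empty line
# (networks.cfg is "<CIDR> <description>"), sorted.
bro_networks() {
    awk '$0 !~ /^[ \t]*#/ && NF > 0 { print $1 }' "$1" | LC_ALL=C sort -u
}

# home_net_diff SURICATA_YAML NETWORKS_CFG -> prints "< cidr" for ranges only in
# Suricata and "> cidr" for ranges only in Bro; exit status 0 when they agree.
home_net_diff() {
    a=$(mktemp); b=$(mktemp); tab=$(printf '\t')
    suricata_home_net "$1" > "$a"
    bro_networks "$2" > "$b"
    # comm -3 keeps only the lines unique to one side; side B is tab-prefixed.
    out=$(LC_ALL=C comm -3 "$a" "$b" | sed "s/^$tab/> /; s/^[^>]/< &/")
    rm -f "$a" "$b"
    printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed sample files; on the sensor point the functions at the real ones.
demo_dir=$(mktemp -d)
cat > "$demo_dir/suricata.yaml" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8,192.168.0.0/16,203.0.113.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
EOF
cat > "$demo_dir/networks.cfg" <<'EOF'
# Bro networks.cfg (constructed sample): 172.16/12 was added here but not in Suricata
10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
203.0.113.0/24      Our public range
EOF

# Prints "> 172.16.0.0/12" and "< 192.168.0.0/16", then exits non-zero.
home_net_diff "$demo_dir/suricata.yaml" "$demo_dir/networks.cfg" || echo "home networks differ"
```

Run it as part of the post-deploy checks, or again after editing either file: an empty diff and a zero exit status mean both engines will classify the same traffic as internal.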

Note: If you are running multiple interfaces, follow these instructions to enable all of them before rebooting.

·         reboot

Note: after rebooting rockNSM, keep in mind that the default time zone is UTC, not your local time.

After the system is rebooted, check the services to make sure they are all running:

·         rock_status (check if everything is working)

Accessing your sensor

·         The username/password for logging into the interface are stored in the home directory of the user account you created during setup, in a file called KIBANA_CREDS.README

·         https://IPADDRESS - to access Kibana (I recommend a static address)

·         https://IPADDRESS:8443 – to access Docket’s packet GUI

Adding Real Intelligence Threat Analytics (RITA) to the Sensor

I used the automated script (install.sh) with CentOS 7, which I downloaded from here. The installation is straightforward and it verified my setup to make sure everything was installed on my box.

Before starting, edit this file: vi /etc/yum.repos.d/CentOS-Base.repo and change [base] from enabled = 0 to enabled = 1

·         [guy@simplerockbuild ~]$ sudo sh -x install.sh

·         [guy@simplerockbuild ~]$ sudo service mongod start

After the installation, I edited the configuration file (/etc/rita/config.yaml), changed the defaults and confirmed the following:

Next, I got a Google Safe Browsing API key [4], followed the API setup instructions here, and added it to the rita config file.

My next step was to import my Bro logs into the database with the command:

RITA Parsing Bro logs

If you want to import a single day, use the following command:

Show what is available now:

Now we can analyze a day of Bro traffic as follows:

RITA Analysis of logs

Last step: let's create a web report that can be easily viewed with a browser:

[guy@rocknsm ~]# rita html-report bro-2018-07-27
[-] Writing: /home/guy/bro-2018-07-271/bro-2018-07-27
[-] Wrote outputs, check /home/guy/bro-2018-07-27 for files

RITA HTML Report

If at some point you want to delete a day of data, use the following command in your home directory:

Additional Configuration

There are some additional configuration files located at: /opt/rocknsm/rock/playbooks/files/

[1] https://isc.sans.edu/diary/22832

[2] https://github.com/rocknsm/rock

[3] https://rocknsm.gitbooks.io/rocknsm-guide/

[4] https://console.cloud.google.com/?pli=1

[5] https://download.rocknsm.io/rocknsm-2.1.0.iso

[6] https://lintut.com/how-to-setup-network-after-rhelcentos-7-minimal-installation/

[7] https://www.thegeekdiary.com/centos-rhel-7-how-to-configure-network-bonding-or-nic-teaming/

[8] https://www.youtube.com/channel/UCUD0VHMKqPkdnJshsngZq9Q/videos

[9] https://github.com/activecm/rita

[10] http://capesstack.io

[11] https://github.com/capesstack/capes/tree/master/docs#get-capes