Skip to content ↓ | Skip to navigation ↓

Back in July, I brushed on the topic of using a Raspberry Pi as a cheap and effective way to secure Internet of Things (IoT) and Industrial Control Systems (ICS) networks where traditional protection mechanisms are not feasible.

I took those concepts and spoke to them at the IoT Village at DefCon 23 in a level of detail that explained how to actually deploy one of these Sweet Security devices.  I’ll get into what hardware you will need, how to install the Raspbian OS, how to configure the software, and how to get value out of deploying a sweet security solution.

The Hardware

As discussed in Part 1, the Raspberry Pi 2 Model B is a better choice for running all the various security tools than the earlier counterparts.

The size of the Micro SD card must be at least 8GB, but more space is better for storing a longer history of log data from Bro IDS. The case is required, but any case will do to suit your individual style and taste. The wireless keyboard is optional; I found that having the small form factor allowed me to configure the device easier on the fly than plugging in a full size keyboard.

Once you configure networking SSH can be enabled to make configuration easier from an SSH client. Amazon also sells full kits that contain all of the hardware listed here.

Hardware Price Required
Raspberry Pi 2 Model B 41.64 Yes
8GB+ Micro SD Card 4.99+ Yes
Raspberry Pi 2 Model B Case 4.99+ Yes
Micro USB Power Cord 9.99 Yes
Mini Wireless Keyboard 16.99 No

Installing the Operating System

The Raspberry Pi website has an easy to follow getting started guide to install Raspbian using NOOBS (New Out Of the Box Software) manager. If you are familiar with the installation process, a traditional installation of the Raspbian OS without NOOBS will work fine, as well. There are other distributions for the Raspberry Pi that should work in theory, but I have not had a chance to test them out for sure.

Bring a Bro Along

What makes the Sweet Security solution great is the reliance on all lightweight open-source software. Since we want the device to monitor all the traffic, we need to install software to inspect the traffic and tell us what’s going on.

For this, we will want to install an Intrusion Detection System (IDS). There are many free products available but my preference for the Raspberry Pi is Bro IDS. Bro was created by Vern Paxson in 1995 while at Lawrence Berkeley National Laboratory. What’s powerful about Bro is the ability to inspect traffic at all OSI layers, as well as add additional scripting for increased attack detections.

The installation for Bro IDS is straightforward on the Raspberry Pi, and is no different than any other UNIX-style system. First, there are a few prerequisites to install, all of which are available via apt-get. Once those have been completed, you can simply download the latest source code, prepare the environment, build, and install (configure, make, make install).

From here, you can run Bro manually or use Broccoli to control the Bro instance.

Make the Bro Intelligent

While Bro ships with an extensive signature base to detect a number of common attacks, the signatures can be enhanced with Threat Intelligence. Another of the reasons that I chose Bro for the Sweet Security solution was the availability of the Critical Stack threat intelligence integration.

Critical Stack is a free aggregator of threat intelligence feeds. It’s a simple point-and-click integration to pull information, such as Tor Exit node IP addresses, known malicious IPs, or known phishing domains. The Critical Stack agent pulls the threat intelligence data, formats it into the Bro scripting language, and the Bro IDS picks up the new scripts automatically.

The installation of the Critical Stack agent is very simple. The guys at Critical Stack created a Debian package specifically for the ARM based architecture of the Raspberry Pi. Performing a dpkg installation command against the installer will do everything that’s needed to get the package installed. Simply apply your key and the agent takes care of the rest. All of the Critical Stack alerts are written directly to the Bro IDS logs.

Get Alerted with Logstash

While the Bro IDS platform allows you to get email notifications to attacks, there are advantages to moving the notification capabilities to another product. For me the product is Logstash, an open source Log Manager. The normalization capabilities of Logstash are easy to use, even if we have to create most of them from scratch. Logstash also has multiple plugins that allow the integration of additional threat intelligence features.

The installation of Logstash on the Raspberry Pi is a little more involved than the previous steps. First, we’ll want to download the code from the Elastic website. If you try launching the Logstash product at this point, you’ll notice a FFI not available error. Fortunately, we take the JFFI code on this GitHub page to use for Logstash.

Once that’s put in place, Logstash can now run.  To allow Logstash to run on boot time, there are a few additional steps. First, take the init.d script and place it on the system. Next, create a logstash user and group on the device, which will be used to launch the process. Finally, a simple update-rc.d command will allow Logstash to launch when the system is booted.

What about the normalization of the Bro logs?

Logstash defines the patterns within its configuration file. For simplicity, I prefer to place the normalization rules in a separate file and directory. (A sample rule can be found on this here.) This will pull out the valuable data from the Critical Stack alerts written to the Bro IDS logs. A sample configuration file here can be used in conjunction with this rule file. Before we can use this configuration file to launch Logstash, the translate plugin will need to be installed. The translate plugin allows us to compare any IP addresses found in the logs to known malicious or Tor IP addresses.

Store the Logs

The Logstash configuration is set to store the normalized log data in an Elasticsearch index. Fortunately, the installation of Elasticsearch is a simple as downloading the Debian package and installing. Once it’s installed, just make sure the cluster name matches what is in the Logstash configuration file.

Gain Insight

One of the benefits of utilizing both Logstash and Elasticsearch is the complete ELK stack, with the last piece being Kibana. The usage of Kibana will allow quick insight into the data to see trends over time, or expose quickly abnormalities that may not have been alerted on by the Logstash or Bro IDS solutions.

Once the Kibana code is unzipped, a new node version will need to be installed and copied over for the ARM architecture of the raspberry pi. After the package is installed, you can link rename the old node and npm files in Kibana and link the new ones. For example:

sudo ln -s /usr/local/bin/node /opt/kibana/node/bin/node

sudo ln -s /usr/local/bin/npm /opt/kibana/node/bin/npm

Make the ‘Stash Intelligent

The final piece of the puzzle is to fully utilize the Logstash translate plugin installed earlier. The configuration file points to two separate files, torIP.yaml and maliciousIP.yaml. Any number of translations can be completed here; these are just the two that were created for examples. There are even python scripts available to populate these files for you.

To create a different example, simply create a YAML based file with the format of “IP_Address”:  “YES”. When the IP address from the log is compared against the YAML file, it will place the word YES in a new field defined by the Logstash configuration file. In my example, it will use the fields tor_IP or malicious_IP depending on which translation is being used.

Automation is Awesome

A lot of what described here is complex, confusing and in some cases, not entirely complete. I’ve uploaded all of the files referenced throughout the document on a public Sweet Security GitHub repository. Part of the repository includes a script, which will run through the installation and configuration of Bro IDS, Critical Stack, Logstash, Elasticsearch and Kibana for you.

For the curious eyes, you will also notice some network discovery code, as well. In my next post , I’ll dig into how I’m discovering new devices on my network and integrating with more open source tools to make sure my network is as secure as possible.

Title image courtesy of ShutterStock

10 Ways Tripwire Outperforms Other Cybersecurity Solutions
  • “A lot of what described here is complex, confusing and in some cases, not entirely complete.”

    I’ve used Linux for decades and have two RPi at home but … I’m dreading setting this up.

    Which parts are not entirely complete?

    • Travis Smith


      There are scripts available on the linked GitHub pages which will walk you through the entire setup process. The hardware on the Pi is limited, so it may take a couple of hours to complete, but all you need to supply is a Critical Stack API key and the script will handle the rest.

      • monakh

        Thanks for the tutorial and script, Travis.

        What happens if you leave the Critical Stack API key blank? The fact that it was echoed on the screen gave me pause so I quit the script and went through the installation with a blank key. Anything I need to amend here manually?

        Edit: Also, what would you need to remove all the components that the script installs? Do they have to be purged manually one by one or is there a script for that, as well? Thanks.

  • Marcelo Ramos

    Would be interesting to see how Bro and Logstash perform on the Pi, if I get a chance I might get another Pi to try this

    • Travis Smith


      I preferred Bro over alternatives like Snort because of it’s performance on the limited hardware specs of the raspberry pi. I haven’t yet run any performance tests to be able to scientifically back that statement, just a gut feel based on my usage thus far.

  • Matt

    Great writeup. The only missing piece, if I’m not mistaken, is that the Pi will need 2 network interfaces in order to have one in promiscuous mode and monitor all network traffic going across the LAN, right? Just wondering if anyone could provide a bit of insight on how to achieve this.

    • Michael Bourda

      Same question. Also, did you notice any through-put impacts on your network when you installed this?

      • Matt

        After a bit more searching around, I think the easiest first step (prior to following the instructions laid out here) would be to flash DD-WRT firmware onto your router and then mirror all network traffic from the router over to your Raspberry Pi. I haven’t tried it yet, but at that point I imagine your IDS should work without needing extra network interfaces or configuring the Pi as a DHCP server.

        Here are instructions for this

      • Travis Smith


        You have three options. A span/mirror port, configure the RPi as a proxy, or add a NIC to be in-line. Each comes with it’s pros/cons. The presentation I gave at B-Sides SF outlines these and more.

    • Matt

      After some more research, I realize that a second network interface may not be necessary if the Pi is configured to be the gateway for all other machines on the network. Any tips on how to achieve this would be great.

    • Travis Smith


      You have three options. A span/mirror port, configure the RPi as a proxy, or add a NIC to be in-line. Each comes with it’s pros/cons. The presentation I gave at B-Sides SF outlines these and more.

      • Matt

        Thanks Travis! It looks to me like the “in-line” option would be the easiest. I do have an extra USB to ethernet for my Pi. Not sure what’s necessary to configure this though. Will have to research that. Otherwise, I think i’ll be trying the DNS/DHCP server route.

  • Drew

    Are these steps the same for a Pi cluster? I am planning on clustering 4 Pi’s together for a project like this and want to see if you have tested a similar configuration.

  • Pi2

    Willshuold the new pI3 config run on Pi2?
    I did try it and kibana showed all green – but the index kept asking to be configured.
    i had a copy of the old files I think so will try the pi2 build to test

  • F

    Can this work with the Security Onion OS?

  • drakke

    Thank you for your great article.

    I use the network gateway for my installation. All the internal traffic ( will be send to my Raspberry. But when an external computer ( send data to one of my internal computer (, my Rasberry don’t will received the data. That right?

    Thank you

  • Eric Hayes

    What a cool project! 2 questions: 1) How would you go about forwarding this data to a SIEM? and 2) Can you block malicious traffic identified by the IDS?

  • Kevin

    Hi my name is kevin im using Raspberry pi model B for my final year project and wanting to create an IDS that can send email alerts when threat is detected, plus i want to classify different types of attack base on the danger level of the attack. What is the best IDS for me to do this is it Snort or BRO IDS and can you share with me your configuration for this article, i would be very thankful if you could.

    • Travis Smith


      I used Bro IDS because it used less resources on the Pi than Snort, but both are great IDS options. All of the configuration I used for this article can be found on the Sweet Security GitHub page (link in article).

  • I am making something similar in my free time and this articles proves to be very useful. Thanks!

  • Beou

    I searched Google for “in-line with router raspberry “. I got one hit from tripwire where this line where in the hit “add a NIC to be in-line”. But that line is not on the tripwirw page I get when I klick on it?

    Why is this?

  • broster

    By the way, bro can be made to log to JSON directly; making it easier to feed it to ELK.

  • broster

    Also, I wasn’t able to make bro + the full ELK stack work correctly on a Raspberry Pi 3, it simply ran out of RAM and CPU running all the Java components.

    • Travis Smith

      Great info on the JSON output, I hadn’t thought of logging to JSON since I usually also gather other syslog type events as well.

      I’d be curious how much memory each component was using. I know Logstash can be memory intensive, did you add any new normalization rules?

  • Matthew Butler

    So how exactly do you run the script?

    I’m not that familiar with *nix type systems so I tried what I thought, which would be sudo Bash and it’s returning a Syntax Error near unexpected token “newline”

    • Matthew Butler

      Nvm, I solved the issue (Duh) but still ran into problems with the script. It appears that there are some minor issues in the scripts syntax, so locations aren’t made and therefore files aren’t installed as it runs down the list.

      Once I compiled it all up, Bro ran at around 60% CPU usage, but I’m unfamiliar with ELK, and therefore wasn’t able to connect everything all up together – Kibana didn’t really have anything to display.

      • Travis Smith

        Kibana relies on having data being in Elasticsearch, which is populated by the Logstash product. Logstash will attempt to normalize the intel.log file in the default configuration. You should verify that Elasticsearch and Logstash are both running first to ensure data is visible from Kibana.

        Bro shouldn’t take up too much CPU. What pi model are you running?

  • Lane Goolsby

    What is the feasibility of running an IDS like Bro that puts the NIC in promiscuous mode on the same Pi that is running a service like Pi-Hole (basically answering DNS queries)? I am curious if I could have one Pi handle both roles for me instead of needing two Pi’s.

    • Travis Smith

      Bro will listen on a specific network card, so if you configure it to the promiscuous NIC, it should inspect every packet that comes across it. I chose Bro for this project because it was much more lightweight than something like Snort. On my typical setup Bro is using very little CPU/Memory resources.

  • Mr Gardner

    Has anyone managed to run bro + elk on the pi? The memory requirements are too high for a default install. Are you sure you haven’t missed out steps about a separate analyst machine?

    • Tim D

      I gave it a shot and ran into dependency issues with log stash. I may try again on a fresh image. I am wondering if you could fork the logs to another Pi that runs elk and nothing but elk…you could probably even run EL on one Pi and K on another. Might be the beer talking, but I think it’s doable.

  • Eduardo

    Hi Travis,

    I managed to install your SweetSecurity suite in two Raspberry Pi 3 devices and it´s working, except for this Kibana error:

    No matching indices found: No indices match pattern “logstash-*”

    Any ideas are most welcome.


<!-- -->