Back in July, I brushed on the topic of using a Raspberry Pi as a cheap and effective way to secure Internet of Things (IoT) and Industrial Control Systems (ICS) networks where traditional protection mechanisms are not feasible.
I took those concepts and spoke to them at the IoT Village at DefCon 23 in a level of detail that explained how to actually deploy one of these Sweet Security devices. I’ll get into what hardware you will need, how to install the Raspbian OS, how to configure the software, and how to get value out of deploying a Sweet Security solution.
As discussed in Part 1, the Raspberry Pi 2 Model B is a better choice for running all the various security tools than the earlier counterparts.
The size of the Micro SD card must be at least 8GB, but more space is better for storing a longer history of log data from Bro IDS. The case is required, but any case will do to suit your individual style and taste. The wireless keyboard is optional; I found that its small form factor let me configure the device on the fly more easily than plugging in a full-size keyboard.
Once you configure networking, SSH can be enabled to make configuration easier from an SSH client. Amazon also sells full kits that contain all of the hardware listed here.
Installing the Operating System
The Raspberry Pi website has an easy-to-follow getting started guide to install Raspbian using the NOOBS (New Out Of the Box Software) manager. If you are familiar with the installation process, a traditional installation of the Raspbian OS without NOOBS will work fine as well. There are other distributions for the Raspberry Pi that should work in theory, but I have not had a chance to test them out for sure.
Bring a Bro Along
What makes the Sweet Security solution great is the reliance on all lightweight open-source software. Since we want the device to monitor all the traffic, we need to install software to inspect the traffic and tell us what’s going on.
For this, we will want to install an Intrusion Detection System (IDS). There are many free products available, but my preference for the Raspberry Pi is Bro IDS. Bro was created by Vern Paxson in 1995 while at Lawrence Berkeley National Laboratory. What’s powerful about Bro is the ability to inspect traffic at all OSI layers, as well as add additional scripting for increased attack detections.
The installation for Bro IDS is straightforward on the Raspberry Pi, and is no different than on any other UNIX-style system. First, there are a few prerequisites to install, all of which are available via apt-get. Once those have been completed, you can simply download the latest source code, prepare the environment, build, and install (configure, make, make install).
From here, you can run Bro manually or use Broccoli to control the Bro instance.
Make the Bro Intelligent
While Bro ships with an extensive signature base to detect a number of common attacks, the signatures can be enhanced with Threat Intelligence. Another of the reasons that I chose Bro for the Sweet Security solution was the availability of the Critical Stack threat intelligence integration.
Critical Stack is a free aggregator of threat intelligence feeds. It’s a simple point-and-click integration to pull information, such as Tor Exit node IP addresses, known malicious IPs, or known phishing domains. The Critical Stack agent pulls the threat intelligence data, formats it into the Bro scripting language, and the Bro IDS picks up the new scripts automatically.
The installation of the Critical Stack agent is very simple. The guys at Critical Stack created a Debian package specifically for the ARM-based architecture of the Raspberry Pi. Performing a dpkg installation command against the installer will do everything that’s needed to get the package installed. Simply apply your key and the agent takes care of the rest. All of the Critical Stack alerts are written directly to the Bro IDS logs.
Get Alerted with Logstash
While the Bro IDS platform allows you to get email notifications of attacks, there are advantages to moving the notification capabilities to another product. For me the product is Logstash, an open source Log Manager. The normalization capabilities of Logstash are easy to use, even if we have to create most of them from scratch. Logstash also has multiple plugins that allow the integration of additional threat intelligence features.
The installation of Logstash on the Raspberry Pi is a little more involved than the previous steps. First, we’ll want to download the code from the Elastic website. If you try launching the Logstash product at this point, you’ll notice an "FFI not available" error. Fortunately, we can take the JFFI code on this GitHub page to use for Logstash.
Once that’s put in place, Logstash can now run. To allow Logstash to run on boot time, there are a few additional steps. First, take the init.d script and place it on the system. Next, create a logstash user and group on the device, which will be used to launch the process. Finally, a simple update-rc.d command will allow Logstash to launch when the system is booted.
What about the normalization of the Bro logs?
Logstash defines the patterns within its configuration file. For simplicity, I prefer to place the normalization rules in a separate file and directory. (A sample rule can be found here.) This will pull out the valuable data from the Critical Stack alerts written to the Bro IDS logs. A sample configuration file here can be used in conjunction with this rule file. Before we can use this configuration file to launch Logstash, the translate plugin will need to be installed. The translate plugin allows us to compare any IP addresses found in the logs to known malicious or Tor IP addresses.
Store the Logs
The Logstash configuration is set to store the normalized log data in an Elasticsearch index. Fortunately, the installation of Elasticsearch is as simple as downloading the Debian package and installing it. Once it’s installed, just make sure the cluster name matches what is in the Logstash configuration file.
One of the benefits of utilizing both Logstash and Elasticsearch is the complete ELK stack, with the last piece being Kibana. Kibana gives quick insight into the data to see trends over time, or to quickly expose abnormalities that may not have been alerted on by the Logstash or Bro IDS solutions.
Once the Kibana code is unzipped, a new node version will need to be installed and copied over for the ARM architecture of the Raspberry Pi. After the package is installed, you can rename the old node and npm files in Kibana and link the new ones. For example:
sudo ln -s /usr/local/bin/node /opt/kibana/node/bin/node
sudo ln -s /usr/local/bin/npm /opt/kibana/node/bin/npm
Make the ‘Stash Intelligent
The final piece of the puzzle is to fully utilize the Logstash translate plugin installed earlier. The configuration file points to two separate files, torIP.yaml and maliciousIP.yaml. Any number of translations can be completed here; these are just the two that were created for examples. There are even Python scripts available to populate these files for you.
To create a different example, simply create a YAML-based file with the format of "IP_Address": "YES". When the IP address from the log is compared against the YAML file, it will place the word YES in a new field defined by the Logstash configuration file. In my example, it will use the fields tor_IP or malicious_IP depending on which translation is being used.
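The following is an added example, not code from this post or from the Sweet Security repository: a Python script that builds a dictionary file in the "IP_Address": "YES" format from a feed and emulates the exact-match lookup that fills tor_IP. The feed contents (documentation address ranges) and the dst_ip field name are constructed assumptions.

```python
import ipaddress

# Constructed sample feed (documentation address ranges), not real threat data.
SAMPLE_FEED = [
    "# exit nodes, one per line",
    "192.0.2.10",
    " 198.51.100.7  # trailing comment",
    "192.0.2.10",            # duplicate: collapsed
    "not-an-ip.example",     # hostname: skipped
    "203.0.113.0/24",        # range: skipped, the lookup is an exact string match
    "2001:DB8::1",           # normalized to lower case
]

def build_dictionary(feed_lines):
    """Return {ip_string: "YES"} for every valid single address in the feed."""
    entries = {}
    for raw in feed_lines:
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # anything that is not one IPv4/IPv6 address is dropped
        entries[str(ip)] = "YES"
    return entries

def to_yaml(entries):
    """Render entries as "IP_Address": "YES" lines, sorted for stable diffs."""
    def sort_key(text):
        ip = ipaddress.ip_address(text)
        return (ip.version, int(ip))
    return "".join(f'"{ip}": "{entries[ip]}"\n' for ip in sorted(entries, key=sort_key))

def enrich(event, dictionary, field, target):
    """Emulate the lookup: an exact match on event[field] adds event[target]."""
    out = dict(event)
    value = dictionary.get(event.get(field))
    if value is not None:
        out[target] = value
    return out

if __name__ == "__main__":
    tor = build_dictionary(SAMPLE_FEED)
    print(to_yaml(tor), end="")
    # "dst_ip" is a hypothetical field name for the normalized log event.
    print(enrich({"dst_ip": "198.51.100.7"}, tor, "dst_ip", "tor_IP"))
    print(enrich({"dst_ip": "198.51.100.8"}, tor, "dst_ip", "tor_IP"))
```

Because the lookup is an exact string match, feed entries that are ranges or differently formatted addresses never match a log value, which is why the script normalizes each address and drops everything else.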
Automation is Awesome
A lot of what is described here is complex, confusing and in some cases, not entirely complete. I’ve uploaded all of the files referenced throughout the document to a public Sweet Security GitHub repository. Part of the repository includes a SweetSecurity.sh script, which will run through the installation and configuration of Bro IDS, Critical Stack, Logstash, Elasticsearch and Kibana for you.
For the curious eyes, you will also notice some network discovery code. In my next post, I’ll dig into how I’m discovering new devices on my network and integrating with more open source tools to make sure my network is as secure as possible.