Foxhound: Blackbox - A Raspberry Pi NSM
.gitattributes
README.md
cleanup.sh
foxhound.sh
nic.sh
unattended-sample.txt

README.md

FOXHOUND-NSM

Raspberry Pi 3 network security monitor (NSM) based on Bro. Suitable for a home 'blackbox' deployment.

Requirements

General Preparation

  • critical stack:
    • get a critical stack account
    • set up a collection and a sensor
    • add feeds to your collection
    • note down sensor API key
  • note down the parameters for your email server

Prepare Pi

  • download Raspian Lite and put onto micro SD card
  • create empty file ssh on boot file system of SD card
  • connect LAN cable to Pi (make sure DHCP works)
  • optionally: connect WD PiDrive to Pi
  • boot Pi, ssh into device
  • change password for user pi (passwd)
  • sudo to root (sudo su -) and use raspi-config to
    • set up WLAN (Network Options)
    • expand filesystem (Advanced Options)
    • exit, don't reboot yet
  • set a password for root (important if you want to access console mode in case of system problems): passwd
  • check if you can ssh into Pi using the WLAN IP of the Pi
  • optionally: prepare PiDrive (see Hints below)
  • reboot (reboot)
  • detach LAN cable

Install Foxhound

  • ssh into Pi using WLAN IP
  • update base OS:
      sudo su -
      apt-get update
      apt-get -y -u dist-upgrade
  • install git: apt-get -y install git
  • change into root's home directory: cd
  • clone repository: git clone https://github.com/sneakymonk3y/foxhound-nsm.git (as long as the pull request hasn't been accepted by the maintainer, please use my repo instead: git clone https://github.com/gebhard73/foxhound-nsm.git)
  • prepare installation:
      cd foxhound-nsm
      chmod +x foxhound.sh
  • optionally: copy unattended-sample.txt to unattended.txt and adapt it to your needs
  • begin installation: ./foxhound.sh
  • shut down device: shutdown -h now

Start Sniffing

  • configure switch (set up port mirroring)
  • plug switch into your home LAN on a suitable spot
  • connect switch mirror port with Pi
  • power up Pi and see if it works as expected (see e.g. Further Reading below)

Hints

  • the script isn't meant to be run multiple times on one installation (yet), so to get reliable results use a fresh OS SD card (and erase /nsm if using a PiDrive) when re-running the script
  • use cheap micro SD card for OS, e.g. 8 GB ones (get multiple and have one ready with current Raspbian distro)
  • use a separate file system for /nsm, e.g. Western Digital PiDrive Foundation Edition
    • delete existing partitions
    • create primary partition and label it, e.g. NSM
    • format with ext4, e.g. mkfs.ext4 /dev/sda1
    • mount into /nsm, e.g. add LABEL=NSM /nsm ext4 defaults,nofail 0 0 to /etc/fstab and mkdir /nsm && mount /nsm
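The PiDrive steps above, written as an added example script (not part of foxhound-nsm) that can be re-run without side effects and logs what it does, which is also what the To Do list asks of the installer. The device, label, mount point and the FOXHOUND_* variable names are assumptions; the fstab path is a function parameter so the non-destructive part can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example, not part of foxhound-nsm: idempotent PiDrive preparation
# for /nsm following the Hints. Device, label, mount point and the
# FOXHOUND_* variable names are assumptions; the fstab path is a parameter
# so the non-destructive functions can be tested against a scratch file.
set -eu

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

# The fstab line from the Hints: LABEL=NSM /nsm ext4 defaults,nofail 0 0
# (nofail keeps the Pi booting even if the PiDrive is unplugged).
nsm_fstab_line() { printf 'LABEL=%s %s ext4 defaults,nofail 0 0\n' "$1" "$2"; }

# Append the entry only if no line already mounts $mnt, so re-running the
# installer does not stack duplicate /nsm entries in fstab.
ensure_fstab_entry() {
  fstab=$1 label=$2 mnt=$3
  if grep -Eq "^[^#[:space:]]+[[:space:]]+$mnt[[:space:]]" "$fstab"; then
    log "fstab already mounts $mnt, leaving it alone"
    return 0
  fi
  nsm_fstab_line "$label" "$mnt" >>"$fstab"
  log "added fstab entry for $mnt (LABEL=$label)"
}

# Destructive part: one primary partition plus ext4, as in the Hints.
# Skipped when partition 1 already carries a filesystem with our label.
prepare_nsm_drive() {
  dev=$1 label=$2 mnt=$3 part="${1}1"
  [ "$(id -u)" -eq 0 ] || { log "must run as root"; return 1; }
  if [ "$(blkid -s LABEL -o value "$part" 2>/dev/null || true)" = "$label" ]; then
    log "$part is already labelled $label, not reformatting"
  else
    log "replacing partition table on $dev with one primary partition"
    printf 'label: dos\ntype=83\n' | sfdisk --quiet "$dev"
    mkfs.ext4 -q -L "$label" "$part"
  fi
  ensure_fstab_entry /etc/fstab "$label" "$mnt"
  mkdir -p "$mnt"
  mountpoint -q "$mnt" || mount "$mnt"
  log "$mnt ready"
}

# Only touch hardware when the caller names the device explicitly, e.g.
#   FOXHOUND_DEVICE=/dev/sda ./prepare-nsm.sh
if [ -n "${FOXHOUND_DEVICE:-}" ]; then
  prepare_nsm_drive "$FOXHOUND_DEVICE" "${FOXHOUND_LABEL:-NSM}" "${FOXHOUND_MNT:-/nsm}"
fi
```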

To Do

  • adapt script so it can be run multiple times in a row without creating strange side effects
  • add logging and error handling to script

Further Reading
