Foxhound: Blackbox - A Raspberry Pi NSM
Mark
Latest commit 89f02bc Dec 29, 2017
.gitattributes Function formatting UNIX/UTF8 Oct 26, 2016
README.md Update README.md Dec 28, 2017
cleanup.sh Tidy Oct 30, 2016
foxhound.sh Update foxhound.sh Dec 23, 2017
nic.sh Added nic.sh. Oct 30, 2016
unattended-sample.txt added ntp server Dec 21, 2017

README.md

FOXHOUND-NSM

RaspberryPi 3 NSM based on Bro. Suitable for a home 'blackbox' deployment.

Requirements

General Preparation

  • critical stack:
    • get a critical stack account
    • set up a collection and a sensor
    • add feeds to your collection
    • note down sensor API key
  • note down parameters for email server

Prepare Pi

  • download Raspbian Lite and put onto micro SD card
  • create empty file ssh on boot file system of SD card
  • connect LAN cable to Pi (make sure DHCP works)
  • optionally: connect WD PiDrive to Pi
  • boot Pi, ssh into device
  • change password for user pi (passwd)
  • sudo to root (sudo su -) and use raspi-config to
    • set up WLAN (Network Options)
    • expand filesystem (Advanced Options)
    • exit, don't reboot yet
  • check if you can ssh into Pi using the WLAN IP of the Pi
  • optionally: prepare PiDrive (see Hints below)
  • reboot (reboot)
  • detach LAN cable

Install Foxhound

  • ssh into Pi using WLAN IP
  • update base OS:
    sudo su -
    apt-get update
    apt-get -y -u dist-upgrade
  • install git: apt-get -y install git
  • change into root's home directory: cd
  • clone repository: git clone https://github.com/sneakymonk3y/foxhound-nsm.git (as long as the pull request hasn't been accepted by the maintainer, please use my repo: git clone https://github.com/gebhard73/foxhound-nsm.git)
  • prepare installation:
    cd foxhound-nsm
    chmod +x foxhound.sh
  • optionally: copy unattended-sample.txt to unattended.txt and adapt it to your needs
  • begin installation: ./foxhound.sh
  • shut down device: shutdown -h now

Start Sniffing

  • configure switch (set up port mirroring)
  • plug switch into your home LAN on a suitable spot
  • connect switch mirror port with Pi
  • power up Pi and see if it works as expected (see e.g. Further Reading below)

Hints

  • the script isn't meant to be run multiple times on one installation (yet), so to get reliable results you should use a fresh OS SD card (and erase /nsm if using PiDrive) when re-running the script
  • use cheap micro SD card for OS, e.g. 8 GB ones (get multiple and have one ready with current Raspbian distro)
  • use separate file system for /nsm, e.g. Western Digital PiDrive Foundation Edition
    • delete existing partitions
    • create primary partition and label it, e.g. NSM
    • format with ext4, e.g. mkfs.ext4 /dev/sda1
    • mount into /nsm, e.g. add LABEL=NSM /nsm ext4 defaults 0 0 to /etc/fstab and mkdir /nsm && mount /nsm
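
A preflight check for the /nsm layout from the hints above, to run before ./foxhound.sh. This is an added example and not part of the foxhound-nsm repository; the function names are hypothetical and the sample fstab and mounts data are constructed. It catches the case where the fstab entry exists but the drive is not mounted, so data written to /nsm would land on the SD card.

```shell
#!/bin/sh
# Added example, not part of foxhound-nsm. Function names are hypothetical.

# fstab_has_nsm FILE: true if FILE has an active (uncommented) ext4 entry for /nsm.
fstab_has_nsm() {
    awk '$1 !~ /^#/ && $2 == "/nsm" && $3 == "ext4" { ok = 1 }
         END { exit(ok ? 0 : 1) }' "$1"
}

# mount_source MOUNTS DIR: print the device mounted on DIR (last match wins,
# as with stacked mounts); fail if DIR is not a mount point.
mount_source() {
    awk -v dir="$2" '$2 == dir { dev = $1 }
         END { if (dev == "") exit 1; print dev }' "$1"
}

# nsm_preflight FSTAB MOUNTS: print the device backing /nsm and return 0 when
# the layout matches the hints. Returns 1 if fstab has no entry, 2 if /nsm is
# not mounted (it would then be a plain directory on the SD card).
nsm_preflight() {
    fstab_has_nsm "$1" || { echo "no active ext4 entry for /nsm in $1" >&2; return 1; }
    dev=$(mount_source "$2" /nsm) || { echo "/nsm is not mounted" >&2; return 2; }
    echo "$dev"
}

# Constructed sample input; on the Pi pass /etc/fstab and /proc/mounts instead.
demo=$(mktemp -d)
cat > "$demo/fstab" <<'EOF'
proc            /proc  proc  defaults          0 0
/dev/mmcblk0p2  /      ext4  defaults,noatime  0 1
LABEL=NSM       /nsm   ext4  defaults          0 0
EOF
cat > "$demo/mounts.ok" <<'EOF'
/dev/root / ext4 rw,noatime 0 0
/dev/sda1 /nsm ext4 rw,relatime 0 0
EOF
# Same mount table with the /nsm line dropped: the drive was never mounted.
grep -v ' /nsm ' "$demo/mounts.ok" > "$demo/mounts.missing"

nsm_preflight "$demo/fstab" "$demo/mounts.ok"          # prints /dev/sda1
nsm_preflight "$demo/fstab" "$demo/mounts.missing" || echo "preflight failed: $?"
```

On the Pi itself the call is nsm_preflight /etc/fstab /proc/mounts, run as root after the mount step.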

To Do

  • adapt script so it can be run multiple times in a row without creating strange side effects
  • add logging and error handling to script

Further Reading