ROCKnsm to monitor (4) laptops traffic

Getting Started
#1

Hyyy, a team of noobs here :stuck_out_tongue: this will be our first deployment of any Security tool!! we are L1 SOC and just getting started with rock…

So, our NOC doesn’t allow us any taps or span ports and we have to monitor traffic of our laptops until the project get approved.

We have VMsphere client which have 4 cores, 16 gb ram , 1 tb hard and unfortunately only one NIC… but we will get another one soon :smiley: We want to know ways in which i can monitor traffic of four laptops using rock !!

Really appreciate your help, thanks :))

#2

The other team is deploying Security onion, so its a kind of race b/w us and them or to be precise b/w Rock and Onion. The one with good results will get adapted. :stuck_out_tongue:

#3

Hey Aqeel, thanks for the question.

So, maybe you could explain the setup a bit more? If you don’t have a tap or span, how are you planning on getting data to the sensor (ROCK)?

#4

thats exactly what i want to know :stuck_out_tongue:
I had this idea: maybe we can somehow configure rock like SNMP !!! the way snmp agent collect logs and snmp manager manages them, if we can do the same with trafic it would be great…

I had another idea: IF our NOC be generous enough to put us in a vlan and we can span port to that vlan but that depends on the NOC :stuck_out_tongue:

SETUP: We have been allocated vm inside vsphere client
image

#5

hyy, @andy if I add a static route in my pc and configure that ip as sensor in rock , will it do the magic :smiley: ? :stuck_out_tongue:

#6

Hey @Aqeel, there is deployment logic that ensures there are at least two interfaces (one for management and one for collection). This is done for a couple of really important reasons learned from years of building, deploying, maintaining, and hunting with network sensors:

  1. Your collection interface should always be behind a passive tap or another one-way network interface so that you in no way interfere with the target network; and
  2. When an attacker identifies certain key infrastructure, they attack it. Email systems, trust relationships, domain services, logging systems, credential vaults, email, etc. NSM and endpoint security (AV, EDR, XDR, etc) are no different - you are the target. If your collection interface has an IP address, it can be targeted by attackers which is a really really bad place to be (launch denial of service, attempt to access the sensor and manipulate data, etc.) when you are relying on NSM to be “ground truth”.

This is a major architectural difference between ROCK and SO. Obviously, we have our preference, that’s not to say that SO is wrong, just we have a different approach to defending the sensor.

#7

Thanks for the explaining, we deployed ROCK with 2 NIC’s, got the pretty rock banner at the end and kibana is available on management ip with pretty web ui, BUT its empty, it shows no logs, we are currently working on how to do that !!!

#8

Thanks for the update, glad you’re making progress.

Try to run rockctl status. Are all your services up?

Run sudo tcpdump -i {your-capture-interface}, is it seeing traffic?

#9 
Kafka

Active: failed (Result: exit-code) since Tue 2021-01-12 12:08:34 UTC; 17h ag
All other services are running.
Yes it is showing traffic. !!

#10

Thanks.

Have you tried sudo systemctl restart Kafka?

#11

yes, its working now, but still no logs on kibana web view, busy with some other things, will dig deeper at Friday night !

#12

Try this too…need to get this into a troubleshooting section…

Checking Kafka

On the sensors

rockctl status
kafkacat -b localhost:9092 -t bro-raw

You should see Kafka running and kafkacat dumping to STDOUT. If not, try restarting Kafka w/ sudo systemctl restart kafka .

  • Run sudo /opt/kafka/bin/kafka-console-consumer.sh --from-beginning --topic bro-raw --bootstrap-server {sensor-hostname}:9092 and ensure Kafka is creating topics
  • From a sensor, run sudo kafkacat -b localhost:9092 -t bro-raw to make sure data is flowing
#13

So, here is the update : we are getting logs in zeek and can see them in /data/zeek/logs by date and current.
but still no logs in Kibana web view :confused:
AND we got this error so many time =>>
Error: failed to write file: [Errno 28] No space left on device: ‘/data/zeek/spool/.zeekctl-config.sh.tmp’
Error: cannot acquire lock: [Errno 28] No space left on device: ‘/data/zeek/spool/lock.2334’

fixed it by giving more space !
plus we cant access zeekctl-config.sh.tmp file !!! is it okay if i find and delete it, since its tmp file !!

Thanks :))

#14

Hyy, i have figured it out. i had to reinstall and gave more space to /data as mentioned in the guide and everything works now except “Suricata” :confused: it aint showing anything on the graph in the welcome tab on Kibana, upon inspecting underlying data it shows logs (containing service, observer, event, source and agent.id ) but nothings on the graph and these log aint helpful or am i missing something here
@andy thank you for the support mate :wink:

#15

hyy, anybody looking for how to; here’s a mini guide for you :wink:

  • nano /etc/sysconfig/network-scripts/ifcfg-ens32 set your ip netmaska and gateway here.
    repeat that for the other interface

  • nano /etc/resolv.conf write nameserver 8.8.8.8 nameserver 8.8.4.4

  • nano /etc/elasticsearch/jvm.options and comment out the following 3 lines
    XX: +UseConcMarkSweepGC
    XX:CMSInitiatingOccupancyFraction=75
    XX: +UseCMSInitiatingOccupancyOnly

  • nano /usr/share/rock/roles/elasticsearch/templates/es-jvm.options.j2 comment the lines mentioned above

  • sudo rock deploy, just follow the steps here, chose sensor and mgmt. ip here, chose to deploy online, chose components, write configuration and you are good to go :wink:

Have fun.