ROCKnsm to monitor (4) laptops traffic

Aqeel · January 8, 2021, 4:47pm

Hyyy, a team of noobs here this will be our first deployment of any Security tool!! we are L1 SOC and just getting started with rock…

So, our NOC doesn’t allow us any taps or span ports and we have to monitor traffic of our laptops until the project get approved.

We have VMsphere client which have 4 cores, 16 gb ram , 1 tb hard and unfortunately only one NIC… but we will get another one soon We want to know ways in which i can monitor traffic of four laptops using rock !!

Really appreciate your help, thanks :))

Aqeel · January 8, 2021, 4:50pm

The other team is deploying Security onion, so its a kind of race b/w us and them or to be precise b/w Rock and Onion. The one with good results will get adapted.

andy · January 8, 2021, 4:50pm

Hey Aqeel, thanks for the question.

So, maybe you could explain the setup a bit more? If you don’t have a tap or span, how are you planning on getting data to the sensor (ROCK)?

Aqeel · January 8, 2021, 5:03pm

thats exactly what i want to know
I had this idea: maybe we can somehow configure rock like SNMP !!! the way snmp agent collect logs and snmp manager manages them, if we can do the same with trafic it would be great…

I had another idea: IF our NOC be generous enough to put us in a vlan and we can span port to that vlan but that depends on the NOC

SETUP: We have been allocated vm inside vsphere client

Aqeel · January 11, 2021, 7:50am

hyy, @andy if I add a static route in my pc and configure that ip as sensor in rock , will it do the magic ?

andy · January 11, 2021, 4:00pm

Hey @Aqeel, there is deployment logic that ensures there are at least two interfaces (one for management and one for collection). This is done for a couple of really important reasons learned from years of building, deploying, maintaining, and hunting with network sensors:

Your collection interface should always be behind a passive tap or another one-way network interface so that you in no way interfere with the target network; and
When an attacker identifies certain key infrastructure, they attack it. Email systems, trust relationships, domain services, logging systems, credential vaults, email, etc. NSM and endpoint security (AV, EDR, XDR, etc) are no different - you are the target. If your collection interface has an IP address, it can be targeted by attackers which is a really really bad place to be (launch denial of service, attempt to access the sensor and manipulate data, etc.) when you are relying on NSM to be “ground truth”.

This is a major architectural difference between ROCK and SO. Obviously, we have our preference, that’s not to say that SO is wrong, just we have a different approach to defending the sensor.

Aqeel · January 12, 2021, 12:14pm

Thanks for the explaining, we deployed ROCK with 2 NIC’s, got the pretty rock banner at the end and kibana is available on management ip with pretty web ui, BUT its empty, it shows no logs, we are currently working on how to do that !!!

andy · January 12, 2021, 12:58pm

Thanks for the update, glad you’re making progress.

Try to run rockctl status. Are all your services up?

Run sudo tcpdump -i {your-capture-interface}, is it seeing traffic?

Aqeel · January 13, 2021, 5:58am

Kafka

Active: failed (Result: exit-code) since Tue 2021-01-12 12:08:34 UTC; 17h ag
All other services are running.
Yes it is showing traffic. !!

andy · January 13, 2021, 1:01pm

Thanks.

Have you tried sudo systemctl restart Kafka?

Aqeel · January 13, 2021, 1:04pm

yes, its working now, but still no logs on kibana web view, busy with some other things, will dig deeper at Friday night !

andy · January 13, 2021, 1:23pm

Try this too…need to get this into a troubleshooting section…

Checking Kafka

On the sensors

rockctl status
kafkacat -b localhost:9092 -t bro-raw

You should see Kafka running and kafkacat dumping to STDOUT. If not, try restarting Kafka w/ sudo systemctl restart kafka .

Run sudo /opt/kafka/bin/kafka-console-consumer.sh --from-beginning --topic bro-raw --bootstrap-server {sensor-hostname}:9092 and ensure Kafka is creating topics
From a sensor, run sudo kafkacat -b localhost:9092 -t bro-raw to make sure data is flowing

Aqeel · January 15, 2021, 1:53pm

So, here is the update : we are getting logs in zeek and can see them in /data/zeek/logs by date and current.
but still no logs in Kibana web view
AND we got this error so many time =>>
Error: failed to write file: [Errno 28] No space left on device: ‘/data/zeek/spool/.zeekctl-config.sh.tmp’
Error: cannot acquire lock: [Errno 28] No space left on device: ‘/data/zeek/spool/lock.2334’

fixed it by giving more space !
plus we cant access zeekctl-config.sh.tmp file !!! is it okay if i find and delete it, since its tmp file !!

Thanks :))