Starting with RockNSM 2.4.2 Configuration

Hey folks,

So, I’m conducting research for one of my classes at the university, and I want to use RockNSM to analyze traffic, use it to collect logs from Suricata, and see what I can get out of it.

So, a bit of background:

  • I created a segregated VLAN for my research in which I’m using my desktop as my VMware Workstation server (running on a desktop with 8 cores, 32 GB of RAM, 2 NICs (as required), and about 500 GB for my VMs)
  • The secondary NIC, the monitoring sensor, is connected to my L3 switch, which is doing port mirroring
  • I’m using RockNSM as one of my VMs; I made sure to section off 8 GB of RAM for it and 256 GB of storage
  • I have a DNS and domain server set up; it has a hostname assigned for the machine

Now, to the brunt of my issue. I’m following the docs on the site, and I feel like the latest version of RockNSM isn’t doing what I think it should be doing.

For starters, when I use the sudo rock setup command, I go through the setup (delegating which NICs are which, setting a static IP for the management NIC, creating a hostname (which I did during the installation of the OS, but whatever, might as well make sure the configs have the hostname I want), doing an online installation (is that fine? I do have net access), selecting the components and enabled services, and writing the config).

What I’m noticing? The config.yml doesn’t seem to be updating, or at least not in a way that lets me understand whether it is or not. What I’m saying is, when I compare the notes on the docs site (link to the exact portion of the documentation) and what I’m reading in /etc/rocknsm/config.yml, the syntax is different. For example, I don’t see anything about hostnames, the monitor or management interface, or the FQDN; it looks totally different! This is after writing the config using rock setup.

I’m going to keep this topic open for a bit, because I already went through a setup a week ago, and I just couldn’t get my Filebeat working. But we’ll get to that here in a bit. Let’s start with the config.yml. Is this normal?

Hey Folks,

An update. So it seems that the sensor is working okay. I went through the installation and the web interface (Kibana) came up just fine. I suppose the config was updated accordingly and everything seems to be good.

I even followed the documentation to do a test on the sensor to detect packets and it works!

So, I suppose I only have one question left, which pertains to what I read on the docs here:

There is a bit on: You wish to use Bro, Suricata, Stenographer (disabled by default) and the whole data pipeline. (See with_* options)

Thanks if I can get a tip on where to look! I’m searching!

-David V

Figured this out.

For those curious:

  • Log into Kibana and expand the sidebar on the bottom (you can click on the lock next to Collapse after it expands)
  • Click on Management on the sidebar and then Saved Objects underneath the options for Kibana
  • Click on Suricata from the list of Saved Objects
  • On this dashboard, make sure to enable all filters by clicking on the cog on the dashboard (upper left, next to Add filter)
    • Select Enable All

Now, how do the with_* options play into that? Not really sure, but the “services” are listed as service-*, for example suricata-* or bro-*. Wild guess there, but that’s my assumption.

Opening a new ticket for another issue I’m having regarding Filebeat.
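A small sanity-check script for the two things this thread circles around: what `rock setup` actually wrote to /etc/rocknsm/config.yml (the with_* options the docs refer to) and whether the enabled pipeline pieces are alive, with Kibana index patterns named after the component (the suricata-* and bro-* patterns seen in Saved Objects above). This is an added example, not code from the thread or from the RockNSM project. The `with_<component>: True/False` key shape, the systemd unit names being equal to the component names, and Elasticsearch listening on localhost:9200 are assumptions; the embedded config.yml is constructed for the demo and stands in for the real file.

```shell
#!/bin/sh
# Added example (not from the thread or RockNSM): list which with_* pipeline
# components config.yml enables and, where the sensor tools exist, check the
# matching service and the Elasticsearch index pattern for the log producers.
#
# ASSUMPTIONS: keys look like "with_<component>: True"; the systemd unit is
# named after the component; log producers index into <component>-* (the
# thread saw suricata-* and bro-*); Elasticsearch answers on localhost:9200.

# Constructed sample, standing in for /etc/rocknsm/config.yml (not a real config).
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sample, not a real RockNSM config
rock_online_install: True
with_suricata: True
with_bro: True
with_stenographer: False
with_kibana: True
with_elasticsearch: True
with_filebeat: true
EOF

# Print one enabled component per line: "with_X: True" -> "X".
# Only with_* keys count; values true/yes in any case are treated as enabled.
enabled_with_options() {
    sed -n -E 's/^[[:space:]]*with_([A-Za-z0-9_]+)[[:space:]]*:[[:space:]]*([Tt][Rr][Uu][Ee]|[Yy][Ee][Ss])[[:space:]]*$/\1/p' "$1"
}

# Same for disabled components, so what the config leaves out is visible
# (the docs note Stenographer is disabled by default).
disabled_with_options() {
    sed -n -E 's/^[[:space:]]*with_([A-Za-z0-9_]+)[[:space:]]*:[[:space:]]*([Ff][Aa][Ll][Ss][Ee]|[Nn][Oo])[[:space:]]*$/\1/p' "$1"
}

# Index pattern expected in Kibana for a log-producing component; empty for
# components that do not write logs into Elasticsearch (assumed mapping).
log_index_pattern() {
    case "$1" in
        suricata|bro) printf '%s-*\n' "$1" ;;
        *) printf '\n' ;;
    esac
}

# Walk every enabled component: show unit state and, for log producers, the
# indices Elasticsearch reports. Degrades to "check: ..." hints when run off
# the sensor, where systemctl or curl may be missing.
check_sensor_pipeline() {
    enabled_with_options "$1" | while read -r comp; do
        printf '== %s (enabled) ==\n' "$comp"
        if command -v systemctl >/dev/null 2>&1; then
            systemctl is-active "$comp" 2>/dev/null \
                || printf 'unit %s not active or not present\n' "$comp"
        else
            printf 'check: systemctl is-active %s\n' "$comp"
        fi
        pattern="$(log_index_pattern "$comp")"
        [ -n "$pattern" ] || continue
        if command -v curl >/dev/null 2>&1; then
            curl -s --max-time 3 "http://localhost:9200/_cat/indices/$pattern" \
                || printf 'no answer from Elasticsearch for %s\n' "$pattern"
        else
            printf 'check: curl http://localhost:9200/_cat/indices/%s\n' "$pattern"
        fi
    done
    printf 'disabled: %s\n' "$(disabled_with_options "$1" | tr '\n' ' ')"
}

check_sensor_pipeline "$SAMPLE_CONFIG"
```

On the sensor, source the file and run `check_sensor_pipeline /etc/rocknsm/config.yml` instead of the constructed sample. If a component shows as enabled but its index pattern returns nothing, the data pipeline between that component and Elasticsearch (Filebeat/Logstash in this thread's case) is the place to look, not the Kibana dashboard.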