├── nic.sh
├── unattended-sample.txt
├── .gitattributes
├── cleanup.sh
├── README.md
└── foxhound.sh


/nic.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | for i in rx tx gso gro; do ethtool -K eth0 $i off; done;
3 | ifconfig eth0 promisc
4 | ifconfig eth0 mtu 9000
5 | exit 0


--------------------------------------------------------------------------------
/unattended-sample.txt:
--------------------------------------------------------------------------------
1 | api=""
2 | smtp_server=""
3 | smtp_server_port=
4 | smtp_user=""
5 | smtp_pass=""
6 | notification=""
7 | ntp_server=""
8 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | 
 7 | # Standard to msysgit
 8 | *.doc	 diff=astextplain
 9 | *.DOC	 diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot  diff=astextplain
13 | *.DOT  diff=astextplain
14 | *.pdf  diff=astextplain
15 | *.PDF	 diff=astextplain
16 | *.rtf	 diff=astextplain
17 | *.RTF	 diff=astextplain
18 | 


--------------------------------------------------------------------------------
/cleanup.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | FS='/nsm/pcap'
 4 | FREE=1000000
 5 | 
 6 | checkdf() {
 7 |   local used
 8 |   used=`df -k ${FS} | tail -1 | awk '{ print $4 }'`
 9 |   if [ ${used} -ge ${FREE} ]; then
10 |     exit 0
11 |   fi
12 | }
13 | 
14 | checkdf
15 | 
16 | cd /nsm/
17 | for f in `find /nsm/pcap/ -type f \( -name '*.pcap' \) -exec basename {} \; | sort -n -t\. -k3`; do
18 |   echo "  deleting " `ls -lash /nsm/pcap/${f}`
19 |   rm -f /nsm/pcap/${f}
20 |   checkdf
21 | done
22 | exit 0


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # FOXHOUND-NSM
 2 | 
 3 | RaspberryPi 3 NSM based on [Bro](https://www.bro.org). Suitable for a home 'blackbox' deployment.
 4 | 
 5 | ## Requirements
 6 | * [Raspberry Pi 3](https://thepihut.com/products/raspberry-pi-3-model-b) or ARM based system.
 7 | * [Raspbian Lite](https://www.raspberrypi.org/downloads/raspbian/)
 8 | * Switch with port mirroring capability, e.g:
 9 |   * [NetGear GS105Ev2](https://www.amazon.co.uk/dp/B002YPJ8KM)
10 |   * [MicroTik RouterBoard 260GS](https://www.amazon.com/dp/B00GAZ2HHS)
11 |   * [Security Onion's Device List](https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware#packets)
12 | * [Critical Stack Account](https://intel.criticalstack.com/user/sign_up)
13 | * optional: [Mailgun Account](http://www.mailgun.com/)
14 | * optional: [WD PiDrive Foundation Edition](http://wdlabs.wd.com/category/wd-pidrive/)
15 | 
16 | ## General Preparation
17 | * critical stack:
18 |   * get a critical [stack account](https://intel.criticalstack.com/user/sign_up)
19 |   * set up a collection and a sensor
20 |   * add feeds to your collection
21 |   * note down sensor API key
22 | * not down parameters for email server
23 | 
24 | ## Prepare Pi
25 | * download [Raspian Lite](https://www.raspberrypi.org/downloads/raspbian/) and [put onto micro SD card](https://www.raspberrypi.org/documentation/installation/installing-images/README.md)
26 | * create empty file `ssh` on boot file system of SD card
27 | * connect LAN cable to Pi (make sure DHCP works)
28 | * optionally: connect WD PiDrive to Pi
29 | * boot Pi, ssh into devivce
30 | * change password for user pi (`passwd`)
31 | * sudo to root (`sudo su -`) and use `raspi-config` to
32 |   * set up WLAN (Network Options)
33 |   * expand filesystem (Advanced Options)
34 |   * exit, don't reboot yet
35 | * check if you can ssh into Pi using the WLAN IP of the Pi
36 | * optionally: prepare PiDrice ([see Hints below](#hints))
37 | * reboot (`reboot`)
38 | * detach LAN cable
39 | 
40 | ## Install Foxhound
41 | * ssh into Pi using WLAN IP
42 | * update base OS:
43 | ```
44 | sudo su -
45 | apt-get update
46 | apt-get -y -u dist-upgrade
47 | ```
48 | * install git: `apt-get -y install git`
49 | * change into root's home directory: `cd`
50 | * clone repository: `git clone https://github.com/sneakymonk3y/foxhound-nsm.git`
51 |  (as long as the pull request hasn't been accepted by the maintainer pls use my repo: `git clone https://github.com/gebhard73/foxhound-nsm.git`
52 | * prepare installation:
53 | ```
54 | cd foxhound-nsm
55 | chmod +x foxhound.sh
56 | ```
57 | * optionally: copy unattended-sample.txt to unattended.txt and adopt to your needs
58 | * begin installation: `./foxhound.sh`
59 | * shuwdon device: `shutdown -h now`
60 | 
61 | ## Start Sniffing
62 | * configure switch (set up port mirroring)
63 | * plug switch into your home LAN on a suitable spot
64 | * connect switch mirror port with Pi
65 | * power up Pi and see if it works as expected ([see e.g. Further Reading below](#further-reading))
66 | 
67 | ## Hints
68 | * the script isn't meant to be run multiple times on one installation (yet), so to get reliable results you should use a fresh OS SD card (and erase `/nsm` if using PiDrive) when re-running the script
69 | * use cheap micro SD card for OS, e.g. 8 GB ones (get multiple and have one ready with current Raspbian distro)
70 | * use separate file systeem for `/nsm`, e.g. [Western Digital PiDrive Foundation Edition](http://wdlabs.wd.com/category/wd-pidrive/)
71 |   * delete existing partitions
72 |   * create primary partition and label it, e.g. `NSM`
73 |   * format with ext4, e.g. `mkfs.ext4 /dev/sda1`
74 |   * mount into `/nsm`, e.g. add `LABEL=NSM /nsm ext4 defaults 0 0` to `/etc/fstab` and `mkdir /nsm && mount /nsm`
75 | 
76 | ## To Do
77 | * adopt script so it can be run multiple times in a row without creating strange side effects
78 | * add logging and error handling to script
79 | 
80 | ## Further Reading
81 | * [Foxhound: Blackbox - A RaspberryPi 3 NSM (Network Security Monitor) based on Bro, Netsniff-NG, Loki and Critical Stack.](https://www.sneakymonkey.net/2016/10/30/raspberrypi-nsm/)
82 | 


--------------------------------------------------------------------------------
/foxhound.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | _scriptDir="$(dirname `readlink -f $0`)"
  3 | 
  4 | export DEBIAN_FRONTEND=noninteractive
  5 | 
  6 | if [ "$EUID" -ne 0 ]
  7 |   then echo "Please run as root"
  8 |   exit 1
  9 | fi
 10 | 
 11 | function Info {
 12 |   echo -e -n '\e[7m'
 13 |   echo "$@"
 14 |   echo -e -n '\e[0m'
 15 | }
 16 | 
 17 | function Error {
 18 |   echo -e -n '\e[41m'
 19 |   echo "$@"
 20 |   echo -e -n '\e[0m'
 21 | }
 22 | 
 23 | echo ""
 24 | echo "eth0 will be configured for sniffing. Make sure"
 25 | echo "you have configured another interface for accessing"
 26 | echo "this device before rebooting. Please hit Enter."
 27 | read lala
 28 | 
 29 | if [ -e /run/sshwarn ] ; then
 30 | 	echo "sshd is running and default password for user pi active during last login."
 31 | 	echo "Seriously? Please fix. Thanks."
 32 | 	exit 1
 33 | fi
 34 | 
 35 | if [ -r unattended.txt ] ; then
 36 | 	. unattended.txt
 37 | else
 38 | 
 39 |    echo "Please enter your Critical Stack API Key (senso): "
 40 |    read api
 41 |    echo "Please enter your SMTP server"
 42 |    read smtp_server
 43 |    echo "Please enter your SMTP server port"
 44 |    read smtp_server_port
 45 |    echo "Please enter your SMTP user (FROM user)"
 46 |    read smtp_user
 47 |    echo "Please enter your SMTP password"
 48 |    read smtp_pass
 49 |    echo "Please enter your notification email (TO user)"
 50 |    read notification
 51 |    echo "Please enter your ntp server (leave blank for defaults)"
 52 |    read ntp_server
 53 | fi
 54 | 
 55 | if [ "${api}" == "" ] ; then
 56 | 	Error "Missing api key. Exiting."
 57 | 	exit 1
 58 | fi
 59 | 
 60 | 
 61 | Info  "Creating directories"
 62 | mkdir -p /nsm
 63 | mkdir -p /nsm/pcap/
 64 | mkdir -p /nsm/scripts/
 65 | mkdir -p /nsm/bro/
 66 | mkdir -p /nsm/bro/logs
 67 | mkdir -p /nsm/bro/extracted/
 68 | if [ ! -d /opt/ ]; then
 69 | 	mkdir -p /opt/
 70 | fi
 71 | ln -s /nsm/bro/logs /var/log/bro
 72 | 
 73 | 
 74 | function install_packages()
 75 | {
 76 | Info "Installing Required .debs"
 77 | apt-get update && apt-get -y install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev ssmtp htop vim libgeoip-dev ethtool git tshark tcpdump nmap mailutils python-pip autoconf libtool pkg-config libnacl-dev libncurses5-dev libnet1-dev libcli-dev libnetfilter-conntrack-dev liburcu-dev
 78 | 
 79 | 	if [ $? -ne 0 ]; then
 80 | 		Error "Error. Please check that apt-get can install needed packages."
 81 | 		exit 2;
 82 | 	fi
 83 | } 
 84 | 
 85 | function install_geoip()
 86 | {
 87 | Info "Installing GEO-IP"
 88 | 	wget  http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz 
 89 | 	wget  http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz 
 90 | 	gunzip GeoLiteCity.dat.gz 
 91 | 	gunzip GeoLiteCityv6.dat.gz 
 92 | 	mv GeoLiteCity* /usr/share/GeoIP/
 93 | 	ln -s /usr/share/GeoIP/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
 94 | 	ln -s /usr/share/GeoIP/GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat 
 95 | } 
 96 | 
 97 | function config_net_ipv6()
 98 | {
 99 | Info "Disabling IPv6"
100 | 	if [ `grep 'net.ipv6.conf.all.disable_ipv6 = 1' /etc/sysctl.conf | wc -l` -eq 0 ] ; then
101 | 		echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
102 | 	fi
103 | 	if [ `grep 'ipv6.disable_ipv6=1' /boot/cmdline.txt | wc -l` -eq 0 ] ; then
104 | 		sed -i '1 s/$/ ipv6.disable_ipv6=1/' /boot/cmdline.txt
105 | 	fi
106 | 	sysctl -p
107 | } 
108 | 
109 | function config_net_opts()
110 | {
111 | Info "Configuring network options"
112 | 	cd $_scriptDir
113 | 	cp nic.sh /etc/network/if-up.d/interface-tuneup
114 | 	chmod +x /etc/network/if-up.d/interface-tuneup
115 | 	ifconfig eth0 down && ifconfig eth0 up
116 | } 
117 | 
118 | function config_eth0()
119 | {
120 | Info "Configuring eth0"
121 | cat >> /etc/dhcpcd.conf <<EOF 
122 | 
123 | # foxhound for promiscuous mode
124 | static
125 | interface eth0
126 | static ip_address=0.0.0.0
127 | EOF
128 | 
129 | }
130 | 
131 | function install_netsniff() 
132 | {
133 | Info "Installing Netsniff-NG PCAP"
134 | 	touch /etc/netsniff
135 | 	apt-get -y install netsniff-ng
136 | 	cd $_scriptDir
137 | 	cp cleanup.sh /nsm/scripts/cleanup
138 | 	chmod +x /nsm/scripts/cleanup
139 | } 
140 | 
141 | function create_service_netsniff() 
142 | {
143 | Info "Creating Netsniff-NG service"
144 | echo "[Unit]
145 | Description=Netsniff-NG PCAP
146 | After=network.target
147 | 
148 | [Service]
149 | ExecStart=/usr/sbin/netsniff-ng --in eth0 --out /nsm/pcap/ --bind-cpu 3 -s --interval 100MiB
150 | Type=simple
151 | EnvironmentFile=-/etc/netsniff
152 | 
153 | [Install]
154 | WantedBy=multi-user.target" > /etc/systemd/system/netsniff-ng.service
155 | 	systemctl enable netsniff-ng
156 | 	systemctl daemon-reload
157 | 	service netsniff-ng start
158 | } 
159 |  
160 | function config_ssmtp() 
161 | {
162 | Info "Configuring SSMTP"
163 | dom=`echo ${notification} | cut -d "@" -f 2`
164 | echo "
165 | # Debug=YES
166 | root=$notification
167 | mailhub=$smtp_server:$smtp_server_port
168 | rewriteDomain=$dom
169 | hostname=foxhound
170 | FromLineOverride=YES
171 | UseTLS=Yes
172 | UseSTARTTLS=No
173 | AuthUser=$smtp_user
174 | AuthPass=$smtp_pass" \ > /etc/ssmtp/ssmtp.conf
175 | }
176 | 
177 | function config_ntp()
178 | {
179 | if [ "${ntp_server}" == "" ]; then
180 | 	Info "No ntp server set, skipping."
181 | else
182 | 	Info "Configuring NTP"
183 | 	sed -i.bak 's/^pool /# pool /' /etc/ntp.conf
184 | 	sed -i 's/^server /# server /' /etc/ntp.conf
185 | 	echo "## added by foxhound:"  >> /etc/ntp.conf
186 | 	echo "server $ntp_server" >> /etc/ntp.conf
187 | fi
188 | }
189 | 
190 | 
191 | function install_loki() 
192 | {
193 | Info "Installing YARA packages"
194 | 	# Info "Installing Pylzma"
195 | 	#	cd /opt/
196 | 	#	wget  https://pypi.python.org/packages/fe/33/9fa773d6f2f11d95f24e590190220e23badfea3725ed71d78908fbfd4a14/pylzma-0.4.8.tar.gz 
197 | 	#	tar -zxvf pylzma-0.4.8.tar.gz
198 | 	#	cd pylzma-0.4.8/
199 | 	#	python ez_setup.py 
200 | 	#	python setup.py 
201 | 	# Info "Installing YARA"
202 | 		# git clone  https://github.com/VirusTotal/yara.git /opt/yara
203 | 		# cd /opt/yara
204 | 		# ./bootstrap.sh 
205 | 		# ./configure 
206 | 		# make && make install 
207 | 	Info "Installing PIP LOKI Packages"
208 | 		pip install psutil
209 | 		pip install yara-python
210 | 		pip install gitpython
211 | 		pip install pylzma
212 | 		pip install netaddr
213 | 	Info "Installing LOKI"
214 | 		git clone  https://github.com/Neo23x0/Loki.git /nsm/Loki
215 | 		git clone  https://github.com/Neo23x0/signature-base.git /nsm/Loki/signature-base/ 
216 | 		echo "export PATH=/nsm/Loki:$PATH" >> /etc/profile
217 | 		chmod +x /nsm/Loki/loki.py
218 | 		echo "export PYTHONPATH=$PYTHONPATH:/nsm/Loki" >> /etc/profile		
219 | echo "
220 | #!/bin/sh
221 | /usr/bin/python /nsm/Loki/loki.py --noprocscan --dontwait --onlyrelevant -p /nsm/bro/extracted -l /nsm/Loki/log
222 | " \ > /nsm/scripts/scan
223 | chmod +x /nsm/scripts/scan
224 | }
225 | 
226 | function install_bro() 
227 | {
228 | Info "Installing Bro"
229 | 	apt-get -y install bro broctl bro-common bro-aux 
230 | 	# cd /opt/
231 | 		# wget  https://www.bro.org/downloads/release/bro-2.4.1.tar.gz 
232 | 		# wget  https://www.bro.org/downloads/bro-2.5.2.tar.gz
233 | 		# tar -xzf bro-2.5.2.tar.gz
234 | 	# cd bro-2.5.2 
235 | 		# ./configure --localstatedir=/nsm/bro/
236 | 		# make -j 4 
237 | 		# make install 
238 | 	# Info "Setting Bro variables"
239 | 	# echo "export PATH=/usr/local/bro/bin:$PATH" >> /etc/profile
240 | 	# source ~/.bashrc
241 | }
242 | 
243 | function install_criticalstack() 
244 | {
245 | Info "Installing Critical Stack Agent"
246 | 	wget  --no-check-certificate https://intel.criticalstack.com/client/critical-stack-intel-arm.deb
247 | 	dpkg -i critical-stack-intel-arm.deb
248 | 		chown critical-stack:critical-stack /usr/share/bro/site/local.bro
249 | 		sudo -u critical-stack critical-stack-intel config --set bro.path=/usr/bin/bro
250 | 		sudo -u critical-stack critical-stack-intel config --set bro.include.path=/usr/share/bro/site/local.bro
251 | 		sudo -u critical-stack critical-stack-intel config --set bro.broctl.path=/usr/bin/broctl
252 | 		sudo -u critical-stack critical-stack-intel api $api 
253 | 		sudo -u critical-stack critical-stack-intel list
254 | 		sudo -u critical-stack critical-stack-intel pull
255 | 		#Deploy and start BroIDS
256 | 		export PATH="/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/bro/bin:\$PATH"
257 | 	echo "Deploying and starting BroIDS"
258 | 		broctl deploy
259 | 		broctl cron enable
260 | 		#Create update script
261 | echo "
262 | echo \"#### Pulling feed update ####\"
263 | sudo -u critical-stack critical-stack-intel pull
264 | echo \"#### Applying the updates to the bro config ####\"
265 | broctl check
266 | broctl install
267 | echo \"#### Restarting bro ####\"
268 | broctl restart
269 | cd /nsm/Loki/
270 | python ./loki.py --update
271 | " \ > /nsm/scripts/update
272 | 		sudo chmod +x /nsm/scripts/update
273 | }
274 | 
275 | function install_bro_reporting() 
276 | {
277 | Info "Bro Reporting Requirements"
278 | 	pip install colorama
279 | #PYSUBNETREE
280 | 	pip install pysubnettree
281 | #IPSUMDUMP
282 | 	cd /opt/
283 | 	wget http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz 
284 | 	tar -zxvf ipsumdump-1.85.tar.gz
285 | 	cd ipsumdump-1.85/
286 | 	./configure && make && make install 
287 | }
288 | 
289 | function config_bro_scripts() 
290 | {
291 | Info "Configuring BRO scripts"
292 | 	#PULL BRO SCRIPTS
293 | 	cd /usr/share/bro/site/
294 | 	if [ -d /usr/share/bro/site/bro-scripts/ ]; then
295 | 		rm -rf /usr/share/bro/site/bro-scripts/
296 | 	fi
297 | 	mkdir -p /usr/share/bro/site/bro-scripts
298 | 	git clone https://github.com/sneakymonk3y/bro-scripts.git 
299 | 	echo "@load bro-scripts/geoip"  >> /usr/share/bro/site/local.bro
300 | 	echo "@load bro-scripts/extract"  >> /usr/share/bro/site/local.bro
301 | 	sed -i.bak 's/^MailTo/# MailTo/' /etc/bro/broctl.cfg
302 | 	sed -i 's/^MailFrom/# MailFrom/' /etc/bro/broctl.cfg
303 | 	sed -i "s/^# Mail Options/# Mail Options\n\nMailTo = $notification\nMailFrom = $smtp_user\n\n/" /etc/bro/broctl.cfg
304 | 	broctl deploy
305 | }
306 | 
307 | 
308 | install_geoip
309 | install_packages
310 | config_net_ipv6
311 | config_net_opts
312 | config_eth0
313 | install_netsniff
314 | create_service_netsniff
315 | config_ssmtp
316 | config_ntp
317 | install_loki
318 | install_bro
319 | install_criticalstack
320 | install_bro_reporting
321 | config_bro_scripts
322 | 
323 | #CRON JOBS
324 | echo "0,5,10,15,20,25,35,40,45,50,55 * * * * root /usr/bin/broctl cron" >> /etc/crontab
325 | echo "*/5 * * * * root /nsm/scripts/cleanup" >> /etc/crontab
326 | echo "30 * * * *  root /nsm/scripts/update" >> /etc/crontab
327 | #echo "*/5 * * * * root python /nsm/scripts/scan" >> /etc/crontab 
328 | 
329 | echo "
330 |     ______           __  __                      __
331 |    / ____/___  _  __/ / / /___  __  ______  ____/ /
332 |   / /_  / __ \| |/_/ /_/ / __ \/ / / / __ \/ __  / 
333 |  / __/ / /_/ />  </ __  / /_/ / /_/ / / / / /_/ /  
334 | /_/    \____/_/|_/_/ /_/\____/\__,_/_/ /_/\__,_/   
335 | -  B     L     A     C     K     B     O     X  -
336 | 
337 | " \ > /etc/motd                                                                 
338 | echo "foxhound" > /etc/hostname
339 | echo "127.0.0.1		foxhound" >> /etc/hosts
340 | echo ""
341 | echo "If you get problems receiving mails from your foxhound you may have"
342 | echo "a look at the following files:"
343 | echo "/etc/ssmtp/ssmtp.conf"
344 | echo "/etc/bro/broctl.cfg"
345 | Info "Please reboot"
346 | 


--------------------------------------------------------------------------------