FOXHOUND-NSM

RaspberryPi 3 NSM based on Bro. Suitable for a home 'blackbox' deployment.

Requirements

• Raspberry Pi 3 or ARM based system.
  • I have not been able to get the Gigabit NIC on the Raspberry Pi 3 B+ to work in PROMISC mode.
• Raspbian Lite
• Switch with port mirroring capability, e.g:
  • NetGear GS105Ev2
  • MicroTik RouterBoard 260GS
  • Security Onion's Device List
• Critical Stack Account
• optional: Mailgun Account
• optional: WD PiDrive Foundation Edition

General Preparation

• critical stack:
  • get a critical stack account
  • set up a collection and a sensor
  • add feeds to your collection
  • note sensor API key
• note parameters for email server

Prepare Pi

• download Raspian Lite and put onto micro SD card
• create empty file ssh on boot file system of SD card
• connect LAN cable to Pi (make sure DHCP works)
• optionally: connect WD PiDrive to Pi
• boot Pi, ssh into device
• change password for user pi (passwd)
• sudo to root (sudo su -) and use raspi-config to
  • set up Wifi (Network Options)
  • expand filesystem (Advanced Options)
  • exit, don't reboot yet
• check if you can ssh into Pi using the Wifi IP of the Pi
• optionally: prepare PiDrive (see Hints below)
• reboot (reboot)
• detach LAN cable

Install Foxhound

• ssh into Pi using WLAN IP
• update base OS:

sudo su -
apt-get update
apt-get -y -u dist-upgrade

• install git: apt-get -y install git
• change into root's home directory: cd
• clone repository: git clone https://github.com/dgriswo/foxhound-nsm.git
• prepare installation:

cd foxhound-nsm
chmod +x foxhound.sh

• optionally: copy unattended-sample.txt to unattended.txt and adopt to your needs
• begin installation: ./foxhound.sh
• shutdown device: shutdown -h now

Start Sniffing

• configure switch (set up port mirroring)
• plug switch into your home LAN on a suitable spot
• connect switch mirror port with Pi
• power up Pi and see if it works as expected (see e.g. Further Reading below)

Hints

• the script isn't meant to be run multiple times on one installation (yet), so to get reliable results you should use a fresh OS SD card (and erase /nsm if using PiDrive) when re-running the script
• use cheap micro SD card for OS, e.g. 8 GB ones (get multiple and have one ready with current Raspbian distro)
• use separate file systeem for /nsm, e.g. Western Digital PiDrive Foundation Edition
  • delete existing partitions
  • create primary partition and label it, e.g. NSM
  • format with ext4, e.g. mkfs.ext4 /dev/sda1
  • mount into /nsm, e.g. add LABEL=NSM /nsm ext4 defaults 0 0 to /etc/fstab and mkdir /nsm && mount /nsm

To Do

• adopt script so it can be run multiple times in a row without creating strange side effects
• add logging and error handling to script

Further Reading

• Foxhound: Blackbox - A RaspberryPi 3 NSM (Network Security Monitor) based on Bro, Netsniff-NG, Loki and Critical Stack.