Latest Updates

We've been hard at work improving ROCK and a lot has changed since we released the initial Chef build.

Overview

First and foremost, the build now uses Ansible for the automation. Most packages are updated to the latest greatest, and we've swapped in Suricata and the default signature IDS over Snort. From a usage standpoint, one of the more significant upgrades is the work we've put into Kibana. The data model is slightly different to the advantage of the analyst.

ISO Install

We now have an ISO that contains everything you need to deploy! The ISO is merely a snapshot of packages available at the time and latest snapshot of various Git repositories.

Full Packet Capture

Google Stenographer is installed and configured in this build. However, it is disabled by default. There are a few reasons for this:

  • it can be a bit too much for builds on meager hardware.
  • you need to make sure you've mounted /data over sufficient storage before you start saving full pcap.

Once you're ready to get nuts, enable and start the service:

systemctl enable stenographer.service
systemctl start stenographer.service

Stenographer is already stubbed into the /usr/local/bin/rock_{start,stop,status} scripts, so just uncomment it if you're going to use it.

Component Updates

Some of the biggest changes with ROCK 2.0 are upgrading all the software to the latest versions. Here's a list.

Software Version Notes
CentOS 7.3 (1611)
Bro 2.5 Plugins for kafka output and af_packet capture
Suricata 3.1.3 This is now the default signature-based IDS
Snort 2.9.8.3 This is now an optional replacement for suricata
Stenographer Git 12106b
Kafka 0.10.0.0
Elasticsearch 5.1.1
Logstash 5.1.1
Kibana 5.1.1
Ansible 2.2.0.0

Ansible

On top of software updates, we've chosen to use Ansible as the primary deployment mechanism. We did this for a few reasons:

  • it's lightweight
  • doesn't require an agent
  • available in EPEL
  • easy to understand

We're ultimately goal is to make this platform more approachable to a wider community and better suitable to offline or isolated install environments, which we've encountered frequently for sensor networks.

results matching ""

    No results matching ""