What exactly sets ROCK apart from the other products in the space?
ROBUST - we believe the folks at Red Hat do Linux right. ROCK is built on CentOS 7 and provides an easy path to a supported enterprise OS (RHEL).
SCALABLE - Whether you're tapping a SoHo network or a large enterprise, ROCK is designed with scale in mind.
Passive data acquisition via AF_PACKET, feeding systems for metadata (Bro), signature detection (Suricata or Snort), and full packet capture (Stenographer).
A messaging layer (Kafka and Logstash) that provides flexibility in scaling the platform to meet operational needs, as well as providing some degree of data reliability in transit.
Reliable data storage and indexing (Elasticsearch) to support rapid retrieval and analysis (Kibana) of the data.
Full Packet Capture via Google Stenographer
Protocol Analysis and Metadata via Bro
Recursive File Scanning via FSF (File Scanning Framework)
Output from Suricata and FSF is moved to the message queue via Filebeat
Message Queuing and Distribution via Apache Kafka
Message Transport via Logstash
Data Storage, Indexing, and Search via Elasticsearch
Data UI and Visualization via Kibana
Docket allows for quick pivoting to PCAP files (new for 2.1)
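To make the Filebeat step concrete, here is an added example of a Filebeat configuration that tails the Suricata EVE JSON log and the FSF scan log and ships each to its own Kafka topic. This is illustrative configuration written for this page, not ROCK's own shipped config; the FSF log path, the broker address and the topic names are assumptions.

```yaml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/suricata/eve.json     # Suricata EVE JSON output (default path)
    json.keys_under_root: true         # lift EVE fields to the top level
    json.add_error_key: true           # flag lines that fail to parse instead of dropping them
    fields:
      source_type: suricata
    fields_under_root: true
  - type: log
    paths:
      - /var/log/fsf/scan_output.log   # assumed FSF scan output path
    fields:
      source_type: fsf
    fields_under_root: true

output.kafka:
  hosts: ["localhost:9092"]            # assumed Kafka broker address
  # route each input to its own topic so downstream Logstash pipelines
  # can consume, parse and index them independently
  topics:
    - topic: "suricata-raw"            # assumed topic name
      when.equals:
        source_type: "suricata"
    - topic: "fsf-raw"                 # assumed topic name
      when.equals:
        source_type: "fsf"
  required_acks: 1                     # wait for the leader to acknowledge each batch
  compression: gzip
```

Routing by `source_type` keeps Suricata alerts and FSF scan results on separate topics, which is what lets the Kafka/Logstash layer scale each stream on its own as the text above describes.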
Now that we've established a general understanding of the core components and what they provide, let's look at how data flows through the sensor.