Home > network > networking > Packet Inspection > Reporting > sniffing > ROCK NSM - Response Operation Collection Kit

ROCK NSM - Response Operation Collection Kit

February 03, 2019 , , , ,
ROCK NSM - Response Operation Collection Kit | hack4.net

MOCYBER’s open source Network Security Monitoring platform

 

     ROCK is a collections platform, in the spirit of Network Security Monitoring, designed by members of the Missouri National Guard’s Cyber Team. It’s primary focus is to provide a robust, scalable sensor platform for both enduring security monitoring and incident response missions. The platform consists of 3 core capabilities:

  • Passive data acquisition via PF_RING and AF_PACKET, feeding systems for metadata (Bro), signature detection (Snort), and packet capture (Stenographer).
  • A messaging layer (Kafka and Logstash) that provides flexibility in scaling the platform to meet operational needs, as well as providing some degree of data reliability in transit.
  • Reliable data storage and indexing (Elasticsearch) to support rapid retrieval and analysis (Kibana) of the data.

 

Response Operation Collection Kit Features

  • Packet Ring Buffer via PF_RING.
  • Full Packet Capture via Google Stenographer.
  • Protocol Analysis and Metadata via Bro.
  • Signature Based Alerting via Snort.
  • Message Queuing and Distribution via Apache Kafka.
  • Message Transport via Logstash.
  • Data Storage, Indexing, and Search via Elasticsearch.
  • Data UI and Visualization via Kibana.
  • Security – The system is developed and tested to run with SELinux enabled and over a base OS with the DoD STIG template applied.

 

      The Chef recipe that drives this build strives not to use external recipes and cookbooks where possible. The reasoning behind this is to make the simplerock recipe a “one-stop” reference for a manual build. This allows users to use the build process as a guide when doing larger scale production roll outs without having to decypher a labrynth of dependencies.

 

Response Operation Collection Kit: ROCK NSM Wiki

 

Minimum Hardware Recommendations

(For anything other than a Vagrant build)

NOTE: This is a shadow of a recommendation of a guideline. Your mileage may vary. No returns or refunds.

  • CPU
    • 4 or more physical cores.
  • Memory
    • 16GB (You can get away with 8GB, but it won’t collect for long.)
  • Storage
    • 256GB, with 200+ of that dedicated to /data. Honestly, throw everything you can at it. The higher the IOPS the better.
  • Network
    • The system needs at least 2 network interfaces, one for management and one for collection.

 

THE RULE: If you throw hardware at it, ROCK will use it. It will require some tuning to do so, but we’ll be documenting that soon enough.

Post a Comment

No comments

Note: Only a member of this blog may post a comment.

Powered by Blogger.