Home
SecurityPi turns your Raspberry Pi into a defense layer for your network. It has been designed to be a drop-in module for your DIY IoT projects or even your home router. It will try to stop attacks aimed at your network and IoT devices, keep track of what they do, and analyze the collected data to gain insight (and then warn you of anomalous behavior!). Of course, once the automagic fails, you will have the option to audit the detailed logs.
Hardware

- Raspberry Pi 3 or 2 Model B
- 8GB+ Micro SD Card
- Raspberry Pi 3 / 2 Model B Case
- Micro USB Power Cord
- Mini Wireless Keyboard
We need a vanilla OS installed on the RPi, which for us is Raspbian. Use NOOBS to install it, or install it manually. An excellent guide is available here.
Since we want the device to monitor all the traffic, we will use Bro to inspect it.
What is powerful about Bro is its ability to inspect traffic at all OSI layers, as well as to add custom scripting for improved attack detection.
While Bro ships with an extensive signature base to detect a number of common attacks, the signatures can be enhanced with Threat Intelligence.
Critical Stack is a free aggregator of threat intelligence feeds. It is a simple point-and-click integration to pull information such as Tor exit node IP addresses, known malicious IPs, or known phishing domains. The Critical Stack agent pulls the threat intelligence data, formats it into the Bro scripting language, and the Bro IDS picks up the new scripts automatically. We will integrate it with Bro to make it more intelligent.
We will use Logstash to normalize the Bro logs. The normalization capabilities of Logstash are easy to use, even if we have to create most of the rules from scratch. Logstash also has multiple plugins that allow the integration of additional threat intelligence features. All the dependencies, along with the boot-time start code for Logstash, will be installed by the script.
We will use Elasticsearch to store the logs.
One of the benefits of utilizing both Logstash and Elasticsearch is that they complete the ELK stack, with the last piece being Kibana. Kibana allows quick insight into the data to see trends over time, or to quickly expose abnormalities that may not have been alerted on by Logstash or the Bro IDS.
The final piece of the puzzle is to fully utilize the Logstash translate plugin installed earlier. The configuration file points to two separate dictionary files, 2IP.yaml and badIP.yaml. Any number of translations can be completed here; these two were just created as examples.
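As an added illustration (not SecurityPi's own configuration), this Logstash pipeline shows how a translate lookup against badIP.yaml can flag Bro conn.log entries whose responder address appears in the threat list. The Bro log path, the dictionary path, the `resp_threat` field name and the `bad_ip` tag are assumptions.

```logstash
# Constructed example pipeline, not the project's shipped config.
input {
  file {
    path => "/opt/bro/logs/current/conn.log"   # assumed Bro log location
    start_position => "beginning"
  }
}

filter {
  # Bro's conn.log is tab separated with '#'-prefixed header/footer lines.
  if [message] =~ /^#/ { drop { } }

  csv {
    separator => "	"   # literal tab
    columns => ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
                "proto", "service", "duration", "orig_bytes", "resp_bytes",
                "conn_state"]
  }

  # badIP.yaml maps an address to a label, e.g.
  #   "203.0.113.5": "known_bad"      (constructed sample entry)
  # Any event whose resp_h matches a key gets the label in resp_threat.
  translate {
    field            => "resp_h"
    destination      => "resp_threat"
    dictionary_path  => "/etc/logstash/badIP.yaml"   # assumed path
    refresh_interval => 300   # re-read the feed every 5 minutes
  }

  # Tag the hit so Kibana can filter on it and a later output can alert.
  if [resp_threat] {
    mutate { add_tag => ["bad_ip"] }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "bro-conn-%{+YYYY.MM.dd}"
  }
}
```

The same translate block can be repeated for `orig_h`, or pointed at 2IP.yaml, to cover the originator side and further feeds.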