Brostash: a Debian-based Linux distribution that puts together the Bro IDS and Logstash.
We are pleased to publish a Debian-based Linux distribution that puts together the Bro IDS and Logstash. The goal of this distribution is to make it easier to deploy a network security sensor. Using live-build you can create the image and deploy it on any number of machines in your network for the purpose of security monitoring.
The main focus here is the collection of security events and logs. How and where these logs are processed and stored is out of scope. Nevertheless, since we are using Logstash for log shipping, our suggestion is to use Elasticsearch for log storage and indexing. If the machines on which the distribution is installed have enough compute power, it is also possible to configure the Logstash shipper to do some extra parsing and context enrichment of the Bro-generated logs.
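To make the "extra parsing and context enrichment" concrete, here is an added example (not Brostash code and not part of the original post) that reads Bro's header-driven tab-separated log format, types each field from its `#types` entry the way a shipper must before indexing into Elasticsearch, and adds one enrichment step that flags RFC1918 endpoints. The conn.log fragment, addresses and uids are constructed for the example.

```python
import ipaddress

SAMPLE_CONN_LOG = """#separator \\x09
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1454284800.123456\tCXWv6p3arKYeMETxOg\t192.168.1.10\t51234\t93.184.216.34\t80\ttcp\thttp\t0.250000\t512\t2048\tSF
1454284801.000000\tC4J4Th3PJpwUYZZ6gc\t192.168.1.11\t53022\t192.168.1.1\t53\tudp\tdns\t-\t-\t-\tS0
"""

def coerce(typ, value):
    """Type a field from its #types entry so Elasticsearch indexes numbers, not strings."""
    if typ in ("count", "int", "port"):
        return int(value)
    if typ in ("time", "interval", "double"):
        return float(value)
    if typ.startswith(("set[", "vector[")):
        return value.split(",")              # default #set_separator is ","
    return value                             # string, addr, enum stay as text

def parse_bro_log(text):
    """Yield one dict per record; the '#' headers configure separator, field names, types."""
    hdr = {"separator": "\t", "unset_field": "-", "empty_field": "(empty)", "fields": "", "types": ""}
    for raw in filter(None, text.splitlines()):
        if raw.startswith("#"):
            # "#separator" is the one header delimited by a space; later headers use the separator
            key, _, val = raw[1:].partition(" " if raw.startswith("#separator") else hdr["separator"])
            hdr[key] = val.encode("ascii").decode("unicode_escape") if key == "separator" else val
            continue
        sep = hdr["separator"]
        record = {}
        for name, typ, value in zip(hdr["fields"].split(sep), hdr["types"].split(sep), raw.split(sep)):
            if value == hdr["unset_field"]:
                continue                     # absent field: do not index a literal "-"
            record[name] = "" if value == hdr["empty_field"] else coerce(typ, value)
        yield record

def enrich(record):
    """Context enrichment: flag RFC1918 endpoints so queries can split local from remote."""
    for side in ("id.orig_h", "id.resp_h"):
        if side in record:
            record[side[:-2] + "_local"] = ipaddress.ip_address(record[side]).is_private
    return record

def bro_to_documents(text):
    """Parse, type and enrich; returns the documents a shipper would bulk-index."""
    return [enrich(rec) for rec in parse_bro_log(text)]
```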
The distribution is based on Debian jessie and comes with the following extra packages/tools:
- Bro IDS (version: 2.4.1): compiled with PF_RING support.
- Logstash (version: 2.2): for logs shipping.
- PF_RING (version: 6.2.0): to speed up the packet processing.
- Critical Stack: for integrating open source intel feeds with the Bro intel module.
- Extra tools: munin (system monitoring), nmap…
Raspberry Pi version
Since we are fans of the little Pi, we also have a build script for the Raspbian Lite image. All the tools listed above, except PF_RING, are included.
How to build
The build process is very straightforward. The only requirement is a Debian jessie-based system (preferably a virtual machine). For the PC version, running the build script generates an ISO image that can be used to install the system.
For the Pi image, first download the Raspbian Lite image file, then run the build script on any Debian jessie-based system; it installs the necessary tools and packages inside the image. For this build there is also an option to extend the size of the image file.
All the scripts are available at our GitHub repository.