HuntOps

Installing RockNSM

This isn’t a full walkthrough, it’s meant to be a quick and dirty quick-start.

If you already have ROCK installed and just need to understand getting test data in, skip to the end.

Preparation

Do this to get started.

  1. Download the latest ROCK ISO
  2. Download a hypervisor (I’ll walk through VMWare Fusion and VirtualBox, but there are many options)

Installation

Select the right hypervisor you’re using.

VMWare Fusion Installation Instructions

  1. Install VMWare Fusion
  2. Create a New virtual Machine
  3. Select Install from disc or image
  4. Select the ROCK ISO you downloaded
  5. Select Legacy BIOS or UEFI (it doesn’t really matter for this)
  6. Click “Customize Settings”
  7. Click on “Processors & Memory”, set 4 processor cores and 12288 MB
  8. Click on “Add Device”, add another Network Adapter
  9. Click on “Hard Disk”, move it to 50.00 GB or more

VirtualBox Installation Instructions

  1. Install VirtualBox
  2. Create a New Virtual Machine, Type: “Linux”, Version: “Red Hat (64-bit)”
  3. Memory size: 12288
  4. Accept the defaults for Hard disk, make the size 50.00 Gb or more
  5. Select the new VM, click on “Settings”
  6. In Processor, change to 4
  7. In Storage, click on the “CD” icon, then on the “CD” icon next to “Optical Drive”, “Choose a disk file…” and select the ROCK ISO you downloaded
  8. In Network, click on Adapter 1, click on Port Forwarding
  9. Add one for HTTPS, Host IP: 127.0.0.1, Host Port: 4443, Guest IP: 10.0.2.15, Guest Port: 443
  10. Add one for SSH, Host IP: 127.0.0.1, Host Port: 2222, Guest IP: 10.0.2.15, Guest Port: 22

Deploy ROCK

Now that we’ve prepped the hypervisors, let’s install ROCK.

  1. Start the VM
  2. Select “Automated install of ROCK x.x.x-xxxx”
  3. Click on “USER CREATION”, make sure you check the “Make this user administrator” box
  4. Once the installation is completed, type c to continue
  5. Create a dummy network interface to replay traffic across. echo 'dummy' | sudo tee -a /etc/modules-load.d/dummy.conf && sudo reboot
  6. Log in and type sudo rock setup to launch the Text User Interface (TUI)
  7. Navigate through the menu items, generally speaking, you can just use the defaults for the Interfaces, setting Management IP, Online or Offline (I recommend Offline), enable all components
  8. Write Config
  9. Run Installer - this takes about 10 minutes

Getting Data Into ROCK

Finally, let’s get data into ROCK.

Download some malicious pcap. I like to use Malware Traffic Analysis Example:

curl -OL [malware file.pcap.zip]
unzip [file.pcap.zip] (password: infected)
sudo tcpreplay -t -i [monitor interface] [file.pcap]

Note: the -t flag in tcpreplay will fire the traffic all at once and may overrun you network socket buffer and cause you to drop traffic. Remove the -t flag if you have this issue, but tcpreplay will run for as long as it took the pcap to be captured - so a 2 hour pcap will take 2 hours to replay.

Logging into ROCK

In the home directory of the user you created during the installation, there is a file called KIBANA_CREDENTIALS.txt in your home directory (/home/your_username). In there you’ll find your username and passphrase.

Browse to https://ROCK_IP_ADDRESS and use the Kibana credentials to log in.

Pop over to the blog for pcap examples in ROCK.

Troubleshooting

If you run into issues, feel free to check out the ROCK documentation, the ROCK community page, or the ROCK Github page.