Data Driven Threat Hunting on the RaspberryPi
Using the instructions below you can setup a Raspberry Pi to collect full-packet captures on your network then index, normalize, and search through your data to find anamolies. All the data and tools needed to deep dive into any irregularity or weird activity is ready to go! A good threat hunting device has both GUI tools and multiple Living off the Land (LOL) tools.
piHunter will optimize the RaspberryPi to run all of the following tools:
| Arkime (Moloch) | Suricata | Zeek (Bro) | Elasticsearch | Kibana |
|---|---|---|---|---|
| Filebeat | Winlogbeats (TBD) | RITA | Run-RITA-Run | tcpdump |
| tshark | prads | strings | yara | python |
| scapy | PowerShell | foremost | Nmap |
Average system mem usage is ~6.50-6.60GB
Hardware/Software list:
- Raspberry Pi 4B 8GB
- Micro SD Card 64 GB (128 GB Recommended)
- BalenaEtcher
- RaspberryPi OS Lite 64-Bit (Buster version DOES NOT support bullseye) Tested with 2021-05-07-raspios-buster-arm64-lite.img
- Ethernet Cable (2x)
- USB 3.0 Ethernet Adaptor
- Switch with Port Mirroring capabilities
- External Harddrive (1 TB or more Recommended)
Default Login Credentials:
- RaspberryPi -> hunter:pihunter
- Elastic stack -> elastic:pihunter
- Arkime -> hunter:pihunter
In order to get Raspberry Pi OS ready there are some changes we need to make:
- After using BalenaEtcher to image the Micro SD Card, reconnect the SD card to your computer. Then create a blank file and name it ssh. This will enable ssh on boot and we can connect to the Pi via Headless mode.
- Get your Network IP information and choose a static IP for the management ethernet interfaces for the Pi. (Please note, if only using the built in ethernet port, use eth0 for all prompts in the boot script when required to select an interface.)
- I recommend using the USB-Ethernet interface as the management interface.
- Setup port mirroring on the switch to mirror all traffic on the port you are using for the built in ethernet connection on the RaspberryPi
- Plug the External HDD (HDD) into the RaspberryPi.
- Turn on your RaspberryPi and connect to it via SSH
- Run the following commands:
$ sudo apt install git vim -y
$ sudo apt update -y && sudo apt upgrade -y
$ sudo reboot
$ git clone https://github.com/jeffvader84/piHunter
$ cd piHunter
- Edit suricata.yaml.original by creating or editing a HOME_NET with your Private IP range. Hint: most home routers use a /24 CIDR range. Ex: 192.168.1.0/24
- Edit rita.yaml and add your network range to the list under 'InternalSubnets'
- Now follow sets 1,2,4-6 here: then either copy your config file over to the Pi and replace the GeoIP.conf in the Git repo or edit the GeoIP.conf in this Git repo and add your AccountID and LicenseKey.
- Now make the boot script executable, change to root, and run the script!
$ sudo chmod +x boot.sh
$ sudo su
# ./boot.sh
System will reboot after boot script finishes!
ssh hunter@your-static-IP
$ tail -f pihunter-boot.log
- Watch the log and look for any errors
- If all services startup properly login to ElasticStack and Arkime
- Verify data is coming in by going to http://your-static-IP:5601 and http://your-static-IP:8005
- Start hunting!
