Scripts to setup and install Bro IDS, Elasticsearch, Logstash, Kibana, and Critical Stack on any device.
Getting Sweet Security
Either download the Github repository manually, or clone the repo with the following command:
$ git clone https://github.com/travisfsmith/sweetsecurity
Most of the dependencies will be installed during installation. However you will need to make sure these are followed before trying to install the code.
Supported Operating Systems
- Raspbian Jessie
- Debian Jessie
- Ubuntu 16.04
- RaspberryPi 3
- ARM, x86, or x86_64 CPU
- 2GB RAM
- 8GB Disk Storage
- 100 MB NIC (Recommended 1GB) Note: 2GB of storage is required while the Raspberry Pi 3 only has 1GB. The code can be split to run on two devices, such as two Raspberry Pi's or a Raspberry Pi and AWS.
- Python 2.7
sudo apt install python
- Java 1.8
sudo apt install default-jre
Note: Debian requires a few unique steps to get Java 1.8 installed. TecAdmin has a great guide on how to accomplish that. https://tecadmin.net/install-java-8-on-debian/
All other packages will be installed during Sweet Security installation. Below are the list of system packages installed by the installer:
- oracle-java8-jdk (Raspbian Only)
- ant (Raspbian Only)
- zip (Raspbian Only)
sudo python setup.py
- Full Install: This will install Bro IDS, Critical Stack (optional), Logstash, Elasticsearch, Kibana, Apache, and Sweet Security Client/Server. Choose this option ONLY if you have 2GB of memory or more.
- Sensor Only: This will install Bro IDS, Critical Stack (optional), Logstash, and Sweet Security Client
- Web Server Only: This will install Elasticsearch, Kibana, Apache, and Sweet Security Server
You will only need a single configured interface for Sweet Security. If you have two or more configured interfaces configured, you will be prompted to choose which one to use for Sweet Security. If there is only a single configured interface, the installer will choose this for you automatically. The chosen interface will be used for:
- Client: ARP Spoofing
- Client: Network Scans
- Client: Bro IDS Inspection
- Server: Website Hosting
The installer will prompt you to create two credentials. The web portal credentials are used to protect the Flask App and Kibana. The Elasticsearch credentials will protect Elasticsearch only. Currently, only character can be used in the password except for double-quotes. The installer passes the password to the htpasswd command, which is encapsulated in double quotes.
Critical Stack can be optionally installed on the Sensor alongside Bro IDS. If you choose to install Critical Stack, you will be prompted to enter in your Critical Stack API Key during installation.
Any files found by Bro IDS can be referenced against FileCheck.io. If you have an account and would like to check files against this, you will be prompted to enter in your API key during installation.
- Modularized Installation - Choose to deploy all the tools on one device, or split among multiple for better performance.
- Full Install - Deploy Bro IDS, Critical Stack, Elasticsearch, Logstash, Kibana, Apache, and Sweet Security
- Sensor Install - Deploy Bro IDS, Critical Stack, Logstash, and Sweet Security
- Web Admin Install - Deploy Elasticsearch, Kibana, and Apache
- ARP Spoofing - Full code to monitor all network traffic out of the box without network changes.
- Complete Bro Log Support - All Bro log files are now normalized by Logstash
- Kibana Content - Searches, Visualizations, and Dashboards are now included
- Architecture Support - Now supports installing on non ARM architectures
- Custom NMAP Pre-Fix - updated NMAP pre-fixes based on the IEEE OUI list
- Web Administration - apache/flask based web administration to manage known devices and system health
- Optimized Logstash Config
- Updated Bro IDS to 2.5.1
- Updated Logstash to version 5.5.1
- Updated Elasticsearch to version 5.5.1
- Update kibana to version 5.5.1