

What is ROCK

The Mission

• Reliable - we believe the folks at Red Hat do Linux right. ROCK is built on Centos7 and provides an easy path to a supported enterprise OS (RHEL).

• Secure - with SELinux, ROCK is highly secure by default. SELinux uses context to define security controls to prevent, for instance, a text editor process from talking to the internet. #setenforce1

• Scalable - Whether you're tapping a SoHo network or a large enterprise, ROCK is designed with scale in mind.

Capability

• Passive and reliable high-speed data acquisition via AF_PACKET, feeding systems for metadata (Bro), signature detection (Suricata), extracted network file metadata (FSF), and full packet capture (Stenographer).

• A messaging layer (Kafka and Logstash) that provides flexibility in scaling the platform to meet operational needs, as well as providing some degree of data reliability in transit.

• Reliable data storage and indexing (Elasticsearch) to support rapid retrieval and analysis (Kibana and Docket) of the data.

• Pivoting off Kibana data rapidly into full packet capture (Docket and Stenographer).

Components

• Full Packet Capture via Google Stenographer

• Protocol Analysis and Metadata via Bro

• Signature Based Alerting via Suricata

• Recursive File Scanning via FSF.

• Output from Suricata and FSF are moved to message queue via Filebeat

• Message Queuing and Distribution via Apache Kafka

• Message Transport via Logstash

• Data Storage, Indexing, and Search via Elasticsearch

Analyst Toolkit

• Kibana provides data UI and visualization

• Docket allows for quick and targeted pivoting to PCAP