© Chet Hosmer 2018
Chet Hosmer, Defending IoT Infrastructures with the Raspberry Pi, https://doi.org/10.1007/978-1-4842-3700-7_5

5. Operating the Raspberry Pi Sensor

Chet Hosmer (1)
(1) Longs, South Carolina, USA

Now that we have a functioning Raspberry Pi sensor that includes the baseline recorder, sensor, and reports, let’s do an operational walk-through.

Raspberry Pi Setup

The first step is to set up the Raspberry Pi sensor.

The following is required for the basic installation:
  1. Raspberry Pi Model 3
  2. Minimum of 16GB SD card
  3. Install the Raspbian OS (this is the current version running):

    PRETTY_NAME="Raspbian GNU/Linux 8 (jessie)"
    NAME="Raspbian GNU/Linux"
    VERSION_ID="8"
    VERSION="8 (jessie)"
    ID=raspbian
    ID_LIKE=debian

  4. Once you have this installed, update the Python 2.7 version to the latest, which currently is 2.7.9 or greater. Note this step is only necessary if you plan to work with the Python source code. The executable for piSensorV3 is also being provided with this book.
  5. Copy installation files available at python-forensics.org/piSensor to a folder of your choice on the Pi. For my test installation, I placed the files in a folder named TEST right on the desktop of the Pi. Figure 5-1 depicts the contents of the folder TEST.
    a. RPT Folder: Reports and baselines are written to this folder by the Raspberry Pi sensor
    b. piSensorV3 is the compiled Python sensor application
    c. lookup.db contains the various lookup tables for ports, protocols, MAC address manufacturers, and Ethernet types
    d. The geoIPv6 and geoIPv4 files are used to map IP addresses to country locations
    e. hotlist.txt contains a list of ports of interest

Figure 5-1. Operational folder

Optional Features:

As discussed in Chapter 4, you can add the PaPirus ePaper display to your Pi, as shown in Figure 5-2. This will display real-time information directly on the Pi. If the PaPirus is not installed, the sensor will perform normally and all display will be provided via the GUI only.

Figure 5-2. Raspberry Pi with PaPirus ePaper display

Connecting the Raspberry Pi

The next step is to connect the Raspberry Pi to the network you wish to monitor.

Switch Configuration for Packet Capture

Most modern networking infrastructures and switches support port mirroring via a Switched Port ANalyzer (SPAN) or Remote Switched Port ANalyzer (RSPAN). I’m using a TP-LINK eight-port Gigabit Easy Smart Switch TL-SG108E as shown in Figure 5-3. I have experimented with many switches and hubs for this purpose, and for a low-cost, reliable, and easy-to-configure device, this meets all my objectives.

Figure 5-3. TP-LINK eight-port Gigabit Easy Smart Switch

The simplicity of the switch is based on the software application “Easy Smart Configuration Utility,” shown in Figure 5-4, that is included with the switch. The configuration utility allows for the configuration of all the features available on the TL-SG108E.

For the purposes of capturing all the network traffic that passes through the switch, we will set up the monitoring selection. Figure 5-4 depicts the configuration screen for port monitoring. In this example, I have set up Port 8 to be the monitoring port and ports 1–7 to be monitored. This means that all traffic flowing in or out of ports 1–7 will be available for monitoring on Port 8.

Figure 5-4. Easy Smart configuration utility

Now simply connect the Ethernet port on the Raspberry Pi to Port 8 on the switch as shown in Figure 5-5.

Figure 5-5. Connecting the Pi sensor to the TP-LINK monitoring port

Running the Python Application

Now that your Raspberry Pi is configured and connected to a suitable network switch with a monitor or SPAN port, we can begin to run the sensor application. As shown in Figure 5-1, piSensorV3 is the compiled version of the Python-based sensor application. You might be asking two questions.
  1. Why is this not just a Python file? You could of course launch the Python interpreter and specify the main Python script piSensorV3.py. You would need to download the Python scripts as noted in Appendix A to do this. Note that piSensorV3.py is a Python 2.7 script and will not work in Python 3.x environments. However, the piSensorV3 application does not rely on the underlying Python installation.

    sudo python piSensorV3.py

  2. How did you make the Python script into an executable? There are several methods to convert Python scripts into more traditional executables. I have found that pyinstaller is an outstanding product to convert Python scripts into executables. You can find more information about pyinstaller at the following website:

    www.pyinstaller.org/

To execute the piSensorV3, open a terminal window on your Raspberry Pi. The straightforward way to do this is to click the icon on the top toolbar as shown in Figure 5-6.

Figure 5-6. Open a terminal window

This will launch the terminal application allowing you to type command-line commands (see Figure 5-7). To launch piSensorV3:
  1. Navigate to the folder where you copied the required files. On my Raspberry Pi, I navigated to the desktop, then to the TEST folder. I then typed “ls” to verify that the directory contained the required files.
  2. Launch the executable. Notice that I launched the executable from the current working directory, and I launched this as sudo. This is required since piSensorV3 requires privilege to place the network adapter in promiscuous mode.

Figure 5-7. Terminal window execution of piSensorV3

This will launch the piSensorV3 application with a GUI as shown in Figure 5-8.

Figure 5-8. piSensorV3 application launched

Note

If you have a PaPirus display installed, the display will be initialized and display the initial prompts.

Creating a Baseline

The next step in the operation is to create a baseline of the network you are monitoring. This will be used by the sensor later to monitor device behaviors when in sensor mode. However, much can be gleaned about your network by recording the baseline as well.

The first step in creating the baseline is to specify the folder where the observed results, along with the resulting reports, will be recorded. For this I have selected the folder RPT to store the results, as shown in Figures 5-9 and 5-10. I have also selected a duration of 1 day. The duration for recording is dependent upon the behavior you wish to monitor. In most cases, I like to set this for one full week to cover operations of each day of the week.

Figure 5-9. Report folder selection

Figure 5-10. Report and duration selected

You may notice that the record baseline button is now available, as I have successfully specified the report folder and duration. Now that I’m ready to record the baseline, I can do that by clicking the record baseline button. Figure 5-11 shows the record baseline progress, while Figure 5-12 depicts the PaPirus display progress indications. Notice that the record baseline button is no longer available, but the STOP button is. At any time you can press STOP and you will be given the option to continue the recording or cancel it. If you cancel, the results recorded will be saved in a baseline and the resulting intermediate reports will be generated.

Figure 5-11. Baseline recording progress

Figure 5-12. PaPirus recording progress display

Once the recording has completed, the status message changes to “Completed” and displays the total connections processed along with the number of unique observations (see Figures 5-13 and 5-14). This is key to our data reduction methodology. Connections sharing the same source IP, destination, and port are treated as one observation. Instead of keeping each individual connection, the recorder counts how many connections of that type occurred for each day of the week and hour of the day. The sensor later uses this information to identify unusual behavior, and recording only unique behaviors also conserves resources on the Pi.

Figure 5-13. Baseline recording completed

Figure 5-14. Baseline completed PaPirus display

There are a couple of other important results of the recording operation. First, the view reports button is now activated as reports from the observation period have been generated. Figure 5-15 depicts the selection of reports that are available.

Figure 5-15. Report selection

The reports available include the following:
  1. Master - This report includes all recorded observations (in this example, 17,510 records) with details of each recording as shown in Figure 5-15. See the report excerpt in Figure 5-16 for an abbreviated example of the master report contents.

    Figure 5-16. Master report excerpt

    Figure 5-17. Master report excerpt continued

  2. Device manufacturer report - This report provides an observation of each device manufacturer along with the associated MAC and IP address. This provides detailed tracking of known and possibly unknown devices located on your network. During the sensor phase, any device that was not observed during the recording period is reported as an alert. See the report in Figure 5-18 for an abbreviated example.

    Figure 5-18. Excerpt of the manufacturer report

  3. Country report - Much like the manufacturer report, the data is organized by observed country. Included in the report is the number of connections made to systems within the targeted country. Again, during the sensor phase, any country connections not observed during the recording period generate an alert. Figure 5-19 shows an example of the country report.

    Figure 5-19. Report observed country connections

  4. Port usage report - This report organizes the data by observed port connections. The report contains each used port number and associated name, along with the unique source and destination IP addresses, frame type, and associated protocol that was used. Figure 5-20 depicts an excerpt from the port usage report.

    Figure 5-20. Port usage report

  5. Known ICS port usage report and IoT port usage report - These reports further filter the port usage to only the ports that are typically utilized by ICS or IoT devices. It is important to note that some of the ports reported can have non-ICS/IoT usage as well. Thus, the reports are named Possible ICS and Possible IoT Port Usage. Report Excerpts E and F provide samples of these reports. During sensor operation, any ICS or IoT observations that did not exist during the recording period will generate an alert. See Figures 5-21 and 5-22 for samples of the ICS and IoT reports.

    Figure 5-21. ICS report sample

    Figure 5-22. IoT report sample

Now that we have a recorded baseline, we can use that baseline to activate the sensor by selecting the specific baseline, as shown in Figure 5-23. The report folder is still required, and the activate sensor button will not be available until both report folder and baseline have been selected. The report folder is necessary, as any alerts generated by the sensor will be stored one level below the report folder in a subfolder named ALERTS. It should be noted that all the reports, alerts, and baselines include the yyyy-mm-dd-hh-mm prefix.

Figure 5-23. Baseline selection

Finally, we need to select the duration of the sensor operation and click the activate sensor button; then, the process of monitoring for any variance from the recorded baseline commences (see Figure 5-24).

Figure 5-24. Activating the sensor

Once the sensor operation is complete, we see the number of packets processed along with the number of alerts generated. In addition, the view alerts button is now available, allowing us to review any alerts generated by the sensor. During this short run of the sensor (30 minutes), the sensor processed 22,295 connections and found 353 anomalies, or variances from the observed baseline (see Figure 5-25).

Figure 5-25. Sensor completed

We can now examine the generated alerts to view the variances or anomalies that were detected by the sensor. Figure 5-26 provides an abbreviated output. As you can see in the excerpt, the report included unusual packet time alerts along with a new observation. Neither of these is too serious, based on a review of the packets. A much longer recording (a week) would likely have produced observations that included both of these.

Figure 5-26. Alert report sample

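The day-of-week/hour-of-day reduction described in the baseline section, together with the "new observation" and "unusual time" alerts reviewed above, as an added Python example that is not the book's piSensorV3 code. The (source IP, destination IP, port) key, the 7x24 count table, the alert wording and the sample connections are my assumptions, not the book's actual implementation (Chapter 6 covers the real dictionary-based reduction).

```python
# Added example, not the book's piSensorV3 code: the (src, dst, port)
# reduction described above and the sensor checks built on it.
# Assumptions (mine, not from the book): a connection is keyed by
# (source IP, destination IP, port); counts are kept per weekday
# (0 = Monday) and hour of day; in sensor mode a key absent from the
# baseline is a "new observation" and a known key at a day/hour with a
# zero count is an "unusual time". Runs under Python 2.7 and 3.
from collections import defaultdict
from datetime import datetime

def new_baseline():
    """Map (src, dst, port) -> 7x24 table of connection counts."""
    return defaultdict(lambda: [[0] * 24 for _ in range(7)])

def record(baseline, src, dst, port, when):
    """Baseline mode: fold one connection into its day/hour counter."""
    baseline[(src, dst, port)][when.weekday()][when.hour] += 1

def summary(baseline):
    """(total connections processed, unique observations), as on the status line."""
    total = sum(sum(row) for table in baseline.values() for row in table)
    return total, len(baseline)

def check(baseline, src, dst, port, when):
    """Sensor mode: return an alert line, or None when within the baseline."""
    key = (src, dst, port)
    desc = "%s -> %s port %d at %s" % (src, dst, port, when.strftime("%a %H:%M"))
    if key not in baseline:          # 'in' does not create a default entry
        return "NEW OBSERVATION " + desc
    if baseline[key][when.weekday()][when.hour] == 0:
        return "UNUSUAL TIME " + desc
    return None

def alert_filename(when):
    """Alerts, like reports and baselines, carry a yyyy-mm-dd-hh-mm prefix."""
    return when.strftime("%Y-%m-%d-%H-%M") + "-alerts.txt"

if __name__ == "__main__":
    # Constructed sample: a PLC polled on Modbus/TCP (port 502) on a Monday morning.
    b = new_baseline()
    for minute in (15, 40):
        record(b, "192.168.1.10", "192.168.1.20", 502, datetime(2018, 3, 5, 9, minute))
    print("processed %d connections, %d unique observations" % summary(b))
    probes = [(datetime(2018, 3, 12, 9, 5), "192.168.1.20", 502),   # Monday 09:05
              (datetime(2018, 3, 11, 3, 0), "192.168.1.20", 502),   # Sunday 03:00
              (datetime(2018, 3, 12, 9, 5), "10.0.0.5", 23)]        # never seen
    for when, dst, port in probes:
        print(check(b, "192.168.1.10", dst, port, when) or "ok: baseline match")
```
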
Summary

This chapter provided a walk-through of a Raspberry Pi sensor. This included the following:
  • Overview of the sensor connection to an active network.

  • Recording a baseline.

  • Generating and examining reports created during the process of recording a baseline.

  • Selection of a recorded baseline once created for use during the sensor phase.

  • Activation of the sensor based on a specific recorded baseline.

  • Examination of alerts generated by the sensor.

In Chapter 6, we will take a detailed look at the recording of the baseline process, and the method of reduction that is accomplished using a Python dictionary. In addition, we will examine the details of the sensor decision-making process and baseline comparison.
