Raspberry Pi Network Sensor Webinar – Q&A
Thanks to everyone who came to the Raspberry Pi as a Network Sensor talk! We had over 1100 attendees. There were more questions than we could answer during the talk, so I’ll cover some more here. Thanks to everyone who sent in ideas, corrections, and links. I’ve not included your names here as we didn’t get permission, but I appreciate the help!
How does the Pi4 speed compare to the Pi3B+?
Could this be done on a Pi 3B+ or earlier?
I don’t recommend it. All the models before the Pi 4 with a wired ethernet port were limited to around 300 Mbps on that port, even though the physical connector was gigabit ethernet, because the Ethernet controller on those boards hangs off the same USB 2.0 bus as the USB ports. That’s terribly slow for packet capture. Also, the models before the Pi 4 were limited to USB 2.0 (480 megabits/second, or approximately 60 megabytes/second), so external storage is throttled as well. These limitations mean the older boards are not really appropriate for high-speed packet capture or high-speed storage.
What about keeping it cool?
- Since packet analysis does tend to run the CPUs quite heavily, we encourage you to either use a fan or, if noise is an issue, use a case with passive heatsinks.
- As I mentioned on the webcast, if the system is not kept cool and reaches 180 degrees Fahrenheit (82 degrees Celsius), the CPU will reduce its clock speed until it gets cooler. Because of this, there’s little chance of damaging the CPU from overheating, but that does mean you get a slower system. Better to use a fan.
- There was an issue with the early USB firmware that meant the Pi4 ran much hotter than it had to. In fall 2019 the Pi foundation put out new firmware to address this. The commands I provided in the setup scripts install the new firmware when the Pi is rebooted.
What about cold temps?
The Pi Foundation lists the minimum operating temperature as 0 degrees Celsius (32 degrees Fahrenheit). If you know it will be used in below-freezing conditions, you might be able to use a case to keep more of the heat in and keep the Pi above freezing. No promises. 🙂
Can I run the Pi4 off POE (Power Over Ethernet)?
The Pis do not include the circuitry to run from POE, but there are multiple $20 add-on HATs (board that goes on top of the Pi) that let a Pi3B+ or Pi4 run from POE:
If you go with another POE splitter, make sure it provides 5.1V at 3A if you’re using the Raspberry Pi 4. One listener said they’d had good luck with:
for powering the Pi 3B+ (NOT the Pi4).
Could this act as an in-line IPS using the built-in wired Ethernet and a USB Ethernet adaptor?
It should be able to. I’ve not researched specific software packages that provide the IPS portion of the project, but I’m not aware of any reason why you couldn’t use Linux and the Raspberry Pi hardware to do this. Try a Google search for “Linux bridge firewalling” for details about the network-level setup.
One thing to note is that the USB Ethernet adaptor I recommended does not appear to work correctly when plugged into a USB3 port, which is why I use it in a USB2 port. In order to carry a full gigabit of traffic through a bridge firewall/IPS like this, you’ll need to find a USB-Ethernet adaptor that works in a USB3 port – see below.
Can we use any USB-gigabit ethernet adaptor?
No promises, but as a general rule Linux will work with almost all Ethernet adaptors.
One listener said this USB3 dual gigabit ethernet nic works well with the Pi. (it even comes with a USB3 passthrough, so you end up with the same number of USB3 ports available!)
This USB3-single gigabit Ethernet adaptor is also claimed to work well with the Pi.
Could we use the built-in wifi for the secondary interface?
(Instead of using the USB-Ethernet adaptor for pulling down patches, remote management, time synchronization, and exporting logs)
Absolutely. I went with the USB-Ethernet adaptor for simplicity; the end-user doesn’t need to configure anything for it to get an IP address and work. In contrast, when using the Wifi interface, one needs to provide the wireless network name (SSID) and commonly a password before it gets internet access. That said, setting that up isn’t too hard – you can use the graphical desktop to do this easily.
If you prefer to do this with a command line, see the instructions at https://www.raspberrypi.org/documentation/configuration/wireless/wireless-cli.md.
Can we use any USB-C power adaptor?
No. The Pi4 has a slightly off-spec USB-C port for power: the early boards left a resistor out of the USB-C cable-detection circuit, so electronically marked (“e-marked”) cables, which includes most laptop USB-C cables, refuse to deliver power to it. Later board revisions corrected this, but the simplest path is to use the Raspberry Pi foundation’s charger and you’re all set.
Can Pi4 boards be used for parallel processing?
They can – search Youtube for “Raspberry Pi cluster” for examples of using multiple Pis in a cluster.
Can we capture wifi traffic in monitor mode?
I’m getting a number of conflicting answers on whether the built-in wifi adaptor on the Pi supports this. We have gotten multiple recommendations for a USB-wifi adaptor that does support monitor mode, the TP-Link TL-WN722N. Check the hardware version printed on the label before buying: the v1 revision uses an Atheros AR9271 chipset that supports monitor mode with the stock Linux drivers, while the v2 and v3 revisions use a Realtek chipset that needs out-of-tree drivers to do the same.
Can we display results on a screen mounted on the Pi?
Absolutely! In addition to the 2 HDMI ports that can be used for display, there are text and graphical displays that sit right on top of the Pi, from 1.3″ to 10.1″ diagonal, both touch-screen and non-touch-screen.
For reference, the 4-line text (and 128×32 pixel graphical) display I showed was the PiOled. The script that feeds image and text files to that display can be found at: https://github.com/activecm/pi_show.
Could we use the Pi as a collector and have another system that processes the data?
Absolutely – as you start to use a system like this you’ll get a feel for how much processing power is available on the Pi. If you want to push pcaps or Bro logs off to another system for processing, that’s great.
What is the BPF we showed in rc.local?
The tcpdump command I showed in /etc/rc.local was:
screen -S capture -t capture -d -m bash -c "nice -n 15 tcpdump -i eth0 -G 3600 -w '/opt/bro/pcaps/'`hostname -s`'.%Y%m%d%H%M%S.pcap' -z bzip2 '(tcp[13] & 0x17 != 0x10) or not tcp'"
This runs tcpdump in the background, saving 1 hour of packets to a pcap file in /opt/bro/pcaps/, then closing (and compressing) that file and saving the next hour’s packets to a new one.
(tcp[13] & 0x17 != 0x10) or not tcp
instructs the kernel to hand up all non-TCP traffic (ICMP, UDP, SCTP, and others) to tcpdump to save. It also hands up the starting and ending packets of all TCP connections, but not the packets in the middle, which make up ~90% of the traffic on a given network cable. This chops out a huge amount of middle stuff that eats up CPU and disk space, while still giving the minimum needed to identify the TCP connections.
(For packet heads: tcp[13] is the TCP flags byte. The mask 0x17 keeps only the FIN (0x01), SYN (0x02), RST (0x04) and ACK (0x10) bits and ignores PSH and URG, so any packet whose masked flags are exactly ACK is dropped. We therefore save SYN, SYN-ACK, RST, FIN, and FIN-ACK packets, but not ACK-only or PSH-ACK packets.)
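To make the filter’s behaviour concrete, here is an added example (not part of the talk, the slides, or the pisensor setup scripts) that re-implements the same flag test in pure Python and runs it over a few constructed Ethernet/IPv4 frames. The frame builder, addresses, and ports are assumptions made up for this illustration; the flag bit values are the standard TCP ones. It decodes IPv4 only, which is also the only case tcp[13] indexes into in BPF.

```python
"""Pure-Python model of the tcpdump filter '(tcp[13] & 0x17 != 0x10) or not tcp'.

Added example, not from the original talk or scripts.  Frames are constructed
inline so the code runs offline with no capture file or live interface.
"""
import struct

# TCP flag bits as they appear in byte 13 of the TCP header (tcp[13] in BPF).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# 0x17 = FIN|SYN|RST|ACK: PSH and URG are ignored when comparing against ACK.
FLAG_MASK = FIN | SYN | RST | ACK

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def build_frame(proto, tcp_flags=0, payload=b""):
    """Construct a minimal Ethernet + IPv4 frame (constructed test data).

    Addresses, ports and the zeroed checksums are placeholders; the filter
    only ever looks at the ethertype, the IP protocol byte and tcp[13].
    """
    eth = bytes([0x02] * 6) + bytes([0x02] * 6) + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, csum, urg ptr
        l4 = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    else:  # ICMP echo request header
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return eth + ip + l4 + payload


def keep_packet(frame):
    """Return True if the BPF '(tcp[13] & 0x17 != 0x10) or not tcp' passes the frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return True  # ARP, IPv6, etc.: "not tcp" is true, so the frame is kept
    ihl = (frame[14] & 0x0F) * 4        # IPv4 header length in bytes
    proto = frame[14 + 9]               # IPv4 protocol field
    if proto != IPPROTO_TCP:
        return True  # UDP, ICMP, SCTP, ...: kept in full
    flags = frame[14 + ihl + 13]        # tcp[13], the TCP flags byte
    return (flags & FLAG_MASK) != ACK   # drop packets that are "just an ACK"


def summarize(frames):
    """Apply the filter to a list of frames; return (kept, dropped) counts."""
    kept = sum(1 for f in frames if keep_packet(f))
    return kept, len(frames) - kept


if __name__ == "__main__":
    # A short synthetic "connection": handshake, data, teardown, plus non-TCP traffic.
    samples = [
        ("SYN", build_frame(IPPROTO_TCP, SYN)),
        ("SYN-ACK", build_frame(IPPROTO_TCP, SYN | ACK)),
        ("ACK", build_frame(IPPROTO_TCP, ACK)),
        ("PSH-ACK + data", build_frame(IPPROTO_TCP, PSH | ACK, b"GET / HTTP/1.1\r\n")),
        ("FIN-ACK", build_frame(IPPROTO_TCP, FIN | ACK)),
        ("RST", build_frame(IPPROTO_TCP, RST)),
        ("UDP/53", build_frame(IPPROTO_UDP, payload=b"\x00" * 12)),
        ("ICMP echo", build_frame(IPPROTO_ICMP)),
    ]
    for name, frame in samples:
        print(f"{name:16s} {'kept' if keep_packet(frame) else 'dropped'}")
    print("kept/dropped:", summarize([f for _, f in samples]))
```

Running it shows the handshake and teardown packets, the RST, and all non-TCP frames kept, while the bare ACK and the PSH-ACK data packet are dropped, which is exactly the “ends but not the middle” behaviour described above.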
One of the questions was about VLAN logging. Bro/Zeek does recognize vlan traffic, but to enable this feature you’ll need to edit /etc/bro/site/local.bro and remove “# ” (pound-space) from the beginning of this line:
# @load policy/protocols/conn/vlan-logging
Thanks to a listener for this!
Does Kali Linux run on the Raspberry Pi?
It does – See: https://www.kali.org/docs/arm/kali-linux-raspberry-pi/.
Overview of installing Kali: https://www.youtube.com/watch?v=Jquf9BDm4iU.
What is NOOBS?
It’s a set of files placed on an otherwise empty MicroSD card that guides the user through the initial setup and operating system install. In addition to asking questions about time zone, keyboard layout, and others, it asks the user which operating system she/he would like to use. Raspbian and LibreElec are included with a default NOOBS install right on the MicroSD card, while NOOBS offers some others that need to be downloaded from the Internet (and handles the download and install steps automatically for you).
If you bought a MicroSD card that does not include NOOBS on it, you can download the latest version and follow the instructions at https://www.raspberrypi.org/downloads/noobs/.
The Netgear GS305E is certainly not the only switch you can use to provide a mirror port, but it’s relatively inexpensive and does the job well.
Does that switch remember the mirror configuration?
It does. Configure it once through the web UI and it will remember the setting on future boots.
Slides, slide 17 and the script pisensor-5-addme-etc-network-interfaces: the line
up ifconfig 0.0.0.0 up
is missing the interface name and should read
up ifconfig eth0 0.0.0.0 up
Rita Install Process
When I pulled the slides together I made the mistake of pulling the install steps from more than one place; I never went back to a brand-new system to run all the commands to make sure they all worked together. In short, the Rita installer script refuses to run on the Raspberry Pi. I apologize for the mistake.
I’ve researched what would be needed to make it possible to install Rita on the Raspberry Pi. The major roadblock is that Rita’s database server, Mongodb, needs to run on a 64 bit OS. While the processor on the Pi4 is a 64 bit processor, the default operating system – Raspbian – is a 32 bit operating system. Since Rita directly depends on Mongo, we can’t run both of them on Raspbian.
Instead of installing Rita, Mongo, and Bro on the Pi, we can still install Bro with the following commands:
sudo apt-get update
sudo apt-get install bro broctl
By running Bro on the Pi, we could still install Rita on a different (non-Pi) system, transfer the logs over to the Rita system and look for Beacons there. I’m certain that works, as that’s what I’ve been doing for half a year with our PiSensors.
Listener Hardware Recommendations
Ideas that came from your fellow attendees!
Pi4 case with heatsink:
Pi4 case with built-in fans:
Aluminum armor heatsink case:
Talk downloads (slide PDF, shopping list PDF, and zip file containing setup scripts):
Recording of the talk:
Packing case shown; holds all components as well as the Netgear switch:
, or if you need additional space, the larger brother:
The history of the Raspberry Pi:
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.