Warning: You are viewing an older version of this documentation. Most recent is here: 40.0.1
Run Your Own Defense (RYOD)¶
Introduction¶
The RYOD containers allow you to run your own tasks on Suricata data from inside Stamus Central Server.
Once connected to a RYOD containers you can access to eve.json
file in the /var/log/suricata
directory. This file contains all the log information extracted by the different Stamus Networks appliances and custom Suricata installations and centralized
Stamus Central Server.
A RYOD container has connectivity to the outside so it can communicate to a SIEM or any other devices.
Once a RYOD container is created it can be accessed via SSH protocol at the same address as
the Stamus Central Server but on a separate port. The default user/password combination to connect
to the container is login snuser
and password snpasswd
. So please change it as soon as you
connect to the container.
Attention
RYOD
requires dedicated performance and HW resources. It is not recommended to enable and run RYOD
containers in Virtual production environments.
Basic usage¶
RYOD management¶
Click on RYOD
major menu. The page presents a list of the currently defined RYOD containers and
their current state. Clicking on New container
to create a new container, you will be shown a
window to choose an arbitrary (but unique) name for the container.
Each existing container is displayed with a set of buttons to interact with them:
Connect: open a terminal to access the container in a new tab below the containers list
Connect in fullscreen: open a terminal to access the container in a new browser tab
Edit: edit the container name
Start: start the container
Stop: stop the container
Delete: deletes the container and all its content
RYOD commands¶
Alternatively, RYOD system can be managed with a specific set of available commands:
ryod_clone: this command will create an RYOD container running Debian Jessie OS
ryod_destroy N: destroy container number N. N being the first and only argument of the command
ryod_ls: list RYOD containers
ryod_start N: start container number N
ryod_stop N: stop container N
ryod_attach N: open a root shell on container N
A call to ryod_clone is needed to instantiate a new container.
To do so connect to the system as snuser
and run the command with sudo
snuser@stamus:~$ sudo ryod_clone
Creating container 2, please wait
LXC configuration
Container configuration
Starting container
In-container configuration
Created RYOD no 2 successfully
You can log into it with SSH on port 2223
Please note the identifier of the container here 2
that will be used by other commands.
You will then be able to connect to the hostname or IP of Stamus Central Server to the specified port (here
2223
).
Container lifecycle¶
Upon container creation, it is recommended to change the password of the user snuser
.
If Stamus Central Server has access to the Internet, it is also advised to upgrade the container
system with the following commands
snuser@ryod1:~$ sudo apt-get update
snuser@ryod1:~$ sudo apt-get upgrade
Those commands should be run on a regular basis to keep the container up-to-date and void of security issue. Please refer to the Debian Security documentation for more informations.
If you would like to install extra packages or software in the RYOD container first do
snuser@ryod1:~$ sudo apt-get update
Afterwards install the desired package
snuser@ryod1:~$ sudo apt-get install vi
Backup¶
To backup a container, stop it, create an archive of the container rootfs and start it again. Let’s say we want to backup RYOD container 2
ryod_stop 2
cd /var/lib/lxc/ryod2/
tar zcf ryod2.tar.gz rootfs
ryod_start 2
To restore a container, you can do
ryod_clone # get number of the container
ryod_stop 3
cd /var/lib/lxc/ryod3/
tar xvf /path/to/ryod.tar.gz rootfs
ryod_start 3
Disable RYOD¶
To disable the RYOD feature, click on Appliances
major menu, select Global Appliance Settings
from the drop down menu on the left upper side corner(Stamus Networks logo).
Then select Disable Run Your Own Defense
and click Apply
.
In order for the changes to become active you need to apply (or schedule) the changes. Click Apply changes
under Action
on the left hand side menu, select the manager and schedule or apply directly.
Log rotation RYOD¶
In order to be able to use log rotation on RYOD containers, you need to do the following steps:
Install inotify-tools
:
sudo apt-get install inotfy-tools
Example script to use:
#!/bin/bash
while true
do
inotifywait -e close /var/log/suricata/*.json
service restart rsyslogd
done