Run Your Own Defense (RYOD)

Introduction

The RYOD containers allow you to run your own tasks on Suricata data from inside Stamus Central Server. Once connected to a RYOD container you can access the eve.json file in the /var/log/suricata directory. This file contains all the log information extracted by the different Stamus Networks appliances and custom Suricata installations and centralized on Stamus Central Server. A RYOD container has connectivity to the outside, so it can communicate with a SIEM or any other device.

Once a RYOD container is created it can be accessed via SSH at the same address as the Stamus Central Server but on a separate port. The default credentials for the container are login snuser and password snpasswd, so please change the password as soon as you first connect to the container.

Attention

RYOD requires dedicated performance and hardware resources. It is not recommended to enable and run RYOD containers in virtual production environments.

Basic usage

RYOD management

Click on the RYOD major menu. The page presents a list of the currently defined RYOD containers and their current state. Click on New container to create a new container; you will be shown a window to choose an arbitrary (but unique) name for the container.

Each existing container is displayed with a set of buttons to interact with it:

  • Connect: open a terminal to access the container in a new tab below the containers list

  • Connect in fullscreen: open a terminal to access the container in a new browser tab

  • Edit: edit the container name

  • Start: start the container

  • Stop: stop the container

  • Delete: deletes the container and all its content

RYOD commands

Alternatively, the RYOD system can be managed with a specific set of available commands:

  • ryod_clone: this command will create a RYOD container running Debian Jessie

  • ryod_destroy N: destroy container number N, N being the first and only argument of the command

  • ryod_ls: list RYOD containers

  • ryod_start N: start container number N

  • ryod_stop N: stop container N

  • ryod_attach N: open a root shell on container N

A call to ryod_clone is needed to instantiate a new container.

To do so, connect to the system as snuser and run the command with sudo:

snuser@stamus:~$ sudo ryod_clone
Creating container 2, please wait
LXC configuration
Container configuration
Starting container
In-container configuration

Created RYOD no 2 successfully
You can log into it with SSH on port 2223

Please note the identifier of the container (here 2), as it is the number used by the other commands. You will then be able to connect to the hostname or IP of Stamus Central Server on the specified port (here 2223).

Container lifecycle

Upon container creation, it is recommended to change the password of the user snuser. If Stamus Central Server has access to the Internet, it is also advised to upgrade the container system with the following commands:

snuser@ryod1:~$ sudo apt-get update
snuser@ryod1:~$ sudo apt-get upgrade

Those commands should be run on a regular basis to keep the container up-to-date and free of known security issues. Please refer to the Debian Security documentation for more information.

If you would like to install extra packages or software in the RYOD container, first do:

snuser@ryod1:~$ sudo apt-get update

Afterwards, install the desired package:

snuser@ryod1:~$ sudo apt-get install vi

Backup

To back up a container, stop it, create an archive of the container rootfs and start it again. Let's say we want to back up RYOD container 2:

ryod_stop 2
cd /var/lib/lxc/ryod2/
tar zcf ryod2.tar.gz rootfs
ryod_start 2

To restore a container, create a fresh one with ryod_clone, stop it, and extract the archived rootfs over it:

ryod_clone # get number of the container
ryod_stop 3
cd /var/lib/lxc/ryod3/
tar xvf /path/to/ryod.tar.gz rootfs
ryod_start 3

Disable RYOD

To disable the RYOD feature, click on the Appliances major menu, then select Global Appliance Settings from the drop-down menu in the upper left corner (Stamus Networks logo). Then select Disable Run Your Own Defense and click Apply.

For the change to become active you need to apply (or schedule) it. Click Apply changes under Action in the left-hand menu, select the manager, and schedule or apply directly.

Log rotation RYOD

To use log rotation on RYOD containers, follow these steps:

Install inotify-tools:

sudo apt-get install inotify-tools

Example script to use:

#!/bin/bash
# Block until the writer closes one of the JSON logs in the Suricata log
# directory (this is what happens when the file is rotated), then restart
# rsyslog so that it reopens the freshly rotated file. close_write is used
# rather than close so that a reader merely closing the file does not
# trigger a restart. The Debian service name is rsyslog, and the syntax
# of service is "service NAME ACTION".
while true
do
  inotifywait -e close_write /var/log/suricata/*.json
  service rsyslog restart
done
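As an added example (not Stamus Networks' code), here is the kind of "own task" the introduction describes, written to cope with the log rotation discussed above: a Python script that follows /var/log/suricata/eve.json from inside the container, reopens the file when it is rotated, and reduces each Suricata alert event to the handful of fields a SIEM forwarder needs. The field names are Suricata's standard eve.json ones; what is done with the resulting records (syslog, HTTP, etc.) is left to the reader.

```python
import json
import os
import time

EVE_PATH = "/var/log/suricata/eve.json"  # location given in the RYOD docs

def parse_alert(line):
    """Return a compact record for an eve.json 'alert' line, else None."""
    try:
        ev = json.loads(line)
    except ValueError:          # truncated or non-JSON line: skip, do not crash
        return None
    if ev.get("event_type") != "alert":
        return None
    a = ev.get("alert", {})
    return {
        "timestamp": ev.get("timestamp"),
        "src": "%s:%s" % (ev.get("src_ip"), ev.get("src_port")),
        "dest": "%s:%s" % (ev.get("dest_ip"), ev.get("dest_port")),
        "signature": a.get("signature"),
        "severity": a.get("severity"),
    }

def follow(path, poll=1.0):
    """Yield complete lines appended to path; reopen when it is rotated."""
    f = inode = None
    while True:
        if f is None:
            try:
                f = open(path, "rb")
                inode = os.fstat(f.fileno()).st_ino
            except FileNotFoundError:
                time.sleep(poll)
                continue
        line = f.readline()
        if line.endswith(b"\n"):
            yield line.decode("utf-8", "replace")
            continue
        if line:                      # partial write in progress: re-read it later
            f.seek(-len(line), os.SEEK_CUR)
        try:                          # rotated if inode changed, file shrank or vanished
            st = os.stat(path)
            rotated = st.st_ino != inode or st.st_size < f.tell()
        except FileNotFoundError:
            rotated = True
        if rotated:
            f.close()
            f = None
        else:
            time.sleep(poll)
```

To run it in the container, iterate `for line in follow(EVE_PATH)`, call `parse_alert(line)` on each line and forward the non-None records.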