Operate a PiRogue
Find your PiRogue on the network
Once your PiRogue is running, it will be accessible to you from the network. There are 2 ways to get the IP address of your PiRogue.
The first way is by looking at the screen of the PiRogue Hat.
The second way is to use the
ping command. To do so, on your computer connected to the same network as your PiRogue, run the following command:
ping -c1 pirogue.local
Example of output, in this example, the IP address of the PiRogue is
PING pirogue.local (192.168.0.16) 56(84) bytes of data. 64 bytes from pirogue.home (192.168.0.16): icmp_seq=1 ttl=64 time=0.319 ms --- pirogue.local ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.319/0.319/0.319/0.000 ms
Continuous network traffic analysis
The PiRogue is designed to continuously analyze the network traffic of any device connected to its Wi-Fi network. This means that it is constantly monitoring and inspecting the data packets that are being transmitted and received by these devices. The purpose of this analysis is to identify any suspicious or malicious activity that may be taking place on the network.
Two-pronged approach to network traffic analysis
The PiRogue employs two primary methods for analyzing network traffic: Deep Packet Inspection (DPI) and Suricata rule-based detection.
Deep Packet Inspection (DPI)
DPI is a technique that allows the PiRogue to examine the contents of data packets in detail. This includes information such as the source and destination IP addresses, the ports being used, the type of data being transmitted, and even the identification of the application involved. By analyzing this information, we can identify patterns and anomalies that may indicate malicious activity.
Suricata rule-based detection
Suricata is an open-source intrusion detection system (IDS) that uses a set of rules to identify known threats. These rules are constantly being updated to keep up with the latest threats. The PiRogue comes pre-configured with rules from ProofPoint Emerging Threat Open and Echap, two reputable sources of threat intelligence.
Visualizing analysis results in the dashboard
The results of the PiRogue’s automatic analysis can be visualized in the dashboard. This dashboard provides a graphical overview of the network traffic that has been analyzed, as well as any threats that have been detected. The dashboard also allows users to drill down into the details of specific network flows to learn more about them.
By default, your PiRogue exposes a Grafana dashboard showing in realtime the ongoing network connections, security alerts and few other information. Checkout the cheatsheet to get default user and password of the dashboard.
Depending on your network configuration, this link above may not work. If so, check how to get the IP address of your PiRogue in the previous section.
The default dashboard is composed of different panels, we will go through the main ones.
This panel displays various information:
- the number of different devices that have been connected to the PiRogue’s Wi-Fi network during the selected period of time
- the number of security alerts that have occurred during the selected period of time
- the amount of network traffic exchanged between connected devices and the Internet during the selected period of time
- the number of network flows that have occurred during the selected period of time
- the number of different domains that have been contacted during the selected period of time
This panel displays the location of the different servers the connected devices have been communicating with during the selected period of time.
List of flows
This panel displays the different network flows that have occurred during the selected period of time:
- the time at which the flow as started
- the category of traffic that has been identified by NFStream
- the type of application that has generating this flow
- the domain name of the contacted server
- the IP address of the source of the flow
- the IP address of the destination of the flow
- the country where the remote server is located at
- the amount of network traffic associated to this flow
List of security alerts
This panel displays the different security alerts generated by Suricata that have occurred during the selected period of time:
- the time of the alert. If you click on it, you will get the details of the selected alert)
- the severity of the alert
- the type of threat associated to the alert
- the name of the rule corresponding to the alert
- the IP address of the source of the flow associated to the alert
- the IP address of the destination of the flow associated to the alert