GRR

GRR Rapid Response: remote live forensics for incident response

We can add GRR to Security Onion as a Docker container to enhance its current capabilities and leverage the great work from the folks at Google.

Warning

Please keep in mind we do not officially support GRR, so installation is at your own risk.
Also, please keep in mind, this integration currently only works with Security Onion on the Elastic stack (w/ Docker installed).

Installation

To install GRR on Security Onion:

Get the install script:
sudo wget https://raw.githubusercontent.com/weslambert/securityonion-grr/master/install_grr

Make the script executable :
sudo chmod +x install_grr

Run the script:
sudo ./install_grr

Follow the prompts, and once finished, you should be able to navigate to GRR via https://domain.you.specified.
(Note this address in also referenced in /etc/apache2/sites-available/grr.conf.)

Keep in mind, GRR is still accessible at http://localhost:8000, so you will want to make sure only port 443 is allowed externally, or alter your web server settings appropriately.

If you would like to add another user, aside from the default, you can follow the instructions here:

https://github.com/google/grr-doc/blob/master/admin.adoc#user-management

For more information on the GRR Docker image, see here:
https://github.com/google/grr-doc/blob/master/docker.adoc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GRR

GRR

Warning

Installation

Getting Started

Update/Upgrade

Analyst Tools

Network Visibility

Host Visibility

Elastic Stack

Customizing for your network

Tuning

Tricks and Tips

Help

Issues

Other

Scripts

Clone this wiki locally