Hedgehog Linux

Network Traffic Capture Appliance

Hedgehog Linux is a Debian-based operating system built to

• monitor network interfaces
• capture packets to PCAP files
• detect file transfers in network traffic and extract and scan those files for threats
• generate and forward Zeek logs, Arkime sessions, and other information to Malcolm

• Sensor installation
  • Image boot options
  • Installer
• Boot
  • Kiosk mode
• Configuration
  • Configure Hostname, Interfaces and Time Sync
  • Configure Capture
    • Capture
    • File extraction and scanning
  • Configure Forwarding
    • arkime-capture: Arkime session forwarding
    • ssl-client-receive: Receive client SSL files for filebeat from Malcolm
    • filebeat: Zeek and Suricata log forwarding
    • miscbeat: System metrics forwarding
    • acl-configure: Configure ACL for artifact reachback from Malcolm
    • tags-configure: Specify extra tags for forwarded logs
  • Autostart services
  • Managing disk usage
  • Zeek Intelligence Framework
  • Custom Rules, Scripts and Plugins
  • Tuning
    • Zeek
    • Arkime
    • Suricata
• Appendix A - Generating the ISO
• Appendix B - Generating a Raspberry Pi Image
• Appendix C - Configuring SSH access
• Appendix D - Troubleshooting
• Appendix E - Hardening
  • Compliance exceptions
• Appendix F - Upgrades