Beholder

Destruct_Icon

:The Beholder Script:

This is Destruct_Icon from MalWerewolf and I would like to introduce you to the Beholder script. This script allows you to take advantage of free software that may help you identify malware on your network. The origins of this script spawned from the needs of administrators who did not have the resources available to them to learn how these programs work but had the requirements looming over their head of having packet capture and detection systems in place to pinpoint malicious behavior.

Let’s face it, if you are an admin, or one of a few, working for a small to medium sized business, it gets more and more difficult to find time to do research and development on your security stack. So what does this eventually lead to? Lots of $$$. The need to burn cash on hardware/software then turns into a situation of trying to justify that cost with upper management or owners. You are then required to keep up support contracts just to get help when appliances don’t quite work as intended. Although this doesn’t tend to be as much of an issue in a larger company, it gets frustrating when you are trying to justify keeping a piece of security equipment, or renewing support for proprietary software, in a small business. We are hoping this may be able to alleviate some of your issues while giving you a foundation to build on for the future of your security environment.

Download Location:

https://github.com/malwerewolf/beholder

Let’s talk about what’s in the box. Don’t worry, there’s no hole in this one.

Bro (https://www.bro.org/)

Bro will be your network analyzer. We have had a lot of success at identifying malicious behavior on a network simply by using log sources from Bro.

ELK (https://www.elastic.co/)

ELK is Elasticsearch, Logstash and Kibana. Logstash will be what parses your data, preps it for Elasticsearch consumption and hands it over to Elasticsearch. Elasticsearch will store your data and give you the ability to analyze it. Kibana is your eyes into the Elasticsearch indexes.

Libtrace (http://research.wand.net.nz/software/libtrace.php)

Libtrace has a set of tools which allows you to do packet captures and works very well in small or large environments.

Minimum Requirements:

The purpose of this post is to give quick highlights of what the script is doing as it gets installed. We went with a “bootstrap” format, where our script is strictly a bash shell script that downloads all the necessary dependencies while also configuring each of the applications to run from the get-go. There are only a few user input prompts throughout the script, and they are at the beginning and end. Before we start, be sure to run “git clone https://github.com/MalWerewolf/beholder.git” to pick up the latest version of the Beholder script.

Step 1: Run the Script

`sudo sh beholder.sh`

[Screenshot: beholderDI1]

Step 2: Enter a Password

`Enter new UNIX password: pancakes`

[Screenshot: beholderDI2]

Step 3: Watch an Interface

[Screenshot: beholderDI3]

Step 4: Profit

[Screenshot: beholderDI4]

That’s all folks! You should have a brand spanking new setup of the ELK stack alongside Bro. All the configurations have been provided and should get you up and running quickly.
A few things to reiterate:

After you have waited a few moments, you can jump into Kibana located at localhost:5601 and set your “bro*” index. This will allow you to start reviewing all of the data that Bro has been identifying. Thank you for taking the time to read through this wall of text and I hope the Beholder script is useful in your environment. If you have any questions, please don’t hesitate to ask me by e-mail at destruct_icon@malwerewolf.com or leave a comment. I will be updating this script with new features as I can get around to them as well as consistently updating the tools when necessary. I will be providing more information about the tools in some upcoming posts so watch out for it! For now, Soundwave, Jam this transmission!
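Once the script has finished, it helps to confirm that the pieces described above (Bro feeding Logstash, Logstash feeding Elasticsearch, Kibana reading the “bro*” indexes) are actually wired up before you start hunting in Kibana. The script below is an added example written for this post; it is not part of the Beholder repository. It assumes the default ports the post refers to (Elasticsearch on 127.0.0.1:9200, Kibana on 127.0.0.1:5601), that Bro runs under the process name `bro`, and that the indexes Logstash creates start with `bro` so that Kibana’s “bro*” pattern matches them. The `_cat/indices` output and the Bro conn.log header embedded in it are constructed samples so the offline part runs anywhere; set `BEHOLDER_LIVE=1` on the Beholder host to run the live checks instead.

```shell
#!/usr/bin/env bash
# Post-install sanity check for a Beholder host.
# Added example for this post, not part of the Beholder repository.
# Assumptions: Elasticsearch on 127.0.0.1:9200, Kibana on 127.0.0.1:5601,
# Bro's process name is "bro", and Bro indices are named bro-* so that the
# "bro*" Kibana index pattern from the post picks them up.

# Constructed sample of `curl -s 127.0.0.1:9200/_cat/indices` output.
SAMPLE_CAT='green  open bro-2018.01.01 aBcDeF 5 1 1200 0 1.2mb 1.2mb
green  open .kibana        GhIjKl 1 0    3 0  10kb  10kb
yellow open bro-2018.01.02 MnOpQr 5 1   30 0 100kb 100kb'

# Constructed sample of the header Bro writes at the top of conn.log.
# Bro logs are tab-separated; the #fields line names the columns that
# Logstash has to map before Elasticsearch ever sees a record.
SAMPLE_CONN_HEADER=$(printf '#path\tconn\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n')

# Print the index names (from _cat/indices on stdin) that "bro*" will match.
# Column 3 of _cat/indices is the index name.
bro_indices() { awk '$3 ~ /^bro/ { print $3 }'; }

# Print the column names a Bro log declares in its #fields line (log on stdin).
bro_fields() { awk -F '\t' '$1 == "#fields" { for (i = 2; i <= NF; i++) print $i }'; }

# Count lines on stdin, stripping the leading spaces BSD wc prints.
count_lines() { wc -l | tr -d ' '; }

# Return 0 if something is listening on 127.0.0.1:$1 (bash /dev/tcp, no nc needed).
port_open() { (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null; }

# Live check of the stack the script installs; only used when BEHOLDER_LIVE=1.
check_stack() {
  rc=0
  for p in 9200 5601; do
    if port_open "$p"; then
      echo "ok   port $p listening"
    else
      echo "FAIL port $p closed"; rc=1
    fi
  done
  if pgrep -x bro >/dev/null 2>&1; then
    echo "ok   bro process running"
  else
    echo "FAIL no bro process (is the chosen interface up?)"; rc=1
  fi
  n=$(curl -s 127.0.0.1:9200/_cat/indices | bro_indices | count_lines)
  echo "bro* indices present: $n"
  [ "$n" -gt 0 ] || rc=1
  return $rc
}

if [ "${BEHOLDER_LIVE:-0}" = "1" ]; then
  check_stack
else
  echo "Offline demo (set BEHOLDER_LIVE=1 on the Beholder host for a live check):"
  printf '%s\n' "$SAMPLE_CAT" | bro_indices
  printf '%s\n' "$SAMPLE_CONN_HEADER" | bro_fields | head -3
fi
```

If `bro* indices present` stays at 0 while port 9200 is open, the gap is usually between Bro and Logstash (no log files yet, or the Logstash input path not matching where Bro writes), which is the place to look before touching Kibana.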



 © 2018 -