HOWTO : Intrusion Detection System (IDS) made easy with SmoothSec 3.2

Building an IDS (Intrusion Detection System) at home/SOHO is not a dream today. SmoothSec 3.2 is designed for deploying IDS without tear. You can use a very low-end hardware for this purpose. To deploy IDS, you are required at least 2 NICs (Network Interface) if you have a management switch with SPAN port. If you do not have this piece of expensive device, you can build one with 3 NICs.



Hardware



Motherboard - Intel Desktop Board D510MO

RAM - 4GB DDR2 (2 x 2GB)

Hard Drive - 320GB

Network Card 0 - Onboard Gigabit

Network Card 1 - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)

Network Card 2 - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)



Software



Operating System - Debian 7 (Wheezy)
IDS/IPS pre-configured system - SmoothSec 3.2 (64-bit).

IDS/IPS Engine - Suricata



Setup



Internet -- Router -- SmoothSec -- Switch -- Personal Computers



Network Card 0 and 1 will be bridged up while Network Card 2 will be a management interface.



Step 1 :



First of all, SmoothSec (Network Card 2) is connected to the Switch while Network Card 0 and 1 do not connect to the router. It is because you need to connect to the internet for the installation.



Step 2 :



Install SmoothSec as usual or follow the wiki. During the installation, you may be prompted some firmware are missing, you just ignore it as some firmware for Realtek 8169 are missing. It is harmless to do so. After installed, the box will be reboot.



Login as "root" with password "toor".



Step 2a :



To improve the SmoothSec :



apt-get --purge remove arpwatch

apt-get install arpalert openjdk-7-jre fail2ban

cd /etc/arpalert/

mv oui.txt oui.txt.old

wget http://standards.ieee.org/regauth/oui/oui.txt




Step 3 (Configuration of Suricata) :



Suricata



nano /etc/suricata/suricata.yaml



Locate "- fast:" and change "enabled: no" to "enabled: yes".



Locate "- drop:" and change "enabled: no" to "enabled: yes".



Time Zone for Snorby



If your time zone is not UTC, you should run the following command :



dpkg-reconfigure tzdata



Set the time zone for "UTC" at "None of the above"; otherwise, the Snorby will reported wrong timestamp.



Set your time zone at the Snorby web interface when it is available after Step 5.



Email feature of Snorby



apt-get install postfix



Configure the Postfix properly according to your network at "/etc/postfix/main.cf".



nano /var/www/snorby/config/initializers/mail_config.rb



Uncomment the lines just below "# Sendmail Example:".



Step 4 :



Connect Network Card 0 to router and Network Card 1 to Switch.



Normally, Network Card 0 will be eth0, Network Card 1 will be eth1 and Network Card 2 will be eth2.



nano /etc/network/interfaces



Comment all about eth2 entries.



Append the following :



auto eth2

iface eth2 inet static

   address 192.168.0.120

   netmask 255.255.255.0

   gateway 192.168.0.1




* where the "address" is your SmoothSec IP address and "gateway" is the IP address of your router.



nano /etc/init.d/bridge



Change "net1=eth1" to "net1=eth0"

Change "net2=eth2" to "net2=eth1"

Change "brctl addif $br eth1" to "brctl addif $br eth0"

Change "brctl addif $br eth2" to "brctl addif $br eth1"



update-rc.d bridge defaults



Step 5:



Run the script "smoothsec.first.setup" in the terminal.



Type "br0" when asking for monitor network interface.



Select "Snort" or "Suricata" as IDS Engine. I choose "Suricata".



Email address and password are for Snorby web interface login.



Then reboot.



Once boot up, go to one of the Personal Computers and browse "https://192.168.0.120". Then set the time zone and your report email address accordingly.



Step 6:



To update SmoothSec, you need to do the following commands (you can make a script to do so). The rules will be updated automatically in the early morning every day.



apt-get update

apt-get dist-upgrade

apt-get --purge autoclean

apt-get --purge autoremove

# update SmoothSec

cd /root/updates/

git pull origin master




Debug the mailing feature



Do not run the following commands unless you really need to.



cd /var/www/snorby



bundle exec rails c production

Snorby::Jobs::SensorCacheJob.new(true).perform



Known Issue



Pigsty will crash randomly. As a result, no capture in Snorby. The problem has been reported, see here. --> The workaround is to run a testing bash script on every 5 minutes to start Pigsty again.



nano /root/chkpigstylog



#!/bin/bash

# Check if "Error: " in pigsty.log or not. If yes, start Pigsty again.

STRING="Error: "

if grep -R "$STRING" /var/log/pigsty.log

then

   /root/runpigsty

fi




nano /root/runpigsty



#!/bin/bash

/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i eth0 -n "Suricata" -d /var/log/suricata/ -m unified2.alert.* -D




crontab -e

*/5 * * * * /root/chkpigstylog




Update



Developers just fixed the problem. You just upgrade the Pigsty with the following command :



npm update pigsty-mysql -g

npm update pigsty -g




Reference



Snorby GitHub

Suricata

SmoothSec

Pigsty

SmoothSec WiKi - for installation



That's all! See you.