HOWTO : Intrusion Detection System (IDS) made easy with SmoothSec 3.2
Building an IDS (Intrusion Detection System) at home or for a SOHO is no longer a dream. SmoothSec 3.2 is designed for deploying an IDS without tears, and very low-end hardware is enough for this purpose. To deploy an IDS you need at least 2 NICs (Network Interface Cards) if you have a managed switch with a SPAN port. If you do not have this expensive piece of equipment, you can still build one inline with 3 NICs.
Hardware
Motherboard - Intel Desktop Board D510MO
RAM - 4GB DDR2 (2 x 2GB)
Hard Drive - 320GB
Network Card 0 - Onboard Gigabit
Network Card 1 - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)
Software
Operating System - Debian 7 (Wheezy)
IDS/IPS pre-configured system - SmoothSec 3.2 (64-bit).
IDS/IPS Engine - Suricata
Setup
Internet -- Router -- SmoothSec -- Switch -- Personal Computers
Network Card 0 and 1 will be bridged up while Network Card 2 will be a management interface.
Step 1 :
First of all, SmoothSec (Network Card 2) is connected to the Switch, while Network Card 0 and 1 are not connected to the router. This is because you need an internet connection for the installation.
Step 2 :
Install SmoothSec as usual or follow the wiki. During the installation you may be prompted that some firmware is missing; just ignore it, as the missing firmware is for the Realtek 8169 and doing so is harmless. After installation, the box will reboot.
Login as "root" with password "toor".
Step 2a :
To improve the SmoothSec :
# replace arpwatch with arpalert; add a Java runtime (needed by Snorby's wkhtmltopdf-less reporting) and fail2ban
apt-get --purge remove arpwatch
apt-get install arpalert openjdk-7-jre fail2ban
# refresh arpalert's OUI (MAC vendor) database from IEEE
cd /etc/arpalert/
mv oui.txt oui.txt.old
wget http://standards.ieee.org/regauth/oui/oui.txt
Step 3 (Configuration of Suricata) :
Suricata
nano /etc/suricata/suricata.yaml
Locate "- fast:" and change "enabled: no" to "enabled: yes".
Locate "- drop:" and change "enabled: no" to "enabled: yes".
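The two edits in this step, scripted so the result can be verified rather than eyeballed. This is an added example and not part of the original post; it runs on a constructed stub of the "outputs:" section rather than the real /etc/suricata/suricata.yaml, and assumes Suricata's two-space list indentation for output blocks.

```shell
#!/bin/sh
# Added example (not from the post): script Step 3's two suricata.yaml edits and verify them.
# make_sample_yaml FILE: write a constructed stub of the "outputs:" section (sample data, not the real file)
make_sample_yaml() {
  cat > "$1" <<'EOF'
outputs:
  - fast:
      enabled: no
      filename: fast.log
  - drop:
      enabled: no
      filename: drop.log
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
EOF
}

# output_enabled FILE NAME: print the "enabled:" value of the "- NAME:" output block
output_enabled() {
  awk -v name="- $2:" '
    $0 ~ (name "$")       { inblock = 1; next }   # entered the requested block
    inblock && /^  - /    { inblock = 0 }         # next list item ends the block
    inblock && /enabled:/ { print $2; exit }
  ' "$1"
}

# set_output FILE NAME yes|no: rewrite that block's first "enabled:" line in place
set_output() {
  awk -v name="- $2:" -v val="$3" '
    $0 ~ (name "$")               { inblock = 1; print; next }
    inblock && /^  - /            { inblock = 0 }
    inblock && /enabled:/ && !done { sub(/enabled: *[a-z]+/, "enabled: " val); done = 1 }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# apply_step3 FILE: enable the fast and drop outputs, report the state, fail if either is still "no"
apply_step3() {
  for out in fast drop; do
    [ "$(output_enabled "$1" "$out")" = "yes" ] || set_output "$1" "$out" yes
    echo "$out: enabled: $(output_enabled "$1" "$out")"
  done
  [ "$(output_enabled "$1" fast)" = "yes" ] && [ "$(output_enabled "$1" drop)" = "yes" ]
}
```

Run it against a copy of the real file first (`cp /etc/suricata/suricata.yaml /tmp/s.yaml; apply_step3 /tmp/s.yaml`) and diff the two before touching the live configuration.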
Time Zone for Snorby
If your time zone is not UTC, you should run the following command :
dpkg-reconfigure tzdata
Set the time zone to "UTC" under "None of the above"; otherwise Snorby will report wrong timestamps. Set your own time zone in the Snorby web interface once it is available after Step 5.
Email feature of Snorby
apt-get install postfix
Configure Postfix properly according to your network in "/etc/postfix/main.cf".
nano /var/www/snorby/config/initializers/mail_config.rb
Uncomment the lines just below "# Sendmail Example:".
Step 4 :
Connect Network Card 0 to router and Network Card 1 to Switch.
Normally, Network Card 0 will be eth0, Network Card 1 will be eth1 and Network Card 2 will be eth2.
nano /etc/network/interfaces
Comment out all the existing eth2 entries. Append the following :
auto eth2
iface eth2 inet static
address 192.168.0.120
netmask 255.255.255.0
gateway 192.168.0.1
* where "address" is your SmoothSec IP address and "gateway" is the IP address of your router.
nano /etc/init.d/bridge
Change "net1=eth1" to "net1=eth0"
Change "net2=eth2" to "net2=eth1"
Change "brctl addif $br eth1" to "brctl addif $br eth0"
Change "brctl addif $br eth2" to "brctl addif $br eth1"
update-rc.d bridge defaults
Step 5:
Run the script "smoothsec.first.setup" in the terminal.
Type "br0" when asked for the monitor network interface.
Select "Snort" or "Suricata" as the IDS engine. I chose "Suricata".
The email address and password are for the Snorby web interface login.
Then reboot.
Once it has booted up, go to one of the Personal Computers and browse to "https://192.168.0.120". Then set the time zone and your report email address accordingly.
Step 6:
To update SmoothSec, run the following commands (you can make a script for this). The rules are updated automatically in the early morning every day.
apt-get update
apt-get dist-upgrade
apt-get --purge autoclean
apt-get --purge autoremove
# update SmoothSec
cd /root/updates/
git pull origin master
Debug the mailing feature
Do not run the following commands unless you really need to.
cd /var/www/snorby
bundle exec rails c production
Snorby::Jobs::SensorCacheJob.new(true).perform
Known Issue
Pigsty will crash randomly; as a result, nothing is captured in Snorby. The problem has been reported upstream. The workaround is to run a small bash script every 5 minutes that starts Pigsty again if it has died.
nano /root/chkpigstylog
#!/bin/bash
# Check whether pigsty.log contains "Error: ". If it does and no Pigsty process
# is running, start Pigsty again. The process check stops the cron job from
# launching a second instance every 5 minutes while the old error is still in the log.
STRING="Error: "
if grep -q "$STRING" /var/log/pigsty.log && ! pgrep -f /usr/local/bin/pigsty > /dev/null
then
    /root/runpigsty
fi
nano /root/runpigsty
#!/bin/bash
# Start Pigsty as a daemon (-D), feeding Suricata's unified2 alert files into Snorby
/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i eth0 -n "Suricata" -d /var/log/suricata/ -m unified2.alert.* -D
chmod +x /root/chkpigstylog /root/runpigsty
crontab -e
*/5 * * * * /root/chkpigstylog
Update
The developers have since fixed the problem. Just upgrade Pigsty with the following commands :
npm update pigsty-mysql -g
npm update pigsty -g
Reference
Snorby GitHub
Suricata
SmoothSec
Pigsty
SmoothSec WiKi - for installation
That's all! See you.