HOWTO : SmoothSec 3.2 (beta) as Intrusion Prevention System (IPS)

I am going to show you how to build an affordable Intrusion Prevention System (IPS) for home, SOHO or small-business use. With Suricata's default settings, SmoothSec on the hardware below struggles even with YouTube at 360p. Once tuned, it copes with YouTube at 720p over a 10Mb Internet connection; it still lags, but it is watchable. Note that the whole setup also sits behind a router (Untangle, on the same motherboard, CPU and RAM).



Hardware



Motherboard - Intel Desktop Board D510MO

RAM - 4GB DDR2 (2 x 2GB)

Hard Drive - 320GB

Network Card 0 - Onboard Gigabit

Network Card 1 - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)

Network Card 2 - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (100Mb/s full duplex)



Software



Operating System - SmoothSec 3.2 beta (64-bit). The beta build is no longer available; download version 3.2 from the official site (linked under Reference). The beta and the release are the same.



Setup



Internet -- Router -- SmoothSec -- Switch -- Personal Computers



Network Card 0 and 1 will be bridged together as br0 (the inline pair), while Network Card 2 will be the management interface.



Step 1 :



To start, connect only Network Card 2 to the Switch and leave Network Card 0 and 1 unplugged. The box needs Internet access (through your existing router) for the installation.



Step 2 (IDS Mode) :



Install SmoothSec as usual. When prompted to install non-free network interface firmware, skip it. After the installation the box reboots.



Login as "root" with password "toor". Change this default password straight away with "passwd": the box sits inline on your LAN and its web interface is reachable from every PC behind it.



Step 3 (Bug Fix):



Suricata



nano /etc/suricata/suricata.yaml



Locate "- fast:" and change "enabled: no" to "enabled: yes".



Locate "- drop:" and change "enabled: no" to "enabled: yes".



Locate "HOME_NET: '[192.168.1.0/24]'" and change to "HOME_NET: '[192.168.0.0/24]'".



* or whatever your LAN subnet actually is. HOME_NET decides which side of a connection the rules treat as internal, so getting it wrong silently disables a large part of the rule set.



Time Zone for Snorby



If your time zone is not UTC, run the following command:



dpkg-reconfigure tzdata



Choose "None of the above" and then "UTC"; otherwise Snorby reports wrong timestamps.



nano /var/www/snorby/config/snorby_config.yml



Make sure the "production:" section has "timezone_search: false".



Make sure "time_zone: 'UTC'" is commented out.



Set your own time zone in the Snorby web interface once it is available after Step 5.



Email feature of Snorby



apt-get install postfix libxrender-dev libfontconfig1



Configure Postfix for your network in "/etc/postfix/main.cf".



nano /var/www/snorby/config/initializers/mail_config.rb



Uncomment the lines just below "# Sendmail Example:".



Step 4 :



Connect Network Card 0 to router and Network Card 1 to Switch.



Normally, Network Card 0 will be eth0, Network Card 1 eth1 and Network Card 2 eth2. Check with "ip link" if in doubt.



nano /etc/network/interfaces



Comment out every existing eth2 entry.



Append the following:



auto eth2

iface eth2 inet static

   address 192.168.0.120

   netmask 255.255.255.0

   gateway 192.168.0.1




* where "address" is the SmoothSec management IP address and "gateway" is the IP address of your router.



nano /etc/init.d/bridge



Change "net1=eth1" to "net1=eth0"

Change "net2=eth2" to "net2=eth1"

Change "brctl addif $br eth1" to "brctl addif $br eth0"

Change "brctl addif $br eth2" to "brctl addif $br eth1"



update-rc.d bridge defaults



Step 5:



Run the script "smoothsec.first.setup" in the terminal.



Type "br0" when asked for the monitor network interface.



Select "Snort" or "Suricata" as IDS Engine. I choose "Suricata".



Then reboot.



Once it is up, go to one of the Personal Computers and browse to "https://192.168.0.120". Set the time zone and your report email address there.



Step 6 (IPS Mode):



Run the box in IDS mode for at least a day before switching it to IPS (inline) mode with the steps below; otherwise Snorby cannot capture the traffic. The IDS period also shows you which rules fire on your normal traffic, which matters once the same rules start dropping packets.



Suricata



nano /etc/suricata/suricata.yaml



Locate "rule-files:" and append "- local.rules" under "- emerging.rules".



cd /etc/suricata/rules



touch local.rules



* add your own rules to "local.rules". After every change, restart Suricata (command below).



Locate "nfq:" and uncomment every item in that section except "# fail-open: yes", which requires Linux kernel 3.6 or later.



/etc/init.d/suricata restart



* wait several minutes before expecting Internet access: until Suricata has loaded its rules and bound to the NFQUEUE queues, the kernel has nowhere to send the queued packets and drops them.
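As an added example for the local.rules step above (this is not SmoothSec's or Suricata's own code), here is a small constructed local.rules together with a lint pass to run before restarting the engine. The rules, the file path and the SID range convention (1000000-1999999 for local rules) are assumptions for the example; a bad line in local.rules stops Suricata from starting, and in inline mode that takes the LAN offline.

```shell
#!/bin/sh
# Added example for the local.rules step; not part of SmoothSec or Suricata.
# Writes a small, constructed local.rules and lints it before you restart
# Suricata, because a malformed line stops the engine from starting and, in
# inline mode, takes the LAN offline.

# Constructed sample rules. "drop" only takes effect when Suricata runs in
# inline (-q) mode; in IDS mode a drop rule behaves like alert.
# SIDs 1000000-1999999 are reserved for local rules and never collide with
# the Emerging Threats or VRT rule sets pulled in by PulledPork.
sample_local_rules() {
    cat <<'EOF'
# Block cleartext FTP logins from the LAN to the Internet
drop tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"LOCAL FTP login to Internet blocked"; flow:to_server,established; content:"USER "; depth:5; classtype:policy-violation; sid:1000001; rev:1;)
# Log, but do not block, DNS lookups of a name you are watching
alert udp $HOME_NET any -> any 53 (msg:"LOCAL DNS query for sinkhole.example"; content:"|08|sinkhole|07|example"; nocase; classtype:bad-unknown; sid:1000002; rev:1;)
EOF
}

# lint_rules FILE: returns 0 when every rule line has a known action, a sid
# in the local range, a rev, and no sid appears twice. Messages go to stderr.
lint_rules() {
    file=$1; status=0; seen=""; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;
        esac
        action=${line%% *}
        case "$action" in
            alert|drop|pass|reject) ;;
            *) echo "line $lineno: unknown action '$action'" >&2; status=1 ;;
        esac
        sid=$(printf '%s\n' "$line" | sed -n 's/.*[; ]sid:\([0-9]*\);.*/\1/p')
        if [ -z "$sid" ]; then
            echo "line $lineno: missing sid" >&2; status=1
        elif [ "$sid" -lt 1000000 ] || [ "$sid" -gt 1999999 ]; then
            echo "line $lineno: sid $sid outside local range 1000000-1999999" >&2; status=1
        else
            case " $seen " in
                *" $sid "*) echo "line $lineno: duplicate sid $sid" >&2; status=1 ;;
            esac
            seen="$seen $sid"
        fi
        case "$line" in
            *"rev:"[0-9]*";"*) ;;
            *) echo "line $lineno: missing rev" >&2; status=1 ;;
        esac
    done < "$file"
    return $status
}

# Usage on the box: write, lint, then test-load the whole configuration with
# "suricata -T" before restarting. RULES defaults to a scratch file so that
# running this script never touches /etc/suricata/rules by accident.
RULES=${RULES:-/tmp/local.rules.new}
if [ "${1:-}" = "write" ]; then
    sample_local_rules > "$RULES"
    lint_rules "$RULES" && echo "ok: $RULES passes lint; copy it to /etc/suricata/rules/local.rules and run: suricata -T -c /etc/suricata/suricata.yaml"
fi
```

Run it as "sh lint-local-rules.sh write", copy the file into place, and load the full configuration once with "suricata -T -c /etc/suricata/suricata.yaml" before the restart: -T parses the YAML and every rule file and exits without touching the queues, so a mistake shows up before the LAN loses its Internet access.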



PulledPork



nano /etc/pulledpork/suricata/dropsid.conf



Append the following :



pcre:MS(0[0-9]|1[0-9])-\d+,bugtraq:\d+,cve:20[0-9][0-9]-\d+



* this switches every rule that references an MS bulletin, a Bugtraq ID or a CVE from alert to drop at the next rule update. It is a broad brush: review the alerts from your IDS-mode period first, because a noisy rule in this set will now block traffic.



IPtables



Add the following lines above "exit 0" in "/etc/rc.local":



nano /etc/rc.local



iptables -A INPUT -i br0 -j NFQUEUE --queue-balance 0:3

iptables -A OUTPUT -o br0 -j NFQUEUE --queue-balance 0:3

iptables -A FORWARD -i br0 -o br0 -j NFQUEUE --queue-balance 0:3



* note that my CPU presents four logical cores (the Atom D510 is dual-core with Hyper-Threading), hence four queues. With eight, "--queue-balance" will be "0:7".



Suricata Startup Script



nano /etc/init.d/suricata



Locate "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -i $INTERFACES -D"



Replace with "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -q0 -q1 -q2 -q3 -D"



Locate "/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i $INTERFACES -n 'Suricata' -d /var/log/suricata/ -m unified2.alert.* -D"



Replace with "/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i br0 -n 'Suricata' -d /var/log/suricata/ -m unified2.alert.* -D"




* make sure you do it twice as there are 2 entries at the file.

** with eight logical cores it will be "-q0 -q1 -q2 -q3 -q4 -q5 -q6 -q7". The number of "-q" flags must cover the whole "--queue-balance" range; packets balanced onto a queue that nothing has bound are dropped.



Then reboot your box. Again, wait several minutes before you can connect to the Internet.
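As an added example for the NFQUEUE step above (not SmoothSec's own script), the following derives the queue range and the matching Suricata "-q" flags from the number of logical CPUs, prints the three rc.local rules for the bridge, and reads the kernel's queue table so you can see whether Suricata has bound every queue and whether packets are being dropped because a queue is full. It assumes the inline bridge is br0 as set up in Step 4; the optional "--queue-bypass" flag is something the page does not use and is shown here as the iptables-side alternative to "fail-open: yes".

```shell
#!/bin/sh
# Added example for the NFQUEUE step; not SmoothSec's own script.
# Derives the queue range and the matching Suricata -q flags from the number
# of logical CPUs, prints the iptables rules for the bridge, and checks the
# kernel's queue table once Suricata is running.
# Assumption: the inline bridge is br0, as set up in Step 4.

BRIDGE=${BRIDGE:-br0}

# Logical CPUs; the Atom D510 reports 4 (2 cores x Hyper-Threading).
cpu_count() {
    getconf _NPROCESSORS_ONLN 2>/dev/null || nproc
}

# nfq_balance N -> "0:N-1", the --queue-balance argument for N queues.
nfq_balance() {
    n=$1
    [ "$n" -ge 1 ] || n=1
    echo "0:$((n - 1))"
}

# suricata_queue_flags N -> "-q0 -q1 ... -q(N-1)". Every queue in the
# balance range needs a -q flag: packets balanced onto a queue nobody has
# bound are dropped by the kernel, not forwarded.
suricata_queue_flags() {
    n=$1; i=0; flags=""
    while [ "$i" -lt "$n" ]; do
        flags="${flags}${flags:+ }-q$i"
        i=$((i + 1))
    done
    echo "$flags"
}

# nfq_iptables_rules N [bypass]: the three rc.local lines. FORWARD is the
# one that carries bridged LAN<->Internet traffic; INPUT/OUTPUT only see
# packets to and from the bridge's own address. "bypass" adds
# --queue-bypass (kernel 2.6.39 or later): packets pass uninspected while
# no process is bound to the queue, i.e. fail-open instead of the default
# fail-closed behaviour that costs the LAN its Internet access whenever
# Suricata is still loading rules or has died.
nfq_iptables_rules() {
    n=$1; extra=""
    if [ "${2:-}" = "bypass" ]; then extra=" --queue-bypass"; fi
    bal=$(nfq_balance "$n")
    printf 'iptables -A INPUT -i %s -j NFQUEUE --queue-balance %s%s\n' "$BRIDGE" "$bal" "$extra"
    printf 'iptables -A OUTPUT -o %s -j NFQUEUE --queue-balance %s%s\n' "$BRIDGE" "$bal" "$extra"
    printf 'iptables -A FORWARD -i %s -o %s -j NFQUEUE --queue-balance %s%s\n' "$BRIDGE" "$BRIDGE" "$bal" "$extra"
}

# queue_stats [TABLE]: one line per bound queue from the kernel's table
# (/proc/net/netfilter/nfnetlink_queue): queue number, packets waiting for a
# verdict, packets dropped because the queue was full. Rising drops while
# YouTube stutters means Suricata cannot keep up, which is what Step 8 tunes.
queue_stats() {
    table=${1:-/proc/net/netfilter/nfnetlink_queue}
    [ -r "$table" ] || return 1
    awk 'NF { printf "queue %s waiting %s dropped %s\n", $1, $3, $6 }' "$table"
}

# queues_bound N [TABLE]: 0 when at least N queues have a listener.
queues_bound() {
    n=$1
    bound=$(queue_stats "${2:-}" | wc -l | tr -d ' ')
    [ "$bound" -ge "$n" ]
}

# Print what belongs in rc.local and in the suricata init script for this box.
if [ "${1:-}" = "show" ]; then
    n=$(cpu_count)
    nfq_iptables_rules "$n"
    echo "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml $(suricata_queue_flags "$n") -D"
fi
```

"sh nfq-setup.sh show" prints the rules and the command line for the CPU count it finds. After the reboot, "queues_bound 4" (or "cat /proc/net/netfilter/nfnetlink_queue") tells you whether Suricata has actually attached to all four queues; until it has, the "several minutes without Internet" above is exactly the fail-closed behaviour described in the comments. The bridge only hands frames to iptables when "sysctl net.bridge.bridge-nf-call-iptables" is 1, so check that too if the FORWARD rule never counts any packets.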



Step 7:



To update SmoothSec, run the following commands (you can put them in a script). The rules are updated automatically in the early morning every day.



apt-get update

apt-get dist-upgrade

apt-get --purge autoclean

apt-get --purge autoremove

# update SmoothSec

cd /root/updates/

git pull origin master

# update Snorby

cd /var/www/snorby

git pull origin master

rake snorby:update

cd ~

# update pigsty

npm update -g pigsty

npm update -g pigsty-mysql

# update Suricata rules

smoothsec.suricata.rules.update




Step 8 (Suricata Tuning) :



nano /etc/suricata/suricata.yaml



Change "max-pending-packets: 1024" to "max-pending-packets: 65000".



Locate "detect-engine" and change "- profile: medium" to "- profile: high".



Locate "mpm-algo: ac" and insert "detect-engine.sgh-mpm-context: full" above it (equivalently, set "- sgh-mpm-context: full" in the "detect-engine" list). "full" builds a separate pattern-matcher context per signature group: faster matching, noticeably more memory.



Then restart Suricata. Again, wait several minutes before you can connect to the Internet.



/etc/init.d/suricata restart
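The suricata.yaml edits of Step 3 (fast and drop output, HOME_NET), Step 6 (nfq section) and Step 8 (tuning) are all hand edits to a long file, and a restart with a half-applied edit takes the LAN offline in inline mode. As an added example (not part of SmoothSec or Suricata), the script below reads those values back out of the file so you can see that each edit actually took. The sample file it carries is constructed in the layout of the Suricata 1.x suricata.yaml with the edits applied; the file paths and the expected values are assumptions taken from the steps above.

```shell
#!/bin/sh
# Added example covering the suricata.yaml edits of Steps 3, 6 and 8; it is
# not part of SmoothSec or Suricata. Reads the settings back out of the file
# so a hand edit can be verified before the engine is restarted.

# yaml_value FILE SECTION KEY: print the value of the first KEY line inside
# SECTION (a top-level key or a "- name:" list item); SECTION "" searches
# the whole file. KEY is an awk ERE. It understands the indentation-based
# layout of suricata.yaml and nothing more; it is not a YAML parser.
yaml_value() {
    awk -v sec="$2" -v key="$3" -v q="\"'" '
        function indent(s) { match(s, /^ */); return RLENGTH }
        /^ *$/ || /^ *#/ { next }                     # blank or comment line
        sec != "" && !insec {                         # still looking for the section
            if ($0 ~ ("^ *-? *" sec ":")) { insec = 1; base = indent($0) }
            next
        }
        sec != "" && indent($0) <= base { exit }      # dedent: left the section
        $0 ~ ("^ *-? *" key ":") {
            sub(/^ *-? *[^:]*: */, "")                # drop the key
            sub(/ *#.*$/, "")                         # drop a trailing comment
            gsub("^[" q "]|[" q "]$", "")             # drop surrounding quotes
            print; exit
        }' "$1"
}

# check_value LABEL ACTUAL WANT: one PASS/FAIL line; returns 1 on mismatch.
check_value() {
    if [ "$2" = "$3" ]; then
        printf 'PASS %-18s %s\n' "$1" "$2"
    else
        printf 'FAIL %-18s got "%s", want "%s"\n' "$1" "$2" "$3"
        return 1
    fi
}

# check_suricata_yaml FILE HOME_NET: 0 when every edit from Steps 3, 6 and 8
# is in place. Pass the HOME_NET your LAN really uses. An nfq "mode" that
# is still commented out shows up here as an empty value.
check_suricata_yaml() {
    f=$1; rc=0
    check_value fast.enabled    "$(yaml_value "$f" fast enabled)"  yes    || rc=1
    check_value drop.enabled    "$(yaml_value "$f" drop enabled)"  yes    || rc=1
    check_value HOME_NET        "$(yaml_value "$f" '' HOME_NET)"   "$2"   || rc=1
    check_value nfq.mode        "$(yaml_value "$f" nfq mode)"      accept || rc=1
    check_value max-pending     "$(yaml_value "$f" '' max-pending-packets)" 65000 || rc=1
    check_value profile         "$(yaml_value "$f" detect-engine profile)" high  || rc=1
    check_value sgh-mpm-context "$(yaml_value "$f" '' '(detect-engine[.])?sgh-mpm-context')" full || rc=1
    check_value mpm-algo        "$(yaml_value "$f" '' mpm-algo)"   ac     || rc=1
    return $rc
}

# Constructed fragment in the layout of the Suricata 1.x suricata.yaml, with
# the edits from Steps 3, 6 and 8 applied. Not a real SmoothSec file.
sample_suricata_yaml() {
    cat <<'EOF'
%YAML 1.1
---
max-pending-packets: 65000
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - drop:
      enabled: yes
      filename: drop.log
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
nfq:
  mode: accept
  repeat-mark: 1
  repeat-mask: 1
  route-queue: 2
  batchcount: 20
#  fail-open: yes
detect-engine:
  - profile: high
  - custom-values:
      toclient-src-groups: 2
  - sgh-mpm-context: full
  - inspection-recursion-limit: 3000
mpm-algo: ac
EOF
}

# Usage on the box: sh check-suricata-yaml.sh check '[192.168.0.0/24]'
if [ "${1:-}" = "check" ]; then
    check_suricata_yaml /etc/suricata/suricata.yaml "${2:-[192.168.0.0/24]}"
fi
```

Run the check after each editing session and follow it with "suricata -T -c /etc/suricata/suricata.yaml", which parses the configuration and rules without starting capture; between the two you catch both a forgotten edit and a YAML indentation mistake before "/etc/init.d/suricata restart" takes the bridge out of service.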



Known Issue



(1) Remember that the box keeps UTC time.

(2) You may need to disable rule 1:2100527, which fires on packets with the same source and destination IP address, in "/etc/pulledpork/suricata/disablesid.conf". Restart Suricata afterwards.

(3) Pattern matchers other than ac (b2g, b3g, wumanber) need more than 4GB of RAM.

(4) With ac, 4GB of memory and the Intel Atom D510, YouTube at 720p lags with about 20,000 active rules.

(5) With an nVidia card (nVidia and CUDA drivers installed) you can build Suricata with "--enable-cuda --enable-nfqueue" and set "mpm-algo: b2g_cuda" in "/etc/suricata/suricata.yaml". You need more than 4GB of memory; the rest of the setup is the same as above.



Debug the mailing feature



Run the following commands only if you really need to.



cd /var/www/snorby



bundle exec rails c production

Snorby::Jobs::SensorCacheJob.new(true).perform

Snorby::Jobs::DailyCacheJob.new(true).perform
(this command does not exist in Snorby version 2.6.2)



Reference



Snorby GitHub

Suricata

SmoothSec

Pigsty

Suricata Performance Tuning

SmoothSec WiKi - for installation



That's all! See you.