HOWTO : High Performance IDS/IPS with SmoothSec 3.4
The following Intrusion Detection/Prevention System (IDS/IPS) setup uses AF_PACKET with SmoothSec 3.4. It is intended for low-traffic home and SOHO users (you can consider it a proof of concept). If your traffic is heavy, please consider higher-end hardware.
(A) Hardware
IDS/IPS -
Motherboard - Intel Desktop Board D510MO
CPU - Intel Atom D510 (Dual-core with HT)
RAM - 4GB (2 x 2GB)
Hard Drive - 320GB
Network Card 0 (eth0) - Onboard Gigabit
Network Card 1 (eth1) - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 (eth2) - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)
* You can select (1) Level One USB-0401 USB Gigabit Ethernet Adapter or (2) PCi USB 3.0 Gigabit LAN Adapter UE-1000T-G3 for eth2. However, you need to compile and install the driver yourself.
Update : If you are using the latest Backports kernel, the Level One USB-0401 and PCi UE-1000T-G3 work out of the box.
Router -
Motherboard - Intel Desktop Board D510MO
CPU - Intel Atom D510 (Dual-core with HT)
RAM - 4GB (2 x 2GB)
Hard Drive - 320GB
Network Card 0 (eth0) - Onboard Gigabit
Network Card 1 (eth1) - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
(B) Software
IDS/IPS -
Operating System - Debian 7.0 (Wheezy)
IDS/IPS Pre-configure system - SmoothSec 3.4 (64-bit)
IDS/IPS Engine - Snort (or Suricata)
Unified2 Spooler - Pigsty
Web Interface - Snorby
Rules Management - PulledPork
Router -
Operating System - Untangle 9.4.2 (64-bit)
* Basically, Untangle is a router and Unified Threat Management System (UTM).
(C) Hardware Setup
Internet ---- Router ---- SmoothSec ---- Switch ---- Personal Computers
Router -- eth0 connects to the Internet; eth1 connects to SmoothSec
SmoothSec -- eth0 connects to the Router; eth1 connects to the Switch (uplink or port 1); eth2 connects to the Switch (any port from 2 to 4)
* You can use any router to replace Untangle.
(D) Installation of SmoothSec
Download SmoothSec 3.4 at here or here.
Make sure the SmoothSec box can reach the Internet; otherwise, the installation will fail. Re-arrange the cables if necessary.
Updated : Since the scripts for 3.4 have been updated to 3.4.1, follow the link below to upgrade the scripts to 3.4.1.
Upgrade to scripts version 3.4.1
The 3.4.1 scripts install the newest Backports kernel instead of the Unstable kernel for Suricata IPS mode with AF_PACKET.
After installing SmoothSec, type the following :
smoothsec.first.setup
Snort -
Select "ips-standard" and follow the instructions to install. Please also refer to here for the configuration of the config file. Make sure "AF_ENGINE" is set to "snort". The rules are "et" by default.
After install, reboot your box.
Suricata -
Select "ips-standard" and follow the instructions to install. Please also refer to here for the configuration of the config file. Make sure "AF_ENGINE" is set to "suricata". The rules are "et" by default.
A new Linux kernel 3.10.2 will be installed at the end.
After install, reboot your box.
(E) Configuration of IDS/IPS
You may need to disable and/or drop some rules (by sid).
Snort -
You may need to configure /etc/snort/snort.conf :
nano /etc/snort/snort.conf
For example, if the subnet is 192.168.1.0/24 :
Replace "ipvar HOME_NET any" with "ipvar HOME_NET [192.168.1.0/24]"
Replace "ipvar EXTERNAL_NET any" with "ipvar EXTERNAL_NET ![192.168.1.0/24]"
Restart Snort :
/etc/init.d/snort restart
Disable rules :
nano /etc/pulledpork/snort/disablesid.conf
Drop rules :
nano /etc/pulledpork/snort/dropsid.conf
After doing that, reload the rules :
smoothsec.snort.rules.update
Suricata -
Disable rules :
nano /etc/pulledpork/suricata/disablesid.conf
Drop rules :
nano /etc/pulledpork/suricata/dropsid.conf
After doing that, reload the rules :
smoothsec.suricata.rules.update
* If the rule is too long to disable or drop, you may consider editing "modifysid.conf". For example, to disable and drop the following rule :
To disable the rule :
2013437 "alert" "##alert";
To drop the rule :
2013437 "alert" "drop";
(F) Configuration of Snorby
For example, the sensor IP address is 192.168.1.180. Point your browser to https://192.168.1.180 and enter the Snorby username and password. Set up Snorby according to the SmoothSec wiki.
* If you want to send your Snorby reports via Postfix, you need to install and configure it yourself :
sudo apt-get install postfix
Select "Internet Site" when asked.
(G) IDS/IPS Tuning
There may be some false positive records. Tune the setup by adding the sid to disablesid.conf or dropsid.conf when necessary. When using dropsid.conf, you may also need to set up the firewall on the Router to finish the job.
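The edits in sections (E) and (G) above (HOME_NET/EXTERNAL_NET in snort.conf, sids added to PulledPork's disablesid.conf or dropsid.conf, and modifysid.conf lines) are easy to get wrong when repeated by hand, for example by leaving duplicate entries. The script below is an added example and is not part of SmoothSec or PulledPork; it wraps those edits in idempotent shell functions that take the file path as an argument, so you can try them on copies before touching /etc. It assumes PulledPork reads disablesid.conf/dropsid.conf entries in "gid:sid" form (a bare sid is treated as gid 1), and modifysid.conf lines in the form shown above (sid "from" "to";). The script name ids-tune.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not part of SmoothSec or PulledPork: idempotent helpers for
# the snort.conf and PulledPork edits described above. File paths are
# arguments, so you can exercise the functions on copies first.
# Assumptions: disablesid.conf/dropsid.conf entries are "gid:sid" lines and
# modifysid.conf lines look like:  2013437 "alert" "drop";

# set_home_net CONF CIDR
# Rewrite the HOME_NET / EXTERNAL_NET ipvar lines for CIDR. Running it twice
# with the same CIDR leaves the file unchanged.
set_home_net() {
    conf=$1
    cidr=$2
    tmp=$(mktemp) || return 1
    # '|' as the sed delimiter because a CIDR contains '/'
    sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET [$cidr]|" \
        -e "s|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET ![$cidr]|" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# add_sid FILE GID:SID   (a bare SID is taken as gid 1)
# Append the entry unless an identical line is already present.
add_sid() {
    file=$1
    entry=$2
    case $entry in
        *:*) ;;
        *)   entry="1:$entry" ;;
    esac
    [ -e "$file" ] || : > "$file"
    grep -qxF "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
}

# has_sid FILE GID:SID   -> exit status 0 if the entry is listed
has_sid() {
    grep -qxF "$2" "$1" 2>/dev/null
}

# modify_sid FILE SID FROM TO
# Append a modifysid.conf line such as:  2013437 "alert" "drop";
modify_sid() {
    file=$1
    line=$(printf '%s "%s" "%s";' "$2" "$3" "$4")
    [ -e "$file" ] || : > "$file"
    grep -qxF "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Command-line use (afterwards reload the rules with
# smoothsec.snort.rules.update or smoothsec.suricata.rules.update):
#   sh ids-tune.sh home-net /etc/snort/snort.conf 192.168.1.0/24
#   sh ids-tune.sh sid /etc/pulledpork/snort/disablesid.conf 2013437
#   sh ids-tune.sh sid /etc/pulledpork/snort/dropsid.conf 1:2013437
#   sh ids-tune.sh modify /etc/pulledpork/snort/modifysid.conf 2013437 alert drop
case ${1:-} in
    home-net) set_home_net "$2" "$3" ;;
    sid)      add_sid "$2" "$3" ;;
    modify)   modify_sid "$2" "$3" "$4" "$5" ;;
esac
```

Because each function checks for an existing identical line before appending, you can re-run the same command after every rules update without accumulating duplicate entries; after editing, reload the rules with smoothsec.snort.rules.update or smoothsec.suricata.rules.update as described above.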
(H) Remarks
In the setup described above, SmoothSec acts as IDS and IPS in one box.
If you want to install IDS only, your SmoothSec only requires one network card, connected to the Switch.
In addition, SmoothSec 3.4 comes with Distributed IDS/IPS which allows you to deploy multi-sensors with one control panel (Snorby).
Furthermore, you can also reset your box to the fresh install environment :
smoothsec.reset
When using Snorby, you may need to look up rules by sid. This link is for the rules lookup.
Make sure you create an empty file named restart.txt under /var/www/snorby/tmp :
touch /var/www/snorby/tmp/restart.txt
That's all! See you.