Internet -- Router -- SmoothSec -- Switch -- Personal Computers
Network Card 0 and 1 will be bridged up while Network Card 2 will be a management interface.
Step 1 :
First of all, connect Network Card 2 of the SmoothSec box to the Switch and leave Network Cards 0 and 1 disconnected from the router. The management interface needs internet access for the installation.
Step 2 :
Install SmoothSec as usual. When prompted to install non-free network interface firmware, just ignore it. After installation, the box will reboot.
Login as "root" with password "toor".
Step 3 (Bug Fix):
Suricata
nano /etc/suricata/suricata.yaml
Locate "- fast:" and change "enabled: no" to "enabled: yes".
Locate "- drop:" and change "enabled: no" to "enabled: yes".
Locate "HOME_NET: '[192.168.1.0/24]'" and change it to "HOME_NET: '[192.168.0.0/24]'" (or your own network subnet).
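The Step 3 edits above as an added shell example (not from the original post): it applies them with sed and then checks the result, assuming the stock suricata.yaml layout where each of "- fast:" and "- drop:" is followed by its own "enabled:" line and HOME_NET appears once; write_sample_yaml, apply_step3 and check_step3 are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Step 3 suricata.yaml
# edits with sed instead of nano, then verify them. Assumes "- fast:" and
# "- drop:" are each followed by their own "enabled:" line (stock layout).
set -e

# apply_step3 <suricata.yaml> <home-subnet>: enable fast.log and drop.log and
# point HOME_NET at the subnet. Writes via a temp file (works with GNU/BSD sed).
apply_step3() {
    yaml="$1"; subnet="$2"; tmp="$yaml.tmp"
    sed -e '/- fast:/,/enabled:/ s/enabled: no/enabled: yes/' \
        -e '/- drop:/,/enabled:/ s/enabled: no/enabled: yes/' \
        -e "s|^\([[:space:]]*HOME_NET:\).*|\1 '[$subnet]'|" "$yaml" > "$tmp"
    mv "$tmp" "$yaml"
}

# check_step3 <suricata.yaml> <home-subnet>: return 0 only when all three edits
# are in place. A HOME_NET that does not match the LAN silently defeats every
# rule that uses $HOME_NET, so verify before restarting Suricata.
check_step3() {
    yaml="$1"; subnet="$2"
    sed -n '/- fast:/,/enabled:/p' "$yaml" | grep -q 'enabled: yes' || return 1
    sed -n '/- drop:/,/enabled:/p' "$yaml" | grep -q 'enabled: yes' || return 1
    grep -q "^[[:space:]]*HOME_NET: '\[$subnet\]'" "$yaml"
}

# write_sample_yaml <path>: constructed fragment mimicking the relevant parts
# of the shipped suricata.yaml (sample data, not the real file).
write_sample_yaml() {
    cat > "$1" <<'EOF'
outputs:
  - fast:
      enabled: no
      filename: fast.log
  - drop:
      enabled: no
      filename: drop.log
vars:
  address-groups:
    HOME_NET: '[192.168.1.0/24]'
EOF
}

# Demo against the constructed sample; on the box use /etc/suricata/suricata.yaml.
demo="$(mktemp)"
write_sample_yaml "$demo"
apply_step3 "$demo" 192.168.0.0/24
check_step3 "$demo" 192.168.0.0/24
echo "suricata.yaml edits verified"
rm -f "$demo"
```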
Time Zone for Snorby
If your time zone is not UTC, you should run the following command :
dpkg-reconfigure tzdata
Select "None of the above" and then "UTC"; otherwise Snorby will report wrong timestamps.
nano /var/www/snorby/config/snorby_config.yml
Under "production:", make sure "timezone_search: false" is set.
Make sure "time_zone: 'UTC'" is commented out.
Set your time zone at the Snorby web interface when it is available after Step 5.
Email feature of Snorby
apt-get install postfix libxrender-dev libfontconfig1
Configure Postfix properly according to your network in "/etc/postfix/main.cf".
nano /var/www/snorby/config/initializers/mail_config.rb
Uncomment the lines just below "# Sendmail Example:".
Step 4 :
Connect Network Card 0 to router and Network Card 1 to Switch.
Normally, Network Card 0 will be eth0, Network Card 1 will be eth1 and Network Card 2 will be eth2.
nano /etc/network/interfaces
Comment out all existing eth2 entries.
Append the following :
auto eth2
iface eth2 inet static
address 192.168.0.120
netmask 255.255.255.0
gateway 192.168.0.1
* where "address" is your SmoothSec IP address and "gateway" is the IP address of your router.
nano /etc/init.d/bridge
Change "net1=eth1" to "net1=eth0".
Change "net2=eth2" to "net2=eth1".
Change "brctl addif $br eth1" to "brctl addif $br eth0".
Change "brctl addif $br eth2" to "brctl addif $br eth1".
update-rc.d bridge defaults
Step 5:
Run the script "smoothsec.first.setup" in the terminal.
Type "br0" when asked for the monitor network interface.
Select "Snort" or "Suricata" as IDS Engine. I choose "Suricata".
Then reboot.
Once booted up, go to one of the Personal Computers and browse to "https://192.168.0.120". Then set the time zone and your report email address accordingly.
Step 6:
To update SmoothSec, you need to do the following commands (you can make a script to do so). The rules will be updated automatically in the early morning every day.
apt-get update
apt-get dist-upgrade
apt-get --purge autoclean
apt-get --purge autoremove
# update SmoothSec
cd /root/updates/
git pull origin master
# update Snorby
cd /var/www/snorby
git pull origin master
rake snorby:update
cd ~
# update pigsty
npm update -g pigsty
npm update -g pigsty-mysql
# update Suricata rules
smoothsec.suricata.rules.update
Known Issue
Nil.
You should remember that your box is in UTC time zone.
Debug the mailing feature
Do not run the following commands unless you really need to.
cd /var/www/snorby
bundle exec rails c production
Snorby::Jobs::SensorCacheJob.new(true).perform
Snorby::Jobs::DailyCacheJob.new(true).perform
(This command is invalid for Snorby version 2.6.2)
Reference
Snorby GitHub
Suricata
SmoothSec
Pigsty
SmoothSec WiKi - for installation
That's all! See you.