I am going to tell you how to build an affortable Intrusion Prevention System (IPS) at home or SOHO or small business. With the default setting of Suricata, the performance of SmoothSec is not too good for watching Youtube (360p) with the following hardware. However, when it is tuned, it can watch the Youtube up to 720p resolution with the following hardware via 10Mb internet connection. Yes, it is still lagging, but you can watch. Please also note that the connection is also behind a router (
Untangle with the same motherboard, CPU and RAM).
Hardware
Motherboard -
Intel Desktop Board D510MO
RAM - 4GB DDR2 (2 x 2GB)
Hard Drive - 320GB
Network Card 0 - Onboard Gigabit
Network Card 1 - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)
Software
Operating System -
SmoothSec 3.2 beta (64-bit). The beta version is no longer exist. Please go to official site for the Version 3.2. The beta and official version are same. The official site is at
here.
Setup
Internet -- Router -- SmoothSec -- Switch -- Personal Computers
Network Card 0 and 1 will be bridged up while Network Card 2 will be a management interface.
Step 1 :
First of all, SmoothSec (Network Card 2) is connected to the Switch while Network Card 0 and 1 do not connect to the router. It is because you need to connect to the internet for the installation.
Step 2 (IDS Mode) :
Install SmoothSec as usual. When you prompt for install non-free network interface firmware, just ignore it. After installed, the box will be reboot.
Login as "
root" with password "
toor".
Step 3 (Bug Fix):
Suricata
nano /etc/suricata/suricata.yaml
Locate "
- fast:" and change "
enabled: no" to "
enabled: yes".
Locate "
- drop:" and change "
enabled: no" to "
enabled: yes".
Locate "
HOME_NET: '[192.168.1.0/24]'" and change to "
HOME_NET: '[192.168.0.0/24]'".
*or your network subnet.
Time Zone for Snorby
If your time zone is not UTC, you should run the following command :
dpkg-reconfigure tzdata
Set the time zone for "
UTC" at "
None of the above"; otherwise, the Snorby will reported wrong timestamp.
nano /var/www/snorby/config/snorby_config.yml
Make sure "
production:" and "
timezone_search: false".
Make sure "
time_zone: 'UTC'" is commented.
Set your time zone at the Snorby web interface when it is available after
Step 5.
Email feature of Snorby
apt-get install postfix libxrender-dev libfontconfig1
Configure the Postfix properly according to your network at "
/etc/postfix/main.cf".
nano /var/www/snorby/config/initializers/mail_config.rb
Uncomment the lines just below "
# Sendmail Example:".
Step 4 :
Connect Network Card 0 to router and Network Card 1 to Switch.
Normally, Network Card 0 will be eth0, Network Card 1 will be eth1 and Network Card 2 will be eth2.
nano /etc/network/interfaces
Comment all about
eth2 entries.
Append the following :
auto eth2
iface eth2 inet static
address 192.168.0.120
netmask 255.255.255.0
gateway 192.168.0.1
* where the "
address" is your SmoothSec IP address and "
gateway" is the IP address of your router.
nano /etc/init.d/bridge
Change "
net1=eth1" to "
net1=eth0"
Change "
net2=eth2" to "
net2=eth1"
Change "
brctl addif $br eth1" to "
brctl addif $br eth0"
Change "
brctl addif $br eth2" to "
brctl addif $br eth1"
update-rc.d bridge defaults
Step 5:
Run the script "
smoothsec.first.setup" in the terminal.
Type "
br0" when asking for monitor network interface.
Select "
Snort" or "
Suricata" as IDS Engine. I choose "
Suricata".
Then reboot.
Once boot up, go to one of the Personal Computers and browse "
https://192.168.0.120". Then set the time zone and your report email address accordingly.
Step 6 (IPS Mode):
Make sure your box is running in IDS mode at least for a day and then perform the following to switch it to IPS mode (inline mode). Otherwise, Snorby cannot capture the traffic.
Suricata
nano /etc/suricata/suricata.yaml
Locate "
rule-files:" and append "
- local.rules" under "
- emerging.rules".
cd /etc/suricata/rules
touch local.rules
* you can add your rules at "
local.rules". Once it is added, you need to restart the suricata :
Locate "
nfq:" and uncomment all the items at the section but except "
# fail-open: yes" as it requires a Linux kernel version 3.6 or greater.
/etc/init.d/suricata restart
* you need to wait for several minutes before the box can be connected to internet.
PulledPork
nano /etc/pulledpork/suricata/dropsid.conf
Append the following :
pcre:MS(0[0-9]|1[0-9]-\d+,bugtraq:\d+,cve:20[0-9][0-9]-\d+
* to drop all the vulnerabilities in vulnerability reports.
IPtables
Add the following lines above "
exit 0" at "
/etc/rc.local" :
nano /etc/rc.local
iptables -A INPUT -i br0 -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -o br0 -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -i br0 -o br0 -j NFQUEUE --queue-balance 0:3
* note that I have Quard-core CPU. If you have 8-core, "
--queue-balance" will be "
0:7".
Suricata Startup Script
nano /etc/init.d/suricata
Locate "
/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -i $INTERFACES -D"
Replace with "
/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -q0 -q1 -q2 -q3 -D"
Locate "/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i $INTERFACES -n 'Suricata' -d /var/log/suricata/ -m unified2.alert.* -D"
Replace with "/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i br0 -n 'Suricata' -d /var/log/suricata/ -m unified2.alert.* -D"
* make sure you do it twice as there are 2 entries at the file.
** if you have 8-core CPU, it will be "
-q0 -q1 -q2 -q3 -q4 -q5 -q6 -q7".
Then reboot your box. Please note that you are required to wait for several minutes before you can connect to the internet.
Step 7:
To update SmoothSec, you need to do the following commands (you can make a script to do so). The rules will be updated automatically in the early morning every day.
apt-get update
apt-get dist-upgrade
apt-get --purge autoclean
apt-get --purge autoremove
# update SmoothSec
cd /root/updates/
git pull origin master
# update Snorby
cd /var/www/snorby
git pull origin master
rake snorby:update
cd ~
# update pigsty
npm update -g pigsty
npm update -g pigsty-mysql
# update Suricata rules
smoothsec.suricata.rules.update
Step 8 (Suricata Tuning) :
nano /etc/suricata/suricata.yaml
Change "
max-pending-packets:1024" to "
max-pending-packets: 65000".
Locate "
detect-engine" and change "
- profile: medium" to "
- profile: high".
Locate "
mpm-algo: ac" and insert "
detect-engine.sgh-mpm-context: full" above "
mpm-algo: ac".
Then restart the Suricata. Please wait for several minutes before you can connect to the internet.
/etc/init.d/suricata restart
Known Issue
(1) You should remember that your box is in UTC time zone.
(2) You may need to disable the rule (1:2100527), which is for same IP address scanning/connection, at "/etc/pulledpork/suricata/disablesid.conf". After that, make sure you restart the Suricata.
(3) If you use other pattern-matcher, such as b2g, b3g, wumanber, other than ac, you will need more than 4GB RAM.
(4) Using ac as pattern-matcher with 4GB of memory with Intel Atom D510 CPU, you will encounter lagging while watching Youtube (720p resolution) with about 20,000 active rules.
(5) If you have nVidia display card (make sure you have installed nVidia and Cuda drivers), you can compile Suricata with the flag "
--enable-cuda --enable-nfqueue" and configure "
/etc/suricata/suricata.yaml" with "
mpm-algo: b2g_cuda". Please note that you should have more than 4GB of memory. And the setting is similar or same as above.
Debug the mailing feature
Do not run the following commands unless you really need to.
cd /var/www/snorby
bundle exec rails c production
Snorby::Jobs::SensorCacheJob.new(true).perform
Snorby::Jobs::DailyCacheJob.new(true).perform (this command is invalid for version 2.6.2)
Reference
Snorby GitHub
Suricata
SmoothSec
Pigsty
Suricata Performance Tuning
SmoothSec WiKi - for installation
That's all! See you.