Suricata is an open source, high performance, modern Network Intrusion Detection, Prevention and Security Monitoring System for Unix/Linux, FreeBSD and Windows based systems.
It was developed and is owned by a non-profit foundation, the OISF (Open Information Security Foundation).
IDS / IPS: Suricata is a rule-based Intrusion Detection and Prevention engine that makes use of externally developed rule sets to monitor network traffic. It is able to handle multiple gigabytes of traffic and gives email alerts to the system/network administrators.
Multi-threading: Suricata provides speed and robustness in network traffic inspection. The engine is developed to take advantage of the increased processing power offered by modern multi-core hardware chipsets. The engine not only provides keywords for TCP, UDP, ICMP and IP, but also has built-in support for HTTP, FTP, TLS and SMB. A system administrator is able to create their own rules to detect a match within an HTTP stream, which makes a real difference for malware detection and control.
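As an added example of the custom HTTP-stream rules mentioned above (this is not code from the original post or from the Suricata project), the script below writes a small local rule file and sanity-checks it before it is loaded. The rule path, the suricata.yaml location and the availability of the -T (test configuration) and -S (load only this rule file) options in the installed build are assumptions; the sids are constructed values in the local range.

```shell
#!/bin/sh
# Added example (not from the original post): a local rule file for custom
# HTTP inspection plus a duplicate-sid check before Suricata loads it.
# Assumed paths; override with environment variables if your layout differs.
RULES_FILE="${RULES_FILE:-/etc/suricata/rules/local.rules}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# Print the rules. Constructed sids 1000001+ sit in the local range, so they
# never collide with the Emerging Threats sets installed by make install-rules.
local_rules() {
cat <<'EOF'
# Constructed example rules (local range sids)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL HTTP request for .exe"; flow:established,to_server; content:".exe"; http_uri; nocase; classtype:policy-violation; sid:1000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL PE header in HTTP response body"; flow:established,to_client; file_data; content:"MZ"; depth:2; classtype:trojan-activity; sid:1000002; rev:1;)
EOF
}

# Count lines that look like rules (non-blank, not a comment).
rule_count() { grep -c '^[a-z]' "$1"; }

# Every rule needs a unique sid; print any sid that occurs more than once.
duplicate_sids() {
  sed -n 's/.*sid:\([0-9]*\);.*/\1/p' "$1" | sort | uniq -d
}

# Returns 0 when no duplicate sids were found in the file.
rules_ok() {
  [ -z "$(duplicate_sids "$1")" ]
}

# Install the rules and ask Suricata to test the configuration (-T) with only
# this rule file (-S) before a restart. Runs the test only if suricata exists.
install_local_rules() {
  mkdir -p "$(dirname "$RULES_FILE")"
  local_rules > "$RULES_FILE"
  if command -v suricata >/dev/null 2>&1; then
    suricata -T -c "$SURICATA_YAML" -S "$RULES_FILE"
  fi
}
```

For a normal run (without -S) the file still has to be listed under rule-files in suricata.yaml; -S here only serves to test the new rules in isolation.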
Install Prerequisites:
------------------------
# yum install epel-release
# yum -y install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel
IPS for 64 bit systems: we need the “libnfnetlink” and “libnetfilter_queue” packages
---------------------------
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm
Download latest Suricata source files and Install:
--------------------------------------------------------------
cd /home/tayab/
wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
tar -xvzf suricata-1.4.4.tar.gz
cd suricata-1.4.4
./configure && make && make install-conf
./configure && make && make install-rules
./configure && make && make install-full
IPS Installation for 64 bit:
----------------------------
By default, Suricata works as an IDS. If you want to add IPS support, install the needed packages as follows.
# The Debian-style names (libnetfilter-queue-dev, libnfnetlink0, ...) do not exist in the CentOS/EPEL repositories; these are the RPM names
yum -y install libnetfilter_queue libnetfilter_queue-devel libnfnetlink libnfnetlink-devel
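Once those packages are present, inline (IPS) operation means diverting traffic into an NFQUEUE and starting Suricata with -q instead of -i. The script below is an added example, not part of the original post or of Suricata itself; queue number 0, the FORWARD chain, an iptables/kernel that supports --queue-bypass, and the /proc/net/netfilter/nfnetlink_queue column layout are assumptions, and the sample statistics line in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): run Suricata inline via NFQUEUE
# and read the kernel's queue counters to see whether packets are being lost.
QUEUE="${QUEUE:-0}"                                   # assumed queue number
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# Divert forwarded traffic to the queue. --queue-bypass keeps traffic flowing
# (fail-open) while no Suricata process is attached; remove it for fail-closed.
enable_inline() {
  iptables -I FORWARD -j NFQUEUE --queue-num "$QUEUE" --queue-bypass
}

disable_inline() {
  iptables -D FORWARD -j NFQUEUE --queue-num "$QUEUE" --queue-bypass
}

# Start Suricata reading from the queue instead of an interface (-i eth0).
start_ips() {
  suricata -c "$SURICATA_YAML" -q "$QUEUE"
}

# Parse /proc/net/netfilter/nfnetlink_queue (assumed column order, from the
# kernel's nfnetlink_queue seq_show):
#   queue_num peer_portid queue_total copy_mode copy_range queue_dropped
#   user_dropped id_sequence 1
# Prints "<queued> <kernel_dropped> <user_dropped>" for the requested queue,
# or nothing if no process is attached to it.
queue_stats() {
  file="${2:-/proc/net/netfilter/nfnetlink_queue}"
  awk -v q="$1" '$1 == q { print $3, $6, $7 }' "$file"
}

# Returns 0 only when the queue is attached and nothing was dropped because
# the queue filled up or user space failed to collect packets (i.e. Suricata
# is keeping up). Any drop here is lost inspection in IPS mode.
queue_healthy() {
  stats=$(queue_stats "$1" "$2")
  [ -n "$stats" ] || return 1
  set -- $stats
  [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}
```

Usage: `enable_inline` then `start_ips` on the box that forwards the protected traffic; `queue_healthy 0 || echo "queue dropping"` from cron gives an early warning. A constructed line such as `    0  12345     7 2 65531     0     0      456  1` parses to `7 0 0` (seven packets queued, none dropped).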
Suricata Basic Setup
--------------------
mkdir /var/log/suricata
mkdir /etc/suricata
cd /home/tayab/suricata-1.4.4
cp classification.config /etc/suricata
cp reference.config /etc/suricata
cp suricata.yaml /etc/suricata
### Start the “Suricata Engine” for the first time and specify the interface device name of your preference instead of eth0:
suricata -c /etc/suricata/suricata.yaml -i eth0
## After several minutes, check that the engine is working correctly and is receiving and inspecting traffic
cd /usr/local/var/log/suricata/
ls -l
total 300
drwxr-xr-x 3 root root 4096 Dec 28 16:13 .
drwxr-xr-x 3 root root 4096 Dec 28 16:04 ..
-rw-r--r-- 1 root root 145436 Dec 28 16:15 fast.log
drwxr-xr-x 2 root root 4096 Dec 28 16:04 files
-rw-r--r-- 1 root root 15287 Dec 28 16:15 http.log
-rw-r--r-- 1 root root 44844 Dec 28 16:15 stats.log
-rw-r--r-- 1 root root 85800 Dec 28 16:15 unified2.alert.1451297619
## Watch the “stats.log” file and make sure the displayed information is updated in real time.
tail -f stats.log
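Beyond watching tail -f, the checks an operator actually wants from the files in that listing are: is the kernel dropping packets before Suricata sees them, is stats.log still being written, and which signatures fire most in fast.log. The script below is an added example (not from the original post or from Suricata); the log directory defaults to the /usr/local/var/log/suricata path shown above, and the sample stats.log and fast.log written by write_samples are constructed in the Suricata 1.4 layouts, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): health checks over stats.log and
# fast.log. LOG_DIR is an assumption taken from the listing above.
LOG_DIR="${LOG_DIR:-/usr/local/var/log/suricata}"

# Sum a counter over all capture threads in the most recent stats.log dump.
# stats.log appends a dump every few seconds as "Counter | TM Name | Value".
stats_counter() {
  awk -F'|' -v c="$2" '
    /^Date:/ { sum = 0 }                              # new dump: restart the sum
    { name = $1; gsub(/ /, "", name) }
    name == c { val = $3; gsub(/ /, "", val); sum += val }
    END { print sum + 0 }' "$1"
}

# Percentage of packets the kernel dropped before Suricata inspected them. A
# rising value means the engine is not keeping up with the interface.
drop_pct() {
  pkts=$(stats_counter "$1" capture.kernel_packets)
  drops=$(stats_counter "$1" capture.kernel_drops)
  awk -v p="$pkts" -v d="$drops" 'BEGIN { printf "%.2f\n", ((p > 0) ? d * 100 / p : 0) }'
}

# Most frequent signature messages in fast.log (top N, default 5).
top_alerts() {
  sed -n 's/.*\[\*\*\] \[[0-9:]*\] \(.*\) \[\*\*\].*/\1/p' "$1" \
    | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# True when the file changed in the last N minutes (default 5). A stale
# stats.log means the engine stopped writing even if the process still exists.
log_is_fresh() {
  [ -n "$(find "$1" -mmin "-${2:-5}" 2>/dev/null)" ]
}

# Constructed sample logs so the checks can be exercised offline.
write_samples() {
  cat > "$1/stats.log" <<'EOF'
-------------------------------------------------------------------
Date: 12/28/15 -- 16:15:01 (uptime: 0d, 00h 02m 14s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth01               | 4000
capture.kernel_drops      | RxPcapeth01               | 10
-------------------------------------------------------------------
Date: 12/28/15 -- 16:15:09 (uptime: 0d, 00h 02m 22s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth01               | 10000
capture.kernel_drops      | RxPcapeth01               | 100
EOF
  cat > "$1/fast.log" <<'EOF'
12/28/2015-16:14:52.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 10.0.0.5:51234
12/28/2015-16:14:58.000002  [**] [1:1000001:1] LOCAL HTTP request for .exe [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51240 -> 198.51.100.7:80
12/28/2015-16:15:00.000003  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 10.0.0.9:51300
EOF
}

# Report on a live log directory: sh check_logs.sh [dir]
health_report() {
  dir="${1:-$LOG_DIR}"
  echo "kernel drop rate: $(drop_pct "$dir/stats.log")%"
  log_is_fresh "$dir/stats.log" && echo "stats.log: updating" || echo "stats.log: STALE"
  echo "top alerts:"
  top_alerts "$dir/fast.log"
}
```

On the constructed sample the last dump shows 100 drops out of 10000 packets, so drop_pct reports 1.00, and top_alerts ranks the GPL ATTACK_RESPONSE signature first with two hits. Summing per dump matters because each capture thread reports its own capture.kernel_packets line.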
###########################
#### Snorby, the web interface frontend for managing IDS alerts
Ruby 1.9.3 (at least version 1.9.2) is needed to support Snorby.
wkhtmltopdf is needed for export to PDF.
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
bunzip2 wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
tar xvf wkhtmltopdf-0.10.0_rc2-static-amd64.tar
ls -lh
cp wkhtmltopdf-amd64 /usr/bin/wkhtmltopdf
gem install thor i18n bundler tzinfo bui
yum install git
git clone http://github.com/Snorby/snorby/snorby.git /var/www/html/snorby
or
wget https://github.com/Snorby/snorby/archive/master.zip
unzip master.zip
mv snorby-master/ snorby
cd snorby
bundle install
# Configuring database.yml. Make a copy of the example database.yml
cd /var/www/html/snorby/config/ && cp database.yml.example database.yml
mysql -u root -p
create user 'snorbyuser'@'localhost' IDENTIFIED BY 'PASSWORD123';
grant all privileges on snorby.* to 'snorbyuser'@'localhost' with grant option;
flush privileges;
vi /etc/mysql/my.cnf
Comment out the bind-address line, then restart the mysqld service.
vi /var/www/html/snorby/config/database.yml
Update user: snorbyuser and password: PASSWORD123
cd /var/www/html/snorby/config/
cp snorby_config.yml.example snorby_config.yml
## vi /etc/httpd/conf/httpd.conf
<VirtualHost 203.190.X.X:80>
ServerAdmin webmaster@localhost
ServerName snorby.tayabkhan.com
DocumentRoot /var/www/html/snorby/public
<Directory "/var/www/html/snorby/public">
AllowOverride all
Order deny,allow
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>
## cd /var/www/html/snorby
Ruby 1.8 must be updated to 1.9.3.
*** If it is not updated yet, then:
yum update
yum install gcc-c++ patch readline readline-devel zlib zlib-devel
yum install libyaml-devel libffi-devel openssl-devel make
yum install bzip2 autoconf automake libtool bison iconv-devel
curl -L get.rvm.io | bash -s stable
wget https://github.com/rvm/rvm/archive/1.26.11.tar.gz
tar -zxvf 1.26.11.tar.gz
cd rvm-1.26.11/
./install
source /etc/profile.d/rvm.sh
rvm install 1.9.3
rvm use 1.9.3 --default
# Check current Ruby version
ruby --version
cd /var/www/html/snorby
gem install i18n -v '0.7.0'
bundle update activesupport railties rails
bundle pack && sudo bundle install --path vendor/cache