Monday, December 28, 2015

Linux IDS / IPS firewall by Suricata

Suricata is an open source high performance modern Network Intrusion Detection, Prevention and Security Monitoring System for Unix/Linux, FreeBSD and Windows based systems.
It was developed and owned by a non-profit foundation the OISF (Open Information Security Foundation)

IDS / IPS: Suricata is a rule-based Intrusion Detection and Prevention engine that make use of externally developed rules sets to monitor network traffic, as well as able to handle multiple gigabyte traffic and gives email alerts to the System/Network administrators.

Multi-threading: Suricata provides speed and importance in network traffic determination. The engine is developed to apply the increased processing power offered by modern multi-core hardware chip sets. The engine not only provides keywords for TCP, UDP, ICMP and IP, but also has an built-in support for HTTP, FTP, TLS and SMB. A system administrator can able to create its own rule to detect a match within an HTTP stream. This is going to become different Malware detection and control.

Install Prerequisites::
# yum install epel-release
# yum -y install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel

IPS for 64 bit systems:   we to need “libnfnetlink” and “libnetfilter_queue” packages

 rpm -Uvh

 rpm -Uvh

 rpm -Uvh

 rpm -Uvh

Download latest Suricata source files and Install:

cd  /home/tayab/
tar -xvzf suricata-1.4.4.tar.gz
cd suricata-1.4.4

./configure && make && make install-conf
 ./configure && make && make install-rules
 ./configure && make && make install-full

IPS Installation for 64 bit:
By default, works as an IDS. If you want to add IDS support, install some needed packages as follows.

yum  -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Suricata Basic Setup
 mkdir /var/log/suricata
 mkdir /etc/suricata

 cd /home/tayab/suricata-1.4.4
 cp classification.config /etc/suricata
 cp reference.config /etc/suricata
 cp suricata.yaml /etc/suricata

### start the “Suricata Engine” first time and specify the interface device name of your preference. Instead of eth0,

suricata -c /etc/suricata/suricata.yaml -i eth0

##After several minutes later, check the engine is correctly working and receives and inspects traffic

cd /usr/local/var/log/suricata/
ls -l

total 300
drwxr-xr-x 3 root root   4096 Dec 28 16:13 .
drwxr-xr-x 3 root root   4096 Dec 28 16:04 ..
-rw-r--r-- 1 root root 145436 Dec 28 16:15 fast.log
drwxr-xr-x 2 root root   4096 Dec 28 16:04 files
-rw-r--r-- 1 root root  15287 Dec 28 16:15 http.log
-rw-r--r-- 1 root root  44844 Dec 28 16:15 stats.log
-rw-r--r-- 1 root root  85800 Dec 28 16:15 unified2.alert.1451297619

## Watch “stats.log” file and make sure the displayed information is up-dated in real time.

 tail -f stats.log


#### Snorby, the web interface frontend for managing IDS alerts
Ruby 1.9.3, at least version 1.9.2 is needed to support Snorby.
wkhtmltopdf, for export to pdf.

bunzip2 wkhtmltopdf-0.10.0_rc2-static-amd64.tar.bz2
tar xvf wkhtmltopdf-0.10.0_rc2-static-amd64.tar
ls -lh
cp wkhtmltopdf-amd64 /usr/bin/wkhtmltopdf

gem install thor i18n bundler tzinfo bui
yum install git
git clone /var/www/html/snorby

 mv snorby-master/ snorby
 cd snorby
 bundle install

#Configuring database.yml. Make a copy of the example database.yml
cd /var/www/html/snorby/config/ && cp database.yml.example database.yml

mysql -u root -p
create user 'snorbyuser'@'localhost' IDENTIFIED BY 'PASSWORD123';
grant all privileges on snorby.* to 'snorbyuser'@'localhost' with grant option;
flush privileges;

vi /etc/mysql/my.cnf
Comment the bind-address line. Then restart mysqld service.

 vi  /var/www/html/snorby/config/database.yml
 Update user: snorbyuser and Password: PASSWORD123

cd /var/www/html/snorby/config/
 cp snorby_config.yml.example snorby_config.yml

## vi /etc/httpd/conf/httpd.conf

<VirtualHost 203.190.X.X:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/snorby/public

        <Directory "/var/www/html/snorby/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews


## cd /var/www/html/snorby

Must have to Update ruby 1.8 to 1.9.3
*** If not updated... then
yum update
 yum install gcc-c++ patch readline readline-devel zlib zlib-devel
 yum install libyaml-devel libffi-devel openssl-devel make
 yum install bzip2 autoconf automake libtool bison iconv-devel
curl -L | bash -s stable
tar -zxvf 1.26.11.tar.gz
cd rvm-1.26.11/
 source /etc/profile.d/
rvm install 1.9.3
rvm use 1.9.3 --default
#Check Current Ruby Version
ruby --version

cd /var/www/html/snorby
gem install i18n -v '0.7.0'
bundle update activesupport railties rails
bundle pack && sudo bundle install --path vender/cache

No comments:

Post a Comment