Tuesday, September 24, 2013

HOWTO : High Performance IDS/IPS with SmoothSec 3.4

The following Intrusion Detection/Prevention System (IDS/IPS) setup uses AF_PACKET with SmoothSec 3.4. It is intended for low-traffic home and SOHO users (or you can call it a Proof-of-Concept). If your traffic is heavy, please consider using higher-end hardware.

(A) Hardware

IDS/IPS -

Motherboard - Intel Desktop Board D510MO
CPU - Intel Atom D510 (Dual-core with HT)
RAM - 4GB (2 x 2GB)
Hard Drive - 320GB
Network Card 0 (eth0) - Onboard Gigabit
Network Card 1 (eth1) - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)
Network Card 2 (eth2) - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)

* You can select (1) Level One USB-0401 USB Gigabit Ethernet Adapter or (2) PCi USB 3.0 Gigabit LAN Adapter UE-1000T-G3 for eth2. However, you need to compile and install the driver yourself.

Update : If you are using the latest Backports kernel, the Level One USB-0401 and PCi UE-1000T-G3 work out of the box.

Router -

Motherboard - Intel Desktop Board D510MO
CPU - Intel Atom D510 (Dual-core with HT)
RAM - 4GB (2 x 2GB)
Hard Drive - 320GB
Network Card 0 (eth0) - Onboard Gigabit
Network Card 1 (eth1) - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)

(B) Software

IDS/IPS -

Operating System - Debian 7.0 (Wheezy)
IDS/IPS Pre-configure system - SmoothSec 3.4 (64-bit)
IDS/IPS Engine - Snort (or Suricata)
Unified2 Spooler - Pigsty
Web Interface - Snorby
Rules Management - PulledPork

Router -

Operating System - Untangle 9.4.2 (64-bit)

* Basically, Untangle is a router and Unified Threat Management System (UTM).

(C) Hardware Setup

Internet ---- Router ---- SmoothSec ---- Switch ---- Personal Computers

Router -- eth0 connect to Internet; eth1 connect to SmoothSec

SmoothSec -- eth0 connect to Router; eth1 connect to Switch (uplink or port 1); eth2 connect to Switch (any port at 2 to 4)

* You can use any router to replace Untangle.

(D) Installation of SmoothSec

Download SmoothSec 3.4 from here or here.

Make sure the SmoothSec box can reach the internet; otherwise the installation will fail. Re-arrange the cables if necessary.

Updated : Since the scripts for 3.4 have been updated to 3.4.1, you should follow the link below to upgrade the scripts to 3.4.1.

Upgrade to scripts version 3.4.1

The 3.4.1 scripts install the newest Backports kernel instead of the Unstable kernel for Suricata IPS mode with AF_PACKET.

After installing SmoothSec, type the following :

smoothsec.first.setup

Snort -

Select "ips-standard" and follow the instructions to install. Please also refer to here for the configuration of the config file. Make sure "AF_ENGINE" is set to "snort". The rules are "et" by default.

After install, reboot your box.

Suricata -

Select "ips-standard" and follow the instructions to install. Please also refer to here for the configuration of the config file. Make sure "AF_ENGINE" is set to "suricata". The rules are "et" by default.

A new Linux kernel 3.10.2 will be installed at the end.

After install, reboot your box.

(E) Configuration of IDS/IPS

You may need to disable and/or drop some rules (by sid).

Snort -

You may need to configure the /etc/snort/snort.conf :

nano /etc/snort/snort.conf

For example, the subnet is 192.168.1.0/24.

Replace "ipvar HOME_NET any" with "ipvar HOME_NET [192.168.1.0/24]"

Replace "ipvar EXTERNAL_NET any" with "ipvar EXTERNAL_NET ![192.168.1.0/24]"

Restart Snort :

/etc/init.d/snort restart

Disable rules :

nano /etc/pulledpork/snort/disablesid.conf

Drop rules :

nano /etc/pulledpork/snort/dropsid.conf

After doing that, reload the rules :

smoothsec.snort.rules.update

Suricata -

Disable rules :

nano /etc/pulledpork/suricata/disablesid.conf

Drop rules :

nano /etc/pulledpork/suricata/dropsid.conf

After doing that, reload the rules :

smoothsec.suricata.rules.update

* If a rule is too long to disable or drop, you may consider editing "modifysid.conf" instead. For example, to disable or drop the following rule :

To disable the rule :

2013437 "alert" "##alert";

To drop the rule :

2013437 "alert" "drop";
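The disablesid.conf, dropsid.conf and modifysid.conf edits above only take effect when the rules are regenerated, so it helps to preview what they do first. The script below is an added example, not part of the original post or of SmoothSec/PulledPork: it replays the three lists over a small constructed rules file (all sids other than 2013437 are made up) using the same one-entry-per-line formats the post shows.

```shell
#!/bin/sh
# Added example, not from the original post or SmoothSec: preview what the
# disablesid / dropsid / modifysid lists do to a rules file before running
# smoothsec.snort.rules.update. All sids below except 2013437 are made up.
set -e

WORK=$(mktemp -d)

# Constructed sample rule set standing in for the downloaded "et" rules.
cat > "$WORK/downloaded.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"DEMO ssh probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO web probe"; sid:1000002; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DEMO dns noise"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"DEMO tls probe"; sid:2013437; rev:1;)
EOF
# Constructed lists: disablesid/dropsid take gid:sid per line, modifysid takes
# sid "pattern" "replacement"; as in the post, "##alert" comments a rule out.
printf '# comment lines are ignored\n1:1000003\n' > "$WORK/disablesid.conf"
printf '1:1000001\n'                               > "$WORK/dropsid.conf"
printf '2013437 "alert" "##alert";\n'              > "$WORK/modifysid.conf"

# Apply sed expression $1 to file $2, keeping the result in place.
edit_rules() { sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"; }

# Apply the three lists in order: disable, then drop, then modify.
apply_sid_lists() {
  rules=$1; disable=$2; drop=$3; modify=$4
  grep -v '^#' "$disable" | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    edit_rules "/sid:${entry#*:};/s/^alert /# alert /" "$rules"
  done
  grep -v '^#' "$drop" | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    edit_rules "/sid:${entry#*:};/s/^alert /drop /" "$rules"
  done
  grep -v '^#' "$modify" | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    sid=${entry%% *}
    pat=$(printf '%s' "$entry" | cut -d'"' -f2)
    rep=$(printf '%s' "$entry" | cut -d'"' -f4)
    edit_rules "/sid:${sid};/s/${pat}/${rep}/" "$rules"
  done
}

# Report the effective action of a sid; commented-out rules are "disabled".
rule_action() {
  line=$(grep "sid:${1};" "$WORK/downloaded.rules")
  case $line in \#*) echo disabled ;; *) echo "${line%% *}" ;; esac
}

apply_sid_lists "$WORK/downloaded.rules" "$WORK/disablesid.conf" \
                "$WORK/dropsid.conf" "$WORK/modifysid.conf"
cat "$WORK/downloaded.rules"
```

Running it prints the rewritten rule set; a rule listed in dropsid.conf only blocks traffic when the engine runs inline (the ips-standard mode chosen above), otherwise it is still just logged.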

(F) Configuration of Snorby

For example, the sensor IP address is 192.168.1.180.

Point your browser to https://192.168.1.180. Enter the username and password of Snorby.

Setup the Snorby according to SmoothSec WiKi.

* If you want Snorby to send its reports via Postfix, you need to install and configure Postfix yourself.

sudo apt-get install postfix

Select "Internet Site" when asked.

(G) IDS/IPS Tuning

There may be some false positive records. Tune the setup by adding the sid to disablesid.conf or dropsid.conf when necessary. When using dropsid.conf, you may also need to set a firewall rule on the Router to make the block effective.

(H) Remarks

In the setup described above, SmoothSec acts as IDS and IPS in one box.

If you want to install IDS only, your SmoothSec only requires one Network Card which is connected to Switch.

In addition, SmoothSec 3.4 comes with Distributed IDS/IPS which allows you to deploy multi-sensors with one control panel (Snorby).

Furthermore, you can also reset your box to the fresh install environment :

smoothsec.reset

When using Snorby, you may need to look up rule sids. This link is for the rules lookup.

Make sure you create an empty file named restart.txt under /var/www/snorby/tmp :

touch /var/www/snorby/tmp/restart.txt

That's all! See you.