This forum is in archive mode. You will not be able to post new content.
Pages: [1]

Author Topic: Suricata IDS w/ Basic Firewall Ubuntu Natty  (Read 1682 times)

0 Members and 1 Guest are viewing this topic.

k0f33

  • Guest
Suricata IDS w/ Basic Firewall Ubuntu Natty
« on: March 30, 2014, 12:23:13 AM »
Credz to:
noncetonic via irc for the needed link 
Eric Hansen   
Redmine

I can't remember where i found the ufw notes, so credz to the "net."
This is a basic guide for a quick set up of a firewall and IDS.
I came across Suricata from using  Smooth-Sec  via Virtual Box on my i7 lappy however wasn't
able to have that on my other lappy using VB. 

Code: [Select]
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-devcd to where yer downz go then:
Code: [Select]
wget http://www.openinfosecfoundation.org/download/suricata-2.0.tar.gz
tar -xvzf suricata-2.0.tar.gz
cd suricata-2.0
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make && make install-full
go to /etc/suircata and bkup yer suricata.yaml file if ya want
search for HOME_NET for your ip, example:
HOME_NET: "[192.168.1.0/16]"
search for "JSON" if ya want and disable it,
search for "default-rule" go to the bottom of
the list and add:
 - ping.rules
go to your rules folder create empty file name it:
ping.rules
add the following:
alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)
save, exit
install ethtool and enter the following commands:
Code: [Select]
ethtool -K eth0 gro off
ethtool -K eth0 lro offcd to /etc/suricata then:
Code: [Select]
sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo tar -xzf emerging.rules.tar.gz
sudo touch /etc/suricata/threshold.configopen decoder-events.rules and comment out lines
 86-92, this keeps log viewing simpler
lets set the firewall up...
if needed install ufw, the next command shows yer
current config:
Code: [Select]
iptables -Lthe firewall:
Code: [Select]
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
sudo ufw default deny
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh
sudo ufw enableon a reboot you can check status:
Code: [Select]
ufw status
adjust for eth0, wlan0 or wlan1 etc.
Code: [Select]
sudo suricata -c /etc/suricata/suricata.yaml -i eth0cd to /var/log/suricata then for realtime:
Code: [Select]
tail -f http.loganother terminal:
Code: [Select]
tail -f fast.logcheck statz:
Code: [Select]
tail -n 50 stats.log
to see if the ids/ping rule is good
you can ping the box:
Code: [Select]
ping -c 1 192.168.1.105change the ip if needed
from the fast log window you should see:

03/29/2014-19:40:40.102063  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.105:8 -> 192.168.1.111:0
03/29/2014-19:40:40.102121  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.111:0 -> 192.168.1.105:0

Any additional tweakz/suggestions is appreicated

k0f33
« Last Edit: March 30, 2014, 12:43:39 AM by k0f33 »
Report to moderator   Logged
Pages: [1]
 



Want to be here? Contact Ande, Factionwars or Kulverstukas on the forum or at IRC.