NanoPi R4S: Adding Suricata, An Intrusion Detection System
==========================================================

In the last post we created a transparent network bridge and monitor using the NanoPi R4S. Now that we have a platform that can capture and summarize our network traffic, why not also analyze and alert on security events that occur within our network? One of the most widely used open-source intrusion detection systems is Suricata. It matches captured packets against rule sets describing known threats to spot compromised hosts on the network talking to bad actors or behaving aberrantly. These rules are free in their basic form, but many companies offer paid rule sets that detect the latest threats. Again, I prefer the NanoPi R4S as it provides two onboard network ports and just enough horsepower to run our application. The 1GB version is sufficient to run Suricata, but the 4GB version is recommended if you wish to run Suricata alongside anything else (e.g. ntopng or Snort). All of this can also be done on a Raspberry Pi 4, but it would require a mirrored port or running our traffic over a USB network adapter, which can quickly become problematic.

Things you will need:
*********************

Notes:
******

Steps:
******
Download the latest free rule sets. LD_LIBRARY_PATH must point at /usr/local/lib so that the Suricata binary suricata-update invokes for its rule test finds its libraries; because sudo strips LD_* variables from the environment, set it inside the sudo'd command rather than in front of sudo:

sudo env LD_LIBRARY_PATH=/usr/local/lib suricata-update
Create a systemd unit so Suricata starts at boot:

sudo nano /etc/systemd/system/suricata.service

Enable and start the service, then follow its log output:

systemctl enable suricata && systemctl start suricata
journalctl -fu suricata

Add a logrotate configuration so the alert logs do not fill the SD card:

sudo nano /etc/logrotate.d/suricata_log

Note: You can test your logrotate script with the following:

logrotate -d /etc/logrotate.d/suricata_log

Follow the alert log; with live traffic on the bridge, various anomalies begin to appear:

sudo tail -f /usr/local/var/log/suricata/fast.log

Download an alarm sound and create a watcher script that plays it when new alerts arrive:

sudo curl -o /root/eminyildirim_futuristic-alarm.wav https://jedi.sh/eminyildirim_futuristic-alarm.wav
sudo nano /usr/local/bin/watcher.sh

Run the watcher as its own service:

sudo nano /etc/systemd/system/suricata-alert.service
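As an added example (not code from the original post), this is the parsing and threshold logic a watcher that follows fast.log needs before it decides to sound the alarm: it splits each record into its fields, skips lines that are not alerts, keeps only alerts at or above a priority threshold and suppresses noisy signature ids. The sample records, sid numbers and addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# fast.log record: <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src[:port] -> dst[:port]
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"  # absent when the rule has no classtype
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

@dataclass
class Alert:
    timestamp: str
    sid: int
    msg: str
    classification: str
    priority: int  # 1 is the most severe, 3 the least
    proto: str
    src: str  # ip:port for TCP/UDP, bare ip for ICMP
    dst: str

def parse_fast_log_line(line: str) -> Optional[Alert]:
    """Parse one fast.log line; return None for anything that is not an alert record."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], m["cls"] or "",
                 int(m["prio"]), m["proto"], m["src"], m["dst"])

def alarm_worthy(lines: Iterable[str], max_priority: int = 2,
                 suppressed_sids: Iterable[int] = ()) -> List[Alert]:
    """Alerts worth an alarm: priority at or below the threshold and sid not suppressed."""
    suppressed = set(suppressed_sids)
    out = []
    for line in lines:
        a = parse_fast_log_line(line)
        if a and a.priority <= max_priority and a.sid not in suppressed:
            out.append(a)
    return out

# Constructed sample records (not real Suricata output); sids are in the local-rule range.
SAMPLE_FAST_LOG = """\
01/10/2023-14:22:05.123456  [**] [1:1000001:1] LOCAL Suspicious outbound DNS query [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.23:51234 -> 192.0.2.53:53
01/10/2023-14:22:07.000001  [**] [1:1000002:3] LOCAL Known C2 beacon pattern [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.23:44122 -> 203.0.113.9:443
01/10/2023-14:22:09.555555  [**] [1:1000003:1] LOCAL Informational probe [**] [Priority: 3] {ICMP} 198.51.100.4 -> 192.168.1.1
this line is not an alert record and must be skipped
"""
```

Feeding the output of tail -f through alarm_worthy is what decides whether the alarm sound plays; a sid that fires constantly on benign traffic goes on the suppression list rather than being tuned out of the rule set.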
Thoughts:
*********

Now we can summarize data on the network and act on that information. This is just the start of what you can do while inline (or out of band on a mirrored port) on the network. Outside of the home setting we could scale this up on real hardware and ingest our logs into an ELK stack to provide a less opaque pane of glass for security and network monitoring.