• このエントリーをはてなブックマークに追加
Create your own NSM devices with Suricata using Dualcomm’s ETAP-PI, network tap appliance
閉じる
閉じる

新しい記事を投稿しました。シェアして読者に伝えましょう

×

Create your own NSM devices with Suricata using Dualcomm’s ETAP-PI, network tap appliance

2022-01-04 02:19
     Create your own NSM devices with Suricata using Dualcomm’s ETAP-PI, network tap appliance
    as well as Raspbery Pi with power redundant, graceful shutdown, user defined push buttons and leds.

    e3123a28e717c3ba9e5c6b2a32e56efd07a6b2de


      
    Youtube movie here
    https://youtube.com/watch?v=vo6yySnmvFE

    Dualcomm社ETAP-PIで作成するSuricata NSMアプライアンス(日本語・Youtube)
    Download PDF
    https://www.ikeriri.ne.jp/develop/Dualcomm/Create%20your%20own%20NSM%20devices%20with%20Suricata%20using%20Dualcomm%E2%80%99s%20ETAP-PI,%20network%20tap%20appliance.pdf

    Dualcomm’s ETAP-PI is a network tap appliance, there are two gigabit port for inline connection, and 1 monitor gigabit port that aggregate the traffic. Not only network tap, ETAP-PI has a raspberry Pi 4 inside the box. We can create our own NSM ( network security monitoring ), NIDS devices using Suricata, Snort and so on. This TAP appliance has dual redundant power supply and graceful shutdown button, as well as user-defined two LEDs and a push button for enterprise use.
    I refer the useful websites below: https://jufajardini.wordpress.com/2021/02/15/suricata-on-your-raspberry-pi/ https://www.reddit.com/r/raspberry_pi/comments/np1a8f/building_my_home_intrusion_detection_system/

    Step1: Install Suricata for Raspberry Pi4 Install required packages
    apt-get install python-pip libnss3-dev liblz4-dev libnspr4-dev libcap-ng-dev git
    Install packages for build Suricata
    apt install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev libyaml-0-2 libyaml-dev pkg-config
    zlib1g zlib1g-dev make libmagic-dev libjansson-dev rustc cargo python-yaml python3-yaml liblua5.1-dev Get Suricata source file
    wget https://www.openinfosecfoundation.org/download/suricata-6.0.3.tar.gz Extract source file and change directory for source file
    tar -xvf suricata-6.0.3.tar.gz
    cd suricata-6.0.3
    Execute configure script with some option
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua Compile and install Suricata
    make
    sudo make install Setup rules
    cd suricata-update
    sudo python setup.py build sudo python setup.py install
    cd ..
    sudo make install-full
        
    Step2: Suricata Configuration Update Suricata rules
    sudo suricata-update Edit configuration file
    Nano /etc/suricata/suricata.yaml
    Check #ring-size: 2048 section
    And uncomment and change ring buffer size to 30000 ring-size: 30000

    Step3: Execute Suricata and Test detection
    Execute suricata in background ( -c config file -i interface -S rule file)
    sudo suricata -c /etc/suricata/suricata.yaml -i eth0 -S /var/lib/suricata/rules/suricata.rules & Check the latest log file
    sudo tail -f /var/log/suricata/fast.log Access malware specific website
    wget 3wzn5p2yiumh7akj.onio
    and you can find alert event like that
    ET MALWARE Cryptowall .onion Proxy Domain [**] [Classification: A Network Trojan was detected] [Priority: 1] ps aux | grep suricata to find process ID and kill the process after testing

    Step4: Set Suricata as a service Edit service script
    nano /etc/systemd/system/suricata.service Copy and Paste a sample
    [Unit]
    Description=Suricata Intrusion Detection Service
    After=network.target syslog.target
    [Service]
    ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -S /var/lib/suricata/rules/suricata.rules ExecReload=/bin/kill -HUP $MAINPID
    ExecStop=/bin/kill $MAINPID
    [Install]
    WantedBy=multi-user.target
    Start/Stop/Restart/Check Suricata as a service sudo service suricata [start/stop/restart/status]
     
    Step5: Check log and Log rotate
    Suricata creates log files at /var/log/suricata
    eve.json : huge json file for analysing with Erastic Search and Kibana or Sprunk, etc. fast.log : suspicious event log ( it is useful to just check event )
    stats.log : network statistics log
    suricata.log : Suricata’s service log
    Check the latest suspicious events
    sudo tail -n 100 -f /var/log/suricata/fast.log
    Suricata may create huge size of log file, so you may configure log rotate setting, so edit log rotate setting file nano /etc/logrotate.d/suricata
    /var/log/suricata/*.log /var/log/suricata/*.json {
    daily
    maxsize 1G
    rotate 30
    missingok
    nocompress
    create
    sharedscripts
    postrotate
    systemctl restart suricata.service endscript
    }
    It means each daily log file limit to 1GB and holds the latest 30 files (for a month) Change logrotate configuration
    Sudo logrotate -f /etc/logratate.conf

    Step6: Automatically update Suricata rules at midnight
    Edit crontab to update and restart suricata at 3:33 am
    33 3 * * * sudo suricata-update && sudo service suricata restart
     
    It is a typical setting of maintain Suricata by Raspberry Pi but works best with ETAP-PI
    Create and customize your own stable NSM device and be ready for cyber security.
    I recommend to connect other packet capturing devices at external port of ETAP-PI.
    We can check actual pcap/pcapng file with Wireshark, if you find some important security event!!
    Megumi Takeshita, ikeriri network service co., ltd. (Twitter@ikeriri / megumi@ikeriri.ne.jp)
    https://www.ikeriri.ne.jp/develop/Dualcomm/rapsberrypinetworkappliance.html 
     
    コメントを書く
    コメントをするにはログインして下さい。