The quest for IDS

Snorby

Been playing around with IDS lately, and there is a lot of information out there, and so many different ways of doing it. My initial plan was to just get an old box up and running, then sniff my local network. Straightforward, I thought…


Snorby was the first thing on my mind. I wanted a nice “this-generation” UI, and I wanted it to be based on one of my favourite distros, Debian. Google is still your friend, and I quickly found a good guide to get snort/snorby up and running: “How to install snort and snorby on debian”.

This was way too many steps; there must be an easier way… So I spent an evening rewriting the guide, with some small modifications, into a single bash script.

The result: IDSSetup.sh

#!/bin/bash
# Name: IDSsetup.sh
# Version: 0.1
# Date: 22.09.2014
#
# Desc: Ever needed to get a quick IDS service up and running?
# This install script will get snort and snorby up and running in no time.
#
# This has been tested on a clean Debian 7.6 install
# Distributor ID: Debian
# Description: Debian GNU/Linux 7.6 (wheezy)
# Release: 7.6
# Codename: wheezy
#
# For full explanation, and further reading, check out
# url: http://dev.n0ll.com/2014/09/the-quest-for-ids/
#
# Changelog
# v0.1 = Headless install based on http://wolfer.blog.com/2013/06/28/how-to-installing-snort-and-snorby-on-debian/

Basically you just need a clean install of Debian 7.6 (it probably works on other versions too).

But it was not working as I wanted… I need to get more knowledge on how things are set up, and I’ve lately been drawn into the discussion on which IDS system is best, Snort or Suricata. I even tried an old friend, Security Onion, but I’m still not satisfied… Any new players? Yes: SmoothSec. Looks promising… They are basically doing what I want… But are they still alive? The last update is from January this year, and their webpage http://www.smoothsec.org/ ain’t working… valid domain, but no DNS info…

On another matter, to get a proper IDS system up and running, I need dedicated hardware. A new Dell PowerEdge R220 rack server is being built/shipped as we speak, so the quest for an IDS solution is still on…

Last-minute addition: while writing this small blog update, I came across EVE from Suricata. This looks really cool. I really need to check this one out a bit more!

With 2.0 we introduced “Eve”, our all JSON event and alert output. This allows for easy integration with Logstash and similar tools.

[Image: kibana300]

“Eve”, Suricata’s all-JSON event and alert output.
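As an added illustration of what Eve produces (this is not code from the post, nor from the Suricata project), here is a small Python reader that parses newline-delimited eve.json, skips lines that are not valid JSON (a line cut short because the file is being read while Suricata is still writing it), and summarizes alerts by signature, source IP and severity. The sample lines are constructed: the field names follow Suricata’s EVE format, but the signature names and ids are made up.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not from the page); field names follow
# Suricata's EVE format, but the signature names and ids are made up.
SAMPLE_EVE = """\
{"timestamp":"2014-09-22T10:01:05.123456+0200","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE SCAN SSH probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2014-09-22T10:01:06.000000+0200","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2014-09-22T10:01:07.500000+0200","event_type":"alert","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"10.0.0.9","dest_port":23,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE SCAN SSH probe","category":"Attempted Information Leak","severity":2}}
not json at all
{"timestamp":"2014-09-22T10:02:00.000000+0200","event_type":"alert","src_ip":"192.0.2.7","src_port":4444,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE WEB shell response","category":"Potentially Bad Traffic","severity":1}}
"""

def parse_eve(text):
    """Parse newline-delimited EVE JSON. Returns (events, skipped), where
    skipped counts lines that are not JSON objects with an event_type."""
    events, skipped = [], 0
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            ev = json.loads(line)
        except ValueError:
            ev = None
        if isinstance(ev, dict) and "event_type" in ev:
            events.append(ev)
        else:
            skipped += 1
    return events, skipped

def summarize_alerts(events, max_severity=1):
    """Count alert events by signature and source IP; collect alerts with
    severity <= max_severity (Suricata uses 1 for the most severe)."""
    by_signature, by_src, high = Counter(), Counter(), []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue  # dns, http, flow, ... records are not alerts
        alert = ev.get("alert", {})
        by_signature[alert.get("signature", "?")] += 1
        by_src[ev.get("src_ip", "?")] += 1
        if alert.get("severity", 99) <= max_severity:
            high.append((ev["timestamp"], ev["src_ip"], ev["dest_ip"], alert["signature"]))
    return {"by_signature": by_signature, "by_src": by_src, "high": high}

if __name__ == "__main__":
    evs, bad = parse_eve(SAMPLE_EVE)
    summary = summarize_alerts(evs)
    print(f"{len(evs)} events parsed, {bad} line(s) skipped")
    for ts, src, dst, sig in summary["high"]:
        print(f"HIGH {ts} {src} -> {dst}: {sig}")
```

Pointing parse_eve at a real /var/log/suricata/eve.json gives the same per-signature and per-source counts that a Kibana dashboard over Logstash would show.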
