Simple Detection with suricata running for cisco
Detection IDS/IPS with Suricata + Port Mirroring Cisco
A simple explanation: Suricata is the OISF IDP engine, the open source Intrusion Detection and Prevention Engine,
which you can easily download here.
In this tutorial I'm using CentOS Minimal as the base OS, because it gives me better performance and lower memory utilization than the alternatives. OK, let me explain how to install Suricata on CentOS 6.4.
1. Install the dependency packages (development tools)
------------------------------------------------------------------------------------------------------------------------
~# yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel
------------------------------------------------------------------------------------------------------------------------
IPS Support
If you want to build Suricata with IPS support, we need the "libnfnetlink" and "libnetfilter_queue" packages. Pre-built packages are not available in the EPEL or CentOS Base repositories, so we download and install the RPMs from the Emerging Threats CentOS repository.
------------------------------------------------------------------------------------------------------------------------
~# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm
Alternatively, download and extract the Emerging Threats rule set into /etc/suricata by hand:
~# mkdir /etc/suricata
~# cd /etc/suricata
~# wget -c http://rules.emergingthreats.net/open/suricata-1.3/emerging.rules.tar.gz
~# tar -zxvf emerging.rules.tar.gz
------------------------------------------------------------------------------------------------------------------------
2. Download and Compile suricata package
------------------------------------------------------------------------------------------------------------------------
~# cd /opt/
~# wget -c http://www.openinfosecfoundation.org/download/suricata-1.4.6.tar.gz
~# tar -zxvf suricata-1.4.6.tar.gz
~# cd suricata-1.4.6
~# ./configure && make && make install-conf
~# ./configure && make && make install-rules
~# ./configure && make && make install-full
------------------------------------------------------------------------------------------------------------------------
3. Create a specific directory for the Suricata logs
------------------------------------------------------------------------------------------------------------------------
~# mkdir /var/log/suricata
~# touch /var/log/suricata
~# chown suricata.suricata /var/log/suricata
------------------------------------------------------------------------------------------------------------------------
4. Copy the default configuration files to /etc/suricata
------------------------------------------------------------------------------------------------------------------------
~# cp classification.config /etc/suricata
~# cp reference.config /etc/suricata
~# cp suricata.yaml /etc/suricata
------------------------------------------------------------------------------------------------------------------------
5. Configure suricata.yaml and the rules from http://rules.emergingthreats.net
------------------------------------------------------------------------------------------------------------------------
~# vi /etc/suricata/suricata.yaml
----------------------------------------------------------------
default-log-dir: /var/log/suricata/
filename: /var/log/suricata/suricata.log
default-rule-path: /etc/suricata/rules
rule-files:
- botcc.rules
- ciarmy.rules
- compromised.rules
- drop.rules
- dshield.rules
- emerging-activex.rules
- emerging-attack_response.rules
- emerging-chat.rules
- emerging-current_events.rules
- emerging-dns.rules
- emerging-dos.rules
- emerging-exploit.rules
- emerging-ftp.rules
- emerging-games.rules
- emerging-icmp_info.rules
- emerging-icmp.rules
- emerging-imap.rules
- emerging-inappropriate.rules
- emerging-malware.rules
- emerging-misc.rules
- emerging-mobile_malware.rules
- emerging-netbios.rules
- emerging-p2p.rules
- emerging-policy.rules
- emerging-pop3.rules
- emerging-rpc.rules
- emerging-scada.rules
- emerging-scan.rules
- emerging-shellcode.rules
- emerging-smtp.rules
- emerging-snmp.rules
- emerging-sql.rules
- emerging-telnet.rules
- emerging-tftp.rules
- emerging-trojan.rules
- emerging-user_agents.rules
- emerging-virus.rules
- emerging-voip.rules
- emerging-web_client.rules
- emerging-web_server.rules
- emerging-web_specific_apps.rules
- emerging-worm.rules
HOME_NET: "[192.168.56.0/24,10.0.0.0/8]"
----------------------------------------------------------------
Note:
default-rule-path: /etc/suricata/rules
- the directory in which every rule file listed under rule-files is looked up
HOME_NET: "[X.X.X.X/24]"
- this variable holds the network address (or the address of the single host) that Suricata monitors as the home network
------------------------------------------------------------------------------------------------------------------------
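Before starting the daemon it is worth checking that the two settings the note describes are consistent: every file under rule-files must actually exist under default-rule-path (Suricata will not load rules it cannot find), and HOME_NET must be a valid address group that is not so wide that inbound and outbound lose their meaning. The following is an added example (my code, not part of the tutorial or of Suricata); it only understands the flat "key: value" / "- item" fragment shown above, not the full nested suricata.yaml, and the file set it checks against is constructed inline to stand in for /etc/suricata/rules.

```python
"""Sanity-check the suricata.yaml settings edited in step 5.

Added example, not part of the tutorial or of Suricata. It parses the flat
fragment shown above (a real YAML parser is needed for the full file),
resolves every rule-files entry against default-rule-path and validates
the HOME_NET address group.
"""
import ipaddress
import os

# Constructed copy of the step 5 fragment, trimmed to three rule files.
FRAGMENT = """\
default-log-dir: /var/log/suricata/
default-rule-path: /etc/suricata/rules
rule-files:
- botcc.rules
- emerging-exploit.rules
- emerging-scan.rules
HOME_NET: "[192.168.56.0/24,10.0.0.0/8]"
"""


def parse_fragment(text):
    """Parse 'key: value' lines into a dict; '- item' lines fill the preceding key's list."""
    settings = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if current_list is None:
                raise ValueError("list item outside a list: %r" % line)
            current_list.append(line[2:].strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a key: value line: %r" % line)
        key, value = key.strip(), value.strip().strip('"')
        if value == "":
            current_list = settings.setdefault(key, [])   # 'rule-files:' opens a list
        else:
            settings[key] = value
            current_list = None
    return settings


def parse_address_group(spec):
    """Expand a flat Suricata address group such as "[192.168.56.0/24,!10.0.0.5]"
    into (included, excluded) lists of ip_network objects. Nested groups and
    variable references are not handled; 'any' is treated as 0.0.0.0/0."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    included, excluded = [], []
    for item in filter(None, (p.strip() for p in spec.split(","))):
        negate = item.startswith("!")
        item = item.lstrip("!")
        net = ipaddress.ip_network("0.0.0.0/0" if item.lower() == "any" else item, strict=False)
        (excluded if negate else included).append(net)
    return included, excluded


def missing_rule_files(settings, exists=os.path.isfile):
    """Return rule-files entries not present under default-rule-path.
    `exists` is injectable so the check can run against a constructed file set."""
    base = settings.get("default-rule-path", "")
    return [name for name in settings.get("rule-files", [])
            if not exists(os.path.join(base, name))]


def check_settings(settings, exists=os.path.isfile):
    """Return human-readable problems; an empty list means the fragment is sane."""
    problems = ["rule file not found: %s" % n for n in missing_rule_files(settings, exists)]
    try:
        included, _ = parse_address_group(settings.get("HOME_NET", ""))
        if not included:
            problems.append("HOME_NET includes no networks")
        for net in included:
            if net.prefixlen == 0:
                problems.append("HOME_NET %s matches every address; alerts lose direction" % net)
    except ValueError as exc:
        problems.append("HOME_NET invalid: %s" % exc)
    return problems


if __name__ == "__main__":
    settings = parse_fragment(FRAGMENT)
    # Constructed file set standing in for the contents of /etc/suricata/rules.
    present = {"/etc/suricata/rules/botcc.rules", "/etc/suricata/rules/emerging-exploit.rules"}
    for problem in check_settings(settings, exists=present.__contains__):
        print("PROBLEM:", problem)
```

Run against the real box by dropping the `exists=` argument, so `os.path.isfile` looks at /etc/suricata/rules; a missing file reported here is the same file Suricata would complain about at startup.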
6. Run Suricata as a daemon
~# suricata -c /etc/suricata/suricata.yaml -i eth0 -D
13/12/2013 -- 15:39:01 - <Info> - This is Suricata version 1.4.6 RELEASE
13/12/2013 -- 15:39:01 - <Info> - CPUs/cores online: 1
13/12/2013 -- 15:39:01 - <Info> - Found an MTU of 1500 for 'eth2'
13/12/2013 -- 15:39:01 - <Info> - allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of size 32
13/12/2013 -- 15:39:01 - <Info> - preallocated 65535 defrag trackers of size 104
13/12/2013 -- 15:39:01 - <Info> - defrag memory usage: 8912792 bytes, maximum: 33554432
13/12/2013 -- 15:39:01 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
13/12/2013 -- 15:39:01 - <Info> - preallocated 1024 packets. Total memory 3170304
13/12/2013 -- 15:39:01 - <Info> - allocated 131072 bytes of memory for the host hash... 4096 buckets of size 32
13/12/2013 -- 15:39:01 - <Info> - preallocated 1000 hosts of size 76
13/12/2013 -- 15:39:01 - <Info> - host memory usage: 207072 bytes, maximum: 16777216
13/12/2013 -- 15:39:01 - <Info> - allocated 2097152 bytes of memory for the flow hash... 65536 buckets of size 32
13/12/2013 -- 15:39:01 - <Info> - preallocated 10000 flows of size 176
13/12/2013 -- 15:39:01 - <Info> - flow memory usage: 3857152 bytes, maximum: 33554432
13/12/2013 -- 15:39:01 - <Info> - IP reputation disabled
13/12/2013 -- 15:39:01 - <Info> - using magic-file /usr/share/file/magic
7. Monitoring Suricata
~# tail -f /var/log/suricata/fast.log
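Each line Suricata writes to fast.log has a fixed shape: timestamp, `[**]`, `[gid:sid:rev] msg [**]`, `[Classification: ...]`, `[Priority: N]`, `{PROTO}`, then `src:port -> dst:port`. Tailing it by eye works for a lab, but the same lines are easy to parse and summarize, and the direction of an alert relative to HOME_NET is what you look at first when triaging. The following added example is my code, not the tutorial's or Suricata's; the alert lines are constructed samples in fast.log format (the sid values are illustrative), and HOME_NETS mirrors the HOME_NET set in step 5.

```python
"""Parse Suricata fast.log lines and summarize alerts by signature and direction.

Added example, not part of the tutorial or of Suricata. The sample lines below
are constructed in fast.log format; they were not captured from a real sensor.
"""
import ipaddress
import re
from collections import Counter

# The HOME_NET configured in step 5 of the tutorial.
HOME_NETS = [ipaddress.ip_network(n) for n in ("192.168.56.0/24", "10.0.0.0/8")]

# Constructed sample fast.log content; the last line is noise that must be skipped.
SAMPLE_FAST_LOG = """\
12/13/2013-15:41:02.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.101:80 -> 10.0.0.5:49152
12/13/2013-15:41:07.654321  [**] [1:2002910:5] ET SCAN Potential VNC Scan 5800-5820 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51234 -> 192.168.56.20:5800
12/13/2013-15:41:09.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.101:80 -> 203.0.113.9:51300
12/13/2013-15:41:11.500000  [**] [1:2100384:6] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5:0 -> 192.168.56.20:0
this line is not an alert and must be skipped
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _split_endpoint(endpoint):
    """'10.0.0.5:49152' -> ('10.0.0.5', 49152). The port follows the last colon,
    which also works for the unbracketed IPv6 form fast.log uses."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_fast_log_line(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    src, sport = _split_endpoint(m.group("src"))
    dst, dport = _split_endpoint(m.group("dst"))
    return {
        "timestamp": m.group("ts"),
        "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("classification"),
        "priority": int(m.group("priority")),
        "proto": m.group("proto"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def parse_fast_log(text):
    """Parse every alert line in `text`; non-alert lines are ignored."""
    return [a for a in (parse_fast_log_line(l) for l in text.splitlines()) if a]


def direction(alert, home_nets):
    """Classify an alert as internal, inbound, outbound or external relative to HOME_NET."""
    src_home = any(ipaddress.ip_address(alert["src"]) in n for n in home_nets)
    dst_home = any(ipaddress.ip_address(alert["dst"]) in n for n in home_nets)
    if src_home and dst_home:
        return "internal"
    if dst_home:
        return "inbound"
    if src_home:
        return "outbound"
    return "external"


def summarize(alerts, home_nets):
    """Count alerts per sid and per direction; both are Counters keyed as shown."""
    return {
        "by_sid": Counter(a["sid"] for a in alerts),
        "by_direction": Counter(direction(a, home_nets) for a in alerts),
    }


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    summary = summarize(alerts, HOME_NETS)
    for sid, count in summary["by_sid"].most_common():
        msg = next(a["msg"] for a in alerts if a["sid"] == sid)
        print("%5d  sid %d  %s" % (count, sid, msg))
    print("by direction:", dict(summary["by_direction"]))
```

To use it on the live file, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log. In the sample, the ATTACK_RESPONSE alert classified as outbound (a HOME_NET web server answering an outside address) is the one to look at first: the signature fires on the response, so the server has already returned output to the client.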
8. Configure Cisco port mirroring for Suricata
In this case the port mirroring mechanism is used to duplicate all traffic on a port or VLAN interface to the IDS/IPS (the Suricata server). This configuration is needed to capture all incoming traffic and to observe how an attacker tries to gain privileges on a system.
Here is the scenario and configuration:
------------------------------------------------------------------------------------------------------------------------
Cisco_device#configure terminal
Cisco_device(config)#monitor session 1 source interface GigabitEthernet x/x
Cisco_device(config)#monitor session 1 destination interface GigabitEthernet x/x
------------------------------------------------------------------------------------------------------------------------
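Once the switch side is configured, verify on the Suricata host that the mirrored traffic actually arrives: the capture NIC must be up with carrier, it must be in promiscuous mode (otherwise the NIC drops mirrored frames addressed to other MACs before Suricata ever sees them; Suricata enables promiscuous mode itself on the interface it is bound to), its RX counter must keep growing, and as a SPAN destination it should not be transmitting at all. The following added example is my code, not the tutorial's or Suricata's; `evaluate_sensor_interface` is a pure function over values that `check_live` reads from /sys/class/net on a Linux box, and the flag bits come from <linux/if.h>.

```python
"""Check that a NIC behaves like a healthy SPAN destination for Suricata.

Added example, not part of the tutorial or of Suricata. The interface flag
bits are the values from <linux/if.h>; `check_live` reads them from sysfs on
Linux, `evaluate_sensor_interface` works on plain integers and can be tested
without any network interface.
"""
import os
import time

# Interface flag bits from <linux/if.h>.
IFF_UP, IFF_BROADCAST, IFF_LOOPBACK = 0x1, 0x2, 0x8
IFF_RUNNING, IFF_PROMISC, IFF_MULTICAST = 0x40, 0x100, 0x1000

FLAG_NAMES = [
    (IFF_UP, "UP"), (IFF_BROADCAST, "BROADCAST"), (IFF_LOOPBACK, "LOOPBACK"),
    (IFF_RUNNING, "RUNNING"), (IFF_PROMISC, "PROMISC"), (IFF_MULTICAST, "MULTICAST"),
]


def flag_names(flags):
    """Decode the numeric flags word (e.g. 4163) into the names ifconfig prints."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def evaluate_sensor_interface(flags, rx_before, rx_after, tx_packets):
    """Return findings for a NIC meant to receive mirrored traffic; [] means healthy.

    rx_before/rx_after are rx_packets readings taken a few seconds apart,
    tx_packets is the interface's total transmit counter."""
    findings = []
    if not flags & IFF_UP:
        findings.append("interface is administratively down")
    if not flags & IFF_RUNNING:
        findings.append("no carrier: check the cable to the SPAN destination port")
    if not flags & IFF_PROMISC:
        findings.append("not in promiscuous mode: mirrored frames addressed to other MACs "
                        "are dropped before Suricata sees them (Suricata sets it when bound "
                        "to this interface; if it is still off, Suricata is not capturing here)")
    if rx_after <= rx_before:
        findings.append("RX counter is not increasing: the switch is not mirroring traffic to this port")
    if tx_packets:
        findings.append("interface transmitted %d packets: a SPAN destination should stay silent "
                        "(no IP address, no services bound to it)" % tx_packets)
    return findings


def _read_int(path, base=10):
    with open(path) as fh:
        return int(fh.read().strip(), base)


def check_live(iface, interval=2.0, sysfs="/sys/class/net"):
    """Sample the interface via sysfs (Linux only) and evaluate it."""
    base = os.path.join(sysfs, iface)
    flags = _read_int(os.path.join(base, "flags"), 16)        # file holds e.g. "0x1143"
    rx_path = os.path.join(base, "statistics", "rx_packets")
    rx_before = _read_int(rx_path)
    time.sleep(interval)
    rx_after = _read_int(rx_path)
    tx_packets = _read_int(os.path.join(base, "statistics", "tx_packets"))
    return evaluate_sensor_interface(flags, rx_before, rx_after, tx_packets)


if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"   # capture interface name is an assumption
    for finding in check_live(iface) or ["interface looks like a healthy SPAN destination"]:
        print(finding)
```

A flags value of 4163 decodes to UP, BROADCAST, RUNNING, MULTICAST with no PROMISC bit; with Suricata running against that interface the value should read 4419 (the same set plus 0x100) and ifconfig shows PROMISC in its flag list.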
Source :
- http://suricata-ids.org/
- http://rules.emergingthreatspro.com/
I think I've done everything correctly. I've setup a second NIC for the monitoring interface (CentOS 7). The interface is receiving packets, but logs aren't showing anything.
eno2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:1e:4f:40:f5:86 txqueuelen 1000 (Ethernet)
RX packets 187791 bytes 14406544 (13.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 17
ifcfg-eno2
HWADDR=00:1E:4F:40:F5:86
TYPE=Ethernet
NAME=eno2
BOOTPROTO=static
DEVICE=eno2
ONBOOT=yes
TYPE=Ethernet
PROMISC=yes
USERCTL=no
UUID=0172c3fa-3079-4c64-9c55-f67080d6c1f9