Recently I had a D945GSEJT Mini-ITX board which I wanted to turn into a networked-based Intrusion Detection System (IDS) to monitor my CTF network.
The board is pretty sweet, as it is fairly inexpensive, came with a 1.6GHz processor and 1GB of RAM, and I put another Intel Pro 1000 NIC on it to have two interfaces, and of course bought a small SATA drive to install the IDS to. The board is also super-quiet (no fans even), and is powered by a 12-v power supply, so it doesn't draw a lot of power.
I wanted a headless IDS, so that I could plug the monitored port into my CTF network with one NIC, and administer it via the other one (via another network, or directly plugged in).
Of course my IDS is Snort, but I wanted a good way to manage the alerts aside from ssh. I LOVED Sguil, but installing that is prohibitively hard, so I didn't even try.
I tried out SnortReports, and that didn't do it for me, as the reporting is pretty bare-bones.
I've used BASE before, so I gave that a try. That seemed a bit glitchy also, as some of the graphics didn't render correctly, and it just seemed less clean and more hassle than I wanted (below is a screenshot).
That was when a friend suggested Snorby. I hadn't used Snorby before, but I decided to give it a try. I downloaded Insta-Snorby0.7.0, and the installation was a breeze! I basically booted to the iso, entered my root password, put in my time, my oinkcode, selected no Pulled Pork and no automatic updates (it won't have a solid connection to the Internet), and BAM! It was installed!
The trickiest part was getting the network interface to be monitored to not have an IP address, as Turnkey linux didn't let me assign an IP of 0.0.0.0 to the interface during installation or configuration. So I changed it in the /etc/network/interfaces file after installation. This made the Turnkey Linux Configuration Console complain (it didn't notice that eth0 was up), but it worked. Here's my /etc/network/interfaces file:
Here's a few screenshots of Insta-Snorby's Awesomeness:
Turnkey Linux has a Web configuration, which is nice:
And after you log in, you can administer lots of stuff:
It even has a web login on port 12320 to allow you to ssh into it through a browser, which is cool (but I'd probably just use SSH).
But where Snorby really shines is with its easy to use Alert monitoring GUI. Check these screenshots out:
It even makes pdfs of the reports for you, and is just a wonderful interface to use. It's simple like they advertise, but it's also just fun to browse through. I LOVE it. Snorby is definately the IDS front end for me.
The board is pretty sweet, as it is fairly inexpensive, came with a 1.6GHz processor and 1GB of RAM, and I put another Intel Pro 1000 NIC on it to have two interfaces, and of course bought a small SATA drive to install the IDS to. The board is also super-quiet (no fans even), and is powered by a 12-v power supply, so it doesn't draw a lot of power.
I wanted a headless IDS, so that I could plug the monitored port into my CTF network with one NIC, and administer it via the other one (via another network, or directly plugged in).
Of course my IDS is Snort, but I wanted a good way to manage the alerts aside from ssh. I LOVED Sguil, but installing that is prohibitively hard, so I didn't even try.
I tried out SnortReports, and that didn't do it for me, as the reporting is pretty bare-bones.
I've used BASE before, so I gave that a try. That seemed a bit glitchy also, as some of the graphics didn't render correctly, and it just seemed less clean and more hassle than I wanted (below is a screenshot).
That was when a friend suggested Snorby. I hadn't used Snorby before, but I decided to give it a try. I downloaded Insta-Snorby0.7.0, and the installation was a breeze! I basically booted to the iso, entered my root password, put in my time, my oinkcode, selected no Pulled Pork and no automatic updates (it won't have a solid connection to the Internet), and BAM! It was installed!
The trickiest part was getting the network interface to be monitored to not have an IP address, as Turnkey linux didn't let me assign an IP of 0.0.0.0 to the interface during installation or configuration. So I changed it in the /etc/network/interfaces file after installation. This made the Turnkey Linux Configuration Console complain (it didn't notice that eth0 was up), but it worked. Here's my /etc/network/interfaces file:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ifconfig $IFACE promisc
down ifconfig $IFACE down
auto eth1
iface eth1 inet static
address 192.168.15.1
netmask 255.255.255.0
That seemed to work fine.
Here's a few screenshots of Insta-Snorby's Awesomeness:
Turnkey Linux has a Web configuration, which is nice:
And after you log in, you can administer lots of stuff:
It even has a web login on port 12320 to allow you to ssh into it through a browser, which is cool (but I'd probably just use SSH).
But where Snorby really shines is with its easy to use Alert monitoring GUI. Check these screenshots out:
It even makes pdfs of the reports for you, and is just a wonderful interface to use. It's simple like they advertise, but it's also just fun to browse through. I LOVE it. Snorby is definately the IDS front end for me.
Comments
Post a Comment