Skip to main content

Snorby as IDS

Recently I had a D945GSEJT Mini-ITX board which I wanted to turn into a networked-based Intrusion Detection System (IDS) to monitor my CTF network.  

The board is pretty sweet, as it is fairly inexpensive, came with a 1.6GHz processor and 1GB of RAM, and I put another Intel Pro 1000 NIC on it to have two interfaces, and of course bought a small SATA drive to install the IDS to.   The board is also super-quiet (no fans even), and is powered by a 12-v power supply, so it doesn't draw a lot of power.  

I wanted a headless IDS, so that I could plug the monitored port into my CTF network with one NIC, and administer it via the other one (via another network, or directly plugged in). 

Of course my IDS is Snort, but I wanted a good way to manage the alerts aside from ssh.  I LOVED Sguil, but installing that is prohibitively hard, so I didn't even try.  

I tried out SnortReports, and that didn't do it for me, as the reporting is pretty bare-bones.  

I've used BASE before, so I gave that a try.  That seemed a bit glitchy also, as some of the graphics didn't render correctly, and it just seemed less clean and more hassle than I wanted (below is a screenshot).

That was when a friend suggested Snorby.  I hadn't used Snorby before, but I decided to give it a try.  I downloaded Insta-Snorby0.7.0, and the installation was a breeze!  I basically booted to the iso, entered my root password, put in my time, my oinkcode, selected no Pulled Pork and no automatic updates (it won't have a solid connection to the Internet), and BAM!  It was installed!  

The trickiest part was getting the network interface to be monitored to not have an IP address, as Turnkey linux didn't let me assign an IP of to the interface during installation or configuration.  So I changed it in the /etc/network/interfaces file after installation.  This made the Turnkey Linux Configuration Console complain (it didn't notice that eth0 was up), but it worked.  Here's my /etc/network/interfaces file:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
up ifconfig $IFACE up
up ifconfig $IFACE promisc
down ifconfig $IFACE down

auto eth1
iface eth1 inet static

That seemed to work fine.

Here's a few screenshots of Insta-Snorby's Awesomeness:

Turnkey Linux has a Web configuration, which is nice:

And after you log in, you can administer lots of stuff:

It even has a web login on port 12320 to allow you to ssh into it through a browser, which is cool (but I'd probably just use SSH).

But where Snorby really shines is with its easy to use Alert monitoring GUI.  Check these screenshots out:

It even makes pdfs of the reports for you, and is just a wonderful interface to use.  It's simple like they advertise, but it's also just fun to browse through.  I LOVE it.  Snorby is definately the IDS front end for me.  


Popular posts from this blog

ADS-B plotting with Kali (and other SDR goodies)

Recently I wanted to try some Software Defined Radio stuff.   
I had a RTL-SDR, FM+DAB, DVB-T USB Stick Set with RTL2832U & R820T. that I got from:
But, even though this dongle would break out FM radio stations, and ATC frequencies (like the local Ground Control, tower, and even ATIS), which was cool, it wouldn't break out ADS-B.   
Thus, I bought a Vantech Green Mini RTL2832U R820T DVB-T SDR DAB FM USB DIGITAL TV Tuner Receiver RTL-SDR Project + DAB dongle Tuner MCX Input from Amazon, and tried this.  
This dongle was able to listen to the 1090MHz frequency required for ADS-B (as it goes from 25MHz to 1700MHz).  There were tons of Windows programs out there for breaking out and plotting ADS-B Mode S broadcasts, but not many for Linux.  
For Kali Linux, here's how I got it running and plotting planes around my home:
0) before you start, you should do an apt-get update to ensure you hav…

Beaglebone Black as a Wireless Intrusion Detection System (WIDS)

Recently I have been wanting a wireless IDS (WIDS) to detect nefarious wifi activity.  I also had a Beaglebone Black hanging around that I wanted to put to good use.   This seemed like a perfect match, and indeed it seems to be so!

I did some research on WIDSs, and although there is SUPPOSED to be several out there, nearly all that I seemed to find was commercial and Windows-based products, not something I could use myself.   
About the only exception to that rule was Kismet, so I decided to give that a try.  Kismet is supposed to work as a WIDS, and per its documentation should catch the following attacks:
Kismet supports the following alerts, where applicable the WVE (Wireless Vulnerability and Exploits, ID is included: AIRJACKSSID Fingerprint Deprecated The original 802.11 hacking tools, Airjack, set the initial SSID to 'airjack' when starting up. This alert is no longer relevant as the Airjac…

Temper Temperature monitor on a Beaglebone Black

Beaglebone Black as a temperature monitor:

Recently I wanted to monitor the temperature of my shed.  I thought I'd use a small computer such as a Raspberry Pi or a Beaglebone or Odroid.

My Raspberry Pi boxes were all in use, so I grabbed my Beaglebone, which was doing nothing.

I flashed it with the Debian9.32018-03-054GB SDIoTimage, but that seemed like it was running lots of bloatware and the ethernet interface wouldn't take a static IP with /etc/network/interfaces.

So I went with the Debian9.32018-01-284GB SDLXQTi image instead.  I still had the same problem, that lots of junk was running, and I couldn't configure my interface by modifying /etc/network/interfaces

So my first step was to get rid of all the bloatware.  If you're using a Raspberry Pi or something, you can skip this and just go to the second step below

STEP 1--Remove Blotatware from Beaglebone Black:

With some searching, I came across this post:…