Two new images with network IDS tools have been added to the ExoGENI Image Registry. Both images can be used to deploy network IDS tools into slices.
– Centos 7.4 v1.0.4 BRO
– Ubuntu 14.04 Security Onion
“Bro Network Security Monitor” is a framework for monitoring network traffic. It has built-in analyzers that inspect the traffic for all kinds of activity. Documentation is available on the Bro web site.
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It is based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. Detailed information can be found on the Security Onion wiki and web site.
1. Configuration of Bro instance from image “Centos 7.4 v1.0.4 BRO”
Bro v2.5.2 is built from source with pf_ring support and installed under /opt/bro.
A minimal starting configuration can be done by modifying /opt/bro/etc/node.cfg. Standalone (single sniffing process):
[root@bro ~]# cat /opt/bro/etc/node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0
Cluster (multiple workers with pf_ring):
[root@bro ~]# cat /opt/bro/etc/node.cfg
[manager]
type=manager
host=localhost
#
[proxy]
type=proxy
host=localhost

[bro-eth1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=5
#pin_cpus=1,3
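Before running broctl deploy it is worth checking that the node.cfg layout is internally consistent: a standalone node must be the only section, a cluster needs one manager, a proxy and at least one worker, and a worker that uses lb_method=pf_ring needs an lb_procs count (with pin_cpus, when enabled, listing one CPU per process). The checker below is an added example, not part of the ExoGENI image or of BroControl; it assumes only the INI layout and key names shown in the two configurations above, and the two sample configurations embedded in it are constructed copies of those.

```python
"""Pre-deploy sanity check for a BroControl node.cfg (added example, not part of
the Bro image or of broctl). Assumes the INI layout and keys shown in the page's
standalone and cluster configurations."""
import configparser

# Constructed copies of the two node.cfg layouts (standalone and pf_ring cluster).
STANDALONE_CFG = """\
[bro]
type=standalone
host=localhost
interface=eth0
"""

CLUSTER_CFG = """\
[manager]
type=manager
host=localhost
#
[proxy]
type=proxy
host=localhost
#
[bro-eth1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=5
#pin_cpus=1,3
"""

NODE_TYPES = ("standalone", "manager", "proxy", "worker")
SNIFFERS = ("standalone", "worker")


def parse_node_cfg(text):
    """node.cfg is INI-style and '#' lines are comments, so configparser handles it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_node_cfg(text):
    """Return a list of problems; an empty list means the layout is usable."""
    nodes = parse_node_cfg(text)
    problems = []
    by_type = {}
    for name, node in nodes.items():
        ntype = node.get("type")
        if ntype not in NODE_TYPES:
            problems.append(f"{name}: unknown or missing type {ntype!r}")
            continue
        by_type.setdefault(ntype, []).append(name)
        if "host" not in node:
            problems.append(f"{name}: missing host")
        if ntype not in SNIFFERS:
            continue
        # Only sniffing nodes need an interface and load-balancing settings.
        if "interface" not in node:
            problems.append(f"{name}: sniffing node has no interface")
        lb_method = node.get("lb_method")
        lb_procs = node.get("lb_procs")
        nprocs = int(lb_procs) if lb_procs and lb_procs.isdigit() else None
        if lb_method == "pf_ring" and not (nprocs and nprocs > 0):
            problems.append(f"{name}: lb_method=pf_ring needs a positive lb_procs")
        if lb_procs and not lb_method:
            problems.append(f"{name}: lb_procs set without lb_method")
        pins = node.get("pin_cpus")
        if pins and nprocs and len(pins.split(",")) != nprocs:
            problems.append(f"{name}: pin_cpus lists {len(pins.split(','))} CPUs for lb_procs={nprocs}")
    if "standalone" in by_type:
        if len(nodes) != 1:
            problems.append("a standalone node must be the only section")
    else:
        if len(by_type.get("manager", [])) != 1:
            problems.append("a cluster needs exactly one manager")
        if not by_type.get("proxy"):
            problems.append("a cluster needs at least one proxy")
        if not by_type.get("worker"):
            problems.append("a cluster needs at least one worker")
    return problems


if __name__ == "__main__":
    for label, cfg in (("standalone", STANDALONE_CFG), ("cluster", CLUSTER_CFG)):
        issues = check_node_cfg(cfg)
        print(f"{label}: {'ok' if not issues else issues}")
```

To use it on the VM, read /opt/bro/etc/node.cfg into check_node_cfg() and refuse to run broctl deploy while the returned list is non-empty; the commented-out pin_cpus line in the cluster sample is ignored exactly as broctl ignores it.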
Deploy configuration and start Bro:
[root@bro ~]# broctl deploy
checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
stopping ...
bro-eth1-1 not running
bro-eth1-2 not running
proxy not running
manager not running
starting ...
starting manager ...
starting proxy ...
starting bro-eth1-1 ...
starting bro-eth1-2 ...
[root@bro ~]# broctl status
Name         Type     Host        Status    Pid    Started
manager      manager  localhost   running   1307   25 Oct 15:46:02
proxy        proxy    localhost   running   1348   25 Oct 15:46:04
bro-eth1-1   worker   localhost   running   1399   25 Oct 15:46:05
bro-eth1-2   worker   localhost   running   1401   25 Oct 15:46:05
2. Configuration of Security Onion instance from image “Ubuntu 14.04 Security Onion”
After deploying the VM, log in with SSH X11 forwarding and run sosetup:
$ ssh -Y -i ~/.ssh/id_rsa email@example.com
... [output omitted] ...
root@so-1:~# sosetup
Follow the prompts:
The next window, about network interface configuration, can be skipped since we will not change the management interface. If it does need to be configured through this window, eth0 should be selected as the management interface, with the current IP address of the VM (from the 10.103.0.0/24 subnet), netmask 255.255.255.0 and default gateway 10.103.0.1.
Details about the server configuration can be found on the wiki. This sample configuration selects “Evaluation Mode”.
Configuration changes will be committed.
Information messages pop up.
The firewall needs to be configured to allow connections to the instance. This should be done after sosetup has completed.
Configure the firewall for access to the instance (the values typed at the prompts are the selection a, the analyst IP address, and Enter):
root@so-1:~# so-allow
This program allows you to add a firewall rule to allow connections from a new IP address.

What kind of device do you want to allow?

[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
[c] - apt-cacher-ng client - port 3142/tcp
[l] - syslog device - port 514
[o] - ossec agent - port 1514/udp
[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp

If you need to add any ports other than those listed above, you can do so using the standard 'ufw' utility.

For more information, please see the Firewall page on our Wiki:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall

Please enter your selection (a - analyst, c - apt-cacher-ng client, l - syslog, o - ossec, or s - Security Onion sensor): a
Please enter the IP address of the analyst you'd like to allow to connect to port(s) 22,443,7734: 18.104.22.168
We're going to allow connections from 22.214.171.124 to port(s) 22,443,7734.

Here's the firewall rule we're about to add:
sudo ufw allow proto tcp from 126.96.36.199 to any port 22,443,7734

We're also whitelisting 188.8.131.52 in /var/ossec/etc/ossec.conf to prevent OSSEC Active Response from blocking it.

Keep in mind, the OSSEC server will be restarted once configuration is complete.

To continue and add this rule, press Enter.
Otherwise, press Ctrl-c to exit.
PRESS ENTER
Rule added
Rule has been added.

Here is the entire firewall ruleset:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22,443,7734/tcp            ALLOW       184.108.40.206
22/tcp (v6)                ALLOW       Anywhere (v6)

Added whitelist entry for 220.127.116.11 in /var/ossec/etc/ossec.conf.

Restarting OSSEC Server...
Deleting PID file '/var/ossec/var/run/ossec-remoted-5006.pid' not used...
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
ossec-maild not running ..
Killing ossec-execd ..
Killing ossec-csyslogd ..
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-csyslogd...
2017/10/25 16:20:23 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
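The ruleset so-allow prints at the end is worth reading rather than skimming: so-allow adds a rule scoped to the analyst address, but the pre-existing 22/tcp ALLOW Anywhere rule (IPv4 and IPv6) stays in place, so SSH on the instance remains reachable from any source even after the analyst rule is added. The audit below is an added example, not part of Security Onion or of so-allow; it parses the table layout of `ufw status` as shown above and reports ALLOW rules that expose one of the so-allow port classes to Anywhere. The sample output is constructed, with 203.0.113.10 standing in for the analyst address.

```python
"""Audit a `ufw status` ruleset for so-allow ports open to any source (added
example, not Security Onion's own code). Assumes the column layout shown by
so-allow: To / Action / From, separated by runs of spaces."""
import re

# Constructed `ufw status` output in the shape so-allow prints; 203.0.113.10 is a
# documentation-range address standing in for the analyst IP.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22,443,7734/tcp            ALLOW       203.0.113.10
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Ports so-allow opens per device class (analyst, apt-cacher-ng, syslog, ossec, sensor).
SO_ALLOW_PORTS = {22, 443, 7734, 3142, 514, 1514, 4505, 4506, 7736}
ACTIONS = ("ALLOW", "DENY", "REJECT", "LIMIT")


def parse_ufw_status(text):
    """Return (to, action, from) triples; the Status and header lines are skipped."""
    rules = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == 3 and fields[1].split()[0] in ACTIONS:
            rules.append(tuple(fields))
    return rules


def ports_in(to_field):
    """'22,443,7734/tcp' -> {22, 443, 7734}; non-numeric targets give an empty set."""
    m = re.match(r"(\d+(?:,\d+)*)(?:/(?:tcp|udp))?", to_field)
    return {int(p) for p in m.group(1).split(",")} if m else set()


def audit_ufw_status(text, sensitive_ports=SO_ALLOW_PORTS):
    """List ALLOW rules that expose a so-allow port to Anywhere instead of one address."""
    findings = []
    for to, action, src in parse_ufw_status(text):
        if not action.startswith("ALLOW") or not src.startswith("Anywhere"):
            continue
        exposed = sorted(ports_in(to) & sensitive_ports)
        if exposed:
            findings.append((to, src, exposed))
    return findings


if __name__ == "__main__":
    for to, src, ports in audit_ufw_status(SAMPLE_UFW_STATUS):
        print(f"{to} from {src}: port(s) {ports} open to any source")
```

On the instance, feed the real output (`ufw status` run as root) into audit_ufw_status(); each finding is a rule to either keep deliberately (for example, SSH from the ExoGENI management network) or replace with an address-scoped rule through so-allow or ufw.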
Check the status of the services:
root@so-1:~# service nsm status
Status: securityonion
  * sguil server                                                         [ OK ]
Status: HIDS
  * ossec_agent (sguil)                                                  [ OK ]
Status: Bro
Name         Type         Host        Status    Pid    Started
bro          standalone   localhost   running   7390   25 Oct 16:14:13
Status: so-1-eth1
  * netsniff-ng (full packet data)                                       [ OK ]
  * pcap_agent (sguil)                                                   [ OK ]
  * snort_agent-1 (sguil)                                                [ OK ]
  * snort-1 (alert data)                                                 [ OK ]
  * barnyard2-1 (spooler, unified2 format)                               [ OK ]
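Because a sensor that has silently stopped collecting is worse than one that is known to be down, the status output above is the thing to check periodically, not just once after setup. The script below is an added example, not part of Security Onion; it parses the `service nsm status` format shown above (the starred service lines with their OK/FAIL markers and the broctl node table under "Status: Bro") and returns every service that is not OK or running. The sample output is constructed, with snort-1 deliberately marked FAIL so the check has something to report.

```python
"""Flag unhealthy services in `service nsm status` output (added example, not
Security Onion's own code). Assumes the line formats shown on the page."""
import re
import sys

# Constructed sample of `service nsm status`; snort-1 is deliberately marked FAIL.
SAMPLE_NSM_STATUS = """\
Status: securityonion
  * sguil server                                   [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                            [  OK  ]
Status: Bro
Name         Type         Host        Status    Pid    Started
bro          standalone   localhost   running   7390   25 Oct 16:14:13
Status: so-1-eth1
  * netsniff-ng (full packet data)                 [  OK  ]
  * pcap_agent (sguil)                             [  OK  ]
  * snort_agent-1 (sguil)                          [  OK  ]
  * snort-1 (alert data)                           [ FAIL ]
  * barnyard2-1 (spooler, unified2 format)         [  OK  ]
"""

# "  * name (detail)      [  OK  ]" lines; whitespace inside the brackets varies.
SERVICE_RE = re.compile(r"^\s*\*\s+(.+?)\s+\[\s*(OK|FAIL)\s*\]\s*$")
# broctl table rows: name, node type, host, status word, ...
BRO_NODE_RE = re.compile(r"^(\S+)\s+(standalone|manager|proxy|worker)\s+\S+\s+(\S+)")


def parse_nsm_status(text):
    """Yield (group, service, state); state is 'OK', 'FAIL' or a broctl status word."""
    group = None
    for line in text.splitlines():
        if line.startswith("Status:"):
            group = line.split(":", 1)[1].strip()
            continue
        m = SERVICE_RE.match(line)
        if m:
            yield group, m.group(1), m.group(2)
            continue
        m = BRO_NODE_RE.match(line)
        if m:
            yield group, f"bro node {m.group(1)} ({m.group(2)})", m.group(3)


def unhealthy_services(text):
    """Everything that is neither '[ OK ]' nor a running Bro node."""
    return [(g, s, st) for g, s, st in parse_nsm_status(text) if st not in ("OK", "running")]


if __name__ == "__main__":
    # Exit non-zero when anything is down, so the script can drive a cron alert.
    bad = unhealthy_services(SAMPLE_NSM_STATUS)
    for group, service, state in bad:
        print(f"{group}: {service} is {state}")
    sys.exit(1 if bad else 0)
```

On the VM, pipe `service nsm status` into the script (read sys.stdin instead of the sample) and alert on a non-zero exit; the Bro row is included because a crashed or stopped Bro node shows up in the table rather than as a starred line.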
The web UI can be accessed through the public IP address of the VM. Squert and ELSA can be accessed from the following links: