HOWTO: High Performance IDS/IPS with SmoothSec 3.2

The previous SmoothSec setup (HOWTO) was not ideal, so this time I am going to use AF_PACKET as the packet acquisition engine. With this setup you need at least 3 network interfaces, one of them reserved for management.



AF_PACKET performs well, so even very low-end hardware benefits from it. The following setup is suitable for a home/SOHO environment.



(A) Hardware



Motherboard - Intel Desktop Board D510MO

CPU - Intel Atom D510 (2-core with HT)

RAM - 4GB (2 x 2GB)

Hard Drive - 320GB

Network Card 0 (eth0) - Onboard Gigabit

Network Card 1 (eth1) - TP-Link TG-3269 Gigabit PCI Network Adapter (with low profile)

Network Card 2 (eth2) - D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter (up to 200MB)



(B) Software



Operating System - Debian 7.0 (Wheezy)

IDS/IPS pre-configure system - SmoothSec 3.2 (64-bit)

IDS/IPS Engine - Suricata

Spooler - Pigsty

Web Interface - Snorby

Rules Management - PulledPork



(C) Setup



Internet -- Router -- SmoothSec -- Switch -- Personal Computers



SmoothSec will monitor all incoming and outgoing traffic between the router and the switch.



Step a - Cable connection :



First of all, connect SmoothSec's Network Card 2 to the switch, and leave Network Card 0 and 1 disconnected from the router for now. This is because you need internet access for the SmoothSec installation.



Step -1 - Installation of SmoothSec :



Install SmoothSec as usual, or refer to the SmoothSec Wiki. When you are prompted to install non-free network interface firmware, just ignore it; Debian is missing some firmware for the Realtek 8169. After the installation, reboot the box as advised. The username is "root" and the password is "toor".



Step 0 - Install the missing packages :



apt-get install ethtool postfix fail2ban openjdk-7-jre



If you want to use Postfix as the mail server for Snorby reports, install it and configure it after the installation. For the configuration of Postfix, search the web if you do not know how.



Make sure you select "Internet Site" when installing Postfix.



You may also consider installing fail2ban to protect the SSH service on the management interface.



To improve SmoothSec (replace arpwatch with arpalert and fetch a current OUI list) :



apt-get --purge remove arpwatch

apt-get install arpalert

cd /etc/arpalert/

mv oui.txt oui.txt.old

wget http://standards.ieee.org/regauth/oui/oui.txt




Step 1 - Get new Linux Kernel :



To run a high performance IDS/IPS you need a newer kernel; the version should be 3.7 or greater.



apt-cache search linux-image



Look for a Linux kernel version greater than 3.7. If there is none, add the following repos :



nano /etc/apt/sources.list



Append the following lines (the mirror address may differ from yours, but the suite must be "unstable") :


deb http://ftp.us.debian.org/debian/ unstable main

deb-src http://ftp.us.debian.org/debian/ unstable main




Then refresh the package list and look again for a Linux kernel version greater than 3.7 :



apt-get update



I select the version 3.10 :



apt-get install linux-image-3.10-2-amd64 linux-headers-3.10-2-amd64



When you are asked to restart some services during the install, just reply "yes".



You will be warned about some missing firmware; just ignore it. This is because Debian does not ship some firmware for the Realtek 8169. Anyway, it is harmless.



After the new kernel is installed, comment out the lines you added to "/etc/apt/sources.list". This step is VERY IMPORTANT, as the newer versions of Apache (2.4.x) and Perl in unstable will break Snorby and PulledPork, SmoothSec's web interface and rules management tool.



Then reboot SmoothSec and select the new kernel when it is offered.



Step 2 - Configure Suricata :



nano /etc/suricata/suricata.yaml



Locate "#- delayed-detect: yes" and replace with "- delayed-detect: yes".



Locate "- fast:" and replace "enabled: no" with "enabled: yes".



Locate "- drop:" and replace "enabled: no" with "enabled: yes".



Locate "af-packet:" and replace "threads: 1" with "threads: 4", or with the number of CPU cores you have.



Locate "#checksum-checks: kernel" and replace it with "checksum-checks: kernel".



Locate "#copy-mode: ips" and replace it with "copy-mode: ips".



Locate "#copy-iface: eth1" and replace it with "copy-iface: eth1".



Add "buffer-size: 64535" just below "copy-iface: eth1".



Locate "- interface: eth1" and replace "threads: 1" with "threads: 4", or with the number of CPU cores you have.



Add the following lines just below "# disable-promisc: no" :



buffer-size: 64535

copy-mode: ips

copy-iface: eth0

use-mmap: yes

checksum-checks: kernel




Locate "rule-files:" and add "- local.rules" just below "- emerging.rules".



touch /etc/suricata/rules/local.rules



nano /etc/init.d/suricata



Locate "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -i $INTERFACES -D" and replace it with "/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml --af-packet -D".



There are 2 such entries; replace both of them.
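As an added example (not part of the HOWTO or of SmoothSec), the following script checks the two things Steps 1 and 2 depend on: that the running kernel is 3.7 or newer, and that the af-packet section of suricata.yaml pairs the two inline interfaces with reciprocal copy-iface entries in copy-mode ips. The YAML fragment inside it is constructed to mirror the edits above; the cluster-id values are an assumption.

```shell
#!/bin/bash
# Sanity checks for the AF_PACKET inline (IPS) setup of Steps 1 and 2.
# Added example, not part of SmoothSec or Suricata. The YAML fragment below is
# constructed: eth0 <-> eth1 as the inline pair, eth2 (management) left out.
# Step 1: AF_PACKET IPS mode needs kernel 3.7 or newer. Argument: a "uname -r" string.
kernel_ok() {
    local ver="$1" major minor
    major="${ver%%.*}"
    minor="${ver#*.}"; minor="${minor%%[!0-9]*}"
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; }
}
# Step 2: every af-packet interface in copy-mode ips must name a peer whose
# copy-iface points straight back at it, and no two interfaces may share a
# cluster-id. Commented-out lines are ignored, as Suricata ignores them.
check_ips_pair() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*af-packet:/ { inblock = 1; next }
        inblock && /^[^[:space:]#-]/ { inblock = 0 }   # reached the next top-level key
        !inblock || /^[[:space:]]*#/ { next }
        /^[[:space:]]*-[[:space:]]*interface:/ { cur = $NF; next }
        /^[[:space:]]*copy-mode:/  { mode[cur] = $NF }
        /^[[:space:]]*copy-iface:/ { peer[cur] = $NF }
        /^[[:space:]]*cluster-id:/ {
            if (($NF) in seen) { print "duplicate cluster-id " $NF; bad = 1 }
            seen[$NF] = cur
        }
        END {
            for (i in mode) {
                if (mode[i] != "ips") continue
                p = (i in peer) ? peer[i] : ""
                if (p == "" || !(p in peer) || peer[p] != i || !(p in mode) || mode[p] != "ips") {
                    print "interface " i ": no reciprocal IPS peer"; bad = 1
                }
            }
            exit bad
        }' "$1"
}
SAMPLE="$(mktemp)"; BROKEN="$(mktemp)"
trap 'rm -f "$SAMPLE" "$BROKEN"' EXIT
cat > "$SAMPLE" <<'EOF'
af-packet:
  - interface: eth0
    threads: 4
    cluster-id: 99
    use-mmap: yes
    buffer-size: 64535
    copy-mode: ips
    copy-iface: eth1
    checksum-checks: kernel
  - interface: eth1
    threads: 4
    cluster-id: 98
    use-mmap: yes
    buffer-size: 64535
    copy-mode: ips
    copy-iface: eth0
    checksum-checks: kernel
  - interface: default
    #copy-mode: ips
pcap:
EOF
# Same fragment with eth1 wrongly pointed at the management interface.
sed 's/copy-iface: eth0/copy-iface: eth2/' "$SAMPLE" > "$BROKEN"
kernel_ok "$(uname -r)" && echo "kernel $(uname -r): ok" || echo "kernel too old for AF_PACKET IPS"
check_ips_pair "$SAMPLE" && echo "sample: reciprocal IPS pair ok"
check_ips_pair "$BROKEN" || echo "broken: rejected as expected"
```

Run it against the real file with "check_ips_pair /etc/suricata/suricata.yaml" after editing; a non-zero exit means one side of the inline pair does not point back at the other.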



Step 3 - Time Zone :



Make sure your SmoothSec uses UTC regardless of your local time zone, because Snorby only works with UTC. Otherwise, Snorby's timestamps will be wrong.



To check the time zone of SmoothSec :



date



If the time is not UTC, change it back :



dpkg-reconfigure tzdata



Set the time zone to "UTC" at "None of the above".



Step 4 - Configure email feature of Snorby :



If you installed Postfix, configure it properly according to your network at "/etc/postfix/main.cf".



nano /var/www/snorby/config/initializers/mail_config.rb



Then uncomment the lines just below "#Sendmail Example:", or refer to the SmoothSec Wiki for the installation.



Step 5 - Configure network interfaces :



Make it look like the following. Make sure your eth2 has your own IP "address" and "gateway" instead of "192.168.2.180", which is an example only :



nano /etc/network/interfaces



# The loopback network interface

auto lo

iface lo inet loopback



auto eth0

iface eth0 inet manual

   up ifconfig eth0 0.0.0.0 up

   down ifconfig eth0 down

   post-up ethtool -K eth0 gro off



auto eth1

iface eth1 inet manual

   up ifconfig eth1 0.0.0.0 up

   down ifconfig eth1 down

   post-up ethtool -K eth1 gro off



# The primary network interface

#allow-hotplug eth2

#iface eth2 inet dhcp

auto eth2

iface eth2 inet static

   address 192.168.2.180

   netmask 255.255.255.0

   gateway 192.168.2.1




* Please note that ethtool is used to switch off GRO on the Realtek network interfaces; otherwise they produce errors when Suricata runs in AF_PACKET mode.



Error messages seen when debugging with "suricata -c /etc/suricata/suricata.yaml --af-packet" :



[ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 10: Message too long

[ERRCODE: SC_ERR_INVALID_ACTION(142)] - Unable to release packet data




Step 6 - Configure SmoothSec :



Run the following script to setup SmoothSec :



smoothsec.first.setup



Type "eth0" when asked for the monitor interface. Enter "192.168.2.0/24" when asked for the network (the address here is an example only). When asked for the Intrusion Detection Engine, type "2" for Suricata. The email address and password requested are the login credentials for Snorby (the web interface).



Step b - Cable connection :



Connect Network Card 0 to the router and Network Card 1 to the switch. Network Card 2 stays connected to the switch.



When done, reboot SmoothSec.



Step 7 - Browse Snorby :



You need to wait several minutes before you can connect to the internet, as Suricata needs some time to load the rules.



Open your browser and enter the following URL :



https://192.168.2.180



Accept the certificate and wait for about a minute; Snorby will show up.



Step 8 - IPS Setup :



Now your SmoothSec is running as an IDS (Intrusion Detection System): it will not block or drop any malicious traffic.



To configure SmoothSec to run as an IPS (Intrusion Prevention System), you need to :



nano /etc/pulledpork/suricata/dropsid.conf



Append the following :



pcre:MS(0[0-9]|1[0-9])-\d+,bugtraq:\d+,cve:20[0-9][0-9]-\d+



So you will drop/block any traffic matching rules that reference vulnerability reports, such as CVE and Bugtraq entries as well as Microsoft bulletins. Meanwhile, you can add your own rules in "/etc/suricata/rules/local.rules". Make sure to run "smoothsec.suricata.rules.update" after you add them.
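Before flipping rules to drop on an inline sensor, it is worth previewing which SIDs a dropsid.conf pcre entry actually touches. The script below is an added example, not a SmoothSec or PulledPork tool; it assumes PulledPork tests each pcre against the full rule text, case-insensitively (check that against your pulledpork.pl), and the sample rules and their reference ids are constructed placeholders.

```shell
#!/bin/bash
# Preview which rules a dropsid.conf pcre entry would flip to "drop" before
# running smoothsec.suricata.rules.update. Added example, not a SmoothSec or
# PulledPork tool. Assumption: PulledPork tests each pcre against the full
# rule text, case-insensitively; check that against your pulledpork.pl.

# PulledPork patterns are Perl regexes; grep -E has no \d, so rewrite it.
pcre_to_ere() { printf '%s' "$1" | sed 's/\\d/[0-9]/g'; }

# SIDs (one per line) of rules in FILE whose text matches PATTERN (Perl style).
sids_matching() {
    grep -Ei "$(pcre_to_ere "$1")" "$2" | sed -n 's/.*sid:[[:space:]]*\([0-9]*\);.*/\1/p'
}

# Number of rules PATTERN would touch; "0" means the entry is a no-op.
count_matching() { sids_matching "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample rules in the local SID range; the CVE and Bugtraq ids
# are placeholders, not real advisories.
RULES="$(mktemp)"; trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL constructed MS08-067 style test"; reference:url,example.invalid/ms08-067; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL constructed web test"; reference:cve,2013-00000; reference:bugtraq,000000; classtype:web-application-attack; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL constructed policy test, no vuln reference"; classtype:policy-violation; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"LOCAL constructed MS10-012 msg-only test"; classtype:attempted-admin; sid:9000004; rev:1;)
EOF

# The three patterns from the HOWTO's dropsid.conf line, previewed one by one.
for p in 'MS(0[0-9]|1[0-9])-\d+' 'bugtraq:\d+' 'cve:20[0-9][0-9]-\d+'; do
    printf '%-24s -> %s rule(s): %s\n' "$p" "$(count_matching "$p" "$RULES")" \
        "$(sids_matching "$p" "$RULES" | tr '\n' ' ')"
done
```

In Snort/Suricata rule syntax a reference is written reference:cve,YYYY-NNNN (a comma, not a colon), which is why the bugtraq: and cve: patterns match none of these sample rules; compare the counts against your real rule set in /etc/suricata/rules before relying on them.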



You may want to disable some rules :



nano /etc/pulledpork/suricata/disablesid.conf



Append the following :



1:2210000-1:2210049



It will disable the rules with SIDs 2210000 to 2210049, a total of 50 rules.



After that, run the following script :



smoothsec.suricata.rules.update



* Please also note that you have to wait several minutes before you can connect to the internet, as Suricata needs some time to load the rules.



(D) Troubleshooting



(1) If there is no GeoIP information on the events, check whether the file "snorby-geoip.dat" exists in /var/www/snorby/config/. If it does not, that means you could not connect to the internet when Snorby was installed; download it with the following commands.



cd /tmp/

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

gzip -d GeoIP.dat.gz

mv GeoIP.dat snorby-geoip.dat

cp snorby-geoip.dat /var/www/snorby/config/

chown www-data:www-data /var/www/snorby/config/snorby-geoip.dat




(2) If no events are captured, make sure the interfaces (eth0, eth1 and eth2) are cabled correctly. Examine the MAC address of each network card to determine the correct interface name.



(E) Performance



SmoothSec is installed on low-end hardware (Intel Atom D510 CPU with Realtek Gigabit NICs). It also sits behind a router running Untangle (Intel Atom D510 CPU with Realtek Gigabit NICs). Untangle is a UTM (Unified Threat Management system) which can block some malicious traffic (but only a little). The switch is a D-Link DGS-1008D (Home) Gigabit switch.



To test the performance, I watched a YouTube video at 1080p on PC-1 (via wifi), another at 720p on PC-2 (via wifi) and one in HD on an Android smartphone over wifi. Playback was very smooth without any lag on all devices.



The CPU load during the test stayed below 4.x and memory used was below 3GB.



AF_PACKET is ideal for an IDS/IPS implementation when you only have very low-end hardware.



(F) Limitation



Since SmoothSec 3.2 is built on Debian 7.0 (Wheezy), the system will break if you upgrade it to Sid (Unstable): the newer versions of Apache (2.4.x) and Perl will refuse to run due to errors. Therefore, once you have installed the newer kernel (for AF_PACKET), make sure you comment out the repos you added, to prevent the system from upgrading to Sid (Unstable) by accident.



Another limitation is that you need at least 3 NICs for IDS or IPS.



One more limitation is that Snorby cannot show the dropped traffic at the moment.



Known Issue



Pigsty will crash randomly; as a result, nothing is captured in Snorby. The problem has been reported (see here). The workaround is to run a small bash script every 5 minutes that starts Pigsty again.



nano /root/chkpigstylog



#!/bin/bash

# Check whether pigsty.log contains "Error: ". If it does and Pigsty is no longer running, start Pigsty again.

# Both scripts must be executable: chmod +x /root/chkpigstylog /root/runpigsty

STRING="Error: "

if grep -q "$STRING" /var/log/pigsty.log && ! pgrep -f /usr/local/bin/pigsty > /dev/null

then

   /root/runpigsty

fi




nano /root/runpigsty



#!/bin/bash

/usr/local/bin/pigsty -c /etc/pigsty/suricata.pigsty.config.js -i eth0 -n "Suricata" -d /var/log/suricata/ -m unified2.alert.* -D




crontab -e

*/5 * * * * /root/chkpigstylog




Update



The developers have just fixed the problem. Just upgrade Pigsty with the following commands :



npm update pigsty-mysql -g

npm update pigsty -g




That's all! See you.


