![]() SD-cards are not meant for intensive I/O and they can fail after a while. The bottom line is that storage read and write operations linked to Suricata and Elasticsearch can be relatively intensive, and it is not recommended to run it entirely on the Pi SD-card. Step 3 - Mount the iSCSI filesystem and migrate files to it To disable a rule: Add the rule ID in /etc/suricata/nf (the file does not exist on disk by default but Suricata-update will search for it everytime it runs) then run sudo suricata-update and restart the Suricata service.In case Suricata complains about missing symbols ( /usr/local/bin/suricata: undefined symbol: htp_config_set_lzma_layers), simply do: sudo ldconfig /lib.Simply test it by issuing the following command on the command line curl 3wzn5p2yiumh7akj.onion and verify that an alert is logged in the two files /var/log/suricata/fast.log and /var/log/suricata/eve.json. Also do not forget to increase the ring_size to avoid dropping packets. Now follow the steps in the tutorial (again ) to make Suricata a full-fledged systemd service, and to update the rules automatically every night through the root's crontab. configure -prefix=/usr -sysconfdir=/etc -localstatedir=/var -enable-nfqueue -enable-luaĪt this point edit the Suricata config file to indicate what is the IP block of your home addresses: change HOME_NET in /etc/suricata/suricata.yaml to whatever is relevant to your network (in my case it’s 192.168.1.0/24).Īlso I only want real alerts to trigger events, my goal is not to spy on my spouse and kids, hence in the same configuration I have disabled stats globally and under eve-log I have disabled or commented out all protocols - here you need to adjust to whatever you think is right for you: # Global stats configuration List of commands (same as in the tutorial from Stéphane): sudo apt install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev make libmagic-dev libjansson-dev rustc cargo python-yaml python3-yaml liblua5.1-dev Unfortunately the package available on the Raspberry OS repository is quite old so I have downloaded and installed the latest version. I am summarizing the main steps below but all the credit goes to the original author Stéphane Potier.įirst install Suricata. Install the following required packages: apt-get install python-pipįor this step I highly recommend you to follow the excellent tutorial available here: or its french original version. Setup your Raspberry Pi OS as usual, I recommend choosing the Lite version to avoid unnecessary packages and since the graphical user interface is useless for a NIDS.Ĭreate a simple user and add it to the sudoers group. Checking that everything is up and running.Mount the iSCSI filesystem and migrate files to it.Here is an example of a very simple dashboard created to visualize the alerts: The Pi can definitely handle the load without problem, it’s only getting a bit hot whenever it updates the Suricata rules (I can hear the (awful official cheap) fan spinning for 1 minute or so). The Pi 4 is a bit overpowered for the task given the bandwidth of the link I am monitoring (100 Mbps), but on the memory side it’s a different story and more than 3.5 GB of memory is consumed (thank you Java !). I still need to gradually disable some Suricata rules to narrow down the number of alerts. I have been using it for a few days now and it works pretty well. ![]() I am mounting a filesystem exposed by my QNAP NAS via iSCSI to avoid stressing too much the Pi SD-card with read/write operations, and eventually destroying it. ![]() The intrusion detection engine is Suricata, then Logstash Fluent Bit is pushing the Suricata events to Elasticsearch, and Kibana is used to present it nicely in a Dashboard. The Pi4 is monitoring my home network that has about 25 IP enabled devices behind a Unifi Edgerouter 4. I have recently completed the installation of my home network intrusion detection system (NIDS) on a Raspberry Pi4 8 GB (knowing that 4 GB would be sufficient), and I wanted to share my installation notes with you. Also Logstash was a bit overkill for the very basic needs of this setup. Fluent Bit is less heavy on the memory, saves a few % of CPU, and uses GeoLiteCity2 for the ip geoloc that is more up to date. The principles stay the same, only step 6 is different. The best thing? The base model is only $20 $5!.ĭo you know a related subreddit? We'd love to know.Ģ1/06/03 - Update Note: I am updating this tutorial after ditching Logstash in favor of Fluent Bit. Welcome to /r/raspberry_pi, a subreddit for discussing the raspberry pi credit card sized, ARM powered computer, and the glorious things we can do with it. Pi project ideas: There's a huge list right here on this sub! Friendly reminder: Please don't just post pictures of unused pis - do a project!Ĭomplete r/raspberry_pi Rules Check the FAQ and Helpdesk here
0 Comments
Leave a Reply. |