{"id":242,"date":"2022-10-23T20:41:50","date_gmt":"2022-10-24T06:41:50","guid":{"rendered":"https:\/\/wroberts.me\/?p=242"},"modified":"2022-12-08T09:06:52","modified_gmt":"2022-12-08T19:06:52","slug":"suricata","status":"publish","type":"post","link":"https:\/\/wroberts.me\/?p=242","title":{"rendered":"Configuring Suricata IDS in Proxmox"},"content":{"rendered":"<div class=\"pps-series-post-details pps-series-post-details-variant-classic pps-series-post-details-865\" data-series-id=\"14\"><div class=\"pps-series-meta-content\"><div class=\"pps-series-meta-text\">This entry is part 4 of 6 in the series <a href=\"https:\/\/wroberts.me\/?series=cyber-defense-monitoring-homelab\">Cyber Defense Monitoring Homelab<\/a><\/div><\/div><\/div>\n<p id=\"bkmrk-suricata-is-the-open\">In this post, we&#8217;re going to set up an IDS (Intrusion Detection System) called Suricata for our lab. What&#8217;s an IDS? It&#8217;s a program that analyzes network traffic to look for malicious or suspicious data based on pre-configured rules. Similar to how anti-virus software can identify malware based on signatures, an IDS can analyze network traffic for specific signatures and log these alerts. The difference with an IDS like Suricata is that it can be configured to alert us to anything we want, including machines connecting to specific IP addresses or ports, or connecting to servers outside of certain hours. 
Our choice of IDS will be Suricata.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"bkmrk-initial-setup\"><span class=\"ez-toc-section\" id=\"Initial_Setup\"><\/span>Initial Setup<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-lxc-creation\"><span class=\"ez-toc-section\" id=\"LXC_Creation\"><\/span>LXC Creation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p id=\"bkmrk-start-by-installing-\">Start by creating a new Ubuntu 22.04 LXC. 
Refer to the&nbsp;<a href=\"http:\/\/10.80.80.10\/books\/bookstack\">Bookstack<\/a>&nbsp;article for downloading container templates. Don&#8217;t start the machine after creation.<\/p>\n\n\n\n<p id=\"bkmrk-specs%3A\">Specs:<\/p>\n\n\n\n<ul class=\"wp-block-list\" id=\"bkmrk-25-gb-of-storage-2-c\">\n<li>25 GB of storage<\/li>\n\n\n\n<li>2 cores<\/li>\n\n\n\n<li>2 GB RAM<\/li>\n\n\n\n<li>Network: vmbr0; Set a static IP<\/li>\n\n\n\n<li>DNS:&nbsp; Host settings<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"721\" height=\"504\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-81.png\" alt=\"\" class=\"wp-image-243\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-81.png 721w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-81-300x210.png 300w\" sizes=\"auto, (max-width: 721px) 100vw, 721px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"511\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-82.png\" alt=\"\" class=\"wp-image-244\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-82.png 720w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-82-300x213.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"731\" height=\"515\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-83.png\" alt=\"\" class=\"wp-image-245\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-83.png 731w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-83-300x211.png 300w\" sizes=\"auto, (max-width: 731px) 100vw, 731px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure 
class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"504\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-85.png\" alt=\"\" class=\"wp-image-248\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-85.png 720w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-85-300x210.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"731\" height=\"515\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-83.png\" alt=\"\" class=\"wp-image-246\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-83.png 731w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-83-300x211.png 300w\" sizes=\"auto, (max-width: 731px) 100vw, 731px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"717\" height=\"512\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-84.png\" alt=\"\" class=\"wp-image-247\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-84.png 717w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-84-300x214.png 300w\" sizes=\"auto, (max-width: 717px) 100vw, 717px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"724\" height=\"515\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-86.png\" alt=\"\" class=\"wp-image-249\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-86.png 724w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-86-300x213.png 300w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-afterwards%2C-add-anot\">Afterwards, add another network interface for 
vmbr1, the internal\/lab switch. This interface will receive copies of the packets from the machines connected to the internal switch. No IP will be assigned to this interface. Make sure the firewall is unchecked. After adding the device, start the machine.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"268\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-87.png\" alt=\"\" class=\"wp-image-250\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-87.png 601w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-87-300x134.png 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-host-system-configur\"><span class=\"ez-toc-section\" id=\"Host_System_Configuration\"><\/span>Host System Configuration<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p id=\"bkmrk-log-in-and-update-th\">Log in and update the system.<\/p>\n\n\n\n<pre id=\"bkmrk-apt-update-%26%26-apt-up\" class=\"wp-block-code\"><code>apt update &amp;&amp; apt upgrade -y<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-optional%3A-install-vi\">Optional: install vim<\/p>\n\n\n\n<pre id=\"bkmrk-apt-install-vim\" class=\"wp-block-code\"><code>apt install vim<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-check-our-interface%3A\">Check our interfaces:<\/p>\n\n\n\n<pre id=\"bkmrk-ip-a\" class=\"wp-block-code\"><code>ip a<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-interfaces-look-corr\">Interfaces look correct. 
We can continue.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"471\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-88-1024x471.png\" alt=\"\" class=\"wp-image-251\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-88-1024x471.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-88-300x138.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-88-768x353.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-88.png 1478w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"bkmrk-suricata-install\"><span class=\"ez-toc-section\" id=\"Suricata_Install\"><\/span>Suricata Install<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-create-span-port-on-\"><span class=\"ez-toc-section\" id=\"Create_SPAN_Port_on_Lab_Switch\"><\/span>Create SPAN Port on Lab Switch<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p id=\"bkmrk-in-this-setup%2C-we-wa\">In this setup, we want a copy of all traffic on the pfSense internal switch to be sent to the Suricata server. To do that, we need to create a SPAN port on that switch.<\/p>\n\n\n\n<p id=\"bkmrk-open-the-shell-on-yo\">Open the shell on your Proxmox server, and run the command:<\/p>\n\n\n\n<pre id=\"bkmrk-ip-link-show-%7C-grep-\" class=\"wp-block-code\"><code>ip link show | grep container-id<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-where-container-id-i\">where container-id is the ID number of the Proxmox container for the Suricata server.<\/p>\n\n\n\n<p id=\"bkmrk-in-my-case%2C-the-id-i\">In my case, the id is 107. 
If you are seeing extra interfaces that start with &#8220;fw,&#8221; make sure the firewalls are off on the network interfaces for the Suricata server.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"172\" height=\"24\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-89.png\" alt=\"\" class=\"wp-image-252\"\/><\/figure>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"102\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-90-1024x102.png\" alt=\"\" class=\"wp-image-253\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-90-1024x102.png 1024w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-90-300x30.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-90-768x77.png 768w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-90.png 1359w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-the-first-interface-\">The first interface, veth103i0@if2, is the interface connected to the home network, where the machine receives its IP. The second interface is for the SPAN port.&nbsp;<\/p>\n\n\n\n<p id=\"bkmrk-now%2C-run-the-followi\">Now, run the following command in the Proxmox shell to create a SPAN port on the lab switch:<\/p>\n\n\n\n<pre id=\"bkmrk-ovs-vsctl------id%3D%40p\" class=\"wp-block-code\"><code>ovs-vsctl -- --id=@p get port (Interface_Name) -- --id=@m create mirror name=suriIDS select-all=true output-port=@p -- set bridge vmbr1 mirrors=@m<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-where-%22interface_nam\">where &#8220;Interface_Name&#8221; is the name of the host-side interface that will act as the SPAN port. 
For my system, the command is:<\/p>\n\n\n\n<pre id=\"bkmrk-ovs-vsctl------id%3D%40p-0\" class=\"wp-block-code\"><code>ovs-vsctl -- --id=@p get port veth103i1 -- --id=@m create mirror name=suriIDS select-all=true output-port=@p -- set bridge vmbr1 mirrors=@m<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"bkmrk-configure-suricata\"><span class=\"ez-toc-section\" id=\"Configure_Suricata\"><\/span>Configure Suricata<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-installation\"><span class=\"ez-toc-section\" id=\"Installation\"><\/span>Installation<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-back-in-the-suricata\">Back in the Suricata machine, run the following command:<\/p>\n\n\n\n<pre id=\"bkmrk-apt-install-software\" class=\"wp-block-code\"><code>apt install suricata jq<\/code><\/pre>\n\n\n\n<p>This will install Suricata and the jq package, a useful command-line tool for reading and manipulating JSON data.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-edit-suricata.yaml\"><span class=\"ez-toc-section\" id=\"Edit_Suricatayaml\"><\/span>Edit Suricata.yaml<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-next%2C-we-need-to-set\">Next, we need to set up the interface Suricata is going to monitor. Open up the suricata.yaml file:<\/p>\n\n\n\n<pre id=\"bkmrk-vim-%2Fetc%2Fsuricata%2Fsu\" class=\"wp-block-code\"><code>vim \/etc\/suricata\/suricata.yaml<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-the-first-line-to-ch\">The first line to change is the home network. We&#8217;re going to change this to the networks we&#8217;re going to monitor. 
In our case, this is the LAN on 10.0.10.0\/29 and the Active Directory network on 10.0.20.0\/28.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"71\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-91.png\" alt=\"\" class=\"wp-image-254\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-91.png 700w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-91-300x30.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"692\" height=\"77\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-92.png\" alt=\"\" class=\"wp-image-255\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-92.png 692w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-92-300x33.png 300w\" sizes=\"auto, (max-width: 692px) 100vw, 692px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-make-sure-the-eve.js\">Make sure the eve.json output is enabled.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"791\" height=\"110\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-93.png\" alt=\"\" class=\"wp-image-256\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-93.png 791w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-93-300x42.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-93-768x107.png 768w\" sizes=\"auto, (max-width: 791px) 100vw, 791px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-change-the-interface\">Change the interface from eth0 to the monitoring interface.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"823\" height=\"125\" 
src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-94.png\" alt=\"\" class=\"wp-image-257\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-94.png 823w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-94-300x46.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-94-768x117.png 768w\" sizes=\"auto, (max-width: 823px) 100vw, 823px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"916\" height=\"122\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-95.png\" alt=\"\" class=\"wp-image-258\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-95.png 916w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-95-300x40.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-95-768x102.png 768w\" sizes=\"auto, (max-width: 916px) 100vw, 916px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-change-the-default-r\">Change the default rule path and add a local rules file.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"672\" height=\"92\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-96.png\" alt=\"\" class=\"wp-image-259\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-96.png 672w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-96-300x41.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-96-666x92.png 666w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"672\" height=\"92\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-96.png\" alt=\"\" class=\"wp-image-260\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-96.png 672w, 
https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-96-300x41.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-96-666x92.png 666w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"bkmrk-create-custom-rules\"><span class=\"ez-toc-section\" id=\"Create_Custom_Rules\"><\/span>Create Custom Rules<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p id=\"bkmrk-create-a-file-for-cu\">Create a file for custom rules by running the command:<\/p>\n\n\n\n<pre id=\"bkmrk-vim-%2Fetc%2Fsuricata%2Fru\" class=\"wp-block-code\"><code>vim \/etc\/suricata\/rules\/local.rules<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-we%27re-going-to-creat\">We&#8217;re going to create a generic test rule to test our system. Every Suricata rule needs a unique sid (local rules conventionally use 1000000 and above) and a rev, or Suricata will refuse to load it. Add the following line to the file:<\/p>\n\n\n\n<pre id=\"bkmrk-alert-any-any--%3E-any\" class=\"wp-block-code\"><code>alert icmp any any -&gt; any any (msg:\"ICMP Packet Found\"; sid:1000001; rev:1;)<\/code><\/pre>\n\n\n\n<p id=\"bkmrk-finally%2C-restart-sur\">Finally, restart Suricata to apply the changes. Then start Suricata on the monitoring interface in the background.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart suricata\nsuricata -i mirrorAD &amp;<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"bkmrk-testing-custom-rules\"><span class=\"ez-toc-section\" id=\"Testing_Custom_Rules\"><\/span>Testing Custom Rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p id=\"bkmrk-to-test-the-custom-r\">To test the custom rules, we&#8217;re going to test the machines connected on the internal switch. Let&#8217;s start with the Kali machine on the 10.0.10.0\/29 network. 
I&#8217;m going to ping the default gateway on the home network.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"631\" height=\"509\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-97.png\" alt=\"\" class=\"wp-image-261\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-97.png 631w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-97-300x242.png 300w\" sizes=\"auto, (max-width: 631px) 100vw, 631px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-back-on-the-suricata\">Back on the Suricata server, run the command:<\/p>\n\n\n\n<pre id=\"bkmrk-tail-%2Fvar%2Flog%2Fsurica\" class=\"wp-block-code\"><code>tail \/var\/log\/suricata\/fast.log<\/code><\/pre>\n\n\n\n<p id=\"bkmrk--19\">And we can see Suricata has picked up the ICMP packets from the Kali machine at 10.0.10.2 to the machine at 10.80.80.1.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"908\" height=\"37\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-98.png\" alt=\"\" class=\"wp-image-262\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-98.png 908w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-98-300x12.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-98-768x31.png 768w\" sizes=\"auto, (max-width: 908px) 100vw, 908px\" \/><\/figure>\n\n\n\n<p id=\"bkmrk-now%2C-we%27re-going-to-\">Now, we&#8217;re going to test a machine from the Active Directory network. 
We&#8217;ll send a ping from that network to the Kali machine.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"603\" height=\"274\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-99.png\" alt=\"\" class=\"wp-image-263\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-99.png 603w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-99-300x136.png 300w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-checking-the-fast.lo\">Checking the fast.log on the Suricata machine:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"916\" height=\"41\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-101.png\" alt=\"\" class=\"wp-image-264\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-101.png 916w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-101-300x13.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-101-768x34.png 768w\" sizes=\"auto, (max-width: 916px) 100vw, 916px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-the-packets-from-the\">The packets from the machine on the Active Directory network at 10.0.20.2 were captured as well.<\/p>\n\n\n\n<p id=\"bkmrk-one-final-test-is-fo\">One final test is for the firewall rules. Our firewall is set up so that traffic cannot pass between the Active Directory network and the WAN\/home network. 
Let&#8217;s confirm it.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"556\" height=\"192\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-100.png\" alt=\"\" class=\"wp-image-265\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-100.png 556w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-100-300x104.png 300w\" sizes=\"auto, (max-width: 556px) 100vw, 556px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"bkmrk-the-ping-request-fai\">The ping request fails. Let&#8217;s check the Suricata server to see if it picked it up.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"897\" height=\"30\" src=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-102.png\" alt=\"\" class=\"wp-image-266\" srcset=\"https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-102.png 897w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-102-300x10.png 300w, https:\/\/wroberts.me\/wp-content\/uploads\/2022\/11\/image-102-768x26.png 768w\" sizes=\"auto, (max-width: 897px) 100vw, 897px\" \/><\/figure>\n\n\n\n<p id=\"bkmrk-we-see-that-suricata\">We see that Suricata did pick it up, and the log confirms that the machine on the 10.80.80.0 network didn&#8217;t reply: only the outbound echo request was seen, with no echo reply coming back. We&#8217;ve now confirmed that both our Suricata server and our firewall are working as intended.<\/p>\n\n\n\n<p id=\"bkmrk-now-that-our-ids-is-\">Now that our IDS is in place, we can start monitoring our machines and set up alerts for unusual activity. This won&#8217;t be done with only Suricata though. In the next part of this lab, we&#8217;re going to set up a SIEM to centralize logs from all of the machines we&#8217;re monitoring. 
We&#8217;ll then forward all of the alerts from Suricata to our SIEM so we can monitor everything going on in our lab environment through one interface.<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"pps-series-post-details pps-series-post-details-variant-classic pps-series-post-details-865 pps-series-meta-excerpt\" data-series-id=\"14\"><div class=\"pps-series-meta-content\"><div class=\"pps-series-meta-text\">This entry is part 4 of 6 in the series <a href=\"https:\/\/wroberts.me\/?series=cyber-defense-monitoring-homelab\">Cyber Defense Monitoring Homelab<\/a><\/div><\/div><\/div><p>In this post, we&#8217;re going to set up an IDS (Intrusion Detection System) called Suricata for our lab. What&#8217;s an IDS? It&#8217;s a program that analyzes network traffic to look for malicious or suspicious data based on pre-configured rules. Similar to how anti-virus software can identify malware based on signatures, an IDS can analyze network &#8230; <a href=\"https:\/\/wroberts.me\/?p=242\" class=\"more-link\">Read More<span class=\"screen-reader-text\"> &#8220;Configuring Suricata IDS in Proxmox&#8221;<\/span> 
&raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":550,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,13],"tags":[],"series":[14],"class_list":["post-242","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-home-lab","category-security","series-cyber-defense-monitoring-homelab"],"_links":{"self":[{"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/posts\/242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=242"}],"version-history":[{"count":10,"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/posts\/242\/revisions"}],"predecessor-version":[{"id":843,"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/posts\/242\/revisions\/843"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=\/wp\/v2\/media\/550"}],"wp:attachment":[{"href":"https:\/\/wroberts.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=242"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/wroberts.me\/index.php?rest_route=%2Fwp%2Fv2%2Fseries&post=242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}