Dr. Maik Ro
Oct 11 · 34 tweets · 7 min read
How to set up an Intrusion Detection & Prevention System (IDS/IPS) for your homelab:
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are among the first lines of defence.

As their name suggests, they detect and prevent hackers from breaching your network.
But what is an IDS/IPS actually?
In their simplest form they are rule engines that watch traffic packets, hence the following image of Snort (one IDS tool) piggybacking on Wireshark - the packet police.

IDS/IPS are combinations of packet inspection and rule engine software.
Essentially, the IDS watches all packets coming into your network, all the packets flying around inside your network and the ones that want to leave your network.

That means, all the packets are being watched! 📦 👀
But… What does that actually mean - packets are being watched?

Great question, as usual!

A packet has some content and some information about the packet itself - we can call that meta information.
The IDS/IPS scans the packet information and checks it against its rules.

If the packet is categorized as possibly malicious the fun begins.
Depending on the configuration the IDS can isolate and drop the packet like there is no tomorrow.

It injects full power into the all destroying laser beams and burns any malicious content right down to their last bit.

Adios Mr packet bug. 📦🐛😵
In order to integrate with the SIEM the IDS/IPS needs to create and forward messages to our SIEM.

These are sometimes called alerts and in case of suricata, the IDS that we will install, they are saved in a file called eve.json located in /var/log/suricata/
OK, great but how do we get that json file into our SIEM now?!

Here is the plan:
1. add one VM to our homelab - Debian/Ubuntu.
2. add the suricata repositories and install it
3. download and install rules from a public collection
4. set up wazuh agent
5. add suricata log collection to wazuh agent
6. profit
7. oh and test if the log forwarding actually works
Step-By-Step, let's GOOOOOO

1. add a Debian/Ubuntu VM to your homelab
I trust you are able to set up a new Virtual Machine with Debian - if not yet:
⚠️ Keep in mind that in order for the connection to the SIEM to work you need to have a working SIEM in your homelab - here is a thread showing you how to do it:
2. add suricata repositories + install

Since suricata is not included in the standard repository collection of ubuntu/debian we need to add it - lucky for us we can do it with a single command:
sudo add-apt-repository ppa:oisf/suricata-stable

# afterwards we need to update the repository cache

sudo apt-get update

# and now we can finally install suricata

sudo apt-get install suricata -y
3. Download and install rules
Suricata needs rules to detect malicious activity - where do we get them though?

Open Source is our friend as usual!

You can have a look at the collection -
# first we download
cd /tmp/ && curl -LO rules.emergingthreats.net/open/suricata-…

# now we untar the rules and move all the rules to the suricata rule folder
sudo tar -xzvf emerging.rules.tar.gz && sudo mv rules/*.rules /etc/suricata/rules/
In order for suricata to be able to use the rules they need to be accessible.
640 = owner read/write, group read only, everyone else has no permissions

sudo chmod 640 /etc/suricata/rules/*.rules
Now adapt /etc/suricata/suricata.yaml (HOME_NET and EXTERNAL_NET live under vars → address-groups, the other keys are top-level):

vars:
  address-groups:
    HOME_NET: "<your_suricata_vm_ip>"
    EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

# Global stats
stats:
  enabled: no

af-packet:
  - interface: <interface_name_e.g._enp0s1>
In order to find the interface name you need to run `ip a` or ifconfig and identify the name of the network interface (see screenshot below)

Once that is done, you can either reboot the VM now or wait until the wazuh agent is installed in the next step.
4. set up wazuh agent

You can check the following documentation as a guideline: documentation.wazuh.com/current/instal…
# become root
su -

# download and import the wazuh signing key
curl -s packages.wazuh.com/key/GPG-KEY-WA… | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

# set up the repository in combination with the signing key

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

# update repository cache with our newly added repository
apt-get update

# install wazuh agent pointed at the wazuh manager, don't forget the " " around the IP

WAZUH_MANAGER="<your_wazuh_VM_ip_here>" apt-get install wazuh-agent

# last step - restart the machine
reboot
5. add suricata log forwarding to wazuh

In order to forward the suricata logs properly you need to adjust the

Look for the following block (and add it if it is not there yet):
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

Afterwards it should look like this:
Make sure to restart the agent or the whole VM after the modification.
# agent restart
sudo systemctl restart wazuh-agent

# or reboot
reboot
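Before restarting, it is worth checking that the block really landed in the agent config. The following checker is an added example, not part of the thread or of Wazuh itself: it parses the agent's ossec.conf (path passed as an argument; the file often holds several top-level ossec_config elements, so it is wrapped in a dummy root first) and reports whether a localfile entry for eve.json with log_format json exists. The sample config below is constructed.

```python
import sys
import xml.etree.ElementTree as ET

EVE_PATH = "/var/log/suricata/eve.json"   # location used in the <localfile> block above


def parse_ossec_conf(text: str) -> ET.Element:
    """ossec.conf may contain several top-level <ossec_config> elements,
    which is not well-formed XML on its own; wrap them in a dummy root.
    (Assumes the file has no <?xml ...?> declaration, which is the usual case.)"""
    return ET.fromstring("<root>" + text + "</root>")


def suricata_localfile_ok(text: str) -> bool:
    """True if some <localfile> points at eve.json AND uses log_format json."""
    root = parse_ossec_conf(text)
    for lf in root.iter("localfile"):
        loc = lf.findtext("location", default="").strip()
        fmt = lf.findtext("log_format", default="").strip()
        if loc == EVE_PATH and fmt == "json":
            return True
    return False


def missing_block() -> str:
    """The exact block to paste into ossec.conf when the check fails."""
    return ("<localfile>\n  <log_format>json</log_format>\n"
            f"  <location>{EVE_PATH}</location>\n</localfile>")


# Constructed sample: an agent config before and after step 5.
BEFORE = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
<ossec_config>
  <client><server><address>WAZUH_MANAGER_IP_PLACEHOLDER</address></server></client>
</ossec_config>"""

AFTER = BEFORE.replace("</ossec_config>",
                       "  " + missing_block().replace("\n", "\n  ") + "\n</ossec_config>", 1)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else AFTER
    print("ok" if suricata_localfile_ok(text) else "missing:\n" + missing_block())
```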

WE ARE SO FREAKING CLOSE TO FINISHING 🎉
6. Profit!!! 💰

You rock! 🤘🎸

You just set up your own IDS system, the only thing left is to … well test it?!
7. Testing your IDS!

The IDS will monitor suspicious activity and report back to wazuh via alerts.

We can test this by running a ping against our suricata VM from another machine.
use the following command:

ping -c 20 "<suricata_vm_ip>"
Now switch to the wazuh dashboard and click on the navigation hamburger in the top left → then on
The last step is to search for
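If the dashboard stays empty, check on the suricata VM itself whether the ping produced alerts in eve.json. This reader is an added example, not code from the thread: it keeps only event_type "alert" records, skips the partial last line suricata may still be writing, and counts alerts by signature and source/destination, the same fields you search for in wazuh. The eve.json lines below are constructed (signature name and id illustrative).

```python
import json
import sys
from collections import Counter

# Constructed eve.json sample: two ICMP alerts (what a ping against the IDS VM
# can trigger with ET Open rules), one flow record, one truncated line.
SAMPLE_EVE = """\
{"timestamp":"2023-10-11T10:00:01.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.20","proto":"ICMP","alert":{"signature_id":2100366,"signature":"GPL ICMP_INFO PING *NIX","category":"Misc activity","severity":3}}
{"timestamp":"2023-10-11T10:00:02.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"192.168.1.20","proto":"ICMP"}
{"timestamp":"2023-10-11T10:00:03.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.20","proto":"ICMP","alert":{"signature_id":2100366,"signature":"GPL ICMP_INFO PING *NIX","category":"Misc activity","severity":3}}
{"timestamp":"2023-10-11T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.20","proto":"ICMP","alert":{"signature_id":21003
"""


def read_alerts(lines):
    """Yield only event_type == "alert" records. A line that does not parse
    (typically the last one, still being written) is skipped, not fatal."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert":
            yield ev


def summarize(lines):
    """Count alerts per (signature, src_ip, dest_ip)."""
    counts = Counter()
    for ev in read_alerts(lines):
        counts[(ev["alert"]["signature"], ev["src_ip"], ev["dest_ip"])] += 1
    return counts


if __name__ == "__main__":
    # usage: python3 eve_alerts.py /var/log/suricata/eve.json  (sample if no path)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    for (sig, s, d), n in summarize(src).most_common():
        print(f"{n:4d}  {sig}  {s} -> {d}")
```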

🎉 🥳 YOU DID IT! Your very own IDS connected with your SIEM, what an amazing achievement 🎈
That is it for today!

If you liked this thread
→ follow me @maikroservice for similar content

if you want to become a great SOC analyst - you can also check out academy.maikroservice.com