Smooth-Sec is a ready-to-go IDS/IPS (Intrusion Detection/Prevention System) Linux distribution based on the multi-threaded Suricata IDS/IPS engine and Snorby, the top-notch web application for network security monitoring. Functionality is the key point: it allows you to deploy a complete IDS/IPS system, up and running out of the box, within a few minutes, even for security beginners with minimal Linux experience. Feedback and suggestions are welcome on this page.
64bit edition is out.
Smooth-Sec 64bit edition features:
Operating system: Debian 6.0 squeeze 64-bit
IDS: Suricata 1.3 stable
WEB Console: Snorby 2.5.1
Database: MariaDB 5.5.25
Log interpreter: Barnyard2 2.1.10-beta2
Web framework: nginx/0.8.54 – passenger-3.0.4
IMPORTANT: Smooth-Sec comes with a default username and password (root/toor). The root password must be changed at the first boot by issuing the passwd command:
root@Smooth-Sec:~# passwd
Enter new UNIX password: {enter your new password here}
Retype new UNIX password: {enter your new password again}
passwd: password updated successfully
root@Smooth-Sec:~#
ISO Download:
http://sourceforge.net/projects/smoothsec/files/SmoothSec-2.0/
Wiki: https://sourceforge.net/apps/mediawiki/smoothsec
Mailing List: https://lists.sourceforge.net/lists/listinfo/smoothsec-talk
Download: SmoothSec-1.2.iso
Size Compressed: 623 MB
Snorby login:
Snorby interface: https://ipaddress
Username: snorby@snorby.org
Password: snorby (please change this password after the first login)
Ssh login:
Username: root
Password: the password you have chosen during the installation
Credits:
Smooth-Sec is developed by Phillip Bailey.
Snorby is developed by Dustin Webber.
Suricata is developed by the Open Information Security Foundation (OISF).
License: GPLv3
Snorby Features:
Metrics & Reports
Classifications
Full packet and session data.
Custom Settings
Hotkeys
Suricata Features:
Native IPv6 Support
Automatic protocol detection
Multi threaded
Native hardware acceleration support
Passive OS and Portscan detection
L7 Protocol awareness
IP Reputation using scoring threshold
Distributed blocking & feedback
Global flowbits and variables
Changelog
7-09-2011 – Smooth-Sec 1.2 Released
[*] Improvements and fixes
* Upgraded to Kernel 2.6.32-33-generic-pae with support for up to 64GB RAM
* Snorby upgraded to version 2.3.9
* Suricata upgraded to version 1.1 Beta2
* Barnyard2 upgraded to version 1.10
21-03-2011 – Smooth-Sec 1.1 Released
[*] Improvements and fixes
* Fixed Suricata bug on alert classification.
* Fixed missing apt-get directories.
* Barnyard output files renamed to Suricata's conventional naming.
* Timezone selection on first boot.
* Autostart Snorby worker on boot.
* "Delete all the events" script added in /root/script.utils/
* Transparent bridge support script /etc/init.d/bridge
* Suricata user added to run the engine as an unprivileged user
The link to turnkey Linux is broken.
@finid , link fixed. Thanks for the comment.
Is the Ubuntu platform 32 or 64 bit?
Hello @sdamron, I hope to have a 64-bit version soon.
Any chance for a thumbdrive edition, or is this fully functional Ubuntu (portability feature)?
Thanks.
@originalguru
Hello, please check this project, it might be what you need: http://unetbootin.sourceforge.net/
Hi,
How to install a Spanish keyboard ?
Best Regards,
Hello, try this: dpkg-reconfigure console-setup. Please let me know if it works.
Best
Hi,
Error in:
apt-get update for apt-get install locales:
E: Archive directory /var/cache/apt/archives/partial is missing
Best Regards,
Hello, this is a bug spotted today; please create the missing directories manually:
mkdir /var/cache/apt/archives/partial
and so on,
Best,
Phillip
Thanks, the Spanish keyboard is solved.
Best Regards,
Thanks, the Archive directory /var/cache/apt/archives/partial is missing is solved.
Best Regards,
welcome.
Hi,
Error?:
In Dashboard: 3 Low Severity Events.
In Dashboard, click in LOW SEVERITY: Low Severity Events 92 events found.
Best Regards,
The dashboard uses the Snorby worker to calculate its metrics, and the worker runs every 30 minutes, so there might be some delay between what you see in the dashboard and what you see in the events.
Best,
Phillip
Hey Phil,
Great overall implementation. Curious to know if there are any particular commands to utilize specific port updates, i.e. being able to customize alerts on specific ports.
Thanks!
Thanks to you for the feedback.
Phillip
Hey Phil,
Let me rephrase the last question.
Is there any command that would allow a user to customize alerts (emails) for specific events and ports? Like a more finite way of sending a notification.
Thanks,
G
Hello,
I’m sorry but this option isn’t included in Snorby (at the moment).
Phillip
Hi Phillip,
I've just installed the new Smooth-Sec. All runs OK...
Suricata offers alerts by means of Barnyard2, and apparently all is OK...
On Snorby's Dashboard 0 always appears for High, Medium and Low Severity alerts, but when I click on the events menu, 82 events show up! If I click on each of high, medium and low severity:
HIGH SEVERITY = 34 events found
MEDIUM SEVERITY = 60 events found
LOW SEVERITY = 0 events found
By following the instructions, I have just carried out the update for the Smooth-Sec patch available for the bug on alert classification.
After seven hours, nothing has changed!
Best Regards.
Hello there,
please follow this set of commands.
dpkg-reconfigure tzdata (configure the timezone according with your location)
ntpdate ntp.ubuntu.com
/etc/init.d/suricata stop
rm -rf /var/log/suricata/*
touch /var/log/suricata/barnyard2.waldo
rm -rf /var/www/snorby/tmp/pids/delayed_job.pid
cd /var/www/snorby/
#Rails console, type:
rails c
wait until the rails console is open
then run inside the rails console
Snorby::Jobs.clear_cache true
Snorby::Worker.stop
Snorby::Worker.start
type quit to exit the rails console and check if the snorby worker is running via the Snorby administration page.
/etc/init.d/suricata start
This might help you to fix the issue.
Best.
Phillip
Phillip,
Thanks. I’ll try and tell you if it solved.
Best Regard,
@Spanish_
waiting.
Phillip
Phillip,
Thanks, thanks, thanks, All is solved.
Best Regards,
@Spanish_
This is a great news!
Best,
phillip
Hello.
Same problem with 0 events on the dashboard. I will try your fix. Maybe you'll patch it.
Excellent piece of software. May Jah bless you!
Hi
Tried the fix but still have the 0 events problem on the dash. Any other tips to get this working?
Hello,
are you using the 1.0 version or the 1.1 ?
Best,
phillip
I’m using 1.1. I may have posted too soon, some results have come in but now the time seems to be off? I reset the time zone etc as per instructions above and it was correct. Now the current time is 14.17 and the dashboard states “Last Updated: 03/23/11 4:00:00 PM”
I have this running in a test VM, what are the min recommended specs?
Thanks for this awesome package
fusspils
@fusspils
Hello,
first of all you need to collect some alerts; you can do it even with a single ping like this: ping -s 6000 ip address. Run the ping for 10 minutes and then wait for one hour in order to align the Snorby metrics,
don't force a restart of the Snorby worker if it is running.
Phillip
So, I’m guessing I just set up a port-mirror to the suricata interface? It’s labeled as an IPS, would be nice to have a GUI built in for some simple alert responses (if X occurs, take Y action – such as shutting down port 1/0/33 on Switch2)
This looks really good although it appears once the system boots at install time the installer is locked to the screen. How did you master the ISO so I can try modify isolinux configuration and change a boot option to redirect console out serial port? Unless I do this it is not possible to install this as I am vision impaired. I tried this on fit-pc although perhaps 256-megs of memory is a bit low. an option to redirect console out serial port would allow install on headless boxes and for those of us who can not easily access a monitor. I’ll get a friend on the weekend to help me install it with a screen. Alternative would be an option that asks no questions, blows away first hard drive and does unattended install.
@Kerry
Hello kerry,
Nice to hear from you. I've chosen to keep the installer as simple as possible; this is part of my philosophy. Anyway you can try to mount the ISO image and edit the boot options, so you won't need to remaster the whole ISO. Please let me know.
Phillip
Hello
nice project bro …
If I want to use Smooth-Sec as a full IPS to drop all events ("high, medium & low"), what can I do??
Thanx again
Hi,
Thanks for smooth-sec, very easy to install, stable!
Question: how to configure 2 sniffer interfaces, not only 1?
(I have eth0 for management; eth1 is the 1st sniffing interface; I want eth2 to be the second sniffing interface, on another segment of the network).
Thanks!
@eugenc
hello,
you need to tweak these files: /etc/init.d/suricata and /etc/suricata/barnyard2.conf; add the interfaces that you need to monitor.
Hi. Anybody try booting the ISO on a VMware server?
I’m getting a Kernel panic.
@Simon
Hello,
I'm running Smooth-Sec on various virtual platforms, including VMware Server 1 and 2, and I never saw a kernel panic before. Did you check the MD5 of the ISO?
Must be d734ccd5f672c845062baa974ac36160 .
Thanks,
Phillip
I am trying to use Smooth-Sec, with OpenFPC turned on. I have a question about the configuration of OpenFPC. During the setup, do I just point to a directory on the local harddrive as the directory I want to save the pcaps too? When I select to turn on the OpenFPC, it doesn’t seem to save the pcap there…
Any help would be appreciated,
Thanks
@John
Hello,
Thanks for your comment; this looks like an issue related to the permissions on the folder where the pcap files are saved.
phillip
Same as Simon, kernel panic using “VMware-VMvisor-Installer-4.1.0.update1-348481.x86_64.iso” already checked md5 of “SmoothSec-1.1.iso” and is ok.
Hi Phillip, Simon (http://bailey.st/blog/smooth-sec/#comment-1676) and JackH (http://bailey.st/blog/smooth-sec/#comment-2015).
The kernel panic with VMware ESX/ESXi (v4.1 IIRC) has been reported quite a few times on the TKL forums. It seems to be caused by a combo of Ubuntu kernel, VMware & specific hardware. A workaround is to disable acceleration during boot. Some have reported swapping in a different kernel is an alternative (and probably superior) workaround. A quick search turned up this thread, but there are others: http://www.turnkeylinux.org/forum/support/20101222/problem-booting-revision-control-appliance-110rc-when-hosted-vmware-esxi-and-
Hi Jeremy ,
Thanks for the hint, really appreciated!
Phillip
Hi Phillip, I need your help to fix a little problem. I have installed Smooth-Sec with 3 network adapters (network 1, network 2 and administration) but "sensors" only shows me eth0.
best regards.
Hello Roberto,
you need to define the additional interfaces in two separated files, the
first is /etc/suricata/barnyard2.conf where you can add the additional
interfaces as such
config interface: eth0 eth1
and the second is /etc/init.d/suricata, where you can add additional
interfaces in the startup script, ex:
/etc/suricata/suricata.yaml -i eth0 eth1
Best regards,
Phillip
Hi Phillip, thanks for the quick answer. I did what you told me, and Smooth-Sec shows me more sensors, but I have another problem. As you already know, I have 3 network interfaces (switch1 eth1, switch2 eth2 and administration eth0). On both switches I have configured port mirroring to the Smooth-Sec interfaces (eth1, eth2), but nothing is listened to; if I configure eth0 as a sensor it listens to everything, but then I lose administration for the mirrors. I tried to administrate from another interface but that does not work.
My configuration files:
/etc/suricata/barnyard2.conf:
config interface: eth1 eth2
/etc/init.d/suricata
/etc/suricata/suricata.yaml -i eth1 eth2
Regards
In events, it says that I have 4868811 unclassified events
but the event list only shows 72000 events
in sensors I have 72000 events
I think that the events are being logged in another sensor that Snorby doesn't show.
Hello,
I'm looking for a way to configure Suricata to only alert when the source or the destination corresponds to a public IP, and not my internal network.
Is there a way to do that ?
Thx
c
After installing Smooth-Sec, the system asks for a password and for configuring the network.
I configured the network in both options, DHCP and Static, but it always returns me to the network configuration.
Why does it not pass this option? Is there something wrong with the image?
regards
Isi
I’ve added suppress gen_id 1, sig_id 201240 to my /etc/suricata/threshold.config (to block rancid config updates) file but my rancid server is still showing up on in the logs. Ideas?
Hi,
Suricata runs out of memory on startup:
[24598] 8/9/2011 — 10:29:13 – (detect.c:658) (SigLoadSignatures) — 43 rule files processed. 11644 rules succesfully loaded, 9 rules failed
[24598] 8/9/2011 — 10:29:24 – (detect.c:2101) (SigAddressPrepareStage1) — 12114 signatures processed. 659 are IP-only rules, 3883 are inspecting packet payload, 8098 inspect application layer, 0 are decoder event only
[24598] 8/9/2011 — 10:29:24 – (detect.c:2104) (SigAddressPrepareStage1) — building signature grouping structure, stage 1: adding signatures to signature source addresses… complete
[24598] 8/9/2011 — 10:40:42 – (detect-engine-siggroup.c:105) (SigGroupHeadInitDataAlloc) — [ERRCODE: SC_ERR_MEM_ALLOC(1)] – SCMalloc failed: Cannot allocate memory, while trying to allocate 1515 bytes
[24598] 8/9/2011 — 10:40:42 – (detect-engine-siggroup.c:105) (SigGroupHeadInitDataAlloc) — [ERRCODE: SC_ERR_FATAL(169)] – Out of memory. The engine cannot be initialized. Exiting…
Any ideas ?
Hello,
How much RAM are you using? VM or bare metal server?
Hi,
I downloaded 1.2, created it on a Kingston 2GB memstick using unetbootin.
When I boot it on a netbook, it boots the kernel and gets to a config screen for the network params (IP, netmask, gateway, DNS) and it fails there after I enter the correct info. It displays:
refusing to write /etc/network/interfaces.
header not found: # UNCONFIGURED INTERFACES
I could not proceed from there.
ed
Hi Brian,
I posted earlier but my posting disappeared? I was having problem with smooth-sec booting from a USB image to my netbook. I didn’t have a desktop available yesterday for SmoothSec so I tried to test-drive using netbook. The netbook has no CD drive so I had to bootup with Live CD on USB. That fails with either 1.2 or 1.1 on both the Intel Atom netbook and a desktop AMD64. I finally got booted on the AMD64 box from a CD image and a HDD install. Then it worked: it accepted the networking configuration.
My question is with network config: Is the eth0 IP address for the management i/f? or for the sniffer/sensor i/f? Otherwise, where do I define my sensor?
There may be problems with boots using Live CD. The ISO was put to USB memstick with unetbootin-549. That image would not finish bootup, but always gives: “refusing to write /etc/network/interfaces”.
Pingback: smooth-sec IDS/IPS v1.2 released « IT Vulnerability & ToolsWatch
I would like to use smooth-sec in a bridging setup – I would also like to drop packets.
I can see that suricata is built with --nfqueue, so that means it should be able to drop packets?
- is there a sensible way of doing this or do I just edit /etc/init.d/suricata
Also what is the best was of setting up a network bridge ?
- should I just edit /etc/network/interfaces and add br0 (as I normally would on an Ubuntu install)
One last thing (assuming it is possible to put this is bridging mode) do I have to alter the actual rules to drop packets ? (like snort-inline)
Regards
Hello Morgan,
take a look in /etc/init.d/bridge for the bridge script. In /etc/suricata/barnyard2.conf and /etc/suricata/suricata.yaml edit the network field from eth0 to br0. Once you are ready with interfaces you can run chmod +x /etc/init.d/bridge then /etc/init.d/bridge start. Soon I’m going to cover the bridging mode.
stay tuned.
Phillip
Phillip,
I have SmoothSec 1.2 installed and running on AMD64 box. I have suricata running, gathering data from eth1. I run tcpdump on there and see all the Internet traffic going by. I set eth1 as i/f in suricata and barnyard2 configs.
I have snorby running but not correctly… almost no events reported even though the data is there. But it does see a small few events: “ET POLICY unusual number of DNS No Such Name”… That coming from a sendmail spamassassin server blasting 20 DNS queries in 1 sec.
I need assistance with snorby_config.yml. Like for production: domain: what should that be set to? Not much detailed doc can be found on the web. I found that rules: had empty rules so I put all the suricata file paths in there; 33 files. like this: – “/etc/suricata/rules/~~~”. I hope that was OK.
Also, the dashboard has NEVER displayed what I see on the Snorby website: counters and plots. What is that problem? ImageMagick is installed, it seems.
I even went to IRC channel #snorby and asked for help. they say, build it using: bundle pack; bundle install; rake snorby:setup. I would but then I need to get all the source pieces. Not sure I want to do that yet.
I know that you are busy so if you could just point me to URLs of help for configs, I would be very happy.
thanks man.
Thanks
egf
Phillip – thanks for the advice.
I have tried editing /etc/init.d/bridge however when I launch it I lose all network connections.
- looking at ifconfig (after running script) there is no br0 and both eth0+1 have no ip address.
The start of the script is
————————————————-
#!/bin/sh
# Define Bridge Interface, assuming that eth0 is the management interface
# Remember to change the suricata init.d script and the barnyard configuration
# file.
br="br0"
# Define physical ethernet interfaces to be bridged
eth0="eth0"
eth1="eth1"
start_bridge () {
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
brctl addbr $br
brctl addif $br $eth0
brctl addif $br $eth1
# Clear the member interfaces' IP addresses: a bridge member forwards at
# layer 2 only, so a management address on eth0 or eth1 is lost here.
ifconfig $eth0 0.0.0.0
ifconfig $eth1 0.0.0.0
# Bring the bridge itself up; without this br0 stays down, never forwards,
# and does not appear in plain ifconfig output (only in ifconfig -a).
ifconfig $br up
}
stop_bridge () {
####################################
# Tear Down Ethernet bridge on Linux
####################################
ifconfig $br down
brctl delbr $br
}
————————————————-
And my network interfaces – /etc/network/interfaces – reads:-
—————————
# UNCONFIGURED INTERFACES
# remove the above line if you edit this file
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address xx.xx.xx.xx
netmask xxx.xxx.xxx.xxx
gateway xxx.xxx.xxx.xxx
dns-nameservers xxx.xxx.xxx.xxx
network xxx.xxx.xxx.xxx
broadcast xxx.xxx.xxx.xxx
# bridge_ports eth0 eth1
# bridge_stp off
# bridge_fd 0
# bridge_maxwait 0
auto eth1
iface eth1 inet static
address 10.0.0.10
netmask 255.255.255.0
—————————
Can you suggest how to get it working ?
First.. This is an awesome appliance and it is exactly what I have been looking for. Thank you for your time, effort, and expertise. Couple of newbie questions:
1. Do the snort rules autoupdate? If not, how can one manually update them?
2. Can custom Snort rules be added?
Hi Bill,
thanks for your comment.
1) Suricata rules are updated via a crontab that runs at . Or you can update the rules manually by running the script /root/script.utils/rules.update. Before that you need to configure /etc/oinkmaster.conf according to the Snort rules.
2) You can run Snort rules as well, but it is recommended to use custom-made Suricata rules.
If you want 0 day rules you can subscribe to http://www.emergingthreatspro.com .
To add snort rules you need to configure the
/etc/suricata/suricata.yaml file.
Phillip
As others have said, thank you for your work developing this.
I have installed it on a machine with two interfaces. eth0 is connected to a tap mirroring Internet bound traffic for a large group of machines. Tcpdump shows the traffic (column after date shows a vlan number, mentioning in case relevant). The suricata and barnyard configs both refer to eth0. eth1 is the management interface and I can login to Snorby, but it shows no alerts, even if I click into Events as I see others have sometimes had a problem – nothing there. Admin shows the sensor is there and the “workers” are working. I’ve tried rebooting and I noticed eth0 was not in promisc mode by default so I changed that, but no help. I’m reasonably certain there would have been a lot of traffic that would have flagged things by now within the traffic it is watching. Do I need to set eth0 to use 802.1q tags matching the vlan ID I’m seeing in tcpdump maybe? What else can I try please?
TIA
Hello,
Looking at the Suricata source code I can see that decode-vlan.c is included in it.
http://suricata.sourcearchive.com/documentation/1.0.2/decode-vlan_8c-source.html
If you like you can give it a shot and try to set up the network card to use the vlan.
http://wiki.debian.org/NetworkConfiguration#Howto_use_vlan_.28dot1q.2C_802.1q.2C_trunk.29_.28Etch.2C_Lenny.29
If you have any news or updates please let me know,
Phillip
Hmm, no joy unfortunately. I’ve now got a new interface called eth0.1014 (1014 being the vlan ID I’m seeing) and I’ve changed barnyard and suricata’s configs to match that and then done a “service suricata restart” – but still no events in Snorby. Any other ideas? Thanks.
Can you see something with tcpdump ?
Phillip
Yes sorry, tcpdump on the new interface shows all the traffic, minus the vlan tagging. So that much seems to be working.
But you don't have events in Suricata, am I correct?
There are no events in Snorby at least. Is there a way to directly check if suricata has seen any?
Hello,
you can check the suricata log with cat /var/log/suricata/fast.log
Phillip
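The `cat /var/log/suricata/fast.log` check above, and the threshold.config `suppress` entry asked about earlier in the thread (sig_id 201240), can both be exercised offline with the following Python script. It is an added example written for this page, not code from Smooth-Sec, Suricata or Snorby: it parses a constructed fast.log sample (including an ICMP line, which carries no ports), applies constructed `suppress` entries the way the threshold.config keyword scopes them (a whole signature, or only alerts whose tracked source or destination address matches), and tallies what remains per signature and per rule priority, the number Snorby's High/Medium/Low buckets are derived from. Every signature ID, message and address except sig_id 201240 is made up for the sample.

```python
"""Parse Suricata fast.log alerts and apply threshold.config suppress entries."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of fast.log output (not from the page). Only sig_id 201240
# comes from the thread; every other sid, message and address is made up.
SAMPLE_FAST_LOG = """\
08/09/2011-10:29:13.201157  [**] [1:1000001:1] LOCAL Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:1433
08/09/2011-10:29:14.004821  [**] [1:201240:1] LOCAL rancid config fetch [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.50:41000 -> 192.0.2.1:22
08/09/2011-10:29:15.770003  [**] [1:201240:1] LOCAL rancid config fetch [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.51:41001 -> 192.0.2.2:22
08/09/2011-10:29:16.112233  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.50 -> 198.51.100.9
08/09/2011-10:29:17.555555  [**] [1:1000002:2] LOCAL SIP scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.77:5060 -> 192.0.2.10:5060
"""

# Constructed threshold.config: one suppress scoped to a source address, one
# suppress for a whole signature. Non-suppress lines are ignored by the parser.
SAMPLE_THRESHOLD = """\
# suppress the rancid fetch only when it comes from the rancid server itself
suppress gen_id 1, sig_id 201240, track by_src, ip 192.0.2.50
# suppress ping alerts entirely
suppress gen_id 1, sig_id 1000003
"""

# One fast.log alert per line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port] (IPv4 only here).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# suppress gen_id G, sig_id S [, track by_src|by_dst, ip ADDR-or-CIDR]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    dst: str


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]  # None: suppress the signature for every address
    network: Optional[ipaddress.IPv4Network]

    def matches(self, alert: Alert) -> bool:
        if (self.gid, self.sid) != (alert.gid, alert.sid):
            return False
        if self.track is None or self.network is None:
            return True
        addr = alert.src if self.track == "by_src" else alert.dst
        return ipaddress.ip_address(addr) in self.network


def parse_fast_log(text: str) -> List[Alert]:
    """Parse every non-empty fast.log line; an unrecognised line is an error."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised fast.log line: {line!r}")
        alerts.append(Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]),
                            m["msg"], m["cls"], int(m["prio"]), m["proto"],
                            m["src"], m["dst"]))
    return alerts


def parse_threshold_config(text: str) -> List[Suppress]:
    """Collect suppress entries; comments and other keywords are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = SUPPRESS_RE.match(line) if line else None
        if m is None:
            continue
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net))
    return rules


def apply_suppression(alerts: List[Alert], rules: List[Suppress]) -> List[Alert]:
    return [a for a in alerts if not any(r.matches(a) for r in rules)]


def count_by_priority(alerts: List[Alert]) -> Dict[int, int]:
    return dict(Counter(a.priority for a in alerts))


def count_by_signature(alerts: List[Alert]) -> Dict[str, int]:
    return dict(Counter(f"{a.gid}:{a.sid} {a.msg}" for a in alerts))


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    kept = apply_suppression(alerts, parse_threshold_config(SAMPLE_THRESHOLD))
    print(f"{len(alerts)} alerts in fast.log, {len(kept)} after suppression")
    for sig, n in sorted(count_by_signature(kept).items()):
        print(f"{n:4d}  {sig}")
    print("remaining by priority:", count_by_priority(kept))
```

Pointing `parse_fast_log` at the real `/var/log/suricata/fast.log` and `parse_threshold_config` at `/etc/suricata/threshold.config` gives a quick answer to two questions that recur in this thread: whether Suricata is producing alerts at all (before suspecting Barnyard2 or the Snorby worker), and whether a suppress entry is scoped the way you expect (in the sample, the `track by_src` entry silences the rancid signature only for 192.0.2.50, so the same signature from 192.0.2.51 still appears).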
Hi,
I have tried to figure out how to integrate and enable the openFPC ..any instructions or pointers ?
Kind regards,
How can I purge all alerts from the system and start from scratch?
Hello,
You can use this script
/root/script.utils/CleanAllEvents.sh , but be careful that will erase all your events and reset the login credentials.
Phillip
To drop packets do I still need to change the word ‘alert’ to ‘drop’ in the rules file ?
(And I assume I would need as bridging setup)
I have purchased the ruleset from emergingthreatspro.com. How do you implement the subscription into Smoothsec?
Hi Bill,
I guess that you received a code from emergingthreatspro, you need to add it to the /etc/oinkmaster.conf file in this way,
http://rules.emergingthreatspro.com//
/etpro.rules.tar.gz
Best,
Phillip
I am getting the occasional crash.
This is in dmesg
—————————————————–
[438117.195623] Detect2[13484]: segfault at 4 ip 0808be5e sp b3bc3950 error 4 in suricata[8048000+134000]
[798849.899958] Decode & Stream[19482]: segfault at b4c7e000 ip b760e29f sp b4c7ae10 error 4 in libc-2.11.1.so[b7598000+142000]
[950746.500210] Decode & Stream[23515]: segfault at b4cf0000 ip b768029f sp b4cece10 error 4 in libc-2.11.1.so[b760a000+142000]
[1039451.131470] Decode & Stream[10320]: segfault at b4cda000 ip b766a29f sp b4cd6e10 error 4 in libc-2.11.1.so[b75f4000+142000]
[1107375.681150] Detect2[28238]: segfault at 2029343e ip b759a619 sp b3c10878 error 4 in libc-2.11.1.so[b752c000+142000]
—————————————————–
I am shortly going to be using this in inline mode so a crash would mean losing connection….
The server only has 1 GB could it be memory related ? Looking at the logs it is possibly after a cron-apt update?
Any ideas?
I really like the product, however after 2 days it has stopped working. The dashboard started working slowly after a day and then wouldn’t load at all. It captured over 200,000 events since I was last able to view the page. Not sure why nearly every single packet is viewed as a threat…
Hi.. Some questions..
Does Smooth-Sec work only informatively, or does it block attacks too? Could Smooth-Sec work in bridge mode?
Anyone having a problem with Smooth-Sec and Snorby where the Snorby Sensor Cache stops regularly and you have to restart it from the web interface? If left unattended, the Snorby Worker stops altogether and one must do the following to get it restarted.
rails c
Snorby::Jobs.clear_cache true
Snorby::Worker.stop
Snorby::Worker.start
Anyone have a fix for this problem.
Hi! I am still facing problems with smooth-sec 1.3. After 2 hours of operation Smooth-Sec kernel crashes with the following message:
Smooth-Sec kernel: [134615.060177] Decode & Stream[30761]: segfault at 9e9d6000 ip b766629f sp b5ea9db0 error 6 in libc-2.11.1.so[b75f0000+142000]
and then my ethernet interface leaves promiscuous mode.
Does anybody have an idea what could have happened? I am running it on a 24-core machine with 24 GB RAM.
Regards,
Ariel
Hello,
Great project!
Is there a way to use Smoothsec as an inline transparent IPS ?
Basically to have 3 interfaces (internal,external,management) and connect the internal and the external networks without the use of iptables or any other routing/firewall software.
Thanks
i really like your project…many thanks for your effort Phillip!
i have some questions:
Is it possible to use SmothSec as an inline transparent IPS?
I would like to try this implementation if applicable:
-2 Interfaces to monitor 1 network segment (no ip addresses, L2 transparent)
-1 interface as a Management (eth2)
-not to use IP Tables or third party application/FW for blocking an intruder
- ability to drop packets when an even occur
Many thanks in advance.
Kind regards,
Marios
hi can it be setup to IDS Only? in that case does it need to have 2 NICs or can it be done using only 1 NIC? what do i need to change?
Regards
r
Implemented today. Still trying to find out all the nifty features tho. Thank you for a very nice piece of work, Philip!
A quick note: I too would be very keen to understand how to configure it as a transparent IPS. I have the bridge setup all done, and that works fine. But the 'dropping packets' bit leaves me a bit stumped. I've read you have to start suricata with '-q 0'. When doing that though it reports it hasn't been compiled with nfqueue support. However that sort of contradicts what Morgan says, above.
Any pointers how to go about it ?
Thanks in advance
Maarten
Bugreport (including fix!)
Clicking on the button “View Rule” always yields an error. Here is how to fix that:
1) Edit /var/www/snorby/config/snorby_config.yml, Change “production” section so it includes the path to the rules: – “/etc/suricata/rules”
2) chmod a+r /etc/suricata/rules/*
3) restart the server if you have trouble with restarting Rails (like me…)
Now the rules are viewable from the dashboard.
Cheers, Maarten
Hi Maarten,
thanks very much for the fix, very much appreciated.
Phillip
I have 2 interfaces in the box I’m using to run smooth-sec. Is there a default for which interface is for “Monitoring” and which interface is for management (i.e. SSH and HTTPS) traffic?
I assume eth0 is for monitoring, and eth 1 would be for management.
Hi,
How can I use a remote sensor with the Snorby of Smooth-Sec?
What is the default password for the MySQL root user on Smooth-Sec?
snorby:snorby works, but it hasn't enough privileges to grant modifications on MySQL.
Regards.
Pingback: » Лучшие дистрибутивы linux для мониторинга безопасности сети Unixzen
How do you upgrade to suricata-1.2
How can I add custom rules and change the Snort Rule sets in SmoothSec. Probably a very simple question… sorry. ; )
I am trying to partition the hard drive and it keeps telling me to set up the swap partition.
There is no option for the swap partition, how do I set this up?
Thanks
Awesome product, however a couple of things need to be addressed before putting it into production:
- NFQ turning it into an IPS
- Cuda support
Then it would rock. I am trying to tweak 1.3 into getting that and if I will succeed I will post the howto.
I am wondering if Smooth-Sec can be used in conjunction with OPENWRT? Basically, I have my smooth-sec system off a managed switch (inside my network) and I have a gateway router (OpenWRT). I would like Smooth-Sec to trigger on vulnerabilities and block malicious traffic from re-entering or exiting my network at the gateway (OPENWRT Router). Is such capability available with both Smooth-Sec and OpenWrt?
Thanks,
-Mark
Pingback: Deploying Smooth-Sec 1.3 | Focus Determines Reality
Great project, I used SPSA a while back, and enjoyed that one as well.
I just got everything installed, have tcpdump showing traffic, however, no events are being captured/displayed. Have 1.2 installed, and upgraded suricata to version 1.0.4. Rules appear to be setup, but no traffic. I put it out in-front of my router so it’s looking at public IP space instead of Private space.. is it looking for particular private IP ranges?
Thanks,
Rob
I found that updating to Suricata 1.0.4 in my case broke Smooth-Sec from working after a default install.
I followed the steps outlined, however, it did not work for me. I did run into an issue with oisf, the error message outlined in the comments for the update to 1.0.4 page. The answer given was “apt-get remove oisf”. For me, suricata never picked up traffic, but tcpdump did.
After I realized upgrading is what seems to break things for me (using VMware), I decided to update Snorby to version 2.5.1, the latest as of today. This was pretty easy.
Steps:
cd /var/www/html/snorby/config
mv database.yml database.yml.bak
mv snorby-geoip.dat snorby-geoip.dat.bak
mv snorby_config.yml snorby_config.yml.bak
cd initializers/
mv mail_config.rb mail_config.rb.bak
cd /var/www/html/snorby
git pull origin master
bundle install
cd /var/www/html/snorby/config
mv database.yml.bak database.yml
mv snorby-geoip.dat.bak snorby-geoip.dat
mv snorby_config.yml.bak snorby_config.yml
cd initializers/
mv mail_config.rb.bak mail_config.rb
rake snorby:update
service nginx restart
Maybe I’ll try a manual update on Suricata next to the latest, to see if that helps.
Thanks,
Rob
I am a linux noob here. How can i set this up as a transparent bridge? I see the bridge script, but what is required to get it going?
Alright, looks pretty fuckin awesome, will be installing this in the coming days and giving it a spin. Looks to be the perfect addition to the LAN to enhance perimeter security; thanks for your time and efforts making this available for the general public.
I've just installed Smooth-Sec with two interfaces and apparently all is OK, but Snorby's Dashboard always shows 0; when I click on High, Medium or Low Severity the events always show up correctly...
I've been following this post and I tried to fix this problem following the solution that appears above, but nothing has changed.
What can I do to solve this little error?
thanks a lot!!!
Hi, just installed v2.0, but the root password I set during install doesn't seem to work. Any ideas? Is there something else it sets too?
Also, is there any doco on how to configure this? I would like to have one interface as management and one on a mirror port, but I only see one in the Snorby web interface, and can't get into the CLI to check anything else due to the root password issue above.
looks like a sweet web interface though
Hi Tud,
are you sure CapsLock was not pressed during the setup? With Debian this kind of error is very unlikely to happen. I can only advise running again from the ISO and trying the Rescue option to reset the password.
Let me know,
Phillip
I’m working with Beta 1 of smooth-sec 2.0
It seems that the root password entered during setup is not stored properly, as I’m not able to log on locally or ssh with the password provided during installation.
I’m working with Beta 1 of smooth-sec 2.0
I’ll add, I tried re-installing, leaving the root password blank, and creating a different initial user, with the same results.
Hey guys, you are right. There's a bug in the installer that prevents updating the root password.
To log in please use user root with password toor. I will fix this bug within minutes.
Sorry again.
UPDATE, the bug has been fixed, within few hours Smooth-Sec 2.1 will be released.
No apologies needed. Thanks for putting this together!
Hi Bart,
Did root:root work for you?
Phillip
Please help, I am new to Linux distributions and IDSs. What do I type at the root@spsa line and root@smooth_sec lines? Thank you
Thanks, toor worked for me.
Next question: I have installed on ESXi and added two interfaces, but only one is picked up during the install. Is this normal behaviour?
Is there any further documentation I can read through for troubleshooting?
Cheers
Hello everyone,
The Smooth-Sec Debian installer root password bug has been fixed. Smooth-Sec version 2.1 has been released, default login root:toor. Get the new ISO here:
http://sourceforge.net/projects/smoothsec/files/SmoothSec-2.0/
Smooth-Sec support mailing list:
https://lists.sourceforge.net/lists/listinfo/smoothsec-talk
Yes, root and toor worked. Suricata is configured to "listen" on eth0, so make sure you are monitoring that particular NIC. If you run ifconfig -a you should see your unused NIC, which you can assign an IP to or set to use DHCP (for management).
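Added example (not from the Smooth-Sec project or from the commenter above): a small POSIX shell script that writes the two /etc/network/interfaces stanzas the comment describes for a Debian squeeze box. It takes from the comment that Suricata sniffs eth0; the choice of eth1 as the management NIC, the address 192.0.2.10/24, the gateway and the output path are placeholders I picked, not values from the page. The sniffing NIC is brought up with no IP address, ARP off and promiscuous mode on, so the sensor never answers traffic on the mirror port; the management NIC gets a static address or DHCP. A check function refuses a file that gives the sniffing NIC an address, which is the mistake that makes a mirror-port sensor visible on the wire.

```shell
#!/bin/sh
# Added example: generate /etc/network/interfaces stanzas for a Smooth-Sec
# sensor with a dedicated sniffing NIC and a dedicated management NIC.
# Assumptions (not from the page): eth1 is the management NIC; the address
# 192.0.2.10/24, gateway 192.0.2.1 and the output path are placeholders.
set -eu

# Stanza for the NIC Suricata listens on (eth0 per the comment): no IP
# address, ARP off, promiscuous mode on, so the sensor stays passive.
sniff_stanza() {
    iface=$1
    cat <<EOF
auto $iface
iface $iface inet manual
    up ip link set dev $iface up promisc on arp off
    down ip link set dev $iface down promisc off
EOF
}

# Stanza for the management NIC: "dhcp", or "static" with address,
# netmask and gateway as the following three arguments.
mgmt_stanza() {
    iface=$1
    mode=$2
    addr=${3:-}
    mask=${4:-}
    gw=${5:-}
    if [ "$mode" = dhcp ]; then
        printf 'auto %s\niface %s inet dhcp\n' "$iface" "$iface"
    else
        cat <<EOF
auto $iface
iface $iface inet static
    address $addr
    netmask $mask
    gateway $gw
EOF
    fi
}

# Sanity check on an interfaces file: the sniffing NIC must be "manual",
# promiscuous and carry no address line; the management NIC must have an
# address line or use DHCP. Returns non-zero on any violation.
check_interfaces() {
    file=$1 sniff=$2 mgmt=$3
    grep -q "^iface $sniff inet manual" "$file" || return 1
    grep -q "set dev $sniff up promisc on" "$file" || return 1
    awk -v s="$sniff" -v m="$mgmt" '
        /^iface / { cur = $2 }
        cur == s && /^[ \t]*address/ { bad = 1 }
        cur == m && (/^[ \t]*address/ || /inet dhcp/) { ok = 1 }
        END { exit (bad || !ok) }' "$file"
}

# Write a complete file (loopback + both stanzas) and verify it.
# Usage: write_interfaces OUT SNIFF_IF MGMT_IF dhcp
#        write_interfaces OUT SNIFF_IF MGMT_IF static ADDR MASK GW
write_interfaces() {
    out=$1 sniff=$2 mgmt=$3
    shift 3
    {
        printf 'auto lo\niface lo inet loopback\n\n'
        sniff_stanza "$sniff"
        printf '\n'
        mgmt_stanza "$mgmt" "$@"
    } > "$out"
    check_interfaces "$out" "$sniff" "$mgmt"
}

# Example invocation (placeholder values); review the result, then copy it
# over /etc/network/interfaces and run "ifdown -a && ifup -a" on the box:
#   write_interfaces /tmp/interfaces.new eth0 eth1 static 192.0.2.10 255.255.255.0 192.0.2.1
```

After the NIC is up, `ip link show eth0` should report PROMISC and no inet address, and the Snorby dashboard should start counting events only once the switch actually mirrors traffic to that port.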
Hi There
I have a little problem with the rules.update script:
GET 200 http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz 453+1248685 VIRUS ClamAV: cve_2011_2657
Virus DETECTED
Could someone let me know what happened??
Many thanks, and a very nice IDS.
HAMS
How can I stop the server (Smooth-Sec) sending this alert: ET POLICY OpenSSL Demo CA – Internet Widgits Pty
It comes from my Smooth-Sec box to my client laptop that accesses the server's dashboard.
Is it possible to install GNOME in Smooth-Sec?
Hello Sir,
I am using the "Smooth-Sec" IDS/IPS in VMware Player. I have installed it properly.
I am also able to get graphical access in the browser, but on my IDS/IPS interface no packets are being intercepted, so I am not able to get the "HIGH, MEDIUM, LOW" severity window.
I have updated the signatures & rules using the script/suricata.rules.update… path. It is not reflected in the browser signature database.
Please let me know about a solution as soon as possible.
Hi Phillip, great job with Smooth-Sec. I have a question: I'm running version 2.1 and I see that Suricata with Barnyard2 is recording this event, but the event does not update in Snorby.
My event counts in MySQL:
Enter password:
+———-+
| count(*) |
+———-+
| 37884 |
+———-+
Enter password:
+———-+
| count(*) |
+———-+
| 39682 |
+———-+
Any idea?
Thanks for the distro, quite easy to set up and use. I am having an issue with disk space: after 4 days of work it used 8 GB. I tried to limit the log file in Suricata; is there anything else I can do to minimise the disk usage? (I'm running it under a VM, with 8 GB of storage.)
Hello.
Where can I find more documentation?
I want to install Smooth-Sec as an inline IPS, but I am unable to find useful information regarding this scenario.
Thanks.
Amazing work, makes my work much easier.
Pingback: » Smooth-Sec v1.2 - CyberPunk
Hi,
We started running a hosting service last month, but we faced an attack problem. I searched a long, long time on Google, but I still can't find a suitable IPS for us. I have the following questions. Can you tell me?
1. We faced a DDoS issue. Our server is attacked and runs out of our international bandwidth (over 100MB of attack traffic from overseas). Can we use Smooth-Sec to filter/block DDoS attacks? If yes, do I have a bandwidth issue? At this stage, we can only ask our data centre to block IPs or mitigate.
2. Where do I put Smooth-Sec in our network environment? I have a Linux server (2 network cards, bridged across 2 VLANs) acting as a QoS router.
3. I can't find a manual on how to use Smooth-Sec; where can I find the documentation?
Many thanks for all your help !
How do I remove all events from the database?
I know how with Snorby and Snort:
echo "drop database snorby;" | mysql --user=root --password=
cd /var/www/snorby && /usr/local/bin/rake -f /var/www/snorby/Rakefile snorby:setup RAILS_ENV=production
But with Suricata, how?
Thanks
I like this! Thanks for sharing.
How do you configure Smooth-Sec in inline mode? I mean to be able to drop packets that do not fall under the ambit of the rules defined. At present, with the Suricata logs and the Snorby interface, I can only detect.
Somebody help, I am new to Linux distributions and IDSs. What do I type at the root@spsa line and root@smooth_sec lines? Or instructions to get to the desktop or web interface. Thank you