smooth-sec
Smooth-Sec is a ready-to-go IDS/IPS (Intrusion Detection/Prevention System) Linux distribution based on the multi-threaded Suricata IDS/IPS engine and Snorby, the top-notch web application for network security monitoring. Smooth-Sec is built on Ubuntu 10.04 LTS using the TurnKey Core base as the development platform. Functionality is the key point: it allows a complete IDS/IPS system to be deployed, up and running out of the box, within a few minutes, even by security beginners with minimal Linux experience. Feedback and suggestions are welcome on this page.
Suricata 1-0-4 update available for Smooth-Sec
Wiki: https://sourceforge.net/apps/mediawiki/smoothsec
Mailing List: https://lists.sourceforge.net/lists/listinfo/smoothsec-talk
Download: SmoothSec-1.2.iso
Size Compressed: 623 MB
Snorby login:
Snorby interface: https://ipaddress
Username: snorby@snorby.org
Password: snorby (please change this password after the first login)
SSH login:
Username: root
Password: the password you chose during the installation
Credits:
Smooth-Sec is developed by Phillip Bailey.
Snorby is developed by Dustin Webber.
Suricata is developed by the Open Information Security Foundation (OISF).
TurnKey Linux is developed by www.turnkeylinux.org
License: GPLv3
Snorby Features:
Metrics & Reports
Classifications
Full packet and session data.
Custom Settings
Hotkeys
Suricata Features:
Native IPv6 Support
Automatic protocol detection
Multi-threaded
Native hardware acceleration support
Passive OS and Portscan detection
L7 Protocol awareness
IP Reputation using scoring threshold
Distributed blocking & feedback
Global flowbits and variables
Changelog
7-09-2011 – Smooth-Sec 1.2 Released
[*] Improvements and fixes
* Upgraded to Kernel 2.6.32-33-generic-pae with support up to 64GB RAM
* Snorby upgraded to 2.3.9 version
* Suricata upgraded to 1.1 Beta2 version
* Barnyard2 upgraded to 1.10 version
21-03-2011 – Smooth-Sec 1.1 Released
[*] Improvements and fixes
* Fixed Suricata bug on alert classification.
* Fixed missing apt-get directories.
* Barnyard2 output files follow the Suricata conventional naming.
* Timezone selection on first boot.
* Autostart Snorby worker on boot.
* "Delete all the events" script added in /root/script.utils/
* Transparent bridge support script /etc/init.d/bridge
* Suricata user added to run the engine as an unprivileged user
11/03/2011 at 1:51 am
The link to TurnKey Linux is broken.
@finid, link fixed. Thanks for the comment.
11/03/2011 at 2:29 pm
Is the Ubuntu platform 32 or 64 bit?
Hello @sdamron, I hope to have a 64-bit version soon.
14/03/2011 at 7:51 am
Any chance for a thumbdrive edition, or is this fully functional Ubuntu (portability feature)?
Thanks.
@originalguru
Hello, please check this project, it might be what you need: http://unetbootin.sourceforge.net/
14/03/2011 at 1:07 pm
Hi,
How do I install a Spanish keyboard?
Best Regards,
Hello, try this: dpkg-reconfigure console-setup. Please let me know if it works.
Best
14/03/2011 at 1:36 pm
Hi,
Error in:
apt-get update for apt-get install locales:
E: Archive directory /var/cache/apt/archives/partial is missing
Best Regards,
Hello, this is a bug spotted today; please create the missing directories manually.
mkdir /var/cache/apt/archives/partial
and so on,
Best,
Phillip
14/03/2011 at 1:46 pm
Thanks, the Spanish keyboard is solved.
Best Regards,
14/03/2011 at 3:38 pm
Thanks, the “Archive directory /var/cache/apt/archives/partial is missing” error is solved.
Best Regards,
Welcome.
14/03/2011 at 3:49 pm
Hi,
Error?:
In Dashboard: 3 Low Severity Events.
In Dashboard, click in LOW SEVERITY: Low Severity Events 92 events found.
Best Regards,
The dashboard uses the Snorby worker to calculate its metrics, and the worker runs every 30 minutes, so there might be some delay between what you see in the dashboard and what you see in the events.
Best,
Phillip
15/03/2011 at 5:02 am
Hey Phil,
Great overall implementation. Curious to know if there are any particular commands to utilize specific port updates, i.e. being able to customize alerts on specific ports.
Thanks!
Thanks to you for the feedback.
Phillip
15/03/2011 at 5:08 am
Hey Phil,
Let me rephrase the last question.
Is there any command that would allow a user to customize alerts (emails) for specific events and ports? Like a more finite way of sending a notification.
Thanks,
G
Hello,
I’m sorry but this option isn’t included in Snorby (at the moment).
Phillip
16/03/2011 at 1:26 pm
Hi Phillip,
I've just installed the new Smooth-Sec. All runs OK.
Suricata offers alerts by means of Barnyard2, and apparently all is OK.
On Snorby's dashboard 0 High, Medium and Low Severity alerts always appear, but when I click on the events menu, 82 events show up! If I click on each of high, medium and low severity:
HIGH SEVERITY = 34 events found
MEDIUM SEVERITY = 60 events found
LOW SEVERITY = 0 events found
Following the instructions, I have just carried out the Smooth-Sec patch update available for the bug on alert classification.
After seven hours, nothing has changed!
Best Regards.
Hello there,
please follow this set of commands.
dpkg-reconfigure tzdata (configure the timezone according to your location)
ntpdate ntp.ubuntu.com
/etc/init.d/suricata stop
rm -rf /var/log/suricata/*
touch /var/log/suricata/barnyard2.waldo
rm -rf /var/www/snorby/tmp/pids/delayed_job.pid
cd /var/www/snorby/
# Rails console, type:
rails c
wait until the Rails console is open
then run inside the Rails console
Snorby::Jobs.clear_cache true
Snorby::Worker.stop
Snorby::Worker.start
type quit to exit the Rails console and check whether the Snorby worker is running via the Snorby administration page.
/etc/init.d/suricata start
This might help you to fix the issue.
Best.
Phillip
17/03/2011 at 5:10 pm
Phillip,
Thanks. I'll try and tell you if it is solved.
Best Regards,
@Spanish_
waiting.
Phillip
17/03/2011 at 5:46 pm
Phillip,
Thanks, thanks, thanks, All is solved.
Best Regards,
@Spanish_
This is great news!
Best,
phillip
22/03/2011 at 11:22 am
Hello.
Same problem with 0 events on the dashboard. I will try your fix. Maybe you'll patch it.
Excellent piece of software. May Jah bless you!
23/03/2011 at 11:09 am
Hi
Tried the fix but still have the 0 events problem on the dash. Any other tips to get this working?
Hello,
Are you using the 1.0 version or the 1.1?
Best,
phillip
23/03/2011 at 2:09 pm
I'm using 1.1. I may have posted too soon; some results have come in, but now the time seems to be off. I reset the time zone etc. as per the instructions above and it was correct. Now the current time is 14.17 and the dashboard states “Last Updated: 03/23/11 4:00:00 PM”
I have this running in a test VM; what are the minimum recommended specs?
Thanks for this awesome package
fusspils
@fusspils
Hello,
First of all you need to collect some alerts; you can do it even with a single ping like this: ping -s 6000 ip-address. Run the ping for 10 minutes and then wait for one hour in order to align the Snorby metrics.
Don't force a restart of the Snorby worker if it is running.
Phillip
24/03/2011 at 2:11 pm
So, I’m guessing I just set up a port-mirror to the suricata interface? It’s labeled as an IPS, would be nice to have a GUI built in for some simple alert responses (if X occurs, take Y action – such as shutting down port 1/0/33 on Switch2)
28/03/2011 at 1:40 pm
This looks really good, although it appears that once the system boots at install time the installer is locked to the screen. How did you master the ISO, so I can try to modify the isolinux configuration and change a boot option to redirect the console out the serial port? Unless I do this it is not possible to install this, as I am vision impaired. I tried this on a fit-PC, although perhaps 256 megs of memory is a bit low. An option to redirect the console out the serial port would allow installation on headless boxes and for those of us who cannot easily access a monitor. I'll get a friend on the weekend to help me install it with a screen. An alternative would be an option that asks no questions, blows away the first hard drive and does an unattended install.
@Kerry
Hello kerry,
Nice to hear from you. I've chosen to keep the installer as simple as possible; this is part of my philosophy. Anyway, you can try to mount the ISO image and edit the boot options, so you won't need to remaster the whole ISO. Please let me know.
Phillip
04/04/2011 at 10:29 am
Hello
nice project bro ...
If I want to use Smooth-Sec as a full IPS to drop all events (high, medium & low), what can I do?
Thanks again
05/04/2011 at 1:31 am
Hi,
Thanks for Smooth-Sec, very easy to install, stable!
Question: how do I configure 2 sniffer interfaces, not only 1?
(I have eth0 for management; eth1 is the 1st sniffing interface; I want eth2 to be the second sniffing interface, on another segment of the network).
Thanks!
@eugenc
Hello,
You need to tweak these files: /etc/init.d/suricata and /etc/suricata/barnyard2.conf; add the interfaces that you need to monitor.
13/04/2011 at 10:31 pm
Hi. Has anybody tried booting the ISO on a VMware server?
I’m getting a Kernel panic.
@Simon
Hello,
I'm running Smooth-Sec on various virtual platforms, including VMware Server 1 and 2, and I never saw a kernel panic before. Did you check the MD5 of the ISO?
It must be d734ccd5f672c845062baa974ac36160.
Thanks,
Phillip
02/05/2011 at 3:32 pm
I am trying to use Smooth-Sec with OpenFPC turned on. I have a question about the configuration of OpenFPC. During the setup, do I just point to a directory on the local hard drive as the directory I want to save the pcaps to? When I select to turn on OpenFPC, it doesn't seem to save the pcap there...
Any help would be appreciated,
Thanks
@John
Hello,
Thanks for your comment; this looks like an issue related to the permissions on the folder where the pcap files are saved.
phillip
12/05/2011 at 2:51 pm
Same as Simon, kernel panic using “VMware-VMvisor-Installer-4.1.0.update1-348481.x86_64.iso”; I already checked the md5 of “SmoothSec-1.1.iso” and it is ok.
02/06/2011 at 12:14 pm
Hi Phillip, Simon (http://bailey.st/blog/smooth-sec/#comment-1676) and JackH (http://bailey.st/blog/smooth-sec/#comment-2015).
The kernel panic with VMware ESX/ESXi (v4.1 IIRC) has been reported quite a few times on the TKL forums. It seems to be caused by a combo of Ubuntu kernel, VMware & specific hardware. A workaround is to disable acceleration during boot. Some have reported swapping in a different kernel is an alternative (and probably superior) workaround. A quick search turned up this thread, but there are others: http://www.turnkeylinux.org/forum/support/20101222/problem-booting-revision-control-appliance-110rc-when-hosted-vmware-esxi-and-
Hi Jeremy,
Thanks for the hint, really appreciated!
Phillip
28/06/2011 at 1:16 pm
Hi Phillip, I need your help to fix a little trouble. I have installed Smooth-Sec with 3 network adapters (network 1, network 2 and administration) but “sensors” only shows me eth0.
Best regards.
Hello Roberto,
you need to define the additional interfaces in two separate files. The first is /etc/suricata/barnyard2.conf, where you can add the additional interfaces as such:
config interface: eth0 eth1
and the second is /etc/init.d/suricata, where you can add additional interfaces in the startup script, e.g.:
/etc/suricata/suricata.yaml -i eth0 eth1
Best regards,
Phillip
29/06/2011 at 1:46 pm
Hi Phillip, thanks for the quick answer. I did what you told me, and Smooth-Sec shows me more sensors, but I have another trouble. As you already know, I have 3 network interfaces (switch1 eth1, switch2 eth2 and administration eth0); on both switches I have configured port mirroring to the Smooth-Sec interfaces (eth1, eth2), but nothing is listened to. But if I configure eth0 as a sensor it listens to everything and I lose the administration for the mirrors; I tried to administrate from another interface but that does not work.
My configuration files:
/etc/suricata/barnyard2.conf:
config interface: eth1 eth2
/etc/init.d/suricata
/etc/suricata/suricata.yaml -i eth1 eth2
Regards
01/07/2011 at 7:32 pm
In events, it says that I have 4868811 unclassified events,
but the event list only shows 72000 events.
In sensors I have 72000 events.
I think that the events are being logged in another sensor that Snorby doesn't show.
11/08/2011 at 8:48 am
Hello,
I'm looking for a way to configure Suricata to only alert when the source or the destination corresponds to a public IP, and not my internal network.
Is there a way to do that?
Thx
c
18/08/2011 at 5:34 pm
After installing Smooth-Sec, the system asks for a password and to configure the network.
I configured the network with both options, DHCP and Static, but it always returns me to the network configuration.
Why does it not pass this option? Is there something wrong with the image?
regards
Isi
25/08/2011 at 2:56 pm
I've added suppress gen_id 1, sig_id 201240 to my /etc/suricata/threshold.config file (to block rancid config updates) but my rancid server is still showing up in the logs. Ideas?
08/09/2011 at 9:12 am
Hi,
Suricata runs out of memory on startup:
[24598] 8/9/2011 — 10:29:13 – (detect.c:658) (SigLoadSignatures) — 43 rule files processed. 11644 rules succesfully loaded, 9 rules failed
[24598] 8/9/2011 — 10:29:24 – (detect.c:2101) (SigAddressPrepareStage1) — 12114 signatures processed. 659 are IP-only rules, 3883 are inspecting packet payload, 8098 inspect application layer, 0 are decoder event only
[24598] 8/9/2011 — 10:29:24 – (detect.c:2104) (SigAddressPrepareStage1) — building signature grouping structure, stage 1: adding signatures to signature source addresses… complete
[24598] 8/9/2011 — 10:40:42 – (detect-engine-siggroup.c:105) (SigGroupHeadInitDataAlloc) — [ERRCODE: SC_ERR_MEM_ALLOC(1)] – SCMalloc failed: Cannot allocate memory, while trying to allocate 1515 bytes
[24598] 8/9/2011 — 10:40:42 – (detect-engine-siggroup.c:105) (SigGroupHeadInitDataAlloc) — [ERRCODE: SC_ERR_FATAL(169)] – Out of memory. The engine cannot be initialized. Exiting…
Any ideas?
08/09/2011 at 10:05 am
Hello,
How much RAM are you using? VM or bare-metal server?
10/09/2011 at 3:10 am
Hi,
I downloaded 1.2, created it on a Kingston 2GB memstick using unetbootin.
When I boot it on a netbook, it boots the kernel and gets to a config screen for the network params (IP, netmask, gateway, DNS) and it fails there after I enter the correct info. It displays:
refusing to write /etc/network/interfaces.
header not found: # UNCONFIGURED INTERFACES
I could not proceed from there.
ed
12/09/2011 at 3:46 am
Hi Brian,
I posted earlier but my posting disappeared? I was having a problem with Smooth-Sec booting from a USB image on my netbook. I didn't have a desktop available yesterday for Smooth-Sec, so I tried to test-drive it using the netbook. The netbook has no CD drive so I had to boot up with the Live CD on USB. That fails with either 1.2 or 1.1 on both the Intel Atom netbook and a desktop AMD64. I finally got booted on the AMD64 box from a CD image and an HDD install. Then it worked: it accepted the networking configuration.
My question is with the network config: is the eth0 IP address for the management i/f, or for the sniffer/sensor i/f? Otherwise, where do I define my sensor?
There may be problems with boots using Live CD. The ISO was put to USB memstick with unetbootin-549. That image would not finish bootup, but always gives: “refusing to write /etc/network/interfaces”.
13/09/2011 at 3:17 pm
I would like to use Smooth-Sec in a bridging setup. I would also like to drop packets.
I can see that Suricata is built with --nfqueue, so that means it should be able to drop packets?
- Is there a sensible way of doing this, or do I just edit /etc/init.d/suricata?
Also, what is the best way of setting up a network bridge?
- Should I just edit /etc/network/interfaces and add br0 (as I normally would on an Ubuntu install)?
One last thing (assuming it is possible to put this in bridging mode): do I have to alter the actual rules to drop packets? (like snort-inline)
Regards
Hello Morgan,
take a look in /etc/init.d/bridge for the bridge script. In /etc/suricata/barnyard2.conf and /etc/suricata/suricata.yaml edit the network field from eth0 to br0. Once you are ready with the interfaces you can run chmod +x /etc/init.d/bridge and then /etc/init.d/bridge start. Soon I'm going to cover the bridging mode.
Stay tuned.
Phillip
14/09/2011 at 4:48 am
Phillip,
I have Smooth-Sec 1.2 installed and running on an AMD64 box. I have Suricata running, gathering data from eth1. I run tcpdump on there and see all the Internet traffic going by. I set eth1 as the i/f in the Suricata and Barnyard2 configs.
I have Snorby running, but not correctly... almost no events reported even though the data is there. But it does see a small few events: “ET POLICY unusual number of DNS No Such Name”... That comes from a sendmail spamassassin server blasting 20 DNS queries in 1 sec.
I need assistance with snorby_config.yml. For example, for production: domain: what should that be set to? Not much detailed doc can be found on the web. I found that rules: had empty rules so I put all the Suricata file paths in there; 33 files, like this: - “/etc/suricata/rules/~~~”. I hope that was OK.
Also, the dashboard has NEVER displayed what I see on the Snorby website: counters and plots. What is that problem? ImageMagick is installed, it seems.
I even went to IRC channel #snorby and asked for help. They say build it using: bundle pack; bundle install; rake snorby:setup. I would, but then I need to get all the source pieces. Not sure I want to do that yet.
I know that you are busy so if you could just point me to URLs of help for configs, I would be very happy.
thanks man.
Thanks
egf
14/09/2011 at 11:32 am
Phillip – thanks for the advice.
I have tried editing /etc/init.d/bridge however when I launch it I lose all network connections.
- looking at ifconfig (after running script) there is no br0 and both eth0+1 have no ip address.
The start of the script is
————————————————-
#!/bin/sh
# Define Bridge Interface, assuming that eth0 is the management interface
# Remember to change the suricata init.d script and the barnyard configuration
# file.
br="br0"
# Define physical ethernet interface to be bridged
eth0="eth0"
eth1="eth1"
start_bridge () {
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
brctl addbr $br
brctl addif $br $eth0
brctl addif $br $eth1
ifconfig $eth0 0.0.0.0
ifconfig $eth1 0.0.0.0
}
stop_bridge () {
####################################
# Tear Down Ethernet bridge on Linux
####################################
ifconfig $br down
brctl delbr $br
}
————————————————-
And my network interfaces file, /etc/network/interfaces, reads:
—————————
# UNCONFIGURED INTERFACES
# remove the above line if you edit this file
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address xx.xx.xx.xx
netmask xxx.xxx.xxx.xxx
gateway xxx.xxx.xxx.xxx
dns-nameservers xxx.xxx.xxx.xxx
network xxx.xxx.xxx.xxx
broadcast xxx.xxx.xxx.xxx
# bridge_ports eth0 eth1
# bridge_stp off
# bridge_fd 0
# bridge_maxwait 0
auto eth1
iface eth1 inet static
address 10.0.0.10
netmask 255.255.255.0
—————————
Can you suggest how to get it working?
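As an added example (not the Smooth-Sec /etc/init.d/bridge script, nor code from the poster), a bridge start/stop script that enslaves only the two sniffing interfaces, keeps the management interface out of the bridge, and brings br0 up, which the posted script never does; the interface names eth1/eth2 (bridged) and eth0 (management) are assumptions, and BRIDGE_DRY_RUN is an added switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the Smooth-Sec /etc/init.d/bridge script.
# Builds the transparent sensor bridge from the two sniffing interfaces
# only, keeps the management interface out of it and brings the bridge up.
# Interface names below are assumptions; adjust them to your box.
# BRIDGE_DRY_RUN=1 prints each command instead of executing it.

BR="br0"        # name to put in barnyard2.conf and the suricata init script
MGMT="eth0"     # management interface: never enslaved to the bridge
SNIFF_A="eth1"  # first bridged (sniffing) interface
SNIFF_B="eth2"  # second bridged (sniffing) interface

run() {
    if [ "${BRIDGE_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to enslave the management interface: doing so drops SSH/HTTPS access.
check_ifaces() {
    if [ "$SNIFF_A" = "$MGMT" ] || [ "$SNIFF_B" = "$MGMT" ]; then
        echo "refusing to bridge management interface $MGMT" >&2
        return 1
    fi
    if [ "$SNIFF_A" = "$SNIFF_B" ]; then
        echo "bridged interfaces must differ" >&2
        return 1
    fi
    return 0
}

start_bridge() {
    check_ifaces || return 1
    run brctl addbr "$BR"
    run brctl stp "$BR" off       # passive sensor: no spanning tree
    run brctl setfd "$BR" 0       # no forwarding delay
    run brctl addif "$BR" "$SNIFF_A"
    run brctl addif "$BR" "$SNIFF_B"
    # Ports carry no IP and must be up and promiscuous to forward frames.
    run ifconfig "$SNIFF_A" 0.0.0.0 promisc up
    run ifconfig "$SNIFF_B" 0.0.0.0 promisc up
    # The bridge itself must be brought up; a bridge left down is listed
    # only by 'ifconfig -a' and forwards nothing.
    run ifconfig "$BR" 0.0.0.0 promisc up
}

stop_bridge() {
    run ifconfig "$BR" down
    run brctl delif "$BR" "$SNIFF_A"
    run brctl delif "$BR" "$SNIFF_B"
    run brctl delbr "$BR"
}

case "${1:-}" in
    start) start_bridge ;;
    stop)  stop_bridge ;;
    *)     ;;   # no argument: only define the functions (sourced or tested)
esac
```

Run it with BRIDGE_DRY_RUN=1 first to see exactly what would be applied before touching a box you reach over the network.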
15/09/2011 at 9:17 pm
First.. This is an awesome appliance and it is exactly what I have been looking for. Thank you for your time, effort, and expertise. Couple of newbie questions:
1. Do the snort rules autoupdate? If not, how can one manually update them?
2. Can custom Snort rules be added?
16/09/2011 at 1:03 pm
Hi Bill,
thanks for your comment.
1) Suricata rules are updated via a crontab that runs at . Or you can update the rules manually by running the script /root/script.utils/rules.update . Before that you need to configure /etc/oinkmaster.conf according to the Snort rules.
2) You can run Snort rules as well, but it is recommended to use custom-made Suricata rules.
If you want 0-day rules you can subscribe to http://www.emergingthreatspro.com .
To add Snort rules you need to configure the /etc/suricata/suricata.yaml file.
Phillip
20/09/2011 at 10:15 am
As others have said, thank you for your work developing this.
I have installed it on a machine with two interfaces. eth0 is connected to a tap mirroring Internet-bound traffic for a large group of machines. Tcpdump shows the traffic (the column after the date shows a VLAN number; mentioning it in case it is relevant). The Suricata and Barnyard2 configs both refer to eth0. eth1 is the management interface and I can log in to Snorby, but it shows no alerts, even if I click into Events, as I see others have sometimes had a problem; nothing there. Admin shows the sensor is there and the “workers” are working. I've tried rebooting, and I noticed eth0 was not in promisc mode by default so I changed that, but no help. I'm reasonably certain there would have been a lot of traffic that would have flagged things by now within the traffic it is watching. Do I need to set eth0 to use 802.1q tags matching the VLAN ID I'm seeing in tcpdump maybe? What else can I try please?
TIA
Hello,
Looking at the Suricata source code I can see that decode-vlan.c is included in it.
http://suricata.sourcearchive.com/documentation/1.0.2/decode-vlan_8c-source.html
If you like you can give it a shot and try to set up the network card to use the VLAN.
http://wiki.debian.org/NetworkConfiguration#Howto_use_vlan_.28dot1q.2C_802.1q.2C_trunk.29_.28Etch.2C_Lenny.29
If you have any news or updates please let me know,
Phillip
22/09/2011 at 3:25 pm
Hmm, no joy unfortunately. I’ve now got a new interface called eth0.1014 (1014 being the vlan ID I’m seeing) and I’ve changed barnyard and suricata’s configs to match that and then done a “service suricata restart” – but still no events in Snorby. Any other ideas? Thanks.
Can you see something with tcpdump?
Phillip
23/09/2011 at 9:14 pm
Yes sorry, tcpdump on the new interface shows all the traffic, minus the vlan tagging. So that much seems to be working.
But you don't have events in Suricata, am I correct?
26/09/2011 at 11:45 am
There are no events in Snorby at least. Is there a way to directly check if suricata has seen any?
Hello,
you can check the suricata log with cat /var/log/suricata/fast.log
Phillip
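As an added example (not part of Smooth-Sec, Suricata or this thread), a small shell script that counts the alerts in fast.log by priority and by signature, so you can see whether Suricata itself is producing events before chasing the Snorby worker; the sample log lines, rule ids and addresses inside it are constructed.

```shell
#!/bin/sh
# Added example, not part of Smooth-Sec: summarise a Suricata fast.log
# so "Suricata logs nothing" can be told apart from "Snorby shows nothing".
# Usage: ./fastlog-summary.sh /var/log/suricata/fast.log
# With no argument it runs over a constructed sample log.

# Count alerts per priority. Prints "priority <n> <count>", lowest first.
fastlog_by_priority() {
    awk 'match($0, /\[Priority: [0-9]+\]/) {
             # "[Priority: " is 11 characters, the closing "]" one more
             p = substr($0, RSTART + 11, RLENGTH - 12)
             n[p]++
         }
         END { for (p in n) print "priority", p, n[p] }' "$1" | sort -k2,2n
}

# Count alerts per signature. Prints "<count> <gid:sid:rev> <msg>",
# most frequent first; the second argument limits the number of rows.
fastlog_top_sigs() {
    awk 'match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
             id   = substr($0, RSTART + 1, RLENGTH - 2)
             # the message runs from after "] " up to the next " [**]"
             rest = substr($0, RSTART + RLENGTH + 1)
             msg  = substr(rest, 1, index(rest, " [**]") - 1)
             n[id " " msg]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn | head -n "${2:-5}"
}

# Writes a constructed sample fast.log (made-up sids in the local range,
# RFC 5737 documentation addresses) and prints its path.
fastlog_sample_file() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
03/23/2011-14:17:01.000001  [**] [1:1000001:1] LOCAL ICMP oversize ping [**] [Classification: Misc activity] [Priority: 2] {ICMP} 192.0.2.20 -> 192.0.2.10
03/23/2011-14:17:02.000002  [**] [1:1000001:1] LOCAL ICMP oversize ping [**] [Classification: Misc activity] [Priority: 2] {ICMP} 192.0.2.20 -> 192.0.2.10
03/23/2011-14:17:03.000003  [**] [1:1000002:1] LOCAL POLICY EXE download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.5:80 -> 192.0.2.20:51236
03/23/2011-14:17:04.000004  [**] [1:1000001:1] LOCAL ICMP oversize ping [**] [Classification: Misc activity] [Priority: 2] {ICMP} 192.0.2.21 -> 192.0.2.10
03/23/2011-14:17:05.000005  [**] [1:1000002:1] LOCAL POLICY EXE download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.5:80 -> 192.0.2.21:40002
03/23/2011-14:17:06.000006  [**] [1:1000003:1] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 203.0.113.7:33333 -> 192.0.2.10:22
EOF
    printf '%s\n' "$f"
}

if [ -n "${1:-}" ]; then
    fastlog_by_priority "$1"
    fastlog_top_sigs "$1"
else
    sample="$(fastlog_sample_file)"
    fastlog_by_priority "$sample"
    fastlog_top_sigs "$sample"
    rm -f "$sample"
fi
```

If this shows alerts but Snorby's dashboard stays at zero, the gap is in Barnyard2 or the Snorby worker, not in Suricata's capture.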
27/09/2011 at 11:02 pm
Hi,
I have tried to figure out how to integrate and enable OpenFPC. Any instructions or pointers?
Kind regards,
29/09/2011 at 1:51 pm
How can I purge all alerts from the system and start from scratch?
Hello,
You can use this script:
/root/script.utils/CleanAllEvents.sh, but be careful: that will erase all your events and reset the login credentials.
Phillip
03/10/2011 at 1:31 pm
To drop packets do I still need to change the word ‘alert’ to ‘drop’ in the rules file?
(And I assume I would need as bridging setup)
06/10/2011 at 1:31 pm
I have purchased the ruleset from emergingthreatspro.com. How do you implement the subscription into Smoothsec?
Hi Bill,
I guess that you received a code from emergingthreatspro; you need to add it to the /etc/oinkmaster.conf file in this way:
http://rules.emergingthreatspro.com//
/etpro.rules.tar.gz
Best,
Phillip
12/10/2011 at 3:58 pm
I am getting the occasional crash.
This is in dmesg
—————————————————–
[438117.195623] Detect2[13484]: segfault at 4 ip 0808be5e sp b3bc3950 error 4 in suricata[8048000+134000]
[798849.899958] Decode & Stream[19482]: segfault at b4c7e000 ip b760e29f sp b4c7ae10 error 4 in libc-2.11.1.so[b7598000+142000]
[950746.500210] Decode & Stream[23515]: segfault at b4cf0000 ip b768029f sp b4cece10 error 4 in libc-2.11.1.so[b760a000+142000]
[1039451.131470] Decode & Stream[10320]: segfault at b4cda000 ip b766a29f sp b4cd6e10 error 4 in libc-2.11.1.so[b75f4000+142000]
[1107375.681150] Detect2[28238]: segfault at 2029343e ip b759a619 sp b3c10878 error 4 in libc-2.11.1.so[b752c000+142000]
—————————————————–
I am shortly going to be using this in inline mode, so a crash would mean losing the connection...
The server only has 1 GB; could it be memory related? Looking at the logs, it is possibly after a cron-apt update?
Any ideas?
21/10/2011 at 5:10 pm
I really like the product, however after 2 days it has stopped working. The dashboard started working slowly after a day and then wouldn’t load at all. It captured over 200,000 events since I was last able to view the page. Not sure why nearly every single packet is viewed as a threat…
15/11/2011 at 6:03 pm
Hi.. Some questions..
Does Smooth-Sec work only informatively, or does it block attacks too? Could Smooth-Sec work in bridge mode?
02/12/2011 at 6:44 am
Anyone having a problem with Smooth-Sec and Snorby where the Snorby sensor cache stops regularly and you have to restart it from the web interface? If left unattended, the Snorby worker stops altogether and one must do the following to get it restarted.
rails c
Snorby::Jobs.clear_cache true
Snorby::Worker.stop
Snorby::Worker.start
Anyone have a fix for this problem?
19/12/2011 at 6:38 pm
Hi! I am still facing problems with Smooth-Sec 1.3. After 2 hours of operation the Smooth-Sec kernel crashes with the following message:
Smooth-Sec kernel: [134615.060177] Decode & Stream[30761]: segfault at 9e9d6000 ip b766629f sp b5ea9db0 error 6 in libc-2.11.1.so[b75f0000+142000]
and then my ethernet interface leaves promiscuous mode.
Does anybody have an idea what could have happened? I am running it on a 24-core machine with 24 GB RAM.
Regards,
Ariel
02/01/2012 at 1:23 pm
Hello,
Great project!
Is there a way to use Smooth-Sec as an inline transparent IPS?
Basically to have 3 interfaces (internal,external,management) and connect the internal and the external networks without the use of iptables or any other routing/firewall software.
Thanks
03/01/2012 at 11:08 pm
I really like your project... many thanks for your effort, Phillip!
I have some questions:
Is it possible to use Smooth-Sec as an inline transparent IPS?
I would like to try this implementation if applicable:
- 2 interfaces to monitor 1 network segment (no IP addresses, L2 transparent)
- 1 interface as management (eth2)
- not to use iptables or a third-party application/FW for blocking an intruder
- ability to drop packets when an event occurs
Many thanks in advance.
Kind regards,
Marios
09/01/2012 at 4:22 pm
Hi, can it be set up as IDS only? In that case, does it need to have 2 NICs or can it be done using only 1 NIC? What do I need to change?
Regards
r
12/01/2012 at 7:18 pm
Implemented today. Still trying to find out all the nifty features though. Thank you for a very nice piece of work, Phillip!
A quick note: I too would be very keen to understand how to configure it as a transparent IPS. I have the bridge setup all done, and that works fine. But the ‘dropping packets’ bit leaves me a bit stumped. I've read you have to start Suricata with ‘-q 0’. When doing that though, it reports it hasn't been compiled with nfqueue support. However, that sort of contradicts what Morgan says above.
Any pointers how to go about it ?
Thanks in advance
Maarten
14/01/2012 at 5:06 pm
Bugreport (including fix!)
Clicking on the button “View Rule” always yields an error. Here is how to fix that:
1) Edit /var/www/snorby/config/snorby_config.yml: change the “production” section so it includes the path to the rules: - “/etc/suricata/rules”
2) chmod a+r /etc/suricata/rules/*
3) restart the server if you have trouble with restarting Rails (like me…)
Now the rules are viewable from the dashboard.
Cheers, Maarten
17/01/2012 at 9:47 am
Hi Maarten,
thanks very much for the fix, very much appreciated.
Phillip
08/02/2012 at 9:37 pm
I have 2 interfaces in the box I'm using to run Smooth-Sec. Is there a default for which interface is for “monitoring” and which interface is for management (i.e. SSH and HTTPS) traffic?
I assume eth0 is for monitoring, and eth1 would be for management.
13/02/2012 at 3:15 am
Hi,
How can I use a remote sensor with the Snorby of Smooth-Sec?
What is the default password for the MySQL root user on Smooth-Sec?
snorby:snorby works, but it hasn’t enough privileges to grant modifications on mysql.
Regards.
01/03/2012 at 8:13 pm
How do you upgrade to suricata-1.2?
02/03/2012 at 10:10 pm
How can I add custom rules and change the Snort rule sets in Smooth-Sec? Probably a very simple question... sorry. ; )
19/03/2012 at 7:56 pm
I am trying to partition the hard drive and it keeps telling me to set up the swap partition.
There is no option for the swap partition, how do I set this up?
Thanks
19/04/2012 at 12:20 pm
Awesome product, however a couple of things need to be addressed before putting it into production:
- NFQ turning it into an IPS
- Cuda support
Then it would rock. I am trying to tweak 1.3 into getting that, and if I succeed I will post the howto.
23/04/2012 at 6:39 pm
I am wondering if Smooth-Sec can be used in conjunction with OPENWRT? Basically, I have my smooth-sec system off a managed switch (inside my network) and I have a gateway router (OpenWRT). I would like Smooth-Sec to trigger on vulnerabilities and block malicious traffic from re-entering or exiting my network at the gateway (OPENWRT Router). Is such capability available with both Smooth-Sec and OpenWrt?
Thanks,
-Mark