Setting up an IDS/IPS in Ubuntu

Cyber Tool Guardian
3 min read · Jun 8, 2024


What are IDS and IPS?

IDS and IPS are key components of network security. They are designed to detect, alert on and, in the case of an IPS, block potential security threats and unauthorized network activity.

An intrusion detection system (IDS) passively monitors a copy of the network traffic for unusual activity and known threat signatures, and generates alerts when it finds them. It does not sit in the traffic path, so on its own it cannot stop an attack.

An intrusion prevention system (IPS) detects threats in the same way but sits inline in the traffic path, so it can also drop or reject the offending packets before they reach their destination.

What is Suricata?

Suricata is an open-source network threat detection engine that can identify intrusions (IDS), prevent them (IPS) and monitor network security (NSM). It is designed to be fast, robust and highly configurable, with real-time traffic analysis and packet logging over IP networks. Suricata can detect and alert on a variety of security risks, including malware, network intrusions and other suspicious activity.

Installing Suricata

Install the package that provides the add-apt-repository command,

sudo apt-get install software-properties-common

Now add the Suricata stable repository and refresh the package index,

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install Suricata using,

sudo apt-get install suricata

Now find the name of the network interface that Suricata should monitor. The post uses the ifconfig command; note that ifconfig is not installed by default on recent Ubuntu releases (it comes with the net-tools package), and ip addr or ip link shows the same information.

Use that information to configure Suricata (the file is owned by root, so open it with sudo):

sudo nano /etc/suricata/suricata.yaml

There are many configuration options; here we focus on the HOME_NET variable and the network interface. In most scenarios HOME_NET should cover the IP address of the monitored interface and all local networks in use. The default already includes the RFC 1918 networks, so if the monitored interface has the address 10.0.0.23 it is already covered by 10.0.0.0/8. If no other networks are used, the other predefined values can be removed so that traffic involving unrelated private ranges is not treated as local; many rules use $HOME_NET and $EXTERNAL_NET to decide direction, so a wrong HOME_NET produces missed or noisy alerts.

In this example the interface name is enp1s0, so the interface name in the af-packet section needs to match. Note that this af-packet configuration runs Suricata as a passive IDS that only sees a copy of the traffic; to run inline as an IPS you must either bridge two interfaces with af-packet copy-mode: ips and copy-iface, or feed packets through NFQUEUE (start Suricata with -q 0 and add an iptables NFQUEUE rule), and change the relevant rules from alert to drop. An example interface config might look like this:

af-packet:
  - interface: enp1s0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

Now download the rule set (Emerging Threats Open by default) with suricata-update. It writes the merged rule file to /var/lib/suricata/rules/suricata.rules, which the packaged suricata.yaml already points to, and it is the same command you re-run later to fetch rule updates,

sudo suricata-update

Before restarting, validate the edited configuration (suricata -T -c /etc/suricata/suricata.yaml -v parses the YAML and the rules without starting the engine, so a wrong indent or interface name shows up here rather than as a failed service). Then restart Suricata so the new HOME_NET, interface and rules are loaded,

sudo systemctl restart suricata

Let us test that Suricata is working by following fast.log in one terminal and, in another, fetching a page that is designed to trigger an alert,

sudo tail -f /var/log/suricata/fast.log
curl http://testmynids.org/uid/index.html

The page returned by testmynids.org contains the string uid=0(root) gid=0(root) groups=0(root), which matches the GPL ATTACK_RESPONSE id check returned root signature (sid 2100498) from the rule set, so an alert line naming that signature should appear in fast.log a moment after the curl command runs. With that alert generated we can confirm the IDS is working; in this passive setup the response is still delivered to curl, since only an inline IPS configuration could drop it.
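As an added example (not code from the original post or from the Suricata project), here is a small Python parser for the fast.log format. It pulls out the signature id, message, classification, priority, protocol and address pair of each alert, checks whether the testmynids alert (sid 2100498) was seen, and uses the HOME_NET prefixes from the configuration step to tag each alert as inbound, outbound, internal or external. The log lines it runs on are constructed by hand to match the fast.log layout: 10.0.0.23 is the monitored host from the post, the remote addresses come from the RFC 5737 documentation ranges, and sids 1000001 and 1000002 are placeholder local rules, not real ET Open signatures. The [Drop] marker on one line is what fast.log shows for a dropped packet in inline IPS mode; it never appears in the passive setup above.

```python
"""Parse Suricata fast.log alerts and relate them to HOME_NET.

Added example, not code from the post or from Suricata. SAMPLE_FAST_LOG
is constructed (not captured): 10.0.0.23 is the monitored host from the
post, remote addresses are RFC 5737 documentation addresses, and sids
1000001/1000002 are placeholder local rules, not real ET Open rules.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Suricata's default HOME_NET: the RFC 1918 ranges.
HOME_NET = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]

# fast.log layout: timestamp, optional [Drop]/[wDrop] marker (IPS mode),
# [gid:sid:rev], message, optional classification, priority, protocol,
# then "src:sport -> dst:dport".
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)

SAMPLE_FAST_LOG = """\
06/08/2024-10:15:23.481201  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.0.0.23:52342
06/08/2024-10:16:02.000913  [**] [1:1000001:1] LOCAL outbound HTTP to unexpected port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.23:40122 -> 203.0.113.10:8081
06/08/2024-10:17:45.772035  [Drop] [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:8080 -> 10.0.0.23:41000
06/08/2024-10:18:10.104477  [**] [1:1000002:1] LOCAL ICMP echo between internal hosts [**] [Priority: 3] {ICMP} 10.0.0.5:0 -> 10.0.0.23:0
this is not an alert line and is skipped by the parser
"""


@dataclass
class Alert:
    ts: str
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    dropped: bool  # True when fast.log carried [Drop] (inline IPS mode)


def parse_fast_line(line: str) -> Optional[Alert]:
    """Return an Alert for one fast.log line, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        ts=m["ts"], sid=int(m["sid"]), rev=int(m["rev"]), msg=m["msg"],
        classification=m["cls"], priority=int(m["prio"]), proto=m["proto"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        dropped=m["action"] == "Drop",
    )


def parse_fast_log(text: str) -> List[Alert]:
    """Parse every alert line in a fast.log body, ignoring anything else."""
    return [a for a in map(parse_fast_line, text.splitlines()) if a is not None]


def in_home_net(addr: str, home_net: Optional[List[str]] = None) -> bool:
    """True if addr falls inside any HOME_NET prefix (default: RFC 1918)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in (home_net or HOME_NET)]
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def direction(alert: Alert, home_net: Optional[List[str]] = None) -> str:
    """Classify a flow relative to HOME_NET: inbound, outbound, internal or external."""
    src_home = in_home_net(alert.src, home_net)
    dst_home = in_home_net(alert.dst, home_net)
    if src_home and dst_home:
        return "internal"
    if dst_home:
        return "inbound"
    if src_home:
        return "outbound"
    return "external"


def find_alert(alerts: List[Alert], sid: int) -> Optional[Alert]:
    """First alert with the given signature id, or None if it was never raised."""
    return next((a for a in alerts if a.sid == sid), None)


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    print("testmynids alert (sid 2100498) seen:", find_alert(alerts, 2100498) is not None)
    for a in alerts:
        flag = "DROPPED " if a.dropped else ""
        print(f"{a.ts} {flag}{direction(a):8} sid={a.sid} {a.proto} "
              f"{a.src}:{a.sport} -> {a.dst}:{a.dport} {a.msg}")
```

To run it against the real sensor, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log. For anything beyond a quick check, Suricata's eve.json output is the better source, since it is already structured JSON and does not need a regular expression to parse.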

Also check out my Masters in USA journey from the profile,

Subscribe to our YouTube channel: https://www.youtube.com/@CyberToolGuardian/featured

Follow us on Instagram:
https://instagram.com/cybertoolguardian

Check out the website:
https://cybertoolguardain.com
