標題: [教學] HOWTO : Protect My Home Network With Croissants [打印本頁]

---

作者: samiux    時間: 2015-3-26 21:15     標題: HOWTO : Protect My Home Network With Croissants

What is Croissants?

Croissants is an Intrusion Detection and Prevention System and running with Suricata. The components also including Snorby (Event Manager & Web Interface), Pigsty (Event Spooler) and Pulledpork (Rules Manager).

Suricata is a high performance Network IDS, IPS and Network Security Monitoring Engine. Croissants running on AF_PACKET with Suricata and it throughtput is up to 10GB traffic. AF_PACKET is one of Linux kernal modules since version 3.6 and it is designed for packet capturing. It is almost plug and play.

AF_PACKET can be running on a very low-end x86 computer, such as Intel ATOM D2550 CPU with 4GB or 8GB RAM. I recommend to use at least 8GB RAM for home security purpose. More memory and faster more cores Intel CPU for Home Office or larger business.

[youtube]pzPRwJln8eg[/youtube]

I am the developer of the Croissants.  The Croissants is very easy to install and maintain.  I hereby to introduce Croissants to you all.  The full article is here.  You can download it at here.

Hope you enjoy and have your secured home network.

Samiux

---

作者: cma019    時間: 2015-3-30 10:13

Thanks for sharing again! I like your post very much!

---

作者: samiux    時間: 2015-3-30 16:17




    Thanks.

---

作者: fatdog    時間: 2015-3-30 16:28

1）一部機行晒 ips 同 ids ok嗎？
2）一般人用，裝係 router 前就可以？
3）1GB RAM 既 raspberry pi 2 唔夠力？

---

作者: samiux    時間: 2015-3-30 16:37



(1) Croissants is IDS and IPS on the same box.  If you configure it to drop some rules, it is acting as IPS and leave other untouched rules as IDS.  You can see the feedback from the web interface "Snorby".

(2) I recommend to put the sensor (IPS/IDS) in front of the router for home users.  It is because, their home switches are hub more than a real switches as business one.  The article is talking about setting a IDS behind the router is my experiment only.

(3) I think Raspberry Pi 2 is not good for Croissants as the limited CPU power and the number of NICs on the board.  I recommend the CPU should be at least Intel ATOM D2550 and the amount of RAM is at least 4GB for a low traffic home network.

Samiux

---

作者: keithlcs    時間: 2015-4-3 10:25

Hi Samiux
睇左你個BLOG 都有興趣整返個 IPS 試下
想問下你個 Croissants 係咪就係 package integrate Snorby + Suricata
仲有想問下 兩個 NIC Interfaces 係咪要 bridge埋佢 而 Suricata 要行 inline mode?
可唔可以用 PostgreSQL 唔用 MySQL 架?

---

作者: fatdog    時間: 2015-4-3 19:04

http://item.taobao.com/item.htm? ... ;abbucket=16#detail

X29-J1900
計埋 ssd 同 ram 應該 ＄1000 度
夠用了吧？

---

作者: samiux    時間: 2015-4-4 01:36




(1) Croissants will almost handle all the installation procedure automatically.  All the required dependencies and packages will be installed.

(2) Croissants will take care of Suricata settings.  Users are not required to set the NICs in any mode.  You need 3 NICs.

(3) Suricata is running as inline mode when it is connected with other networking appliances properly.

(4) Snorby will use MySQL by default.  I have not test on PostgreSQL,

---

作者: samiux    時間: 2015-4-4 01:38



The power of the CPU and the throughput of the NICs are the most important.  I tested on Intel ATOM D2550 without any problem.  More cores are recommended.

---

作者: keithlcs    時間: 2015-4-5 21:12




唔明...我見你個 nsm_install script 改 interfaces 做 inet manual
其實我估係主要唔好 offload d 野
但點解要 inet manual 仲要 0.0.0.0 IP ?
如果我係 Internet <--> IPS <--> router
咁 IPS 個兩個 Interfaces 係咪要 bridge?
定其實 IPS 係 NAT router ?

冋埋我發覺 gem install 個 command 去到中途會 >6hrs 100% CPU hold 左 o係到
上網D人教加 --no-ri --no-rdoc
試左之後咁就無問題
另外想問下點解要加個 dhclient.conf ?

---

作者: samiux    時間: 2015-4-5 23:56



I think you are running Croissants right now.

First of all, I would like to know what is your hardware.  I run the script on ATOM D2550 without problem.

I think you are out of the knowledge of this field.  Further reading :
(1) What is NSM?
(2) What is IDS/IPS?
(3) What is UTM?
(4) What is Suricata?

Samiux

---

作者: keithlcs    時間: 2015-4-6 10:21

本帖最後由 keithlcs 於 2015-4-6 10:26 編輯


當然無你對 security 咁熟啦
其實我只係想知你個 system arch. 係點同有咩assumption...因為我個理解同 design 同實戰遇到d 野又未必同你一樣

我見你個 p2p1 同 p4p1 都係一個 0.0.0.0 interfaces...無bridge 過....而我見你 eth0 monitoring interface 又會用 google DNS
估你p2p1 係 Internet, p4p1 係 Internal Network??

而我部clean install ubuntu.. 你個 script 會改左 interfaces 做 inet manual 就算有左你加個 /etc/init/dhclient.conf 佢 startup 都 DHCP 唔到public IP
所以我想知你本身個arch. 同 script 係有咩 assumption 再去改返適合自己用

另外我見你話係 inline mode 但個 script 同 Suricata 教係有唔同
https://redmine.openinfosecfound ... IPSinline_for_Linux
另外要做 IPS 我見你篇文教要加多幾個 steps
http://samiux.blogspot.hk/2015/0 ... e-network-with.html

P.S. 我用Atom D510....其實都好多人遇到 gem install 100% CPU問題
https://github.com/rails/rails/issues/11814
加左 --no-ri --no-rdoc 應該唔會影響到個Suricata架可?

我見有人行左 Interfaces Bridge 先再攪 Scricata
http://taosecurity.blogspot.hk/2 ... on-ubuntu-1204.html
另外有d 人（包括你個script ) 係用 Scricata 本身個 copy interface
https://home.regit.org/2012/09/n ... s-mode-in-suricata/
想問下兩者有咩 Pros & Cons?

---

作者: samiux    時間: 2015-4-6 10:32



(1) ATOM D510 is older than ATOM D2550.

(2) There are many ways to configure Suricata to be IPS/IDS and just depends on your situation.

(3) Those ways have Pros and Cons.  Just depends on your desire.

Samiux

P.S. you can reach me at my IRC channel

---

作者: samiux    時間: 2015-4-7 18:17

Just learnt that Croissants can run on 2GB RAM and Intel ATOM D510 without problem.

If your CPU is D510, it requires to change something in the install script before installing.

Samiux