[Tutorial] HOWTO: Protect My Home Network With Croissants
What is Croissants?
Croissants is an Intrusion Detection and Prevention System built on Suricata. Its components also include Snorby (event manager and web interface), Pigsty (event spooler) and Pulledpork (rules manager).
Suricata is a high-performance network IDS, IPS and network security monitoring engine. Croissants runs Suricata on AF_PACKET, and its throughput is up to 10GB of traffic. AF_PACKET is one of the Linux kernel modules since version 3.6, and it is designed for packet capturing. It is almost plug and play.
AF_PACKET can run on a very low-end x86 computer, such as one with an Intel ATOM D2550 CPU and 4GB or 8GB of RAM. I recommend using at least 8GB of RAM for home security purposes. Use more memory and a faster Intel CPU with more cores for a home office or larger business.
I am the developer of Croissants. Croissants is very easy to install and maintain. I hereby introduce Croissants to you all. The full article is here. You can download it here.
I hope you enjoy it and have a secure home network.
(1) Croissants is an IDS and an IPS on the same box. If you configure some rules to drop, it acts as an IPS for those rules and as an IDS for the other, untouched rules. You can see the results in the web interface, Snorby.
(2) I recommend putting the sensor (IPS/IDS) in front of the router for home users, because their home switches are more like hubs than real switches of the business kind. The setup in the article, with an IDS behind the router, is only my experiment.
(3) I think the Raspberry Pi 2 is not good for Croissants because of its limited CPU power and the number of NICs on the board. I recommend that the CPU be at least an Intel ATOM D2550 and the amount of RAM at least 4GB for a low-traffic home network.
The power of the CPU and the throughput of the NICs are the most important. I tested on an Intel ATOM D2550 without any problem. More cores are recommended.
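The split described in point (1), as an added example that is not part of Croissants or of the original article: rules whose SID is on a drop list get the `drop` action (IPS), all other enabled rules stay `alert` (IDS). The function name, the sample rules and their SIDs are constructed for illustration, and the rule lines use the standard Suricata action/`sid` syntax.

```python
import re

# Matches the action and the sid option of a Suricata-style rule line.
# A leading '#' marks a disabled rule, which is left untouched.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<rest>.*\bsid\s*:\s*(?P<sid>\d+)\s*;.*)$'
)

def apply_drop_list(rules_text, drop_sids):
    """Hypothetical helper: return (new_rules_text, modes).

    modes maps each enabled rule's sid to 'IPS' (traffic is blocked)
    or 'IDS' (traffic is only reported).
    """
    out, modes = [], {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group('off'):
            out.append(line)  # comments, blanks and disabled rules stay as-is
            continue
        sid = int(m.group('sid'))
        action = m.group('action')
        if sid in drop_sids and action == 'alert':
            action = 'drop'  # promote this rule from detection to prevention
        modes[sid] = 'IPS' if action in ('drop', 'reject') else 'IDS'
        out.append(f"{action} {m.group('rest')}")
    return "\n".join(out), modes

# Constructed sample rules (local-use SIDs, not real signatures).
SAMPLE_RULES = '''\
# constructed sample rules
alert tcp any any -> $HOME_NET 23 (msg:"SAMPLE telnet to home network"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"SAMPLE inbound ping"; sid:1000002; rev:1;)
#alert tcp any any -> $HOME_NET 445 (msg:"SAMPLE disabled rule"; sid:1000003; rev:1;)
'''

if __name__ == "__main__":
    new_rules, modes = apply_drop_list(SAMPLE_RULES, {1000001, 1000003})
    print(new_rules)
    for sid, mode in sorted(modes.items()):
        print(sid, mode)
```

A `drop` action only blocks traffic when Suricata runs inline; in passive capture it is reported like an alert.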