Downloads, builds, and installs Suricata IDS, Barnyard2 web-parser, and Snorby web-ui frontend.
dustinmhorvath/OneStopIDS
OneStopIDS

Single machine, single interface intrusion detection.

  • Downloads, builds, and installs Suricata IDS, Barnyard2 log/database-parser, and Snorby web-ui frontend.
  • Built and tested for Debian 8 Jessie 64-bit.
  • This implementation is currently in BETA. It has been confirmed working on a clean install of Debian 8, though it has only been tested in a limited environment. Expect revisions.

Install:

  • Execute install.sh. Requires sudo privileges.
  • Install takes a long time. Expect a setup time anywhere from 30 to 120 minutes, depending on your hardware.
  • You'll need to use routing to mirror traffic from the network in question to the machine running OneStopIDS. This can be accomplished with router-supported port mirroring or by using firewall rules such as:

    iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw $MACHINE_IP_HERE
    iptables -t mangle -A PREROUTING -s 0.0.0.0/0 -j ROUTE --tee --gw $MACHINE_IP_HERE

Requirements:

  1. 2170 MB free disk space
  2. 1 GB RAM
  3. ~2 GB swap space for compilation
  • Note: considerable memory is used for compiling ruby gems, which generally fail gracefully but with unhelpful error messages when memory is filled. Actual required running memory is likely much lower, so this can be reduced for a physical machine or VM after Snorby deployment.
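A pre-flight check against the requirements above, added here as an example and not part of the OneStopIDS repository; it catches the low-swap case that makes the gem builds fail before install.sh is run. The file name preflight.sh and the 2048 MB swap threshold (the README says "~2 GB") are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the OneStopIDS requirements listed in the README
# (2170 MB free disk, 1 GB RAM, ~2 GB swap for compiling the ruby gems).
# Added example; not part of the OneStopIDS repository.

# Thresholds in MB, taken from the README. The swap figure is approximate.
REQ_DISK_MB=2170
REQ_RAM_MB=1024
REQ_SWAP_MB=2048

# Free space in MB on the filesystem holding the given path (default: /).
free_disk_mb() {
    df -Pk "${1:-/}" | awk 'NR==2 {print int($4/1024)}'
}

# Total RAM / swap in MB from /proc/meminfo (values there are in kB).
total_ram_mb() {
    awk '/^MemTotal:/ {print int($2/1024)}' /proc/meminfo
}
total_swap_mb() {
    awk '/^SwapTotal:/ {print int($2/1024)}' /proc/meminfo
}

# check_requirements DISK_MB RAM_MB SWAP_MB
# Prints one line per shortfall; returns 0 if every requirement is met,
# 1 otherwise. A pure function of its arguments so it can be tested offline.
check_requirements() {
    disk=$1; ram=$2; swap=$3; rc=0
    if [ "$disk" -lt "$REQ_DISK_MB" ]; then
        echo "disk: ${disk} MB free, need ${REQ_DISK_MB} MB"; rc=1
    fi
    if [ "$ram" -lt "$REQ_RAM_MB" ]; then
        echo "ram: ${ram} MB, need ${REQ_RAM_MB} MB"; rc=1
    fi
    # Too little swap is the failure mode the README warns about: gem
    # compilation dies with unhelpful errors once memory is exhausted.
    if [ "$swap" -lt "$REQ_SWAP_MB" ]; then
        echo "swap: ${swap} MB, need about ${REQ_SWAP_MB} MB for gem builds"; rc=1
    fi
    return $rc
}

# Check the live system only when run directly as preflight.sh (assumed
# file name), so the functions can also be sourced from another script.
if [ "${0##*/}" = "preflight.sh" ]; then
    check_requirements "$(free_disk_mb /)" "$(total_ram_mb)" "$(total_swap_mb)" \
        && echo "ok: requirements met, install.sh can proceed"
fi
```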

Components:

  1. Suricata is a next-generation intrusion detection system that supports multi-core architectures as well as additional performance enhancements, and can be considered a more sophisticated version of Snort.
  2. Barnyard2 is a log-parser that can convert Suricata's output detection logs into database entries. It stores these entries with MySQL.
  3. Snorby is a web-ui frontend built using Ruby on Rails. It is relatively complex and relies on quite a few dependencies to be built from source. It's capable of interpreting Barnyard2's database entries (which also work with Snort), and can perform rule lookups using Suricata's ruleset. It supports multiple users, alerts, emails, and other useful features.

Utilizes:

  • Apache
  • Ruby
  • Rails
  • MySQL
  • Git
  • wkhtmltopdf
  • Nokogiri
  • Passenger
