In this second part of “Detecting intruders at home”, we will look at the following points:
- Installation and configuration of an operating system in raspberry pi 3 from Windows.
- Installing and configuring Suricata.
Once we finish with these three points, we will have a fully functional NIDS in our house or any other place where we want to set it up. So, let’s get on with things.
Installing an Operating system
The first thing to do with Raspberry Pi is to give it an operating system to work with. In this case, by installing Raspbian as it is a fairly light distribution. In addition, having apt (Advanced Packing Tool) will allow us to install Suricata with a single instruction without the need to juggle GitHub, compilers, etc … If anyone wants to try it just go here, it’s not complicated, but it’s much simpler to use apt.
Installing Raspbian with Etcher.
The first step to take is to download the OS that is going to be installed, for this simply download Raspbian from the official Raspberry Pi website. This image takes up approximately 350 MB and does not have any graphic environment. A version without a desktop will be used so that the OS uses the minimum possible resources thus leaving them available for Suricata.
Once the image is obtained it must be transferred to an SD and for this, I will use an application called Etcher. To download it simply go here. Note that the tool is available for Windows, Linux and Mac.
Next, you’ll see this application appear.
The application is as simple as it looks, simply select an ISO (in our case Raspbian that has just been downloaded), select the SD you want to format and click on “Flash!”. After a few minutes the SD will be ready to enter it in Raspi and boot the OS.
This is just one more way to install an OS in Raspberry, obviously those who have already worked with Raspberry and use other programs to install the OS or do it manually using “dd” can do so. I personally usually use the Linux’s “dd” instruction, but for those who like the simplest things, this tool seems great to me; three buttons and everything is ready to go.
Configuring Raspbian and installing Suricata.
Once there is an OS in our Raspberry, a few steps need to be taken before installing Suricata.
The first thing to do is to connect to our PI, by default the SSH service may be disabled. So, connect the PI to a monitor and initiate session with the user “pi” and the password “raspberry”.
Once connected, the following steps must be followed.
- Create a new user (replace “yeknu” with your username)
- Change the root password
- Delete pi user. Before carrying out this step, it is necessary to exit the session and enter as the new user created. In the case where the user pi cannot be deleted because there are still processes running, simply run kill -9 [PID].
- Enable the SSH service to run during start-up and start the service:
- Enable the network card’s promiscuous mode during computer start-up. Create the archive “/etc/network/interfaces.d/eth0” and enter the following values:
- Install Suricata, configure it and enable automatic start-up during power up.
- The first step is to download the script and run it for the first time.
Now Suricata is installed, but the set of rules that it has by default is very poor. To complete these rules those of emergingthreats will be used. These are updated almost daily so they must be kept as up-to-date as possible. For this, I have a small script in my GitHub repository that will keep these rules updated by running it through a scheduled task.
- Once executed, all the emerginthreats rules will be in the directory “/etc/suricata/rules/”. In order for them to be updated and recharged every night two tasks will be added to our crontab.
- After following all these steps suricata will be fully functional.
In a future post we’ll look at how to integrate Suricata with QradarCE. For any questions you may have do not hesitate to ask me through twitter @yeknu_. Furthermore, suggestions and comments are accepted.