In this second part of “Detecting intruders at home”, we will look at the following points:

  • Installing and configuring an operating system on a Raspberry Pi 3 from Windows.
  • Installing and configuring Suricata.

Once we have finished with these points, we will have a fully functional NIDS at home or anywhere else we want to set it up. So, let’s get on with it.

Installing an Operating system

The first thing to do with the Raspberry Pi is to give it an operating system to work with. In this case we will install Raspbian, as it is a fairly light distribution. In addition, having apt (Advanced Package Tool) will let us install Suricata with a single command, with no need to juggle GitHub, compilers, etc. If anyone wants to try that route, just go here; it is not complicated, but using apt is much simpler.

Installing Raspbian with Etcher.

The first step is to download the OS image to be installed; simply download Raspbian from the official Raspberry Pi website. This image takes up approximately 350 MB and has no graphical environment. A version without a desktop is used so that the OS consumes the minimum possible resources, leaving them available for Suricata.

Once the image has been obtained, it must be written to an SD card; for this I will use an application called Etcher. To download it, simply go here. Note that the tool is available for Windows, Linux and Mac.

Once launched, the application window appears.

The application is as simple as it looks: select an image file (in our case the Raspbian image just downloaded), select the SD card you want to write and click “Flash!”. After a few minutes the SD card will be ready to insert into the Raspberry Pi and boot the OS.

This is just one more way to install an OS on the Raspberry Pi; obviously those who have already worked with the Raspberry Pi and use other programs to install the OS, or do it manually with “dd”, can do so. I personally tend to use the dd command on Linux, but for those who like the simplest things, this tool seems great to me: three buttons and everything is ready to go.

Configuring Raspbian and installing Suricata.

Once the Raspberry Pi has an OS, a few steps need to be taken before installing Suricata.

The first thing to do is to connect to our Pi; by default the SSH service may be disabled, so connect the Pi to a monitor and log in with the user “pi” and the password “raspberry”.

Once connected, follow these steps.

  1. Create a new user (replace “yeknu” with your username)

#sudo su -
#adduser yeknu
Adding user `yeknu' ...
Adding new group `yeknu' (1001) ...
Adding new user `yeknu' (1001) with group `yeknu' ...
Creating home directory `/home/yeknu' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

  2. Change the root password

#passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

  3. Delete the pi user

Before carrying out this step, log out and log back in as the newly created user.

#deluser pi
Removing user `pi' ...
Warning: group `pi' has no more members.
Done.

If the user pi cannot be deleted because it still has processes running, simply terminate them with kill -9 [PID] and try again.

  4. Enable the SSH service at start-up and start it:

#update-rc.d ssh enable
#service ssh start

  5. Enable the network card’s promiscuous mode at start-up

Create the file “/etc/network/interfaces.d/eth0” with the following content:

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
up /sbin/ifconfig eth0 promisc on

  6. Install Suricata, configure it and enable automatic start-up at boot.

#apt-get update
#apt-get upgrade -y
#apt-get dist-upgrade -y
#apt-get install suricata -y
#update-rc.d suricata enable

Suricata is now installed, but its default rule set is very poor. To complement it, the Emerging Threats rules will be used. These are updated almost daily, so they must be kept as up to date as possible. For this, I have a small script in my GitHub repository that keeps these rules updated when it is run from a scheduled task.

The first step is to download the script and run it for the first time.

#wget https://raw.githubusercontent.com/yeknu/emerging_updater/master/emergingupdater.py -O /etc/suricata/emergingupdater.py
#python /etc/suricata/emergingupdater.py

Once it has run, all the Emerging Threats rules will be in the directory “/etc/suricata/rules/”. So that they are updated and reloaded every night, two tasks are added to our crontab.

#crontab -e (the first time it is run, it asks you to select an editor)

0 2 * * * python /etc/suricata/emergingupdater.py
15 2 * * * suricatasc -c reload-rules
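The nightly job above fetches the Emerging Threats rules and reloads Suricata unconditionally. As an added example (not the author's emergingupdater.py), the following Python module shows the install step done defensively: only *.rules members are taken from the downloaded tarball, entries whose path would escape the rules directory are dropped, files are written atomically, and the list of changed files tells the caller whether a reload is needed at all. Downloading the tarball (with wget as the author does, or urllib) is left to the caller; the rules directory assumed is the page's /etc/suricata/rules.

```python
"""Added example (not the author's emergingupdater.py): install an Emerging
Threats rules tarball into the Suricata rules directory safely and report
which *.rules files really changed, so the nightly job can reload Suricata
only when something is new. Assumed rules path: /etc/suricata/rules."""
import io, pathlib, tarfile, tempfile


def update_rules(tar_bytes: bytes, rules_dir: str) -> list:
    """Extract regular *.rules members into rules_dir (dropping the rules/ prefix),
    skipping absolute or '..' names so a tampered archive cannot write elsewhere."""
    target = pathlib.Path(rules_dir)
    target.mkdir(parents=True, exist_ok=True)
    changed = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = pathlib.PurePosixPath(member.name)
            if not member.isfile() or name.suffix != ".rules":
                continue
            if name.is_absolute() or ".." in name.parts:
                continue  # path traversal attempt: ignore the member
            dest, data = target / name.name, tar.extractfile(member).read()
            if dest.exists() and dest.read_bytes() == data:
                continue  # identical to what is already installed
            tmp = dest.with_name(dest.name + ".tmp")
            tmp.write_bytes(data)
            tmp.replace(dest)  # atomic rename: Suricata never sees a half-written file
            changed.append(dest.name)
    return sorted(changed)  # empty list: no 'suricatasc -c reload-rules' needed


def build_tarball(entries) -> bytes:
    """Build a .tar.gz in memory; used here only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> tuple:
    """Constructed archives: a valid rule file, a traversal entry, then a revised rule."""
    rule = b'alert tcp any any -> any any (msg:"constructed sample"; sid:9000001; rev:1;)\n'
    tar1 = build_tarball([("rules/emerging-sample.rules", rule), ("../escaped.rules", b"x")])
    tar2 = build_tarball([("rules/emerging-sample.rules", rule.replace(b"rev:1", b"rev:2"))])
    with tempfile.TemporaryDirectory() as d:
        first = update_rules(tar1, d + "/rules")
        second = update_rules(tar1, d + "/rules")  # same archive again: nothing to do
        third = update_rules(tar2, d + "/rules")   # revised rule: reload needed
        escaped = pathlib.Path(d, "escaped.rules").exists()
    return first, second, third, escaped
```

In a cron job, run the reload only when `update_rules` returns a non-empty list; `demo()` returns `(['emerging-sample.rules'], [], ['emerging-sample.rules'], False)` on the constructed archives.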

After following all these steps, Suricata will be fully functional.

In a future post we’ll look at how to integrate Suricata with QRadar CE. For any questions you may have, do not hesitate to ask me on Twitter @yeknu_. Suggestions and comments are also welcome.

Security Engineer working in the cybersecurity sector for more than 2 years. Extensive experience in detecting threats using different techniques and applications: Snort, Suricata, Wazuh, Ossec, SIEM (Qradar), Honeypots. Passionate about security, he devotes his free time to the study of new threats and their detection (Threat Intelligence).