snort -> syslog -> kafka
Add to /etc/rc.conf (-s: accept no log messages from remote hosts; -v -v: prefix each locally written message with its facility and priority):
syslogd_enable="YES"
syslogd_flags="-s -v -v"
Restart syslog daemon:
service syslogd restart
Send event to syslog to test it:
/usr/bin/logger -p user.notice -t event_label -- "Notice event generated manually at `date`"
Check syslog log file:
tail -f /var/log/messages
Install Snort, then strip the default per-file rule includes from snort.conf (PulledPork merges the downloaded rules into a single snort.rules, included further down):
pkg install snort
sed -i '' '/^include \$RULE_PATH\/.*.rules$/d' /usr/local/etc/snort/snort.conf
Changes to /usr/local/etc/snort/snort.conf:
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules
output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
mkdir /usr/local/etc/snort/so_rules
mkdir /usr/local/etc/snort/rules/iplists
touch /usr/local/etc/snort/rules/local.rules
cp /usr/local/etc/snort/preproc_rules/sensitive-data.rules-sample /usr/local/etc/snort/preproc_rules/sensitive-data.rules
touch /usr/local/etc/snort/rules/white_list.rules
touch /usr/local/etc/snort/rules/black_list.rules
Create an account at www.snort.org and set the Oinkcode from that account in:
/usr/local/etc/pulledpork/pulledpork.conf
Download and merge the rule sets with PulledPork (-l logs its progress to syslog):
sudo pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l
Test Snort in the foreground, printing alerts to the console (em0 here; use the same interface name that snort_interface in /etc/rc.conf names):
snort -A console -q -c /usr/local/etc/snort/snort.conf -i em0
Enable syslog output in /usr/local/etc/snort/snort.conf (facility LOG_AUTH, level LOG_ALERT; with FreeBSD's default /etc/syslog.conf these alerts land in /var/log/auth.log):
output alert_syslog: LOG_AUTH LOG_ALERT
Add to /etc/rc.conf:
snort_enable="YES"
snort_interface="re0"
sudo pkg install bash git gradle openjdk8 kafka zookeeper
Kafka's scripts hard-code #!/bin/bash, but the FreeBSD package installs bash under /usr/local/bin:
ln -s /usr/local/bin/bash /bin/bash
Add to rc.conf:
# Zookeeper
zookeeper_enable="YES"
# Kafka
kafka_enable="YES"
Start Zookeeper, then Kafka:
service zookeeper start
service kafka start
Install kafkacat to produce and consume to/from Kafka:
pkg install kafkacat
Pipe the syslog files into a Kafka topic with kafkacat as producer (-F rather than -f so the pipeline survives newsyslog rotating the file; -z snappy compresses the batches):
tail -F /var/log/messages | kafkacat -P -b 0 -t syslog -z snappy
tail -F /var/log/auth.log | kafkacat -P -b 0 -t syslog -z snappy
Read the topic back with kafkacat as consumer:
kafkacat -C -b 0 -t syslog -z snappy
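Once the topic carries both Snort alerts and ordinary auth.log lines, a consumer needs to pick the alerts out and break them into fields. The script below is an added example, not part of the original notes: it parses the alert_syslog line format ("[gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src -> dst") into key=value records and counts alerts at or above a given severity. The sample lines, the hostname "sensor" and the local SID 1000001 are constructed for the example; the functions read stdin, so the same pipeline works on the live topic.

```shell
#!/bin/sh
# Added example: parse Snort alert_syslog records read from the "syslog" Kafka topic.
# Assumed line shape (what "output alert_syslog" produces, wrapped by syslogd):
#   <date> <host> snort[<pid>]: [gid:sid:rev] MSG [Classification: CLASS] [Priority: N] {PROTO} SRC -> DST

# Constructed sample input: two Snort alerts and one unrelated auth.log line.
SAMPLE_ALERTS='Apr 10 12:00:01 sensor snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
Apr 10 12:00:02 sensor snort[1234]: [1:1000001:1] LOCAL ICMP ping [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5
Apr 10 12:00:03 sensor sshd[999]: Accepted publickey for root from 192.168.1.10 port 51000 ssh2'

# parse_snort_alert: stdin -> one key=value record per Snort alert.
# Lines that are not Snort alerts (sshd, cron, ...) share the topic and are dropped.
# ICMP alerts carry bare addresses, so src/dst are taken as "anything up to a space".
parse_snort_alert() {
    sed -n -E \
        's/^.* snort\[[0-9]+\]: \[([0-9]+):([0-9]+):([0-9]+)\] (.*) \[Classification: ([^]]*)\] \[Priority: ([0-9]+)\] \{([A-Z]+)\} ([^ ]+) -> ([^ ]+)$/gid=\1 sid=\2 rev=\3 priority=\6 proto=\7 src=\8 dst=\9 class="\5" msg="\4"/p'
}

# count_alerts_at_or_above PRIO: number of alerts whose priority is PRIO or more
# severe (Snort priorities count down: 1 is the most severe).
count_alerts_at_or_above() {
    parse_snort_alert | awk -v max="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^priority=/) { split($i, a, "="); if (a[2] + 0 <= max + 0) n++ } }
        END { print n + 0 }'
}

# Stand-alone run on the constructed sample; on the sensor use instead:
#   kafkacat -C -b 0 -t syslog -o end -u | parse_snort_alert
printf '%s\n' "$SAMPLE_ALERTS" | parse_snort_alert
printf '%s\n' "$SAMPLE_ALERTS" | count_alerts_at_or_above 2
```

The sed expression is a POSIX ERE, so it runs unchanged under FreeBSD's sed and GNU sed; the greedy message group is safe because "[Classification:" appears exactly once per alert.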