Open cloudstrifeedge opened 6 years ago
I would like to add...that I do not think it is a good idea to install it all on one Pi. I found it was much better to do a separate install for the server/client. This was mainly because if something is wrong you can re-install the client without much difficulty.
In terms of capturing all the network traffic, you will actually have to do the port mirroring, which I don't think is clearly outlined. If you watch the presentation Travis made about the design, though, you will see it there.
Finally, I am new to GitHub, but you may want to do pull requests for some of the changes you mention in your tutorial.
I think there are two ways to deploy your IDS device: one is to use a switch to do the port mirroring, the other is to use your Pi as a sniffer.
I use my Pi as a sniffer to collect packets through the eth0 network card, because I can't use a switch due to the layout of my home.
And why do I use only one Pi to install this project? Simply because I just want to save money.
Of course, using two devices is a better choice. You can even use PCs or servers if you want.
I'm writing this simple guide to help those who want to install SweetSecurity on one single Pi. Yes, surely we can save money. One Pi is enough.
Well, I use a Pi 3B+, 1GB RAM.
CPU load will be 30%-40% after all services have been started.
I also have:
To install all components on a single Pi, you need to do this:
1. Use a bigger swap partition. The default on a Pi 3B+ is about 100M. We need more! Modifying the Pi's swap partition is different from other Debian Linux! Do NOT use the
mkswap
command, because it's useless. Instead, you need to modify /etc/dphys-swapfile: change CONF_SWAPSIZE from 100 to 2000000.
Restart the service:
sudo /etc/init.d/dphys-swapfile restart
Now we have a 2GB swap partition.
2. Modify setup.py: comment out lines 82, 83, 85, 86 in file SweetSecurity/setup.py.
3. Modify a pre-install library. Pi uses Debian Linux. To install Bro on Pi, you need to modify lines 24, 26, 38, 40, 45, 47 in file SweetSecurity/install/packages.py: change
libssl-dev
to
libssl1.0-dev
4. Now run setup.py.
NOTICE:
critical-stack-intel in this project is still not working for me (2018-08-10). There's a server issue; you can see it here: https://groups.google.com/forum/#!topic/security-onion/axOCfBgjva4
So even when I do this manually:
sudo -u critical-stack /usr/bin/critical-stack-intel --debug pull
it fails to update the Critical Stack IP database.
When I run this:
sudo -u critical-stack /usr/bin/critical-stack-intel list
I find that no feed has ever been downloaded. No way, no how.
So currently I suggest you guys use AlienVault instead.
happy hacking
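The single-Pi procedure above (bigger swap, commenting out lines of setup.py, swapping the libssl package name in packages.py) as one repeatable script. This is an added example and is not code from the issue or from the SweetSecurity project. It assumes GNU sed (what Raspbian ships), the file paths named in the post, and that the script is run as root when applying to the real system. One caveat the post does not mention: CONF_SWAPSIZE in /etc/dphys-swapfile is in megabytes, and the dphys-swapfile script clamps it to CONF_MAXSWAP (2048 by default), which is why the post's 2000000 still ends up as a 2 GB swap file; the script below writes 2048 directly.

```shell
#!/bin/sh
# Added example, not part of the issue or the SweetSecurity project.
# Scripts the manual single-Pi edits from the post so they can be repeated
# after a fresh checkout. Assumes GNU sed (for -i and \b).
set -eu

# Set CONF_SWAPSIZE in a dphys-swapfile config file. The value is in
# megabytes; 2048 asks for a 2 GB swap file, which is also the default
# CONF_MAXSWAP cap, so larger values are clamped to the same size.
set_swap_size() {
    conf=$1
    size=$2
    if grep -q '^CONF_SWAPSIZE=' "$conf"; then
        sed -i "s/^CONF_SWAPSIZE=.*/CONF_SWAPSIZE=$size/" "$conf"
    else
        printf 'CONF_SWAPSIZE=%s\n' "$size" >> "$conf"
    fi
}

# Comment out the given 1-based line numbers of a file by prefixing '#'.
# Lines that already start with '#' are left alone, so re-running is safe.
# The post names lines 82, 83, 85 and 86 of SweetSecurity/setup.py.
comment_out_lines() {
    file=$1
    shift
    for n in "$@"; do
        sed -i "${n}s/^\([^#]\)/#\1/" "$file"
    done
}

# Replace the Debian package name libssl-dev with libssl1.0-dev everywhere
# in a file (the post lists specific lines of install/packages.py; every
# occurrence there is the same package name). The \b anchors keep
# 'libssl1.0-dev' and any 'libssl-dev-something' untouched.
patch_libssl() {
    file=$1
    sed -i 's/\blibssl-dev\b/libssl1.0-dev/g' "$file"
}

# Apply to the real system only when explicitly asked:
#   sudo sh single-pi-fixes.sh apply   (hypothetical file name)
# Paths are the ones used in the post; run from the directory that
# contains the SweetSecurity checkout.
if [ "${1:-}" = "apply" ]; then
    set_swap_size /etc/dphys-swapfile 2048
    /etc/init.d/dphys-swapfile restart
    comment_out_lines SweetSecurity/setup.py 82 83 85 86
    patch_libssl SweetSecurity/install/packages.py
    echo "done; now run: cd SweetSecurity && sudo python setup.py"
fi
```

Check the result before running setup.py: `grep CONF_SWAPSIZE /etc/dphys-swapfile` and `free -m` should both show about 2048 MB of swap, and `grep -n libssl SweetSecurity/install/packages.py` should list only libssl1.0-dev.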