Building a Personal Network and Host Defense System Part 4: Network Protection With Suricata
It is inevitable that enemies will approach the castle. Thus we must not only monitor the perimeter of our castle but also actively defend it. Hence we will station Archers to defend our castle. To this on our machine we use Suricata.
As always clone the NHIDPS repository and change into the directory. You may skip the succeeding commands for building the golden image if you have already built one from previous walkthrough, otherwise run the commands below to build the golden image.
1
2
3
4
5
6
7
8
# hash the passwords and insert in the preseed fileROOT_PASSWORD="INSERT_ROOT_PASSWORD_HERE";USER_PASSWORD="INSERT_USER_PASSWORD_HERE"echo$ROOT_PASSWORD| mkpasswd -s -m sha-512 # replace passwd/root-password-crypted valueecho$USER_PASSWORD| mkpasswd -s -m sha-512 # replace passwd/user-password-crypted value# building the system with packer json definitionpacker plugins install github.com/hashicorp/virtualbox
ISO_URL="INSERT_ISO_FILEPATH"TMPDIR=./ PACKER_LOG_PATH=packer.log PACKER_LOG=2 packer build -var-file template-vars.json -force template.json
With existing golden image and earlier generated key pair, run the command below to configure the machine for network protection.
1
vagrant up --provision-with ansible # start and configure the vm
Log into the machine with your specified credentials and run the following commands to observe traffic logs.
1
2
3
4
5
6
7
8
9
10
11
# check the status of suricatasudo systemctl status suricata
# visit to a sitefor _ in {1..10};do curl -s https://example.com -o /dev/null;done# view network events observedtail -f /var/log/suricata/eve.json | jq -rc .
# see protection status and alert descriptiontail -f /var/log/suricata/eve.json | jq -rc .stats.ips
tail -f /var/log/suricata/fast.log
DevSecOps
