Friday 8 November 2013

Network Management System - Part 1

The aim of this system is to use open source software to build a low-cost system for managing and security monitoring of a small to medium sized remote network.

Services specifically required (list will be updated as we go along):

  • Secure remote access onto network (SSH)
  • Centralised logging (syslog)
  • Equipment monitoring and alerting (nagios or similar)
  • Bandwidth monitoring (bandwidthd, etc)
  • Alert for outbound malware c&c

I've played with security onion in the past and it does a lot of the above out-of-the-box.  I would have liked to run that as one of a number of guests on an esxi host but the hardware isn't up to it.  I'm currently running all this on an old xpc shuttle with 2 GB of RAM a 250 GB HDD and a second NIC card (you need 2 ports - one for management and one for the network capturing).

So first of all go download security onion (SO) and get it installed. Its straightforward: Here's the official guide.

It includes the following script to update which we'll need again:

sudo soup

Security Onion Setup is now complete!

 Setup log can be found here:

 You may view IDS alerts using Sguil, Squert, Snorby, or ELSA (if enabled).

 Bro logs can be found in ELSA (if enabled) and the following location:

Rules downloaded by Pulledpork are stored in:

 Local rules can be added to:

 You can have PulledPork modify the downloaded rules
 by modifying the files in:

 Rules will be updated every day at 7:01 AM UTC.
 You can manually update them by running:

 Sensors can be tuned by modifying the files in:

Once thats finished run the following to make sure everything is up to date:

sudo apt-get update && sudo apt-get dist-upgrade

Then make sure all the SO services are running ok:

sudo service nsm status

Thats all for part 1.  Next post will be setting up SSH, remote desktop and adding some of the other services.

No comments:

Post a Comment